[selinux-policy/f18] * Mon Sep 10 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-17 - Merge openshift policy - Allow xau

Miroslav Grepl mgrepl at fedoraproject.org
Mon Sep 10 12:09:18 UTC 2012


commit 72a308110f88661f4af80781ab2d06b6126772e9
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Sep 10 14:09:00 2012 +0200

    * Mon Sep 10 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-17
    - Merge openshift policy
    - Allow xauth to read /dev/urandom
    - systemd needs to relabel content in /run/systemd directories
    - Files unconfined should be able to perform all services on all files
    - Puppet tmp file can be leaked to all domains
    - Dontaudit rhsmcertd-worker to search /root/.local
    - Allow chown capability for zarafa domains
    - Allow system cronjobs to runcon into openshift domains
    - Allow virt_bridgehelper_t to manage content in the svirt_home_t labeled directories

 policy-rawhide.patch         |  322 ++++++---
 policy_contrib-rawhide.patch | 1536 +++++++++++++++++++++++++++++++++++++-----
 selinux-policy.spec          |   13 +-
 3 files changed, 1613 insertions(+), 258 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 4c08960..36b4027 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -62802,7 +62802,7 @@ index c6ca761..46e0767 100644
  ')
  
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..9d5a8c0 100644
+index e0791b9..8ad5b9d 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
 @@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms;
@@ -62894,18 +62894,22 @@ index e0791b9..9d5a8c0 100644
  	pcmcia_use_cardmgr_fds(ping_t)
  ')
  
-@@ -157,6 +175,10 @@ optional_policy(`
+@@ -157,6 +175,14 @@ optional_policy(`
  	hotplug_use_fds(ping_t)
  ')
  
 +optional_policy(`
++	openshift_rw_inherited_content(ping_t)
++')
++
++optional_policy(`
 +	zabbix_read_tmp(ping_t)
 +')
 +
  ########################################
  #
  # Traceroute local policy
-@@ -170,7 +192,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -170,7 +196,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
  kernel_read_system_state(traceroute_t)
  kernel_read_network_state(traceroute_t)
  
@@ -62913,7 +62917,7 @@ index e0791b9..9d5a8c0 100644
  corenet_all_recvfrom_netlabel(traceroute_t)
  corenet_tcp_sendrecv_generic_if(traceroute_t)
  corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -194,6 +215,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +219,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
  domain_use_interactive_fds(traceroute_t)
  
  files_read_etc_files(traceroute_t)
@@ -62921,7 +62925,7 @@ index e0791b9..9d5a8c0 100644
  files_dontaudit_search_var(traceroute_t)
  
  init_use_fds(traceroute_t)
-@@ -204,9 +226,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +230,16 @@ logging_send_syslog_msg(traceroute_t)
  
  miscfiles_read_localization(traceroute_t)
  
@@ -68274,7 +68278,7 @@ index 6a1e4d1..eee8419 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..b5b32d3 100644
+index cf04cb5..edd588e 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.11.0)
@@ -68380,7 +68384,7 @@ index cf04cb5..b5b32d3 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +211,259 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +211,263 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -68626,6 +68630,10 @@ index cf04cb5..b5b32d3 100644
 +# these seem questionable:
 +
 +optional_policy(`
++	puppet_rw_tmp(domain)
++')
++
++optional_policy(`
 +	rpm_use_fds(domain)
 +	rpm_read_pipes(domain)
 +')
@@ -70653,7 +70661,7 @@ index e1e814d..76477ca 100644
 +	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
 +')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 52ef84e..14fabe2 100644
+index 52ef84e..59b37a3 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
 @@ -10,7 +10,9 @@ attribute files_unconfined_type;
@@ -70728,7 +70736,12 @@ index 52ef84e..14fabe2 100644
  
  ########################################
  #
-@@ -229,6 +245,6 @@ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_fil
+@@ -225,10 +241,11 @@ fs_associate_tmpfs(tmpfsfile)
+ # Create/access any file in a labeled filesystem;
+ allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
++allow files_unconfined_type file_type:service *;
+ 
  # Mount/unmount any filesystem with the context= option.
  allow files_unconfined_type file_type:filesystem *;
  
@@ -73479,7 +73492,7 @@ index 7d45d15..22c9cfe 100644
 +
 +/usr/lib/udev/devices/pts -d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 01dd2f1..bce2776 100644
+index 01dd2f1..b62922c 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -73591,6 +73604,15 @@ index 01dd2f1..bce2776 100644
  ##	Do not audit attempts to read the
  ##	/dev/pts directory.
  ## </summary>
+@@ -601,7 +660,7 @@ interface(`term_use_generic_ptys',`
+ 
+ ########################################
+ ## <summary>
+-##	Dot not audit attempts to read and
++##	Do not audit attempts to read and
+ ##	write the generic pty type.  This is
+ ##	generally only used in the targeted policy.
+ ## </summary>
 @@ -616,6 +675,7 @@ interface(`term_dontaudit_use_generic_ptys',`
  		type devpts_t;
  	')
@@ -75874,10 +75896,10 @@ index 0000000..bac0dc0
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..20bc285
+index 0000000..905a4b5
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,384 @@
+@@ -0,0 +1,388 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -76240,6 +76262,10 @@ index 0000000..20bc285
 +')
 +
 +optional_policy(`
++	openshift_run(unconfined_usertype, unconfined_r)
++')
++
++optional_policy(`
 +	usermanage_run_useradd(unconfined_t, unconfined_r)
 +')
 +
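Review bot: The new block passes the `unconfined_usertype` attribute to `openshift_run`, while the neighbouring `usermanage_run_useradd(unconfined_t, unconfined_r)` is scoped to the single `unconfined_t` type, so the openshift transition applies to every type carrying the attribute. If only the login shell domain is meant to run the openshift tooling, `openshift_run(unconfined_t, unconfined_r)` would match the surrounding rules; if the wider scope is intended, a short comment saying so would stop the next reader from narrowing it. Which other types carry `unconfined_usertype` is not visible in this hunk.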
@@ -76739,7 +76765,7 @@ index 078bcd7..8ed5b99 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..61070e4 100644
+index fe0c682..b161c31 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -77218,7 +77244,7 @@ index fe0c682..61070e4 100644
  ')
  
  ######################################
-@@ -754,3 +894,64 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +894,101 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -77283,8 +77309,45 @@ index fe0c682..61070e4 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
++
++########################################
++## <summary>
++##	Do not audit attempts to read and
++##	write the sshd pty type.  
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`ssh_dontaudit_use_ptys',`
++	gen_require(`
++		type sshd_devpts_t;
++	')
++
++	dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl };
++')
++
++########################################
++## <summary>
++##	Read and write inherited sshd pty type.  
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`ssh_use_ptys',`
++	gen_require(`
++		type sshd_devpts_t;
++	')
++
++	allow $1 sshd_devpts_t:chr_file { getattr read write ioctl };
++')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..5c691d1 100644
+index b17e27a..47fd62a 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
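Review bot: The `<param>` summary of the new `ssh_use_ptys` interface reads `Domain to not audit.`, copied from `ssh_dontaudit_use_ptys` above it, but this interface grants access rather than suppressing audit; it should read `Domain allowed access.`. The two `<summary>` lines ending in `pty type.  ` also carry trailing whitespace. Both interfaces cover the same `{ getattr read write ioctl }` set on `sshd_devpts_t:chr_file`, which keeps the dontaudit/allow pair symmetrical.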
@@ -77615,7 +77678,7 @@ index b17e27a..5c691d1 100644
  ')
  
  optional_policy(`
-@@ -283,6 +330,15 @@ optional_policy(`
+@@ -283,6 +330,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77628,10 +77691,19 @@ index b17e27a..5c691d1 100644
 +')
 +
 +optional_policy(`
++	openshift_dyntransition(sshd_t)
++	openshift_transition(sshd_t)
++	openshift_manage_tmp_files(sshd_t)
++	openshift_manage_tmp_sockets(sshd_t)
++	openshift_mounton_tmp(sshd_t)
++	openshift_search_lib(sshd_t)
++')
++
++optional_policy(`
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -290,6 +346,29 @@ optional_policy(`
+@@ -290,6 +355,29 @@ optional_policy(`
  	xserver_domtrans_xauth(sshd_t)
  ')
  
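Review bot: `openshift_dyntransition(sshd_t)` lets sshd switch domain with setcon rather than through an exec-based transition, which sidesteps the entrypoint check that `openshift_transition(sshd_t)` on the next line relies on, and the block gives no hint why both paths are needed. A why-comment above the block would help later review, e.g. `# sshd needs both the exec-based and the setcon-based entry into openshift domains`. Whether the setcon path is genuinely required by openshift's sshd integration is not something this hunk shows, so the comment should be confirmed against the contrib policy before it is added.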
@@ -77661,7 +77733,7 @@ index b17e27a..5c691d1 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -298,19 +377,26 @@ optional_policy(`
+@@ -298,19 +386,26 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -77689,7 +77761,7 @@ index b17e27a..5c691d1 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -327,9 +413,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -327,9 +422,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -77703,7 +77775,7 @@ index b17e27a..5c691d1 100644
  ')
  
  optional_policy(`
-@@ -339,3 +427,83 @@ optional_policy(`
+@@ -339,3 +436,83 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -79249,7 +79321,7 @@ index 130ced9..1b31c76 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..20ee046 100644
+index d40f750..29cb626 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -79484,7 +79556,7 @@ index d40f750..20ee046 100644
  ')
  
  ########################################
-@@ -247,45 +311,78 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,45 +311,81 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -79518,6 +79590,9 @@ index d40f750..20ee046 100644
 +kernel_read_system_state(xauth_t)
  kernel_request_load_module(xauth_t)
  
++dev_read_rand(xauth_t)
++dev_read_urand(xauth_t)
++
  domain_use_interactive_fds(xauth_t)
 +domain_dontaudit_leaks(xauth_t)
  
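Review bot: `dev_read_rand(xauth_t)` on the first added line grants /dev/random as well as /dev/urandom, but the changelog entry only says "Allow xauth to read /dev/urandom". If xauth only opens urandom, the extra rule should be dropped so the blocking device is not reachable from that domain; if both are needed, the changelog line should say so. The surrounding xauth block continues outside this hunk.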
@@ -79573,7 +79648,7 @@ index d40f750..20ee046 100644
  ')
  
  optional_policy(`
-@@ -299,64 +396,105 @@ optional_policy(`
+@@ -299,64 +399,105 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -79689,7 +79764,7 @@ index d40f750..20ee046 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +503,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +506,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -79719,7 +79794,7 @@ index d40f750..20ee046 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +533,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +536,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -79772,7 +79847,7 @@ index d40f750..20ee046 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +585,25 @@ files_list_mnt(xdm_t)
+@@ -430,9 +588,25 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -79798,7 +79873,7 @@ index d40f750..20ee046 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +612,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +615,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -79840,7 +79915,7 @@ index d40f750..20ee046 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +652,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +655,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -79890,7 +79965,7 @@ index d40f750..20ee046 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +702,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +705,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -79912,7 +79987,7 @@ index d40f750..20ee046 100644
  ')
  
  optional_policy(`
-@@ -514,12 +724,64 @@ optional_policy(`
+@@ -514,12 +727,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79977,7 +80052,7 @@ index d40f750..20ee046 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +799,69 @@ optional_policy(`
+@@ -537,28 +802,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80056,7 +80131,7 @@ index d40f750..20ee046 100644
  ')
  
  optional_policy(`
-@@ -570,6 +873,14 @@ optional_policy(`
+@@ -570,6 +876,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80071,7 +80146,7 @@ index d40f750..20ee046 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +905,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +908,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -80084,7 +80159,7 @@ index d40f750..20ee046 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +922,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +925,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -80100,7 +80175,7 @@ index d40f750..20ee046 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +949,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +952,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -80122,7 +80197,7 @@ index d40f750..20ee046 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +969,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +972,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -80136,7 +80211,7 @@ index d40f750..20ee046 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +995,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +998,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -80168,7 +80243,7 @@ index d40f750..20ee046 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1027,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1030,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -80182,7 +80257,7 @@ index d40f750..20ee046 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,8 +1046,6 @@ init_getpgid(xserver_t)
+@@ -708,8 +1049,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -80191,7 +80266,7 @@ index d40f750..20ee046 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -717,11 +1053,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -717,11 +1056,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -80206,7 +80281,7 @@ index d40f750..20ee046 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1112,40 @@ optional_policy(`
+@@ -775,16 +1115,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80248,7 +80323,7 @@ index d40f750..20ee046 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1154,10 @@ optional_policy(`
+@@ -793,6 +1157,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80259,7 +80334,7 @@ index d40f750..20ee046 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1173,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1176,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -80273,7 +80348,7 @@ index d40f750..20ee046 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1184,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1187,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -80282,7 +80357,7 @@ index d40f750..20ee046 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1197,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1200,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -80317,7 +80392,7 @@ index d40f750..20ee046 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1219,10 @@ optional_policy(`
+@@ -859,6 +1222,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -80328,7 +80403,7 @@ index d40f750..20ee046 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1266,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1269,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -80337,7 +80412,7 @@ index d40f750..20ee046 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1320,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1323,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -80369,7 +80444,7 @@ index d40f750..20ee046 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1366,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1369,44 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -83178,7 +83253,7 @@ index d26fe81..efdc556 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..fb77fcb 100644
+index 4a88fa1..c9eef60 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -83426,7 +83501,7 @@ index 4a88fa1..fb77fcb 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -196,16 +301,154 @@ tunable_policy(`init_upstart',`
+@@ -196,16 +301,158 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -83435,6 +83510,7 @@ index 4a88fa1..fb77fcb 100644
  optional_policy(`
 -	auth_rw_login_records(init_t)
 +	modutils_domtrans_insmod(init_t)
++	modutils_list_module_config(init_t)
  ')
  
  optional_policy(`
@@ -83501,6 +83577,7 @@ index 4a88fa1..fb77fcb 100644
 +	files_list_var(init_t)
 +	files_create_lock_dirs(init_t)
 +	files_relabel_all_lock_dirs(init_t)
++	files_read_kernel_modules(init_t)
 +
 +	fs_getattr_all_fs(init_t)
 +	fs_manage_cgroup_dirs(init_t)
@@ -83545,6 +83622,8 @@ index 4a88fa1..fb77fcb 100644
 +	systemd_logger_stream_connect(init_t)
 +	systemd_config_all_services(init_t)
 +	systemd_relabelto_fifo_file_passwd_run(init_t)
++	systemd_relabel_unit_dirs(init_t)
++	systemd_relabel_unit_files(init_t)
 +	systemd_config_all_services(initrc_t)
 +
 +	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
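Review bot: The two new `systemd_relabel_unit_*` calls are added without a comment, and their names refer to unit files while the changelog entry refers to relabelling content in /run/systemd directories; a reader cannot tell from this hunk whether the unit-file type is what /run/systemd carries. A one-line why-comment such as `# systemd relabels generated content under /run/systemd (3.11.1-17)` above `systemd_relabel_unit_dirs(init_t)` would tie the grant to its cause, and if the contrib patch has a narrower runtime-directory type it should be preferred over relabel on unit files. The enclosing block starts and ends outside this hunk.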
@@ -83583,7 +83662,7 @@ index 4a88fa1..fb77fcb 100644
  ')
  
  optional_policy(`
-@@ -213,6 +456,22 @@ optional_policy(`
+@@ -213,6 +460,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83606,7 +83685,7 @@ index 4a88fa1..fb77fcb 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -222,8 +481,9 @@ optional_policy(`
+@@ -222,8 +485,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -83618,7 +83697,7 @@ index 4a88fa1..fb77fcb 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -251,12 +511,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +515,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -83634,7 +83713,7 @@ index 4a88fa1..fb77fcb 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +535,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +539,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -83677,7 +83756,7 @@ index 4a88fa1..fb77fcb 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,6 +572,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +576,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -83685,7 +83764,7 @@ index 4a88fa1..fb77fcb 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -306,8 +583,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +587,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -83696,7 +83775,7 @@ index 4a88fa1..fb77fcb 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -315,17 +594,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +598,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -83716,7 +83795,7 @@ index 4a88fa1..fb77fcb 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -333,6 +611,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +615,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -83724,7 +83803,7 @@ index 4a88fa1..fb77fcb 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -340,8 +619,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +623,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -83736,7 +83815,7 @@ index 4a88fa1..fb77fcb 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -357,8 +638,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +642,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -83750,7 +83829,7 @@ index 4a88fa1..fb77fcb 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -368,9 +653,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +657,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -83764,7 +83843,7 @@ index 4a88fa1..fb77fcb 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -380,6 +668,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +672,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -83772,7 +83851,7 @@ index 4a88fa1..fb77fcb 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -391,6 +680,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +684,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -83780,7 +83859,7 @@ index 4a88fa1..fb77fcb 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -411,18 +701,17 @@ logging_read_audit_config(initrc_t)
+@@ -411,18 +705,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -83802,7 +83881,7 @@ index 4a88fa1..fb77fcb 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +765,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +769,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -83813,7 +83892,7 @@ index 4a88fa1..fb77fcb 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -496,7 +789,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +793,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -83822,7 +83901,7 @@ index 4a88fa1..fb77fcb 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -511,6 +804,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +808,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -83830,7 +83909,7 @@ index 4a88fa1..fb77fcb 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -531,6 +825,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +829,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -83838,7 +83917,7 @@ index 4a88fa1..fb77fcb 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +835,35 @@ ifdef(`distro_redhat',`
+@@ -540,8 +839,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -83874,7 +83953,7 @@ index 4a88fa1..fb77fcb 100644
  	')
  
  	optional_policy(`
-@@ -549,14 +871,27 @@ ifdef(`distro_redhat',`
+@@ -549,14 +875,27 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -83902,7 +83981,7 @@ index 4a88fa1..fb77fcb 100644
  	')
  ')
  
-@@ -567,6 +902,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +906,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -83942,7 +84021,7 @@ index 4a88fa1..fb77fcb 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +947,8 @@ optional_policy(`
+@@ -579,6 +951,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -83951,7 +84030,7 @@ index 4a88fa1..fb77fcb 100644
  ')
  
  optional_policy(`
-@@ -600,6 +970,7 @@ optional_policy(`
+@@ -600,6 +974,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -83959,7 +84038,7 @@ index 4a88fa1..fb77fcb 100644
  ')
  
  optional_policy(`
-@@ -612,6 +983,17 @@ optional_policy(`
+@@ -612,6 +987,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83977,7 +84056,7 @@ index 4a88fa1..fb77fcb 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -628,9 +1010,13 @@ optional_policy(`
+@@ -628,9 +1014,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -83991,7 +84070,7 @@ index 4a88fa1..fb77fcb 100644
  	')
  
  	optional_policy(`
-@@ -655,6 +1041,10 @@ optional_policy(`
+@@ -655,6 +1045,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84002,7 +84081,7 @@ index 4a88fa1..fb77fcb 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -672,6 +1062,15 @@ optional_policy(`
+@@ -672,6 +1066,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84018,7 +84097,7 @@ index 4a88fa1..fb77fcb 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -712,6 +1111,7 @@ optional_policy(`
+@@ -712,6 +1115,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -84026,7 +84105,7 @@ index 4a88fa1..fb77fcb 100644
  ')
  
  optional_policy(`
-@@ -729,7 +1129,14 @@ optional_policy(`
+@@ -729,7 +1133,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84041,7 +84120,7 @@ index 4a88fa1..fb77fcb 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -752,6 +1159,10 @@ optional_policy(`
+@@ -752,6 +1163,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84052,7 +84131,7 @@ index 4a88fa1..fb77fcb 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -761,10 +1172,20 @@ optional_policy(`
+@@ -761,10 +1176,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84073,7 +84152,7 @@ index 4a88fa1..fb77fcb 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -773,6 +1194,10 @@ optional_policy(`
+@@ -773,6 +1198,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84084,7 +84163,7 @@ index 4a88fa1..fb77fcb 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -794,8 +1219,6 @@ optional_policy(`
+@@ -794,8 +1223,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -84093,7 +84172,7 @@ index 4a88fa1..fb77fcb 100644
  ')
  
  optional_policy(`
-@@ -804,6 +1227,10 @@ optional_policy(`
+@@ -804,6 +1231,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84104,7 +84183,7 @@ index 4a88fa1..fb77fcb 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -813,10 +1240,12 @@ optional_policy(`
+@@ -813,10 +1244,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -84117,7 +84196,7 @@ index 4a88fa1..fb77fcb 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1257,6 @@ optional_policy(`
+@@ -828,8 +1261,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84126,7 +84205,7 @@ index 4a88fa1..fb77fcb 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_pid_dirs(initrc_t)
  	udev_manage_rules_files(initrc_t)
-@@ -840,12 +1267,30 @@ optional_policy(`
+@@ -840,12 +1271,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84159,7 +84238,7 @@ index 4a88fa1..fb77fcb 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1300,18 @@ optional_policy(`
+@@ -855,6 +1304,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -84178,7 +84257,7 @@ index 4a88fa1..fb77fcb 100644
  ')
  
  optional_policy(`
-@@ -870,6 +1327,10 @@ optional_policy(`
+@@ -870,6 +1331,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84189,7 +84268,7 @@ index 4a88fa1..fb77fcb 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -880,3 +1341,164 @@ optional_policy(`
+@@ -880,3 +1345,164 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -86049,7 +86128,7 @@ index 321bb13..e7fd936 100644
 +	init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0034021..8c87704 100644
+index 0034021..2d55123 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -5,6 +5,20 @@ policy_module(logging, 1.19.0)
@@ -86258,19 +86337,21 @@ index 0034021..8c87704 100644
  kernel_read_system_state(syslogd_t)
  kernel_read_kernel_sysctls(syslogd_t)
  kernel_read_proc_symlinks(syslogd_t)
-@@ -401,7 +453,10 @@ kernel_read_messages(syslogd_t)
+@@ -400,8 +452,12 @@ kernel_read_proc_symlinks(syslogd_t)
+ kernel_read_messages(syslogd_t)
  kernel_clear_ring_buffer(syslogd_t)
  kernel_change_ring_buffer_level(syslogd_t)
- 
--corenet_all_recvfrom_unlabeled(syslogd_t)
++kernel_read_ring_buffer(syslogd_t)
++
 +ifdef(`hide_broken_symptoms',`
 +	kernel_rw_unix_dgram_sockets(syslogd_t)
 +')
-+
+ 
+-corenet_all_recvfrom_unlabeled(syslogd_t)
  corenet_all_recvfrom_netlabel(syslogd_t)
  corenet_udp_sendrecv_generic_if(syslogd_t)
  corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,10 +482,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,10 +483,28 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -86290,6 +86371,7 @@ index 0034021..8c87704 100644
 +dev_read_urand(syslogd_t)
 +# relating to systemd-kmsg-syslogd
 +dev_write_kmsg(syslogd_t)
++dev_read_kmsg(syslogd_t)
  
 +domain_read_all_domains_state(syslogd_t)
  domain_use_interactive_fds(syslogd_t)
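Review bot: The new `dev_read_kmsg(syslogd_t)` line, like `kernel_read_ring_buffer(syslogd_t)` added in the preceding logging.te hunk, carries no why-comment while the adjacent `dev_write_kmsg(syslogd_t)` does. Both grant syslogd read access to the kernel log, which is expected for a syslog daemon but is the kind of access a reader will want explained next to the existing systemd-kmsg-syslogd remark. Suggest moving the existing comment above both kmsg lines and extending it to `# relating to systemd-kmsg-syslogd: read and write the kernel log (/dev/kmsg, ring buffer)`. The surrounding syslogd_t policy block continues outside the hunk.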
@@ -86298,7 +86380,7 @@ index 0034021..8c87704 100644
  
  files_read_etc_files(syslogd_t)
  files_read_usr_files(syslogd_t)
-@@ -442,13 +514,16 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,13 +516,16 @@ files_read_kernel_symbol_table(syslogd_t)
  
  fs_getattr_all_fs(syslogd_t)
  fs_search_auto_mountpoints(syslogd_t)
@@ -86315,7 +86397,7 @@ index 0034021..8c87704 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -460,6 +535,7 @@ init_use_fds(syslogd_t)
+@@ -460,6 +537,7 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -86323,7 +86405,7 @@ index 0034021..8c87704 100644
  
  miscfiles_read_localization(syslogd_t)
  
-@@ -493,15 +569,29 @@ optional_policy(`
+@@ -493,15 +571,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90169,10 +90251,10 @@ index 0000000..7da5bf6
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..846c140
+index 0000000..23bac8e
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,756 @@
+@@ -0,0 +1,792 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -90667,6 +90749,42 @@ index 0000000..846c140
 +
 +#######################################
 +## <summary>
++##      Relabel systemd unit directories
++## </summary>
++## <param name="script_file">
++##      <summary>
++##  	Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_relabel_unit_dirs',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++
++	relabel_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++#######################################
++## <summary>
++##      Relabel systemd unit files
++## </summary>
++## <param name="script_file">
++##      <summary>
++##  	Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_relabel_unit_files',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++
++	relabel_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++#######################################
++## <summary>
 +##  Send generic signals to systemd_passwd_agent processes.
 +## </summary>
 +## <param name="domain">
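Review bot: Both new interfaces, `systemd_relabel_unit_dirs` and `systemd_relabel_unit_files`, document their parameter as `<param name="script_file">` while the summary text says "Domain allowed access" and the body uses `$1` as the subject of a relabel pattern; the name looks copy-pasted and should be `## <param name="domain">` so the generated interface docs match the call. The two `gen_require` blocks are indented with spaces while the `relabel_*_pattern` lines use tabs, unlike the rest of this file. Since the pattern uses `systemd_unit_file_type` as both the from- and to-type, the caller may move any unit directory or file between any systemd unit file types; a one-line comment stating that (`# relabel between any systemd_unit_file_type`) would make the scope of the grant explicit.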
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 91c8035..2f029cd 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -2029,7 +2029,7 @@ index fd9fa07..c0ecd7e 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index 6480167..d30bdbf 100644
+index 6480167..273a121 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -13,62 +13,46 @@
@@ -2674,7 +2674,7 @@ index 6480167..d30bdbf 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1349,88 @@ interface(`apache_admin',`
+@@ -1205,14 +1349,106 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -2747,6 +2747,24 @@ index 6480167..d30bdbf 100644
 +
 +########################################
 +## <summary>
++##	Allow any httpd_exec_t to be an entrypoint of this domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_entrypoint',`
++	gen_require(`
++		type httpd_exec_t;
++	')
++	allow $1 httpd_exec_t:file entrypoint;
++')
++
++########################################
++## <summary>
 +##	Transition to apache home content
 +## </summary>
 +## <param name="domain">
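Review bot: `apache_entrypoint` grants only `$1 httpd_exec_t:file entrypoint`, which lets the httpd binary serve as an entry point into the caller's domain, but the summary does not say that the interface adds no transition rule and does not itself let httpd_t run anything. A sentence in the summary such as `## Allow httpd_exec_t to be an entry point of this domain; transition rules are not provided here.` would prevent callers from assuming a domtrans is included. Stylistically, the other interfaces in this file put a blank line between the `gen_require` block and the first rule, which this one omits.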
@@ -2769,7 +2787,7 @@ index 6480167..d30bdbf 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 0833afb..18e92f6 100644
+index 0833afb..e901478 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3478,7 +3496,7 @@ index 0833afb..18e92f6 100644
  ')
  
  optional_policy(`
-@@ -594,6 +930,34 @@ optional_policy(`
+@@ -594,6 +930,37 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3492,6 +3510,9 @@ index 0833afb..18e92f6 100644
 +		passenger_exec(httpd_t)
 +		passenger_manage_pid_content(httpd_t)
 +		passenger_manage_lib_files(httpd_t)
++		files_dontaudit_getattr_all_files(httpd_t)
++		domain_dontaudit_read_all_domains_state(httpd_t)
++		domain_getpgid_all_domains(httpd_t)
 +	',`
 +		passenger_domtrans(httpd_t)
 +		passenger_manage_pid_content(httpd_t)
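Review bot: `domain_getpgid_all_domains(httpd_t)` is an unconditional allow placed between two dontaudit lines inside the passenger branch, and nothing says why httpd needs getpgid on every domain; the two dontaudits beside it only silence denials, so the three lines are not of the same kind. A short comment above the allow, e.g. `# passenger process management needs getpgid on its child domains`, would record the intent, and if the need is limited to passenger's own domains a narrower interface would be preferable to the all-domains one. The conditional that encloses these lines starts outside the hunk, so whether this is gated on a tunable or an ifdef cannot be confirmed here.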
@@ -3513,7 +3534,7 @@ index 0833afb..18e92f6 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -608,6 +972,11 @@ optional_policy(`
+@@ -608,6 +975,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3525,7 +3546,7 @@ index 0833afb..18e92f6 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -620,6 +989,12 @@ optional_policy(`
+@@ -620,6 +992,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -3538,7 +3559,7 @@ index 0833afb..18e92f6 100644
  ########################################
  #
  # Apache helper local policy
-@@ -633,7 +1008,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1011,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -3551,7 +3572,7 @@ index 0833afb..18e92f6 100644
  
  ########################################
  #
-@@ -671,28 +1050,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1053,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -3595,7 +3616,7 @@ index 0833afb..18e92f6 100644
  ')
  
  ########################################
-@@ -702,6 +1083,7 @@ optional_policy(`
+@@ -702,6 +1086,7 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -3603,7 +3624,7 @@ index 0833afb..18e92f6 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1098,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1101,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -3632,7 +3653,7 @@ index 0833afb..18e92f6 100644
  files_read_usr_files(httpd_suexec_t)
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
-@@ -745,7 +1135,6 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -745,7 +1138,6 @@ tunable_policy(`httpd_can_network_connect',`
  	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_suexec_t self:udp_socket create_socket_perms;
  
@@ -3640,7 +3661,7 @@ index 0833afb..18e92f6 100644
  	corenet_all_recvfrom_netlabel(httpd_suexec_t)
  	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
  	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
-@@ -757,13 +1146,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1149,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -3673,7 +3694,7 @@ index 0833afb..18e92f6 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1193,25 @@ optional_policy(`
+@@ -786,6 +1196,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -3699,7 +3720,7 @@ index 0833afb..18e92f6 100644
  ########################################
  #
  # Apache system script local policy
-@@ -806,12 +1232,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1235,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -3717,7 +3738,7 @@ index 0833afb..18e92f6 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -820,18 +1251,49 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1254,49 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -3774,7 +3795,7 @@ index 0833afb..18e92f6 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1301,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1304,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -3815,7 +3836,7 @@ index 0833afb..18e92f6 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -859,10 +1346,20 @@ optional_policy(`
+@@ -859,10 +1349,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -3836,7 +3857,7 @@ index 0833afb..18e92f6 100644
  ')
  
  ########################################
-@@ -878,7 +1375,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,7 +1378,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
  kernel_dontaudit_list_proc(httpd_rotatelogs_t)
  kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
  
@@ -3844,7 +3865,7 @@ index 0833afb..18e92f6 100644
  
  logging_search_logs(httpd_rotatelogs_t)
  
-@@ -908,11 +1404,144 @@ optional_policy(`
+@@ -908,11 +1407,143 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -3862,7 +3883,7 @@ index 0833afb..18e92f6 100644
 +	userdom_search_user_home_content(httpd_t)
 +	userdom_search_user_home_content(httpd_suexec_t)
 +	userdom_search_user_home_content(httpd_user_script_t)
- ')
++')
 +
 +tunable_policy(`httpd_read_user_content',`
 +	userdom_read_user_home_content_files(httpd_t)
@@ -3990,8 +4011,7 @@ index 0833afb..18e92f6 100644
 +	corenet_tcp_connect_keystone_port(httpd_sys_script_t)
 +	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
 +	corenet_tcp_connect_glance_port(httpd_sys_script_t)
-+')
-+
+ ')
 diff --git a/apcupsd.fc b/apcupsd.fc
 index cd07b96..f3506be 100644
 --- a/apcupsd.fc
@@ -11920,90 +11940,98 @@ index 3559a05..224142a 100644
  /var/spool/cron/atjobs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
  /var/spool/cron/atjobs/[^/]*	--	<<none>>
 diff --git a/cron.if b/cron.if
-index 6e12dc7..59480a6 100644
+index 6e12dc7..1382775 100644
 --- a/cron.if
 +++ b/cron.if
-@@ -12,6 +12,11 @@
+@@ -12,12 +12,17 @@
  ## </param>
  #
  template(`cron_common_crontab_template',`
 +	gen_require(`
-+		type crond_t, crond_var_run_t, crontab_exec_t;
-+		type cron_spool_t, user_cron_spool_t;
++		attribute crontab_domain;
++		type crontab_exec_t;
 +	')
 +
  	##############################
  	#
  	# Declarations
-@@ -30,11 +35,15 @@ template(`cron_common_crontab_template',`
+ 	#
  
- 	# dac_override is to create the file in the directory under /tmp
- 	allow $1_t self:capability { fowner setuid setgid chown dac_override };
--	allow $1_t self:process { setsched signal_perms };
-+	allow $1_t self:process { getcap setsched signal_perms };
- 	allow $1_t self:fifo_file rw_fifo_file_perms;
+-	type $1_t;
++	type $1_t, crontab_domain;
+ 	userdom_user_application_domain($1_t, crontab_exec_t)
  
+ 	type $1_tmp_t;
+@@ -28,63 +33,15 @@ template(`cron_common_crontab_template',`
+ 	# Local policy
+ 	#
+ 
+-	# dac_override is to create the file in the directory under /tmp
+-	allow $1_t self:capability { fowner setuid setgid chown dac_override };
+-	allow $1_t self:process { setsched signal_perms };
+-	allow $1_t self:fifo_file rw_fifo_file_perms;
+-
 -	allow $1_t $1_tmp_t:file manage_file_perms;
 -	files_tmp_filetrans($1_t, $1_tmp_t, file)
-+	allow $1_t crond_t:process signal;
-+	allow $1_t crond_var_run_t:file read_file_perms;
-+
+-
+-	# create files in /var/spool/cron
+-	manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+-	filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
+-	files_list_spool($1_t)
+-
+-	# crontab signals crond by updating the mtime on the spooldir
+-	allow $1_t cron_spool_t:dir setattr;
+-
+-	kernel_read_system_state($1_t)
+-
+-	# for the checks used by crontab -u
+-	selinux_dontaudit_search_fs($1_t)
+-
+-	fs_getattr_xattr_fs($1_t)
+-
+-	domain_use_interactive_fds($1_t)
+-
+-	files_read_etc_files($1_t)
+-	files_read_usr_files($1_t)
+-	files_dontaudit_search_pids($1_t)
 +	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
 +	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
 +	files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
  
- 	# create files in /var/spool/cron
- 	manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-@@ -42,7 +51,7 @@ template(`cron_common_crontab_template',`
- 	files_list_spool($1_t)
- 
- 	# crontab signals crond by updating the mtime on the spooldir
--	allow $1_t cron_spool_t:dir setattr;
-+	allow $1_t cron_spool_t:dir setattr_dir_perms;
- 
- 	kernel_read_system_state($1_t)
- 
-@@ -50,6 +59,8 @@ template(`cron_common_crontab_template',`
- 	selinux_dontaudit_search_fs($1_t)
- 
- 	fs_getattr_xattr_fs($1_t)
-+	fs_manage_cgroup_dirs($1_t)
-+	fs_manage_cgroup_files($1_t)
- 
- 	domain_use_interactive_fds($1_t)
- 
-@@ -58,12 +69,16 @@ template(`cron_common_crontab_template',`
- 	files_dontaudit_search_pids($1_t)
- 
  	auth_domtrans_chk_passwd($1_t)
-+	auth_rw_var_auth($1_t)
 +	auth_use_nsswitch($1_t)
  
- 	logging_send_syslog_msg($1_t)
- 	logging_send_audit_msgs($1_t)
-+	logging_set_loginuid($1_t)
- 
- 	init_dontaudit_write_utmp($1_t)
- 	init_read_utmp($1_t)
-+	init_read_state($1_t)
- 
- 	miscfiles_read_localization($1_t)
+-	logging_send_syslog_msg($1_t)
+-	logging_send_audit_msgs($1_t)
+-
+-	init_dontaudit_write_utmp($1_t)
+-	init_read_utmp($1_t)
++	userdom_home_reader($1_t)
  
-@@ -72,9 +87,12 @@ template(`cron_common_crontab_template',`
- 	userdom_manage_user_tmp_dirs($1_t)
- 	userdom_manage_user_tmp_files($1_t)
- 	# Access terminals.
+-	miscfiles_read_localization($1_t)
+-
+-	seutil_read_config($1_t)
+-
+-	userdom_manage_user_tmp_dirs($1_t)
+-	userdom_manage_user_tmp_files($1_t)
+-	# Access terminals.
 -	userdom_use_user_terminals($1_t)
-+	userdom_use_inherited_user_terminals($1_t)
- 	# Read user crontabs
- 	userdom_read_user_home_content_files($1_t)
-+	userdom_read_user_home_content_symlinks($1_t)
-+
-+	userdom_home_reader($1_t)
+-	# Read user crontabs
+-	userdom_read_user_home_content_files($1_t)
+-
+-	tunable_policy(`fcron_crond',`
+-		# fcron wants an instant update of a crontab change for the administrator
+-		# also crontab does a security check for crontab -u
+-		dontaudit $1_t crond_t:process signal;
+-	')
+-
+-	optional_policy(`
+-		nscd_socket_use($1_t)
+-	')
+ ')
  
- 	tunable_policy(`fcron_crond',`
- 		# fcron wants an instant update of a crontab change for the administrator
-@@ -101,10 +119,12 @@ template(`cron_common_crontab_template',`
+ ########################################
+@@ -101,10 +58,12 @@ template(`cron_common_crontab_template',`
  ##	User domain for the role
  ##	</summary>
  ## </param>
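Review bot: The template now drops the crontab local policy (the capability set, spool management, `logging_send_audit_msgs`/`logging_set_loginuid`, the utmp and terminal access, the `fcron_crond` dontaudit and `nscd_socket_use`) in favour of `type $1_t, crontab_domain;`, but no rule on `crontab_domain` is visible in this chunk — the cron.te hunk further down only declares `attribute crontab_domain;`. Whether the audit and loginuid rules in particular were carried over to the attribute matters for crontab's audit trail, so that part of cron.te is worth checking before merging. The lines kept per-instance (`auth_domtrans_chk_passwd`, `auth_use_nsswitch`, the tmp handling, `userdom_home_reader`) are not obviously different in kind from those moved, so a comment above the type line such as `# rules shared by all crontab domains are attached to the crontab_domain attribute in cron.te` would tell the next reader where to look.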
@@ -12016,7 +12044,7 @@ index 6e12dc7..59480a6 100644
  	')
  
  	role $1 types { cronjob_t crontab_t };
-@@ -115,9 +135,20 @@ interface(`cron_role',`
+@@ -115,9 +74,20 @@ interface(`cron_role',`
  	# Transition from the user domain to the derived domain.
  	domtrans_pattern($2, crontab_exec_t, crontab_t)
  
@@ -12038,7 +12066,7 @@ index 6e12dc7..59480a6 100644
  
  	# Run helper programs as the user domain
  	#corecmd_bin_domtrans(crontab_t, $2)
-@@ -150,29 +181,21 @@ interface(`cron_role',`
+@@ -150,29 +120,21 @@ interface(`cron_role',`
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -12075,7 +12103,7 @@ index 6e12dc7..59480a6 100644
  
  	optional_policy(`
  		gen_require(`
-@@ -180,9 +203,8 @@ interface(`cron_unconfined_role',`
+@@ -180,9 +142,8 @@ interface(`cron_unconfined_role',`
  		')
  
  		dbus_stub(unconfined_cronjob_t)
@@ -12086,7 +12114,7 @@ index 6e12dc7..59480a6 100644
  ')
  
  ########################################
-@@ -199,6 +221,7 @@ interface(`cron_unconfined_role',`
+@@ -199,6 +160,7 @@ interface(`cron_unconfined_role',`
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -12094,7 +12122,7 @@ index 6e12dc7..59480a6 100644
  #
  interface(`cron_admin_role',`
  	gen_require(`
-@@ -219,7 +242,10 @@ interface(`cron_admin_role',`
+@@ -219,7 +181,10 @@ interface(`cron_admin_role',`
  
  	# crontab shows up in user ps
  	ps_process_pattern($2, admin_crontab_t)
@@ -12106,7 +12134,7 @@ index 6e12dc7..59480a6 100644
  
  	# Run helper programs as the user domain
  	#corecmd_bin_domtrans(admin_crontab_t, $2)
-@@ -263,6 +289,9 @@ interface(`cron_system_entry',`
+@@ -263,6 +228,9 @@ interface(`cron_system_entry',`
  	domtrans_pattern(crond_t, $2, $1)
  
  	role system_r types $1;
@@ -12116,7 +12144,7 @@ index 6e12dc7..59480a6 100644
  ')
  
  ########################################
-@@ -303,7 +332,7 @@ interface(`cron_exec',`
+@@ -303,7 +271,7 @@ interface(`cron_exec',`
  
  ########################################
  ## <summary>
@@ -12125,7 +12153,7 @@ index 6e12dc7..59480a6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -321,6 +350,29 @@ interface(`cron_initrc_domtrans',`
+@@ -321,6 +289,29 @@ interface(`cron_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -12155,7 +12183,7 @@ index 6e12dc7..59480a6 100644
  ##	Inherit and use a file descriptor
  ##	from the cron daemon.
  ## </summary>
-@@ -358,6 +410,24 @@ interface(`cron_sigchld',`
+@@ -358,6 +349,24 @@ interface(`cron_sigchld',`
  
  ########################################
  ## <summary>
@@ -12180,7 +12208,7 @@ index 6e12dc7..59480a6 100644
  ##	Read a cron daemon unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -376,6 +446,47 @@ interface(`cron_read_pipes',`
+@@ -376,6 +385,47 @@ interface(`cron_read_pipes',`
  
  ########################################
  ## <summary>
@@ -12228,7 +12256,7 @@ index 6e12dc7..59480a6 100644
  ##	Do not audit attempts to write cron daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
-@@ -407,7 +518,43 @@ interface(`cron_rw_pipes',`
+@@ -407,7 +457,43 @@ interface(`cron_rw_pipes',`
  		type crond_t;
  	')
  
@@ -12273,7 +12301,7 @@ index 6e12dc7..59480a6 100644
  ')
  
  ########################################
-@@ -467,6 +614,25 @@ interface(`cron_search_spool',`
+@@ -467,6 +553,25 @@ interface(`cron_search_spool',`
  
  ########################################
  ## <summary>
@@ -12299,7 +12327,7 @@ index 6e12dc7..59480a6 100644
  ##	Manage pid files used by cron
  ## </summary>
  ## <param name="domain">
-@@ -480,6 +646,7 @@ interface(`cron_manage_pid_files',`
+@@ -480,6 +585,7 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -12307,7 +12335,7 @@ index 6e12dc7..59480a6 100644
  	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
  ')
  
-@@ -535,7 +702,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -535,7 +641,7 @@ interface(`cron_write_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -12316,7 +12344,7 @@ index 6e12dc7..59480a6 100644
  ')
  
  ########################################
-@@ -553,7 +720,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -553,7 +659,7 @@ interface(`cron_rw_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -12325,7 +12353,7 @@ index 6e12dc7..59480a6 100644
  ')
  
  ########################################
-@@ -586,11 +753,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -586,11 +692,14 @@ interface(`cron_rw_system_job_stream_sockets',`
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -12341,7 +12369,7 @@ index 6e12dc7..59480a6 100644
  ')
  
  ########################################
-@@ -626,7 +796,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -626,7 +735,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -12390,7 +12418,7 @@ index 6e12dc7..59480a6 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/cron.te b/cron.te
-index b357856..2af4e88 100644
+index b357856..91fc6e1 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -1,4 +1,4 @@
@@ -12399,7 +12427,7 @@ index b357856..2af4e88 100644
  
  gen_require(`
  	class passwd rootok;
-@@ -10,18 +10,18 @@ gen_require(`
+@@ -10,35 +10,36 @@ gen_require(`
  #
  
  ## <desc>
@@ -12426,7 +12454,10 @@ index b357856..2af4e88 100644
  ## </desc>
  gen_tunable(fcron_crond, false)
  
-@@ -31,14 +31,14 @@ type anacron_exec_t;
++attribute crontab_domain;
+ attribute cron_spool_type;
+ 
+ type anacron_exec_t;
  application_executable_file(anacron_exec_t)
  
  type cron_spool_t;
@@ -12443,7 +12474,7 @@ index b357856..2af4e88 100644
  
  # var/log files
  type cron_log_t;
-@@ -61,11 +61,17 @@ domain_cron_exemption_source(crond_t)
+@@ -61,11 +62,17 @@ domain_cron_exemption_source(crond_t)
  type crond_initrc_exec_t;
  init_script_file(crond_initrc_exec_t)
  
@@ -12461,7 +12492,7 @@ index b357856..2af4e88 100644
  
  type crontab_exec_t;
  application_executable_file(crontab_exec_t)
-@@ -79,14 +85,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+@@ -79,14 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
  typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
  typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
  typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
@@ -12479,7 +12510,7 @@ index b357856..2af4e88 100644
  
  type system_cronjob_lock_t alias system_crond_lock_t;
  files_lock_file(system_cronjob_lock_t)
-@@ -94,10 +102,6 @@ files_lock_file(system_cronjob_lock_t)
+@@ -94,10 +103,6 @@ files_lock_file(system_cronjob_lock_t)
  type system_cronjob_tmp_t alias system_crond_tmp_t;
  files_tmp_file(system_cronjob_tmp_t)
  
@@ -12490,7 +12521,7 @@ index b357856..2af4e88 100644
  type unconfined_cronjob_t;
  domain_type(unconfined_cronjob_t)
  domain_cron_exemption_target(unconfined_cronjob_t)
-@@ -106,8 +110,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
+@@ -106,8 +111,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
  type user_cron_spool_t, cron_spool_type;
  typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
  typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
@@ -12512,7 +12543,7 @@ index b357856..2af4e88 100644
  
  ########################################
  #
-@@ -115,7 +131,7 @@ ubac_constrained(user_cron_spool_t)
+@@ -115,7 +132,7 @@ ubac_constrained(user_cron_spool_t)
  #
  
  # Allow our crontab domain to unlink a user cron spool file.
@@ -12521,7 +12552,7 @@ index b357856..2af4e88 100644
  
  # Manipulate other users crontab.
  selinux_get_fs_mount(admin_crontab_t)
-@@ -125,7 +141,7 @@ selinux_compute_create_context(admin_crontab_t)
+@@ -125,7 +142,7 @@ selinux_compute_create_context(admin_crontab_t)
  selinux_compute_relabel_context(admin_crontab_t)
  selinux_compute_user_contexts(admin_crontab_t)
  
@@ -12530,7 +12561,7 @@ index b357856..2af4e88 100644
  	# fcron wants an instant update of a crontab change for the administrator
  	# also crontab does a security check for crontab -u
  	allow admin_crontab_t self:process setfscreate;
-@@ -136,9 +152,9 @@ tunable_policy(`fcron_crond', `
+@@ -136,9 +153,9 @@ tunable_policy(`fcron_crond', `
  # Cron daemon local policy
  #
  
@@ -12542,7 +12573,7 @@ index b357856..2af4e88 100644
  allow crond_t self:process { setexec setfscreate };
  allow crond_t self:fd use;
  allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -151,6 +167,7 @@ allow crond_t self:sem create_sem_perms;
+@@ -151,6 +168,7 @@ allow crond_t self:sem create_sem_perms;
  allow crond_t self:msgq create_msgq_perms;
  allow crond_t self:msg { send receive };
  allow crond_t self:key { search write link };
@@ -12550,7 +12581,7 @@ index b357856..2af4e88 100644
  
  manage_files_pattern(crond_t, cron_log_t, cron_log_t)
  logging_log_filetrans(crond_t, cron_log_t, file)
-@@ -187,27 +204,47 @@ fs_list_inotifyfs(crond_t)
+@@ -187,27 +205,47 @@ fs_list_inotifyfs(crond_t)
  
  # need auth_chkpwd to check for locked accounts.
  auth_domtrans_chk_passwd(crond_t)
@@ -12599,7 +12630,7 @@ index b357856..2af4e88 100644
  logging_send_syslog_msg(crond_t)
  logging_set_loginuid(crond_t)
  
-@@ -220,20 +257,23 @@ miscfiles_read_localization(crond_t)
+@@ -220,20 +258,23 @@ miscfiles_read_localization(crond_t)
  userdom_use_unpriv_users_fds(crond_t)
  # Not sure why this is needed
  userdom_list_user_home_dirs(crond_t)
@@ -12628,7 +12659,7 @@ index b357856..2af4e88 100644
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
  	optional_policy(`
-@@ -241,7 +281,7 @@ ifdef(`distro_redhat', `
+@@ -241,7 +282,7 @@ ifdef(`distro_redhat', `
  	')
  ')
  
@@ -12637,7 +12668,7 @@ index b357856..2af4e88 100644
  	files_polyinstantiate_all(crond_t)
  ')
  
-@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +291,27 @@ tunable_policy(`fcron_crond', `
  ')
  
  optional_policy(`
@@ -12665,7 +12696,7 @@ index b357856..2af4e88 100644
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -264,6 +320,8 @@ optional_policy(`
+@@ -264,6 +321,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -12674,7 +12705,7 @@ index b357856..2af4e88 100644
  ')
  
  optional_policy(`
-@@ -286,15 +344,25 @@ optional_policy(`
+@@ -286,15 +345,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12700,7 +12731,7 @@ index b357856..2af4e88 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +375,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -12721,7 +12752,7 @@ index b357856..2af4e88 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +407,7 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -12729,7 +12760,7 @@ index b357856..2af4e88 100644
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,11 +418,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,11 +419,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -12747,7 +12778,7 @@ index b357856..2af4e88 100644
  kernel_read_system_state(system_cronjob_t)
  kernel_read_software_raid_state(system_cronjob_t)
  
-@@ -353,7 +436,6 @@ files_dontaudit_search_boot(system_cronjob_t)
+@@ -353,7 +437,6 @@ files_dontaudit_search_boot(system_cronjob_t)
  
  corecmd_exec_all_executables(system_cronjob_t)
  
@@ -12755,7 +12786,7 @@ index b357856..2af4e88 100644
  corenet_all_recvfrom_netlabel(system_cronjob_t)
  corenet_tcp_sendrecv_generic_if(system_cronjob_t)
  corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -365,6 +447,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +448,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -12763,7 +12794,7 @@ index b357856..2af4e88 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -376,7 +459,6 @@ fs_getattr_all_sockets(system_cronjob_t)
+@@ -376,7 +460,6 @@ fs_getattr_all_sockets(system_cronjob_t)
  domain_dontaudit_read_all_domains_state(system_cronjob_t)
  
  files_exec_etc_files(system_cronjob_t)
@@ -12771,7 +12802,7 @@ index b357856..2af4e88 100644
  files_read_etc_runtime_files(system_cronjob_t)
  files_list_all(system_cronjob_t)
  files_getattr_all_dirs(system_cronjob_t)
-@@ -391,6 +473,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +474,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -12779,7 +12810,7 @@ index b357856..2af4e88 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -413,8 +496,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +497,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
  
  seutil_read_config(system_cronjob_t)
  
@@ -12791,7 +12822,7 @@ index b357856..2af4e88 100644
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -439,6 +524,8 @@ optional_policy(`
+@@ -439,6 +525,8 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -12800,7 +12831,7 @@ index b357856..2af4e88 100644
  ')
  
  optional_policy(`
-@@ -446,6 +533,14 @@ optional_policy(`
+@@ -446,6 +534,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12815,7 +12846,7 @@ index b357856..2af4e88 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,6 +551,10 @@ optional_policy(`
+@@ -456,6 +552,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12826,7 +12857,7 @@ index b357856..2af4e88 100644
  	lpd_list_spool(system_cronjob_t)
  ')
  
-@@ -464,7 +563,9 @@ optional_policy(`
+@@ -464,7 +564,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12836,7 +12867,7 @@ index b357856..2af4e88 100644
  ')
  
  optional_policy(`
-@@ -472,6 +573,10 @@ optional_policy(`
+@@ -472,6 +574,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12847,7 +12878,7 @@ index b357856..2af4e88 100644
  	postfix_read_config(system_cronjob_t)
  ')	
  
-@@ -480,7 +585,7 @@ optional_policy(`
+@@ -480,7 +586,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -12856,7 +12887,7 @@ index b357856..2af4e88 100644
  ')
  
  optional_policy(`
-@@ -495,6 +600,7 @@ optional_policy(`
+@@ -495,6 +601,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -12864,7 +12895,7 @@ index b357856..2af4e88 100644
  ')
  
  optional_policy(`
-@@ -502,7 +608,18 @@ optional_policy(`
+@@ -502,7 +609,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12883,7 +12914,7 @@ index b357856..2af4e88 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -542,7 +659,6 @@ kernel_read_kernel_sysctls(cronjob_t)
+@@ -542,7 +660,6 @@ kernel_read_kernel_sysctls(cronjob_t)
  # ps does not need to access /boot when run from cron
  files_dontaudit_search_boot(cronjob_t)
  
@@ -12891,7 +12922,7 @@ index b357856..2af4e88 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -595,9 +711,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +712,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -12905,6 +12936,85 @@ index b357856..2af4e88 100644
  	allow crond_t user_cron_spool_t:file manage_file_perms;
  ')
  
+@@ -626,3 +746,78 @@ optional_policy(`
+ 
+ 	unconfined_domain(unconfined_cronjob_t)
+ ')
++
++##############################
++#
++# crontab common policy
++#
++
++# dac_override is to create the file in the directory under /tmp
++allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
++allow crontab_domain self:process { getcap setsched signal_perms };
++allow crontab_domain self:fifo_file rw_fifo_file_perms;
++
++allow crontab_domain crond_t:process signal;
++allow crontab_domain crond_var_run_t:file read_file_perms;
++
++# create files in /var/spool/cron
++manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
++filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
++files_list_spool(crontab_domain)
++
++# crontab signals crond by updating the mtime on the spooldir
++allow crontab_domain cron_spool_t:dir setattr_dir_perms;
++
++kernel_read_system_state(crontab_domain)
++
++# for the checks used by crontab -u
++selinux_dontaudit_search_fs(crontab_domain)
++
++fs_getattr_xattr_fs(crontab_domain)
++fs_manage_cgroup_dirs(crontab_domain)
++fs_manage_cgroup_files(crontab_domain)
++
++domain_use_interactive_fds(crontab_domain)
++
++files_read_etc_files(crontab_domain)
++files_read_usr_files(crontab_domain)
++files_dontaudit_search_pids(crontab_domain)
++
++fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
++
++auth_rw_var_auth(crontab_domain)
++
++logging_send_syslog_msg(crontab_domain)
++logging_send_audit_msgs(crontab_domain)
++logging_set_loginuid(crontab_domain)
++
++init_dontaudit_write_utmp(crontab_domain)
++init_read_utmp(crontab_domain)
++init_read_state(crontab_domain)
++
++miscfiles_read_localization(crontab_domain)
++
++seutil_read_config(crontab_domain)
++
++userdom_manage_user_tmp_dirs(crontab_domain)
++userdom_manage_user_tmp_files(crontab_domain)
++# Access terminals.
++userdom_use_inherited_user_terminals(crontab_domain)
++# Read user crontabs
++userdom_read_user_home_content_files(crontab_domain)
++userdom_read_user_home_content_symlinks(crontab_domain)
++
++tunable_policy(`fcron_crond',`
++	# fcron wants an instant update of a crontab change for the administrator
++	# also crontab does a security check for crontab -u
++	dontaudit crontab_domain crond_t:process signal;
++')
++
++#optional_policy(`
++#	ssh_dontaudit_use_ptys(crontab_domain)
++#')
++
++optional_policy(`
++	openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
++	openshift_transition(system_cronjob_t)
++')
 diff --git a/ctdbd.fc b/ctdbd.fc
 new file mode 100644
 index 0000000..2db6b61
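Review bot: The `dontaudit crontab_domain crond_t:process signal;` inside the `tunable_policy(`fcron_crond'` block is dead policy, because the same permission is granted unconditionally a few lines earlier by `allow crontab_domain crond_t:process signal;`, so the boolean no longer changes anything and every crontab domain can signal crond whether or not fcron is in use. The usual refpolicy shape keeps least privilege by putting the `allow` in the tunable's true branch and the `dontaudit` in its else branch, which also makes the comment about fcron wanting an instant update actually describe the rule it sits above. Separately, `openshift_transition(system_cronjob_t)` is placed under the "crontab common policy" heading although its subject is system_cronjob_t, not crontab_domain; a one-line comment such as `# system cron jobs runcon into openshift gear domains` beside it would keep the intent findable, and the `fs_manage_cgroup_dirs/files(crontab_domain)` rules deserve the same kind of why-comment that `dac_override` received. The declaration of the crontab_domain attribute is outside this hunk, so which types it covers cannot be checked here.
```selinux
# … unchanged: capability, spool, crond_var_run_t and fs rules …
# (the unconditional "allow crontab_domain crond_t:process signal;" is removed)
tunable_policy(`fcron_crond',`
	# fcron wants an instant update of a crontab change for the administrator
	# also crontab does a security check for crontab -u
	allow crontab_domain crond_t:process signal;
',`
	dontaudit crontab_domain crond_t:process signal;
')
# … unchanged: openshift optional_policy …
```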
@@ -39095,6 +39205,1045 @@ index 0000000..faa9b16
 +logging_send_syslog_msg(openhpid_t)
 +
 +miscfiles_read_localization(openhpid_t)
+diff --git a/openshift-origin.fc b/openshift-origin.fc
+new file mode 100644
+index 0000000..30ca148
+--- /dev/null
++++ b/openshift-origin.fc
+@@ -0,0 +1 @@
++# Left Blank
+diff --git a/openshift-origin.if b/openshift-origin.if
+new file mode 100644
+index 0000000..3eb6a30
+--- /dev/null
++++ b/openshift-origin.if
+@@ -0,0 +1 @@
++## <summary></summary>
+diff --git a/openshift-origin.te b/openshift-origin.te
+new file mode 100644
+index 0000000..722adfb
+--- /dev/null
++++ b/openshift-origin.te
+@@ -0,0 +1,11 @@
++policy_module(openshift-origin,1.0.0)
++gen_require(`
++	attribute openshift_domain;
++')
++
++########################################
++#
++# openshift origin standard local policy
++#
++corenet_tcp_connect_all_ports(openshift_domain)
++corenet_tcp_bind_all_ports(openshift_domain)
+diff --git a/openshift.fc b/openshift.fc
+new file mode 100644
+index 0000000..2144799
+--- /dev/null
++++ b/openshift.fc
+@@ -0,0 +1,26 @@
++/etc/rc\.d/init\.d/libra        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mcollective        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++
++/var/lib/stickshift/.httpd.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/stickshift/.stickshift-proxy.d(/.*)?   gen_context(system_u:object_r:etc_t,s0)
++/var/lib/stickshift/.limits.d(/.*)?        gen_context(system_u:object_r:etc_t,s0)
++
++/var/lib/stickshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
++#/usr/libexec/stickshift/cartridges(/.*)?    gen_context(system_u:object_r:openshift_var_lib_t,s0)
++#/var/lib/stickshift/.*            <<none>>
++/var/lib/stickshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/stickshift/.*/data(/.*)?	       gen_context(system_u:object_r:openshift_rw_file_t,s0)
++/var/lib/stickshift/.*/\.tmp(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
++/var/lib/stickshift/.*/\.sandbox(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
++/var/lib/stickshift/a?quota\.(user|group)    --    gen_context(system_u:object_r:quota_db_t,s0)
++
++/var/log/mcollective\.log        --    gen_context(system_u:object_r:openshift_log_t,s0)
++
++/usr/bin/rhc-cgroup-read        --    gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
++
++/usr/bin/rhc-restorer           --    gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/usr/bin/rhc-restorer-wrapper.sh    --  gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++
++/var/run/stickshift(/.*)?		    	gen_context(system_u:object_r:openshift_var_run_t,s0)
++
++/sandbox(/.*)?                                  gen_context(system_u:object_r:tmp_t,s0)
+diff --git a/openshift.if b/openshift.if
+new file mode 100644
+index 0000000..fc734fd
+--- /dev/null
++++ b/openshift.if
+@@ -0,0 +1,545 @@
++## <summary> policy for openshift </summary>
++
++########################################
++## <summary>
++##	Execute openshift server in the openshift domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`openshift_initrc_domtrans',`
++	gen_require(`
++		type openshift_initrc_t;
++		type openshift_initrc_exec_t;
++	')
++
++	domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
++')
++
++########################################
++## <summary>
++##	Search openshift cache directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_search_cache',`
++	gen_require(`
++		type openshift_cache_t;
++	')
++
++	allow $1 openshift_cache_t:dir search_dir_perms;
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Read openshift cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_read_cache_files',`
++	gen_require(`
++		type openshift_cache_t;
++	')
++
++	files_search_var($1)
++        read_files_pattern($1, openshift_cache_t openshift_cache_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	openshift cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_manage_cache_files',`
++	gen_require(`
++		type openshift_cache_t;
++	')
++
++	files_search_var($1)
++        manage_files_pattern($1, openshift_cache_t, openshift_cache_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	openshift cache dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_manage_cache_dirs',`
++	gen_require(`
++		type openshift_cache_t;
++	')
++
++	files_search_var($1)
++        manage_dirs_pattern($1, openshift_cache_t, openshift_cache_t)
++')
++
++
++########################################
++## <summary>
++##	Allow the specified domain to read openshift's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`openshift_read_log',`
++	gen_require(`
++		type openshift_log_t;
++	')
++
++	logging_search_logs($1)
++        read_files_pattern($1, openshift_log_t, openshift_log_t)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to append
++##	openshift log files.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed to transition.
++## 	</summary>
++## </param>
++#
++interface(`openshift_append_log',`
++	gen_require(`
++		type openshift_log_t;
++	')
++
++	logging_search_logs($1)
++        append_files_pattern($1, openshift_log_t, openshift_log_t)
++')
++
++########################################
++## <summary>
++##	Allow domain to manage openshift log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`openshift_manage_log',`
++	gen_require(`
++		type openshift_log_t;
++	')
++
++	logging_search_logs($1)
++        manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
++        manage_files_pattern($1, openshift_log_t, openshift_log_t)
++        manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
++')
++
++########################################
++## <summary>
++##	Search openshift lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_search_lib',`
++	gen_require(`
++		type openshift_var_lib_t;
++	')
++
++	allow $1 openshift_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read openshift lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_read_lib_files',`
++	gen_require(`
++		type openshift_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read openshift lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_append_lib_files',`
++	gen_require(`
++		type openshift_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++ 	append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	openshift lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_manage_lib_files',`
++	gen_require(`
++		type openshift_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage openshift lib dirs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_manage_lib_dirs',`
++	gen_require(`
++		type openshift_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	Read openshift PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_read_pid_files',`
++	gen_require(`
++		type openshift_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 openshift_var_run_t:file read_file_perms;
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an openshift environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`openshift_admin',`
++	gen_require(`
++		type openshift_t;
++		type openshift_initrc_exec_t;
++                type openshift_cache_t;
++                type openshift_log_t;
++                type openshift_var_lib_t;
++                type openshift_var_run_t;
++	')
++
++	allow $1 openshift_t:process { ptrace signal_perms };
++	ps_process_pattern($1, openshift_t)
++
++	openshift_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 openshift_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_var($1)
++	admin_pattern($1, openshift_cache_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, openshift_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, openshift_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, openshift_var_run_t)
++
++')
++
++########################################
++## <summary>
++##	Make the specified type usable as a openshift domain.
++## </summary>
++## <param name="openshiftdomain_prefix">
++##  <summary>
++##  The prefix of the domain (e.g., openshift
++##  is the prefix for openshift_t).
++##  </summary>
++## </param>
++#
++template(`openshift_service_domain_template',`
++	gen_require(`
++		attribute openshift_domain;
++		attribute openshift_user_domain;
++	')
++
++	type $1_t, openshift_domain, openshift_user_domain;
++	#typeattribute $1_t openshift_domain, openshift_user_domain;
++	domain_type($1_t)
++	role system_r types $1_t;
++	mcs_untrusted_proc($1_t)
++	domain_user_exemption_target($1_t)
++	auth_use_nsswitch($1_t)
++	domain_obj_id_change_exemption($1_t)
++	domain_dyntrans_type($1_t)
++
++	type $1_app_t, openshift_domain;
++	#typeattribute $1_app_t, openshift_domain;
++	domain_type($1_app_t)
++	role system_r types $1_app_t;
++	mcs_untrusted_proc($1_app_t)
++	domain_user_exemption_target($1_app_t)
++	domain_obj_id_change_exemption($1_app_t)
++	domain_dyntrans_type($1_app_t)
++')
++
++########################################
++## <summary>
++##	Make the specified type usable as a openshift domain.
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type to be used as a openshift domain type.
++##	</summary>
++## </param>
++#
++template(`openshift_net_type',`
++	gen_require(`
++		attribute openshift_net_domain;
++	')
++
++	typeattribute $1 openshift_net_domain;
++')
++
++########################################
++## <summary>
++##	Read and write inherited openshift files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_rw_inherited_content',`
++	gen_require(`
++		attribute openshift_file_type;
++	')
++
++	allow $1 openshift_file_type:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Manage openshift tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_manage_tmp_files',`
++	gen_require(`
++		type openshift_tmp_t;
++	')
++
++	manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
++')
++
++########################################
++## <summary>
++##	Manage openshift tmp sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_manage_tmp_sockets',`
++	gen_require(`
++		type openshift_tmp_t;
++	')
++
++	manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
++')
++
++########################################
++## <summary>
++##	Mounton openshift tmp directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_mounton_tmp',`
++	gen_require(`
++		type openshift_tmp_t;
++	')
++
++	allow $1 openshift_tmp_t:dir mounton;
++')
++
++########################################
++## <summary>
++##	Dontaudit Read and write inherited script fifo files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_dontaudit_rw_inherited_fifo_files',`
++	gen_require(`
++		type openshift_initrc_t;
++	')
++
++	dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	Allow calling app to transition to an openshift domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`openshift_transition',`
++	gen_require(`
++		attribute openshift_user_domain;
++	')
++
++	allow $1 openshift_user_domain:process transition;
++	dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
++	allow openshift_user_domain $1:fd use;
++	allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
++	allow openshift_user_domain $1:process sigchld;
++	dontaudit $1 openshift_user_domain:socket_class_set { read write };
++')
++
++########################################
++## <summary>
++##	Allow calling app to transition to an openshift domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`openshift_dyntransition',`
++	gen_require(`
++		attribute openshift_user_domain;
++	')
++
++	allow $1 openshift_user_domain:process dyntransition;
++	dontaudit openshift_user_domain $1:key view;
++	allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
++	allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
++	allow $1 openshift_user_domain:process { rlimitinh signal };
++	dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
++')
++
++########################################
++## <summary>
++##	Execute openshift in the openshift domain, and
++##	allow the specified role the openshift domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_run',`
++	gen_require(`
++		type openshift_initrc_exec_t;
++	')
++
++	openshift_initrc_domtrans($1)
++	role_transition $2 openshift_initrc_exec_t system_r;
++	openshift_transition($1)
++')
+diff --git a/openshift.te b/openshift.te
+new file mode 100644
+index 0000000..0d24b97
+--- /dev/null
++++ b/openshift.te
+@@ -0,0 +1,419 @@
++policy_module(openshift,1.0.0)
++
++gen_require(`
++	role system_r;
++')
++ 
++########################################
++#
++# Declarations
++#
++
++# openshift applications that can use the network.
++attribute openshift_net_domain;
++# Attribute representing all openshift user processes execludes run by apache
++attribute openshift_user_domain;
++# Attribute representing all openshift processes
++attribute openshift_domain;
++
++# Attribute for all openshift content
++attribute openshift_file_type;
++
++# Type of openshift init script
++type openshift_initrc_t;
++type openshift_initrc_exec_t;
++init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t)
++init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
++oddjob_system_entry(openshift_initrc_t, openshift_initrc_exec_t)
++
++type openshift_initrc_tmp_t;
++files_tmp_file(openshift_initrc_tmp_t)
++
++type openshift_tmp_t, openshift_file_type;
++files_tmp_file(openshift_tmp_t)
++files_mountpoint(openshift_tmp_t)
++files_poly(openshift_tmp_t)
++files_poly_parent(openshift_tmp_t)
++
++type openshift_var_run_t;
++files_pid_file(openshift_var_run_t)
++
++type openshift_var_lib_t, openshift_file_type;
++files_poly(openshift_var_lib_t)
++files_poly_parent(openshift_var_lib_t)
++
++type openshift_rw_file_t, openshift_file_type;
++files_poly(openshift_rw_file_t)
++files_poly_parent(openshift_rw_file_t)
++
++type openshift_log_t;
++logging_log_file(openshift_log_t)
++
++type openshift_port_t;
++corenet_port(openshift_port_t)
++corenet_reserved_port(openshift_port_t)
++
++########################################
++#
++# Template to create openshift_t and openshift_app_t
++#
++
++openshift_service_domain_template(openshift)
++
++########################################
++#
++# openshift general local policy
++#
++
++allow openshift_domain self:process { setcurrent getcap getattr fork getpgid setpgid setrlimit setfscreate setsched signal_perms getsched execmem execstack };
++
++allow openshift_domain self:msg all_msg_perms;
++allow openshift_domain self:msgq create_msgq_perms;
++allow openshift_domain self:shm create_shm_perms;
++allow openshift_domain self:sem create_sem_perms;
++# Not sure if we should allow or dontaudit.
++#allow openshift_domain self:socket  create_socket_perms;
++dontaudit openshift_domain self:netlink_tcpdiag_socket create;
++allow openshift_domain self:tcp_socket  create_stream_socket_perms;
++
++allow openshift_domain self:fifo_file manage_fifo_file_perms;
++allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto };
++dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay };
++
++allow openshift_domain openshift_log_t:file { getattr append lock ioctl };
++
++dontaudit openshift_domain openshift_initrc_tmp_t:file append;
++dontaudit openshift_domain openshift_var_run_t:file append;
++dontaudit openshift_domain openshift_file_type:sock_file execute;
++
++manage_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++manage_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++manage_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++manage_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++manage_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++allow openshift_domain openshift_file_type:file execmod;
++files_read_var_lib_symlinks(openshift_domain)
++can_exec(openshift_domain, openshift_file_type)
++allow openshift_domain openshift_file_type:file entrypoint;
++
++manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++files_tmp_filetrans(openshift_user_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file })
++allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto };
++
++list_dirs_pattern(openshift_domain, openshift_var_lib_t, openshift_var_lib_t)
++read_files_pattern(openshift_domain, openshift_var_lib_t, openshift_var_lib_t)
++rw_fifo_files_pattern(openshift_domain, openshift_var_lib_t, openshift_var_lib_t)
++rw_sock_files_pattern(openshift_domain, openshift_var_lib_t, openshift_var_lib_t)
++read_lnk_files_pattern(openshift_domain, openshift_var_lib_t, openshift_var_lib_t)
++allow openshift_domain openshift_var_lib_t:file entrypoint;
++
++# Dontaudit openshift domains trying to search other openshift domains directories, 
++# this happens just when users are probing the system
++dontaudit openshift_user_domain openshift_var_lib_t:dir search_dir_perms
++;
++
++kernel_read_system_state(openshift_user_domain)
++kernel_read_network_state(openshift_user_domain)
++kernel_dontaudit_list_all_proc(openshift_user_domain)
++kernel_dontaudit_list_all_sysctls(openshift_user_domain)
++kernel_dontaudit_request_load_module(openshift_user_domain)
++kernel_get_sysvipc_info(openshift_user_domain)
++
++corecmd_exec_bin(openshift_user_domain)
++corecmd_exec_shell(openshift_user_domain)
++corecmd_dontaudit_exec_all_executables(openshift_user_domain)
++# corecmd_dontaudit_read_all_executables(openshift_user_domain)
++
++dev_list_sysfs(openshift_user_domain)
++dev_read_rand(openshift_user_domain)
++dev_dontaudit_append_rand(openshift_user_domain)
++dev_dontaudit_write_urand(openshift_user_domain)
++dev_dontaudit_getattr_all_blk_files(openshift_user_domain)
++dev_dontaudit_getattr_all_chr_files(openshift_user_domain)
++
++domain_use_interactive_fds(openshift_user_domain)
++domain_dontaudit_read_all_domains_state(openshift_user_domain)
++
++fs_rw_hugetlbfs_files(openshift_user_domain)
++fs_dontaudit_rw_anon_inodefs_files(openshift_user_domain)
++fs_search_tmpfs(openshift_user_domain)
++fs_getattr_xattr_fs(openshift_user_domain)
++fs_dontaudit_getattr_all_fs(openshift_user_domain)
++fs_list_inotifyfs(openshift_user_domain)
++fs_dontaudit_list_auto_mountpoints(openshift_user_domain)
++fs_dontaudit_list_tmpfs(openshift_user_domain)
++storage_dontaudit_getattr_fixed_disk_dev(openshift_user_domain)
++storage_getattr_fixed_disk_dev(openshift_user_domain)
++fs_get_xattr_fs_quotas(openshift_user_domain)
++fs_rw_inherited_tmpfs_files(openshift_user_domain)
++fs_dontaudit_rw_anon_inodefs_files(openshift_user_domain)
++
++dontaudit openshift_domain file_type:dir read;
++files_dontaudit_list_home(openshift_user_domain)
++files_dontaudit_search_all_pids(openshift_user_domain)
++files_dontaudit_getattr_all_dirs(openshift_user_domain)
++files_dontaudit_getattr_all_files(openshift_user_domain)
++files_dontaudit_list_mnt(openshift_user_domain)
++files_dontaudit_list_var(openshift_user_domain)
++files_dontaudit_getattr_lost_found_dirs(openshift_user_domain)
++files_dontaudit_search_all_mountpoints(openshift_user_domain)
++files_dontaudit_search_spool(openshift_user_domain)
++files_dontaudit_search_all_dirs(openshift_user_domain)
++files_dontaudit_list_var(openshift_user_domain)
++files_read_etc_files(openshift_user_domain)
++files_exec_etc_files(openshift_user_domain)
++files_read_usr_files(openshift_user_domain)
++files_dontaudit_getattr_non_security_sockets(openshift_user_domain)
++files_dontaudit_setattr_etc_runtime_files(openshift_user_domain)
++
++libs_exec_lib_files(openshift_user_domain)
++libs_exec_ld_so(openshift_user_domain)
++
++logging_send_syslog_msg(openshift_user_domain)
++
++selinux_validate_context(openshift_user_domain)
++
++logging_inherit_append_all_logs(openshift_user_domain)
++
++init_dontaudit_read_utmp(openshift_user_domain)
++
++miscfiles_read_localization(openshift_user_domain)
++miscfiles_read_fonts(openshift_user_domain)
++miscfiles_read_man_pages(openshift_user_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_user_domain)
++
++mta_dontaudit_read_spool_symlinks(openshift_user_domain)
++
++term_dontaudit_search_ptys(openshift_user_domain)
++term_use_ptmx(openshift_user_domain)
++
++userdom_dontaudit_search_admin_dir(openshift_user_domain)
++
++application_exec(openshift_user_domain)
++
++optional_policy(`
++	apache_exec(openshift_user_domain)
++	apache_exec_modules(openshift_user_domain)
++	apache_list_modules(openshift_user_domain)
++	apache_read_config(openshift_user_domain)
++	apache_search_config(openshift_user_domain)
++	apache_read_sys_content(openshift_user_domain)
++	apache_exec_sys_script(openshift_user_domain)
++')
++
++########################################
++#
++# openshift initrc local policy
++#
++
++mcs_process_set_categories(openshift_initrc_t)
++
++manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
++manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
++manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
++files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir })
++
++manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
++manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
++manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
++files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir })
++
++manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
++manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
++logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir })
++
++allow openshift_initrc_t openshift_user_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow openshift_user_domain openshift_initrc_t:fd use;
++allow openshift_user_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++allow openshift_user_domain openshift_initrc_t:process sigchld;
++dontaudit openshift_user_domain openshift_initrc_t:key view;
++dontaudit openshift_user_domain openshift_initrc_t:process signull;
++dontaudit openshift_user_domain openshift_initrc_t:socket_class_set { read write };
++
++optional_policy(`
++	unconfined_domain_noaudit(openshift_initrc_t)
++')
++
++########################################
++#
++# generic policy 
++#
++
++corecmd_exec_all_executables(openshift_user_domain)
++
++optional_policy(`
++	apache_entrypoint(openshift_user_domain)
++')
++
++optional_policy(`
++	ssh_getattr_user_home_dir(openshift_user_domain)
++	ssh_dontaudit_search_user_home_dir(openshift_user_domain)
++')
++
++########################################
++#
++# Cron support
++#
++
++optional_policy(`
++	cron_role(system_r, openshift_user_domain)
++')
++
++########################################
++#
++# Mysql support
++#
++
++allow openshift_user_domain self:process setexec;
++
++optional_policy(`
++	mysql_search_db(openshift_user_domain)
++')
++
++########################################
++#
++# Node.js support
++#
++
++allow openshift_user_domain anon_inodefs_t:file write;
++
++#############################################
++# 
++# openshift cgi script policy
++#
++
++optional_policy(`
++	apache_content_template(openshift)
++	domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
++	oddjob_dbus_chat(httpd_openshift_script_t)
++	dbus_system_bus_client(httpd_openshift_script_t)
++	')
++
++
++#################################
++# Potentially dangerous configs #
++#################################
++
++# Allow users to execute files in their home dir
++allow openshift_user_domain openshift_var_lib_t:file { execute execute_no_trans };
++
++#################################
++# Allow Log Rotation            #
++#################################
++
++corecmd_shell_entry_type(openshift_user_domain)
++corecmd_bin_entry_type(openshift_user_domain)
++userdom_use_inherited_user_ptys(openshift_user_domain)
++
++optional_policy(`
++	oddjob_dontaudit_rw_fifo_file(openshift_user_domain)
++')
++type openshift_cgroup_read_t;
++type openshift_cgroup_read_exec_t;
++application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
++
++optional_policy(`
++	gpg_entry_type(openshift_user_domain)
++')
++
++optional_policy(`
++	apache_exec_rotatelogs(openshift_user_domain)
++')
++
++########################################
++#
++# openshift_cgroup_read local policy
++#
++
++allow openshift_cgroup_read_t self:process { getattr signal_perms };
++allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms;
++allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
++allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++
++corecmd_exec_bin(openshift_cgroup_read_t)
++
++dev_read_urand(openshift_cgroup_read_t)
++
++domain_use_interactive_fds(openshift_cgroup_read_t)
++
++files_read_etc_files(openshift_cgroup_read_t)
++
++fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
++
++userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
++
++miscfiles_read_generic_certs(openshift_cgroup_read_t)
++miscfiles_read_localization(openshift_cgroup_read_t)
++
++domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t)
++role system_r types openshift_cgroup_read_t;
++
++allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
++
++fs_read_cgroup_files(openshift_cgroup_read_t)
++
++allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
++read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
++
++#optional_policy(`
++#	ssh_dontaudit_use_ptys(openshift_cgroup_read_t)
++#')
++
++#######################################################
++#
++# Policy for all openshift user domain process
++#
++
++allow openshift_domain self:process ptrace;
++
++manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++list_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++read_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++rw_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++rw_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++read_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++
++term_use_ptmx(openshift_domain)
++
++#optional_policy(`
++#	ssh_use_ptys(openshift_domain)
++#')
++
++#######################################################
++#
++# Policy for openshift user domain process
++#
++
++manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto };
++allow openshift_user_domain openshift_domain:process transition;
++allow openshift_user_domain openshift_domain:process ptrace;
++
++############################################################################
++#
++# Rules specific to openshift and openshift_app_t
++#
++
++kernel_read_vm_sysctls(openshift_t)
++kernel_read_vm_sysctls(openshift_app_t)
++kernel_search_vm_sysctl(openshift_t)
++kernel_search_vm_sysctl(openshift_app_t)
++netutils_domtrans_ping(openshift_t)
++netutils_kill_ping(openshift_t)
++netutils_signal_ping(openshift_t)
++
++openshift_net_type(openshift_app_t)
++openshift_net_type(openshift_t)
 diff --git a/openvpn.if b/openvpn.if
 index d883214..d6afa87 100644
 --- a/openvpn.if
@@ -45361,7 +46510,7 @@ index 2855a44..6993089 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 +')
 diff --git a/puppet.te b/puppet.te
-index baa88f6..f683a84 100644
+index baa88f6..5b66b56 100644
 --- a/puppet.te
 +++ b/puppet.te
 @@ -13,6 +13,13 @@ policy_module(puppet, 1.3.0)
@@ -45484,7 +46633,7 @@ index baa88f6..f683a84 100644
  	portage_domtrans(puppet_t)
  	portage_domtrans_fetch(puppet_t)
  	portage_domtrans_gcc_config(puppet_t)
-@@ -164,8 +191,131 @@ optional_policy(`
+@@ -164,8 +191,135 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45548,6 +46697,10 @@ index baa88f6..f683a84 100644
 +')
 +
 +optional_policy(`
++	openshift_initrc_domtrans(puppet_t)
++')
++
++optional_policy(`
 +	quota_filetrans_named_content(puppet_t)
 +')
 +
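Review bot: The new `openshift_initrc_domtrans(puppet_t)` carries no comment saying which puppet-driven operation needs it, and the target domain is one the openshift policy earlier in this patch wraps in `unconfined_domain_noaudit(openshift_initrc_t)` when the unconfined module is present, so for such builds this transition is effectively an unconfined path for puppet_t. A one-line justification above the optional_policy block, naming the init script or action puppet invokes, would let a later reader judge whether the transition is still required. The same addition for rpm_script_t appears in the rpm.te hunk below; the widening there is smaller because that domain already has `unconfined_domtrans(rpm_script_t)` in the surrounding context. The enclosing puppet_t section of puppet.te continues outside this hunk.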
@@ -45618,7 +46771,7 @@ index baa88f6..f683a84 100644
  ')
  
  ########################################
-@@ -184,51 +334,84 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
+@@ -184,51 +338,84 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
  list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
  read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
  
@@ -45709,7 +46862,7 @@ index baa88f6..f683a84 100644
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
-@@ -239,3 +422,9 @@ optional_policy(`
+@@ -239,3 +426,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -49862,7 +51015,7 @@ index 137605a..7624759 100644
 +	')
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 783f678..a94c367 100644
+index 783f678..72af387 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -49875,7 +51028,7 @@ index 783f678..a94c367 100644
  allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
  allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -43,17 +46,26 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+@@ -43,17 +46,30 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  
  manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
  manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
@@ -49903,6 +51056,10 @@ index 783f678..a94c367 100644
  sysnet_dns_name_resolve(rhsmcertd_t)
 +
 +rpm_read_db(rhsmcertd_t)
++
++optional_policy(`
++	gnome_dontaudit_search_config(rhsmcertd_t)
++')
 diff --git a/ricci.fc b/ricci.fc
 index 5b08327..4d5819e 100644
 --- a/ricci.fc
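Review bot: `gnome_dontaudit_search_config(rhsmcertd_t)` is added without a comment tying it to the denial it silences; the changelog line "Dontaudit rhsmcertd-worker to search /root/.local" is the only explanation, and dontaudit rules are easy to misread as harmless later. If that path is what the gnome config interface covers, a comment such as `# rhsmcertd-worker probes /root/.local; silence the denial rather than grant search` would record both the trigger and the deliberate choice not to allow it. The rhsmcertd_t section continues outside this hunk.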
@@ -51433,7 +52590,7 @@ index 951d8f6..8ba0f86 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/rpm.te b/rpm.te
-index 60149a5..aa590f5 100644
+index 60149a5..31fc8f1 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,12 +1,11 @@
@@ -51703,7 +52860,7 @@ index 60149a5..aa590f5 100644
  ')
  
  optional_policy(`
-@@ -372,8 +401,13 @@ optional_policy(`
+@@ -372,8 +401,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51714,12 +52871,16 @@ index 60149a5..aa590f5 100644
 +')
 +
 +optional_policy(`
++	openshift_initrc_domtrans(rpm_script_t)
++')
++
++optional_policy(`
 +	tzdata_domtrans(rpm_t)
 +	tzdata_domtrans(rpm_script_t)
  ')
  
  optional_policy(`
-@@ -381,7 +415,7 @@ optional_policy(`
+@@ -381,7 +419,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51728,7 +52889,7 @@ index 60149a5..aa590f5 100644
  	unconfined_domtrans(rpm_script_t)
  
  	optional_policy(`
-@@ -394,6 +428,6 @@ optional_policy(`
+@@ -394,6 +432,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63040,7 +64201,7 @@ index 6f0736b..aaee499 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..d820f4c 100644
+index 947bbc6..35ef05b 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
@@ -63695,7 +64856,7 @@ index 947bbc6..d820f4c 100644
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
  term_use_ptmx(virt_domain)
-@@ -459,13 +688,469 @@ logging_send_syslog_msg(virt_domain)
+@@ -459,13 +688,471 @@ logging_send_syslog_msg(virt_domain)
  
  miscfiles_read_localization(virt_domain)
  
@@ -64160,6 +65321,8 @@ index 947bbc6..d820f4c 100644
 +allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 +allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 +
++manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
++
 +kernel_read_network_state(virt_bridgehelper_t)
 +
 +corenet_rw_tun_tap_dev(virt_bridgehelper_t)
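Review bot: `manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)` grants full create/write/unlink over svirt_home_t files, while the changelog speaks of managing "content in the svirt_home_t labeled directories"; if the helper also creates or removes directories there, a matching `manage_dirs_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)` is missing, and if it only rewrites existing files a narrower rw pattern would do. A comment naming the file or directory the bridge helper actually touches would make the intended scope reviewable. The virt_bridgehelper_t section begins and ends outside this hunk.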
@@ -65897,7 +67060,7 @@ index 21ae664..cb3a098 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +')
 diff --git a/zarafa.te b/zarafa.te
-index 91267bc..5bce06b 100644
+index 91267bc..e52c851 100644
 --- a/zarafa.te
 +++ b/zarafa.te
 @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -65911,15 +67074,19 @@ index 91267bc..5bce06b 100644
  zarafa_domain_template(monitor)
  zarafa_domain_template(server)
  
-@@ -51,7 +55,6 @@ auth_use_nsswitch(zarafa_deliver_t)
- allow zarafa_gateway_t self:capability { chown kill };
+@@ -48,10 +52,9 @@ auth_use_nsswitch(zarafa_deliver_t)
+ # zarafa_gateway local policy
+ #
+ 
+-allow zarafa_gateway_t self:capability { chown kill };
++allow zarafa_gateway_t self:capability { kill };
  allow zarafa_gateway_t self:process setrlimit;
  
 -corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
  corenet_all_recvfrom_netlabel(zarafa_gateway_t)
  corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
  corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
-@@ -59,7 +62,22 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -59,16 +62,28 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
  corenet_tcp_bind_generic_node(zarafa_gateway_t)
  corenet_tcp_bind_pop_port(zarafa_gateway_t)
  
@@ -65929,7 +67096,6 @@ index 91267bc..5bce06b 100644
 +# zarafa-indexer local policy
 +#
 +
-+allow zarafa_indexer_t self:capability chown;
 +
 +manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
 +manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
@@ -65943,15 +67109,33 @@ index 91267bc..5bce06b 100644
  
  #######################################
  #
-@@ -68,7 +86,6 @@ auth_use_nsswitch(zarafa_gateway_t)
+ # zarafa-ical local policy
+ #
  
- allow zarafa_ical_t self:capability chown;
+-allow zarafa_ical_t self:capability chown;
  
 -corenet_all_recvfrom_unlabeled(zarafa_ical_t)
  corenet_all_recvfrom_netlabel(zarafa_ical_t)
  corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
  corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
-@@ -101,11 +118,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+@@ -83,7 +98,6 @@ auth_use_nsswitch(zarafa_ical_t)
+ # zarafa-monitor local policy
+ #
+ 
+-allow zarafa_monitor_t self:capability chown;
+ 
+ auth_use_nsswitch(zarafa_monitor_t)
+ 
+@@ -92,7 +106,7 @@ auth_use_nsswitch(zarafa_monitor_t)
+ # zarafa_server local policy
+ #
+ 
+-allow zarafa_server_t self:capability { chown kill net_bind_service };
++allow zarafa_server_t self:capability { kill net_bind_service };
+ allow zarafa_server_t self:process setrlimit;
+ 
+ manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+@@ -101,11 +115,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
  
  manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
  manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
@@ -65965,7 +67149,12 @@ index 91267bc..5bce06b 100644
  corenet_all_recvfrom_netlabel(zarafa_server_t)
  corenet_tcp_sendrecv_generic_if(zarafa_server_t)
  corenet_tcp_sendrecv_generic_node(zarafa_server_t)
-@@ -139,7 +156,6 @@ allow zarafa_spooler_t self:capability { chown kill };
+@@ -135,11 +149,10 @@ optional_policy(`
+ # zarafa_spooler local policy
+ #
+ 
+-allow zarafa_spooler_t self:capability { chown kill };
++allow zarafa_spooler_t self:capability { kill };
  
  can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
  
@@ -65973,7 +67162,44 @@ index 91267bc..5bce06b 100644
  corenet_all_recvfrom_netlabel(zarafa_spooler_t)
  corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
  corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
-@@ -164,8 +180,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+@@ -150,11 +163,35 @@ auth_use_nsswitch(zarafa_spooler_t)
+ 
+ ########################################
+ #
++# zarafa_gateway local policy
++#
++
++allow zarafa_gateway_t self:capability { kill };
++allow zarafa_gateway_t self:process setrlimit;
++
++corenet_tcp_bind_pop_port(zarafa_gateway_t)
++
++#######################################
++#
++# zarafa-ical local policy
++#
++
++
++corenet_tcp_bind_http_cache_port(zarafa_ical_t)
++
++######################################
++#
++# zarafa-monitor local policy
++#
++
++
++########################################
++#
+ # zarafa domains local policy
+ #
+ 
+ # bad permission on /etc/zarafa
+-allow zarafa_domain self:capability { dac_override setgid setuid };
++allow zarafa_domain self:capability { dac_override chown setgid setuid };
+ allow zarafa_domain self:process signal;
+ allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+ allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+@@ -164,8 +201,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
  
  read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 08e199c..5f1571b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -495,6 +495,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Sep 10 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-17
+- Merge openshift policy
+- Allow xauth to read /dev/urandom
+- systemd needs to relabel content in /run/systemd directories
+- Files unconfined should be able to perform all services on all files
+- Puppet tmp file can be leaked to all domains
+- Dontaudit rhsmcertd-worker to search /root/.local
+- Allow chown capability for zarafa domains
+-  Allow system cronjobs to runcon into openshift domains
+- Allow virt_bridgehelper_t to manage content in the svirt_home_t labeled directories
+
 * Fri Sep 7 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-16
 - nmbd wants to create /var/nmbd
 -  Stop transitioning out of anaconda and firstboot, just causes AVC messages

