[selinux-policy] - virsh now does a setexeccon call - Additional rules required by openshift domains - Allow svirt_lx

Miroslav Grepl mgrepl at fedoraproject.org
Thu Feb 14 18:08:09 UTC 2013


commit 2599f2f5906d2965fe69988c63f6aabf0189db90
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Feb 14 19:06:59 2013 +0100

    - virsh now does a setexeccon call
    - Additional rules required by openshift domains
    - Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-serv
    - Allow spamd_update_t to search spamc_home_t
    - Avcs discovered by mounting an isci device under /mnt
    - Allow lspci running as logrotate to read pci.ids
    - Additional fix for networkmanager_read_pid_files()
    - Fix networkmanager_read_pid_files() interface
    - Allow all svirt domains to connect to svirt_socket_t
    - Allow virsh to set SELinux context for a process.
    - Allow tuned to create netlink_kobject_uevent_socket
    - Allow systemd-timestamp to set SELinux context
    - Add support for /var/lib/systemd/linger
    - Fix ssh_sysadm_login to be working on MLS as expected

 policy-rawhide-base.patch    |  140 +++++++++++++++-------
 policy-rawhide-contrib.patch |  268 +++++++++++++++++++++++++++++-------------
 selinux-policy.spec          |   18 +++-
 3 files changed, 296 insertions(+), 130 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index ba651ec..8195c81 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -220921,7 +220921,7 @@ index fe0c682..da12170 100644
 +	allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..94900fb 100644
+index 5fc0391..386c48c 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3)
@@ -221187,7 +221187,6 @@ index 5fc0391..94900fb 100644
 +userdom_spec_domtrans_unpriv_users(sshd_t)
 +userdom_signal_unpriv_users(sshd_t)
 +userdom_dyntransition_unpriv_users(sshd_t)
-+userdom_dyntransition_admin_users(sshd_t)
 +
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
@@ -221200,6 +221199,7 @@ index 5fc0391..94900fb 100644
 -	userdom_spec_domtrans_unpriv_users(sshd_t)
 -	userdom_signal_unpriv_users(sshd_t)
 +	userdom_spec_domtrans_all_users(sshd_t)
++	userdom_dyntransition_admin_users(sshd_t)
 +')
 +
 +optional_policy(`
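Review bot: The `userdom_dyntransition_admin_users(sshd_t)` line moved into the `ssh_sysadm_login` block carries no comment, and since dyntransition is the permission behind setcon()-style context changes without an exec, a reader cannot tell why sshd needs it for admin users only when the boolean is on. Suggest `# sshd enters the admin user domain with setcon() (dyntransition) only when ssh_sysadm_login is enabled` above it, so the next person does not hoist it back out of the tunable. The `tunable_policy(` that opens this block sits in the preceding hunk, outside this one.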
@@ -226158,7 +226158,7 @@ index bb5c4a6..7ebb938 100644
  ')
  
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 9a4d3a7..b7b205c 100644
+index 9a4d3a7..9d960bb 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
 @@ -1,6 +1,9 @@
@@ -226183,7 +226183,7 @@ index 9a4d3a7..b7b205c 100644
  /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
  # because nowadays, /sbin/init is often a symlink to /sbin/upstart
  /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
-@@ -42,11 +50,23 @@ ifdef(`distro_gentoo', `
+@@ -42,19 +50,33 @@ ifdef(`distro_gentoo', `
  #
  /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
  
@@ -226207,7 +226207,9 @@ index 9a4d3a7..b7b205c 100644
  
  #
  # /var
-@@ -55,6 +75,7 @@ ifdef(`distro_gentoo', `
+ #
++/var/lib/systemd(/.*)?	gen_context(system_u:object_r:init_var_lib_t,s0)
+ /var/run/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
@@ -226215,13 +226217,13 @@ index 9a4d3a7..b7b205c 100644
  
  ifdef(`distro_debian',`
  /var/run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-@@ -73,3 +94,4 @@ ifdef(`distro_suse', `
+@@ -73,3 +95,4 @@ ifdef(`distro_suse', `
  /var/run/setleds-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..386109d 100644
+index 24e7804..c0ec978 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -106,6 +106,8 @@ interface(`init_domain',`
@@ -226458,7 +226460,7 @@ index 24e7804..386109d 100644
  ')
  
  ########################################
-@@ -566,6 +622,24 @@ interface(`init_sigchld',`
+@@ -566,6 +622,58 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -226480,10 +226482,44 @@ index 24e7804..386109d 100644
 +
 +########################################
 +## <summary>
++##	Create objects in the init_var_lib_t directories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`init_var_lib_filetrans',`
++	gen_require(`
++		type init_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -576,10 +650,66 @@ interface(`init_sigchld',`
+@@ -576,10 +684,66 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -226552,7 +226588,7 @@ index 24e7804..386109d 100644
  ')
  
  ########################################
-@@ -743,22 +873,23 @@ interface(`init_write_initctl',`
+@@ -743,22 +907,23 @@ interface(`init_write_initctl',`
  interface(`init_telinit',`
  	gen_require(`
  		type initctl_t;
@@ -226585,7 +226621,7 @@ index 24e7804..386109d 100644
  ')
  
  ########################################
-@@ -787,7 +918,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +952,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -226594,7 +226630,7 @@ index 24e7804..386109d 100644
  ##	</summary>
  ## </param>
  #
-@@ -830,11 +961,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +995,12 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -226609,7 +226645,7 @@ index 24e7804..386109d 100644
  
  	ifdef(`distro_gentoo',`
  		gen_require(`
-@@ -845,11 +977,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1011,11 @@ interface(`init_spec_domtrans_script',`
  	')
  
  	ifdef(`enable_mcs',`
@@ -226623,7 +226659,7 @@ index 24e7804..386109d 100644
  	')
  ')
  
-@@ -865,19 +997,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1031,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -226669,7 +226705,7 @@ index 24e7804..386109d 100644
  ')
  
  ########################################
-@@ -933,9 +1087,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1121,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -226684,7 +226720,7 @@ index 24e7804..386109d 100644
  	files_search_etc($1)
  ')
  
-@@ -1026,7 +1185,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1219,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
@@ -226695,7 +226731,7 @@ index 24e7804..386109d 100644
  ')
  
  ########################################
-@@ -1125,6 +1286,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1320,25 @@ interface(`init_getattr_all_script_files',`
  
  ########################################
  ## <summary>
@@ -226721,7 +226757,7 @@ index 24e7804..386109d 100644
  ##	Read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1144,6 +1324,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1358,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -226746,7 +226782,7 @@ index 24e7804..386109d 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1195,12 +1393,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1427,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -226760,7 +226796,7 @@ index 24e7804..386109d 100644
  ')
  
  ########################################
-@@ -1440,6 +1633,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1667,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -226788,7 +226824,7 @@ index 24e7804..386109d 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1526,6 +1740,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1526,6 +1774,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -226814,7 +226850,7 @@ index 24e7804..386109d 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1584,6 +1817,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,6 +1851,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -226839,14 +226875,16 @@ index 24e7804..386109d 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1656,6 +1907,43 @@ interface(`init_read_utmp',`
+@@ -1656,11 +1941,48 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
+-##	Do not audit attempts to write utmp.
 +##	Read utmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@@ -226880,10 +226918,15 @@ index 24e7804..386109d 100644
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts to write utmp.
- ## </summary>
- ## <param name="domain">
-@@ -1744,7 +2032,7 @@ interface(`init_dontaudit_rw_utmp',`
++##	Do not audit attempts to write utmp.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+@@ -1744,7 +2066,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -226892,11 +226935,10 @@ index 24e7804..386109d 100644
  ')
  
  ########################################
-@@ -1785,7 +2073,134 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,6 +2107,133 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
--########################################
 +######################################
 +## <summary>
 +##  Allow search  directory in the /run/systemd directory.
@@ -227024,11 +227066,10 @@ index 24e7804..386109d 100644
 +	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
 +')
 +
-+########################################
+ ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
- ## </summary>
-@@ -1819,3 +2234,283 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2268,283 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -227313,7 +227354,7 @@ index 24e7804..386109d 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..b8592b4 100644
+index dd3be8d..4d9b509 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -227380,10 +227421,10 @@ index dd3be8d..b8592b4 100644
  files_pid_file(init_var_run_t)
  
  #
-+# init_var_lib_t is the type for /var/lib/random-seed
++# init_var_lib_t is the type for /var/lib/systemd
 +#
 +type init_var_lib_t;
-+files_pid_file(init_var_lib_t)
++files_type(init_var_lib_t)
 +
 +type machineid_t;
 +files_config_file(machineid_t)
@@ -234737,10 +234778,10 @@ index b7686d5..9a50b11 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..4221a94
+index 0000000..595f756
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,39 @@
 +/bin/systemd-notify				--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 +/bin/systemctl					--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -234768,6 +234809,7 @@ index 0000000..4221a94
 +/usr/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
 +/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +
++/var/lib/systemd/linger(/.*)?  		gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
 +/var/lib/random-seed 		gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
 +/usr/var/lib/random-seed 	gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
 +
@@ -235828,10 +235870,10 @@ index 0000000..a4b0917
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..1131866
+index 0000000..c0a85ab
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,616 @@
+@@ -0,0 +1,624 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -235855,6 +235897,9 @@ index 0000000..1131866
 +type systemd_logind_sessions_t;
 +files_pid_file(systemd_logind_sessions_t)
 +
++type systemd_logind_var_lib_t;
++files_type(systemd_logind_var_lib_t)
++
 +# /run/systemd/{seats, users}
 +type systemd_logind_var_run_t;
 +files_pid_file(systemd_logind_var_run_t)
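Review bot: The new `systemd_logind_var_lib_t` declaration lacks the path comment its neighbours carry (`# /run/systemd/{seats, users}` a few lines below), so the only hint of what it labels is the file context in systemd.fc elsewhere in this commit. Suggest `# /var/lib/systemd/linger` directly above `type systemd_logind_var_lib_t;` to match the file's existing style.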
@@ -235918,13 +235963,17 @@ index 0000000..1131866
 +
 +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
 +allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
-+allow systemd_logind_t self:process getcap;
++allow systemd_logind_t self:process { getcap };
 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 +
 +mls_file_read_all_levels(systemd_logind_t)
 +mls_file_write_all_levels(systemd_logind_t)
 +
++manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
++manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
++init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
++
 +manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
 +manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
 +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
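Review bot: The new `init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")` fixes only the type of a runtime-created linger directory, so on an MLS policy it gets the creating process's level, whereas the systemd.fc entry added in this commit pins `/var/lib/systemd/linger(/.*)?` at `mls_systemhigh`. A directory created by logind and one produced by a relabel may therefore end up at different levels; confirm which is intended, since the domain already has `mls_file_read_all_levels`/`mls_file_write_all_levels` and may not care. A one-line comment stating the expected level above the filetrans would settle it for later readers.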
@@ -236002,7 +236051,6 @@ index 0000000..1131866
 +logging_send_syslog_msg(systemd_logind_t)
 +logging_stream_connect_syslog(systemd_logind_t)
 +
-+
 +udev_read_db(systemd_logind_t)
 +udev_manage_rules_files(systemd_logind_t)
 +
@@ -236350,7 +236398,7 @@ index 0000000..1131866
 +# Timedated policy
 +#
 +allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
-+allow systemd_timedated_t self:process { getattr getsched signal };
++allow systemd_timedated_t self:process { getattr getsched signal setfscreate };
 +allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
 +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
 +allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
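Review bot: `setfscreate` is added to the systemd_timedated_t self:process rule without a comment, and together with the `seutil_read_file_contexts(systemd_timedated_t)` added two hunks later it is the signature of a daemon choosing the label of files it creates via setfscreatecon(); the hunk should say which files. Suggest `# timedated sets a file-creation context (setfscreatecon) for the files it rewrites; see seutil_read_file_contexts` above the allow line. Note that setfscreate alone does not let the domain pick arbitrary types, because the create permission on the chosen target type is still checked.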
@@ -236383,6 +236431,8 @@ index 0000000..1131866
 +miscfiles_manage_localization(systemd_timedated_t)
 +miscfiles_etc_filetrans_localization(systemd_timedated_t)
 +
++seutil_read_file_contexts(systemd_timedated_t)
++
 +userdom_read_all_users_state(systemd_timedated_t)
 +
 +optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 99e5617..1726b5d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -25955,7 +25955,7 @@ index d03fd43..f73c152 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..ac1375b 100644
+index 20f726b..eb0d80a 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -1,18 +1,36 @@
@@ -25999,7 +25999,7 @@ index 20f726b..ac1375b 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,227 @@ type gconfd_exec_t;
+@@ -29,107 +47,228 @@ type gconfd_exec_t;
  typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
  typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@@ -26210,6 +26210,7 @@ index 20f726b..ac1375b 100644
  
 -allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
 -gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
++allow gkeyringd_domain config_home_t:dir add_entry_dir_perms;
 +allow gkeyringd_domain config_home_t:file write;
  
 -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
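Review bot: `allow gkeyringd_domain config_home_t:dir add_entry_dir_perms;` is a bare allow placed next to `config_home_t:file write`, and the pair is inconsistent: add_entry_dir_perms includes write and add_name on the directory, which only matters if the domain creates entries there, yet no file create permission is granted. If gkeyringd only writes existing files under config_home_t, `search_dir_perms` is the tighter directory permission; if it creates them, `manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)` states that intent explicitly. Either way a comment naming the file it touches would make the rule reviewable; the enclosing block starts before this hunk.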
@@ -32457,7 +32458,7 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..5c6ac99 100644
+index 7bab8e5..3124cab 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -1,20 +1,18 @@
@@ -32519,7 +32520,7 @@ index 7bab8e5..5c6ac99 100644
  allow logrotate_t self:shm create_shm_perms;
  allow logrotate_t self:sem create_sem_perms;
  allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,79 +52,91 @@ allow logrotate_t self:msg { send receive };
+@@ -48,79 +52,93 @@ allow logrotate_t self:msg { send receive };
  allow logrotate_t logrotate_lock_t:file manage_file_perms;
  files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
  
@@ -32606,8 +32607,6 @@ index 7bab8e5..5c6ac99 100644
  logging_exec_all_logs(logrotate_t)
  
 -miscfiles_read_localization(logrotate_t)
--
--seutil_dontaudit_read_config(logrotate_t)
 +systemd_exec_systemctl(logrotate_t)
 +systemd_getattr_unit_files(logrotate_t)
 +systemd_start_all_unit_files(logrotate_t)
@@ -32615,6 +32614,9 @@ index 7bab8e5..5c6ac99 100644
 +systemd_status_all_unit_files(logrotate_t)
 +init_stream_connect(logrotate_t)
  
+-seutil_dontaudit_read_config(logrotate_t)
++miscfiles_read_hwdata(logrotate_t)
+ 
 -userdom_use_user_terminals(logrotate_t)
 +userdom_use_inherited_user_terminals(logrotate_t)
  userdom_list_user_home_dirs(logrotate_t)
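Review bot: `miscfiles_read_hwdata(logrotate_t)` is added without a comment, and nothing in logrotate.te explains why a log-rotation domain reads hardware data; only the commit message attributes it to lspci run from a logrotate script. Suggest `# lspci run from a logrotate script reads the hwdata pci.ids file` above the line, so the rule is not later dropped as stray.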
@@ -32639,7 +32641,7 @@ index 7bab8e5..5c6ac99 100644
  ')
  
  optional_policy(`
-@@ -140,11 +156,11 @@ optional_policy(`
+@@ -140,11 +158,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32653,7 +32655,7 @@ index 7bab8e5..5c6ac99 100644
  ')
  
  optional_policy(`
-@@ -178,7 +194,7 @@ optional_policy(`
+@@ -178,7 +196,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32662,7 +32664,7 @@ index 7bab8e5..5c6ac99 100644
  ')
  
  optional_policy(`
-@@ -198,21 +214,22 @@ optional_policy(`
+@@ -198,21 +216,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32689,7 +32691,7 @@ index 7bab8e5..5c6ac99 100644
  ')
  
  optional_policy(`
-@@ -228,10 +245,20 @@ optional_policy(`
+@@ -228,10 +247,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32710,7 +32712,7 @@ index 7bab8e5..5c6ac99 100644
  	su_exec(logrotate_t)
  ')
  
-@@ -241,13 +268,11 @@ optional_policy(`
+@@ -241,13 +270,11 @@ optional_policy(`
  
  #######################################
  #
@@ -41731,7 +41733,7 @@ index a1fb3c3..8fe1d63 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..96dbf6f 100644
+index 0e8508c..163b870 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -41936,7 +41938,13 @@ index 0e8508c..96dbf6f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -212,12 +258,12 @@ interface(`networkmanager_read_pid_files',`
+@@ -207,17 +253,17 @@ interface(`networkmanager_read_pid_files',`
+ 	')
+ 
+ 	files_search_pids($1)
+-	allow $1 NetworkManager_var_run_t:file read_file_perms;
++	read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+ ')
  
  ########################################
  ## <summary>
@@ -47641,10 +47649,10 @@ index 0000000..1a26cd5
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..b89f7fc
+index 0000000..30757e2
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,463 @@
+@@ -0,0 +1,467 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -47955,6 +47963,10 @@ index 0000000..b89f7fc
 +	ssh_dontaudit_search_user_home_dir(openshift_domain)
 +')
 +
++optional_policy(`
++	udev_read_pid_files(openshift_domain)
++')
++
 +#######################################################
 +#
 +# Policy for openshift user domain process
@@ -48035,7 +48047,7 @@ index 0000000..b89f7fc
 +fs_read_cgroup_files(openshift_cgroup_read_t)
 +
 +allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
-+read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
++manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
 +
 +########################################
 +#
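Review bot: Replacing `read_files_pattern` with `manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)` gives a domain whose name promises read-only access the right to create, write, rename and unlink every file under openshift_var_lib_t, and the hunk gives no reason. If the helper only updates existing files, `rw_files_pattern` is the narrower rule; if it genuinely needs full management, add a comment such as `# openshift_cgroup_read_t rewrites <which files> under openshift_var_lib_t`. The directory rule just above stays at list_dir_perms, which suggests the widening is larger than the observed denial.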
@@ -49384,29 +49396,36 @@ index dfd46e4..9515043 100644
  
  /usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
 diff --git a/pegasus.if b/pegasus.if
-index d2fc677..920b13f 100644
+index d2fc677..22b745a 100644
 --- a/pegasus.if
 +++ b/pegasus.if
-@@ -1,52 +1 @@
+@@ -1,52 +1,37 @@
  ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
--
+ 
 -########################################
--## <summary>
++######################################
+ ## <summary>
 -##	All of the rules required to
 -##	administrate an pegasus environment.
--## </summary>
++##  Creates types and rules for a basic
++##  openlmi init daemon domain.
+ ## </summary>
 -## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
--## </param>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
+ ## </param>
 -## <param name="role">
 -##	<summary>
 -##	Role allowed access.
 -##	</summary>
 -## </param>
 -## <rolecap/>
--#
+ #
 -interface(`pegasus_admin',`
 -	gen_require(`
 -		type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
@@ -49439,18 +49458,46 @@ index d2fc677..920b13f 100644
 -
 -	files_search_pids($1)
 -	admin_pattern($1, pegasus_var_run_t)
--')
++template(`pegasus_openlmi_domain_template',`
++    gen_require(`
++        attribute pegasus_openlmi_domain;
++    ')
++
++	##############################
++	#
++	# Declarations
++	#
++
++	type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
++	type $1_exec_t;
++	init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
++
++	##############################
++	#
++	# Local policy
++	#
++	
++	domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
++
++	kernel_read_system_state(pegasus_openlmi_$1_t)
++	logging_send_syslog_msg(pegasus_openlmi_$1_t)
+ ')
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..e440d35 100644
+index 7bcf327..0ff4cb5 100644
 --- a/pegasus.te
 +++ b/pegasus.te
-@@ -1,4 +1,4 @@
+@@ -1,17 +1,16 @@
 -policy_module(pegasus, 1.8.3)
 +policy_module(pegasus, 1.8.0)
  
  ########################################
  #
-@@ -9,9 +9,6 @@ type pegasus_t;
+ # Declarations
+ #
+ 
++attribute pegasus_openlmi_domain;
++
+ type pegasus_t;
  type pegasus_exec_t;
  init_daemon_domain(pegasus_t, pegasus_exec_t)
  
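Review bot: The new `pegasus_openlmi_domain_template` declares the entry type as `type $1_exec_t;` but then passes `pegasus_openlmi_$1_exec_t` to `init_daemon_domain` and `domtrans_pattern`, so any instantiation fails on an undeclared type; the only call in pegasus.te in this commit is commented out (`#pegasus_openlmi_domain_template(account)`), which is why the build does not catch it. Change the declaration to `type pegasus_openlmi_$1_exec_t;`. The template also mixes four-space indentation in `gen_require` with tabs elsewhere and leaves trailing whitespace on the blank line before `domtrans_pattern`; match the rest of the file.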
@@ -49460,7 +49507,29 @@ index 7bcf327..e440d35 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -39,11 +36,12 @@ allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac
+@@ -30,20 +29,33 @@ files_type(pegasus_mof_t)
+ type pegasus_var_run_t;
+ files_pid_file(pegasus_var_run_t)
+ 
++# pegasus openlmi providers
++#pegasus_openlmi_domain_template(account)
++
++#######################################
++#
++# pegasus openlmi providers local policy
++#
++
++corecmd_exec_bin(pegasus_openlmi_domain)
++
++sysnet_read_config(pegasus_openlmi_domain)
++
+ ########################################
+ #
+-# Local policy
++# pegasus local policy
+ #
+ 
+ allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
  dontaudit pegasus_t self:capability sys_tty_config;
  allow pegasus_t self:process signal;
  allow pegasus_t self:fifo_file rw_fifo_file_perms;
@@ -49476,7 +49545,7 @@ index 7bcf327..e440d35 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +52,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +66,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -49507,7 +49576,7 @@ index 7bcf327..e440d35 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +78,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +92,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -49540,7 +49609,7 @@ index 7bcf327..e440d35 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,6 +106,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +120,7 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -49548,7 +49617,7 @@ index 7bcf327..e440d35 100644
  
  domain_use_interactive_fds(pegasus_t)
  domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +121,23 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +135,23 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -49578,7 +49647,7 @@ index 7bcf327..e440d35 100644
  ')
  
  optional_policy(`
-@@ -151,16 +149,15 @@ optional_policy(`
+@@ -151,16 +163,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49598,7 +49667,7 @@ index 7bcf327..e440d35 100644
  ')
  
  optional_policy(`
-@@ -168,7 +165,7 @@ optional_policy(`
+@@ -168,7 +179,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75467,7 +75536,7 @@ index 1499b0b..82fc7f6 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..9e4d192 100644
+index 4faa7e0..3a3ac18 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -1,4 +1,4 @@
@@ -75955,17 +76024,17 @@ index 4faa7e0..9e4d192 100644
  allow spamd_t self:unix_dgram_socket sendto;
 -allow spamd_t self:unix_stream_socket { accept connectto listen };
 -allow spamd_t self:tcp_socket { accept listen };
-+allow spamd_t self:unix_stream_socket connectto;
-+allow spamd_t self:tcp_socket create_stream_socket_perms;
-+allow spamd_t self:udp_socket create_socket_perms;
- 
+-
 -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
--
++allow spamd_t self:unix_stream_socket connectto;
++allow spamd_t self:tcp_socket create_stream_socket_perms;
++allow spamd_t self:udp_socket create_socket_perms;
+ 
 -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@@ -76170,7 +76239,7 @@ index 4faa7e0..9e4d192 100644
  ')
  
  optional_policy(`
-@@ -474,32 +552,30 @@ optional_policy(`
+@@ -474,32 +552,32 @@ optional_policy(`
  
  ########################################
  #
@@ -76202,16 +76271,18 @@ index 4faa7e0..9e4d192 100644
 -corenet_tcp_sendrecv_generic_if(spamd_update_t)
 -corenet_tcp_sendrecv_generic_node(spamd_update_t)
 -corenet_tcp_sendrecv_all_ports(spamd_update_t)
-+kernel_read_system_state(spamd_update_t)
++allow spamd_update_t spamc_home_t:dir search_dir_perms;
  
 -corenet_sendrecv_http_client_packets(spamd_update_t)
++kernel_read_system_state(spamd_update_t)
++
 +# for updating rules 
  corenet_tcp_connect_http_port(spamd_update_t)
 -corenet_tcp_sendrecv_http_port(spamd_update_t)
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +584,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
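Review bot: `allow spamd_update_t spamc_home_t:dir search_dir_perms;` is a bare allow with no comment, and search on a spamc_home_t directory only helps if the domain can also traverse the user home directory containing it, which nothing in this hunk grants. If `userdom_search_user_home_dirs(spamd_update_t)` or an equivalent is not already present elsewhere in the module, the denial will simply move one directory up. A comment naming what sa-update looks for under spamc_home_t would also make the rule self-explaining.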
@@ -79437,9 +79508,18 @@ index 38389e6..4847b43 100644
 +/var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
 +/var/run/tgtd.*			-s	gen_context(system_u:object_r:tgtd_var_run_t,s0)
 diff --git a/tgtd.te b/tgtd.te
-index c93c973..0eff459 100644
+index c93c973..08aef1e 100644
 --- a/tgtd.te
 +++ b/tgtd.te
+@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
+ # Local policy
+ #
+ 
+-allow tgtd_t self:capability sys_resource;
++allow tgtd_t self:capability { dac_override sys_resource };
+ allow tgtd_t self:capability2 block_suspend;
+ allow tgtd_t self:process { setrlimit signal };
+ allow tgtd_t self:fifo_file rw_fifo_file_perms;
 @@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t)
  kernel_read_fs_sysctls(tgtd_t)
  
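Review bot: Adding `dac_override` in `allow tgtd_t self:capability { dac_override sys_resource };` grants the broadest DAC bypass (read, write and execute regardless of mode bits) with no comment, while the commit message only says denials were seen when mounting a device under /mnt. If the denial was for reading or searching a directory owned by another uid, the narrower `dac_read_search` capability covers it; keep `dac_override` only if tgtd must write through DAC-protected paths. Whichever is chosen, add a one-line reason such as `# dac_override: <why tgtd must bypass DAC on its backing store>`.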
@@ -79448,15 +79528,16 @@ index c93c973..0eff459 100644
  corenet_tcp_sendrecv_generic_if(tgtd_t)
  corenet_tcp_sendrecv_generic_node(tgtd_t)
  corenet_tcp_bind_generic_node(tgtd_t)
-@@ -69,16 +68,12 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+@@ -69,7 +68,7 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
  
  dev_read_sysfs(tgtd_t)
  
 -files_read_etc_files(tgtd_t)
--
++files_list_mnt(tgtd_t)
+ 
  fs_read_anon_inodefs_files(tgtd_t)
  
- storage_manage_fixed_disk(tgtd_t)
+@@ -77,8 +76,6 @@ storage_manage_fixed_disk(tgtd_t)
  
  logging_send_syslog_msg(tgtd_t)
  
@@ -80827,30 +80908,45 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 7116181..ffc2e44 100644
+index 7116181..9815e42 100644
 --- a/tuned.te
 +++ b/tuned.te
-@@ -31,8 +31,9 @@ files_pid_file(tuned_var_run_t)
+@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
+ type tuned_log_t;
+ logging_log_file(tuned_log_t)
+ 
++type tuned_tmp_t;
++files_tmp_file(tuned_tmp_t)
++
+ type tuned_var_run_t;
+ files_pid_file(tuned_var_run_t)
+ 
+@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t)
  
  allow tuned_t self:capability { sys_admin sys_nice };
  dontaudit tuned_t self:capability { dac_override sys_tty_config };
 -allow tuned_t self:process { setsched signal };
 +allow tuned_t self:process {  setsched signal };
  allow tuned_t self:fifo_file rw_fifo_file_perms;
++allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow tuned_t self:udp_socket create_socket_perms;
  
  read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
  exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-@@ -44,7 +45,7 @@ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+@@ -44,7 +49,11 @@ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
  append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
  create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
  setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
 -logging_log_filetrans(tuned_t, tuned_log_t, file)
 +logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
++
++manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
++manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
++files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir })
  
  manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
  manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-@@ -57,6 +58,7 @@ kernel_request_load_module(tuned_t)
+@@ -57,6 +66,7 @@ kernel_request_load_module(tuned_t)
  kernel_rw_kernel_sysctl(tuned_t)
  kernel_rw_hotplug_sysctls(tuned_t)
  kernel_rw_vm_sysctls(tuned_t)
@@ -80858,7 +80954,7 @@ index 7116181..ffc2e44 100644
  
  corecmd_exec_bin(tuned_t)
  corecmd_exec_shell(tuned_t)
-@@ -67,28 +69,44 @@ dev_read_urand(tuned_t)
+@@ -67,28 +77,44 @@ dev_read_urand(tuned_t)
  dev_rw_sysfs(tuned_t)
  dev_rw_netcontrol(tuned_t)
  
@@ -80866,10 +80962,10 @@ index 7116181..ffc2e44 100644
  files_dontaudit_search_home(tuned_t)
 -files_dontaudit_list_tmp(tuned_t)
 +files_list_tmp(tuned_t)
++
++fs_getattr_all_fs(tuned_t)
  
 -fs_getattr_xattr_fs(tuned_t)
-+fs_getattr_all_fs(tuned_t)
-+
 +auth_use_nsswitch(tuned_t)
  
  logging_send_syslog_msg(tuned_t)
@@ -84048,7 +84144,7 @@ index 9dec06c..d8a2b54 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..def6a6b 100644
+index 1f22fba..64b70d6 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,98 @@
@@ -84510,9 +84606,7 @@ index 1f22fba..def6a6b 100644
 -
 -dontaudit svirt_t virt_content_t:file write_file_perms;
 -dontaudit svirt_t virt_content_t:dir rw_dir_perms;
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -append_files_pattern(svirt_t, virt_home_t, virt_home_t)
 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
@@ -84541,7 +84635,9 @@ index 1f22fba..def6a6b 100644
 -corenet_sendrecv_all_server_packets(svirt_t)
 -corenet_udp_bind_all_ports(svirt_t)
 -corenet_tcp_bind_all_ports(svirt_t)
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+ 
 -corenet_sendrecv_all_client_packets(svirt_t)
 -corenet_tcp_connect_all_ports(svirt_t)
 +corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -85172,8 +85268,9 @@ index 1f22fba..def6a6b 100644
 +typealias virsh_exec_t alias xm_exec_t;
  
 -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+-allow virsh_t self:process { getcap getsched setsched setcap signal };
 +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config };
- allow virsh_t self:process { getcap getsched setsched setcap signal };
++allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
  allow virsh_t self:fifo_file rw_fifo_file_perms;
 -allow virsh_t self:unix_stream_socket { accept connectto listen };
 -allow virsh_t self:tcp_socket { accept listen };
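Review bot: The new `setexec` on `virsh_t self:process` lets virsh choose the context of whatever it exec()s next, so the effective privilege is the union of every `process transition` rule virsh_t holds, yet the rule carries no comment saying which context virsh sets (the commit message only says it now calls setexeccon). A maintainer later widening virsh_t's transition targets will not see that this enlarges an explicit-choice path, not just a domtrans. I would put `# virsh calls setexeccon() before exec; targets stay bounded by virsh_t's process:transition rules` above the line. The inner patch appears to drop `allow virsh_t svirt_lxc_domain:process transition;` further down, so confirm the replacement interface still grants the transition setexeccon relies on. The virsh_t rule block continues outside the hunk.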
@@ -85190,7 +85287,7 @@ index 1f22fba..def6a6b 100644
  
  manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +802,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +802,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -85203,12 +85300,12 @@ index 1f22fba..def6a6b 100644
 -dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 -
 -allow virsh_t svirt_lxc_domain:process transition;
+-
+-can_exec(virsh_t, virsh_exec_t)
 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +virt_filetrans_named_content(virsh_t)
  
--can_exec(virsh_t, virsh_exec_t)
--
 -virt_domtrans(virsh_t)
 -virt_manage_images(virsh_t)
 -virt_manage_config(virsh_t)
@@ -85216,10 +85313,11 @@ index 1f22fba..def6a6b 100644
 +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
  
 -kernel_read_crypto_sysctls(virsh_t)
++kernel_write_proc_files(virsh_t)
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +820,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +821,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
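Review bot: `kernel_write_proc_files(virsh_t)` grants write on every proc_t file, and nothing in the hunk or the commit message names the file that triggered it. If it was added for the setexeccon() AVC it is probably not needed: /proc/self/attr/* inodes carry the calling task's own context, so that write falls under virsh_t's self:file permissions rather than proc_t. Name the target in a comment, e.g. `# needed to write /proc/<path> when <action>`, and if a narrower kernel_ interface covers that path, prefer it. virsh_t's rule block continues on both sides of the hunk.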
@@ -85246,7 +85344,7 @@ index 1f22fba..def6a6b 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +840,21 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +841,21 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -85277,7 +85375,7 @@ index 1f22fba..def6a6b 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,6 +872,10 @@ optional_policy(`
+@@ -847,6 +873,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85288,7 +85386,7 @@ index 1f22fba..def6a6b 100644
  	rpm_exec(virsh_t)
  ')
  
-@@ -854,7 +883,7 @@ optional_policy(`
+@@ -854,7 +884,7 @@ optional_policy(`
  	xen_manage_image_dirs(virsh_t)
  	xen_append_log(virsh_t)
  	xen_domtrans(virsh_t)
@@ -85297,7 +85395,7 @@ index 1f22fba..def6a6b 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +908,40 @@ optional_policy(`
+@@ -879,34 +909,40 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -85348,7 +85446,7 @@ index 1f22fba..def6a6b 100644
  
  manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +951,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +952,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
  allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -85364,7 +85462,7 @@ index 1f22fba..def6a6b 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +971,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +972,8 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -85375,7 +85473,7 @@ index 1f22fba..def6a6b 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +980,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +981,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
  files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
  
@@ -85383,7 +85481,7 @@ index 1f22fba..def6a6b 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +992,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +993,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -85402,7 +85500,7 @@ index 1f22fba..def6a6b 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -973,20 +1006,38 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,20 +1007,38 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -85447,7 +85545,7 @@ index 1f22fba..def6a6b 100644
  allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
  allow svirt_lxc_domain self:fifo_file manage_file_perms;
  allow svirt_lxc_domain self:sem create_sem_perms;
-@@ -995,19 +1046,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,19 +1047,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
  allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
  allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
  
@@ -85467,7 +85565,7 @@ index 1f22fba..def6a6b 100644
  manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1053,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1054,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -85486,7 +85584,7 @@ index 1f22fba..def6a6b 100644
  kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
  
  corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1072,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1073,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
  files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
  files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
  files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -85513,7 +85611,7 @@ index 1f22fba..def6a6b 100644
  auth_dontaudit_read_login_records(svirt_lxc_domain)
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,11 +1097,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,11 +1098,16 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
  
  libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
  
@@ -85522,15 +85620,17 @@ index 1f22fba..def6a6b 100644
  miscfiles_read_fonts(svirt_lxc_domain)
  
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++systemd_read_unit_files(svirt_lxc_domain)
++
++userdom_use_inherited_user_terminals(svirt_lxc_domain)
++
 +optional_policy(`
 +	mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +')
-+
-+systemd_read_unit_files(svirt_lxc_domain)
  
  optional_policy(`
  	udev_read_pid_files(svirt_lxc_domain)
-@@ -1078,81 +1115,67 @@ optional_policy(`
+@@ -1078,81 +1118,67 @@ optional_policy(`
  	apache_read_sys_content(svirt_lxc_domain)
  ')
  
@@ -85638,7 +85738,7 @@ index 1f22fba..def6a6b 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1188,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1191,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -85653,7 +85753,7 @@ index 1f22fba..def6a6b 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1206,8 @@ optional_policy(`
+@@ -1183,9 +1209,8 @@ optional_policy(`
  
  ########################################
  #
@@ -85664,7 +85764,7 @@ index 1f22fba..def6a6b 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1220,65 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1223,65 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -85731,7 +85831,7 @@ index 1f22fba..def6a6b 100644
 +
 +type svirt_socket_t;
 +role system_r types svirt_socket_t;
-+allow svirt_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
++allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
 diff --git a/vlock.te b/vlock.te
 index 9ead775..b5285e7 100644
 --- a/vlock.te
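Review bot: Widening the subject from `svirt_t` to the `virt_domain` attribute means every guest domain type, including those running untrusted VM images, can now `connectto` a unix stream socket labelled svirt_socket_t, and the hunk gives no comment on what listens there or why guests need it. Within the hunk svirt_socket_t only receives `role system_r`, with no domain_type() or file-context declaration visible, so a reader cannot tell whether it is a process type or a socket label set via sockcreate. Add `# svirt_socket_t: <listener> that guests connect to; all virt_domain types need it for <reason>` above the type declaration, filling in the service, and check whether `create_stream_socket_perms` (which in refpolicy also covers create/listen/accept on that label) is really needed by the guests or only `connectto`. The declaration block continues outside the hunk.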
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7cf9fb0..6429a62 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,22 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Feb 14 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-13
+- virsh now does a setexeccon call
+- Additional rules required by openshift domains
+- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work
+- Allow spamd_update_t to search spamc_home_t
+- Avcs discovered by mounting an isci device under /mnt
+- Allow lspci running as logrotate to read pci.ids
+- Additional fix for networkmanager_read_pid_files()
+- Fix networkmanager_read_pid_files() interface
+- Allow all svirt domains to connect to svirt_socket_t
+- Allow virsh to set SELinux context for a process.
+- Allow tuned to create netlink_kobject_uevent_socket
+- Allow systemd-timestamp to set SELinux context
+- Add support for /var/lib/systemd/linger
+- Fix ssh_sysadm_login to be working on MLS as expected
+
 * Mon Feb 11 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-12
 - Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file
 - Add missing files_rw_inherited_tmp_files interface

