[selinux-policy/f18] - Fix systemd_dbus_chat_timedated interface - Allow userdomains to dbus chat with systemd-hostnamed
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Feb 22 07:02:13 UTC 2013
commit dcdabb0ae3c1d8f37e6cad369bc6e1c270b86b21
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Feb 22 08:00:58 2013 +0100
- Fix systemd_dbus_chat_timedated interface
- Allow userdomains to dbus chat with systemd-hostnamed
- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
- Fix dbus_system_domain() interface
- Fix thumb_role() interface
- Allow cgred to list inotifyfs filesystem
- New access required for virt-sandbox
- Allow gluster to get attrs on all fs
- Allow dnsmasq to create content in /var/run/NetworkManager
policy-f18-base.patch | 185 ++++++++++++++++++++++++++--------------------
policy-f18-contrib.patch | 131 +++++++++++++++++++++------------
selinux-policy.spec | 13 +++-
3 files changed, 202 insertions(+), 127 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 1130d24..389d7e7 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -112431,7 +112431,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..7a2ff89 100644
+index db981df..c165d31 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -112705,7 +112705,7 @@ index db981df..7a2ff89 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +388,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +388,12 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112714,10 +112714,11 @@ index db981df..7a2ff89 100644
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/munin/plugins/plugin\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +441,15 @@ ifdef(`distro_suse', `
+@@ -376,11 +442,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -112734,7 +112735,7 @@ index db981df..7a2ff89 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +459,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +460,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -141718,10 +141719,10 @@ index 0000000..7917796
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..aa755d2
+index 0000000..8fbbd45
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,984 @@
+@@ -0,0 +1,1007 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -142704,14 +142705,37 @@ index 0000000..aa755d2
+
+ allow $1 systemd_timedated_t:dbus send_msg;
+ allow systemd_timedated_t $1:dbus send_msg;
++ ps_process_pattern(systemd_timedated_t, $1)
++')
++
++########################################
++## <summary>
++## Send and receive messages from
++## systemd timedated over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_dbus_chat_hostnamed',`
++ gen_require(`
++ type systemd_hostnamed_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_hostnamed_t:dbus send_msg;
++ allow systemd_hostnamed_t $1:dbus send_msg;
++ ps_process_pattern(systemd_hostnamed_t, $1)
+')
+
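Review bot: The summary of the new `systemd_dbus_chat_hostnamed` interface still reads "Send and receive messages from systemd timedated over dbus.", copied from the timedated interface directly above it; it should say `## systemd hostnamed over dbus.`. The `ps_process_pattern(systemd_hostnamed_t, $1)` line is the only rule here that is not a dbus send_msg, and since it lets hostnamed read the caller's process state rather than the reverse, a one-line comment such as `# hostnamed reads the caller's /proc state` would save the next reader from guessing the direction. The same stale copy-paste appears in the policy-f18-contrib.patch hunk that adds `networkmanager_manage_pid_files`, whose summary still reads "Read NetworkManager PID files."; that hunk is cut off at the edge of the page.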
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..665d5cf
+index 0000000..52f0a12
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,610 @@
+@@ -0,0 +1,612 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -143203,6 +143227,8 @@ index 0000000..665d5cf
+seutil_read_config(systemd_localed_t)
+seutil_read_file_contexts(systemd_localed_t)
+
++logging_stream_connect_syslog(systemd_localed_t)
++
+miscfiles_manage_localization(systemd_localed_t)
+miscfiles_etc_filetrans_localization(systemd_localed_t)
+
@@ -144677,7 +144703,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..57e15ac 100644
+index e720dcd..2a4e6ef 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -144693,7 +144719,7 @@ index e720dcd..57e15ac 100644
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
-@@ -44,79 +46,132 @@ template(`userdom_base_user_template',`
+@@ -44,79 +46,133 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -144845,6 +144871,7 @@ index e720dcd..57e15ac 100644
+ miscfiles_read_public_files($1_usertype)
- tunable_policy(`allow_execmem',`
++ systemd_dbus_chat_hostnamed($1_usertype)
+ systemd_dbus_chat_logind($1_usertype)
+ systemd_read_logind_sessions_files($1_usertype)
+ systemd_write_inhibit_pipes($1_usertype)
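Review bot: `systemd_dbus_chat_hostnamed($1_usertype)` lands in the inner hunk headed `template(\`userdom_base_user_template'` (its line count bumps from 132 to 133 in the hunk above), so every user domain built from that base template — restricted ones included, if they derive from it as the name suggests; confirm — gains bidirectional dbus send_msg with hostnamed and, through the interface's ps_process_pattern, lets hostnamed read its process state. That is consistent with the neighbouring `systemd_dbus_chat_logind($1_usertype)` call, but it is wider than "query the hostname", so the intent deserves a comment, e.g. `# any session may talk to hostnamed; hostname changes are authorized by the daemon itself (polkit) — confirm`. The template body begins and ends outside this hunk.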
@@ -144878,7 +144905,7 @@ index e720dcd..57e15ac 100644
')
#######################################
-@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',`
+@@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -144887,7 +144914,7 @@ index e720dcd..57e15ac 100644
##############################
#
# Domain access to home dir
-@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',`
+@@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -144915,7 +144942,7 @@ index e720dcd..57e15ac 100644
')
#######################################
-@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',`
+@@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -144927,7 +144954,7 @@ index e720dcd..57e15ac 100644
##############################
#
# Domain access to home dir
-@@ -229,43 +268,47 @@ interface(`userdom_manage_home_role',`
+@@ -229,43 +269,47 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -144991,7 +145018,7 @@ index e720dcd..57e15ac 100644
')
')
-@@ -273,6 +316,25 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +317,25 @@ interface(`userdom_manage_home_role',`
## <summary>
## Manage user temporary files
## </summary>
@@ -145017,7 +145044,7 @@ index e720dcd..57e15ac 100644
## <param name="role">
## <summary>
## Role allowed access.
-@@ -287,17 +349,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +350,64 @@ interface(`userdom_manage_home_role',`
#
interface(`userdom_manage_tmp_role',`
gen_require(`
@@ -145087,7 +145114,7 @@ index e720dcd..57e15ac 100644
')
#######################################
-@@ -317,11 +426,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +427,31 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -145119,7 +145146,7 @@ index e720dcd..57e15ac 100644
## Role access for the user tmpfs type
## that the user has full access.
## </summary>
-@@ -348,59 +477,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +478,60 @@ interface(`userdom_exec_user_tmp_files',`
#
interface(`userdom_manage_tmpfs_role',`
gen_require(`
@@ -145210,7 +145237,7 @@ index e720dcd..57e15ac 100644
')
#######################################
-@@ -431,6 +561,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +562,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -145218,7 +145245,7 @@ index e720dcd..57e15ac 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -463,8 +594,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +595,8 @@ template(`userdom_change_password_template',`
')
optional_policy(`
@@ -145229,7 +145256,7 @@ index e720dcd..57e15ac 100644
')
')
-@@ -491,7 +622,8 @@ template(`userdom_common_user_template',`
+@@ -491,7 +623,8 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -145239,7 +145266,7 @@ index e720dcd..57e15ac 100644
##############################
#
-@@ -501,41 +633,51 @@ template(`userdom_common_user_template',`
+@@ -501,41 +634,51 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -145314,7 +145341,7 @@ index e720dcd..57e15ac 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,100 +688,140 @@ template(`userdom_common_user_template',`
+@@ -546,100 +689,140 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -145493,7 +145520,7 @@ index e720dcd..57e15ac 100644
mysql_stream_connect($1_t)
')
')
-@@ -651,40 +833,52 @@ template(`userdom_common_user_template',`
+@@ -651,40 +834,52 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -145558,7 +145585,7 @@ index e720dcd..57e15ac 100644
')
')
-@@ -709,17 +903,33 @@ template(`userdom_common_user_template',`
+@@ -709,17 +904,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -145597,7 +145624,7 @@ index e720dcd..57e15ac 100644
userdom_change_password_template($1)
-@@ -727,82 +937,100 @@ template(`userdom_login_user_template', `
+@@ -727,82 +938,100 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -145734,7 +145761,7 @@ index e720dcd..57e15ac 100644
')
')
-@@ -834,6 +1062,12 @@ template(`userdom_restricted_user_template',`
+@@ -834,6 +1063,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -145747,7 +145774,7 @@ index e720dcd..57e15ac 100644
##############################
#
# Local policy
-@@ -874,46 +1108,128 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,46 +1109,128 @@ template(`userdom_restricted_xwindows_user_template',`
# Local policy
#
@@ -145889,7 +145916,7 @@ index e720dcd..57e15ac 100644
')
')
-@@ -948,27 +1264,33 @@ template(`userdom_unpriv_user_template', `
+@@ -948,27 +1265,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -145927,7 +145954,7 @@ index e720dcd..57e15ac 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -979,47 +1301,82 @@ template(`userdom_unpriv_user_template', `
+@@ -979,47 +1302,82 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -146036,7 +146063,7 @@ index e720dcd..57e15ac 100644
## <ul>
## <li>Raw disk access</li>
## <li>Set all sysctls</li>
-@@ -1040,7 +1397,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1040,7 +1398,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -146045,7 +146072,7 @@ index e720dcd..57e15ac 100644
')
##############################
-@@ -1067,6 +1424,7 @@ template(`userdom_admin_user_template',`
+@@ -1067,6 +1425,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -146053,7 +146080,7 @@ index e720dcd..57e15ac 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1075,6 +1433,9 @@ template(`userdom_admin_user_template',`
+@@ -1075,6 +1434,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -146063,7 +146090,7 @@ index e720dcd..57e15ac 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1450,7 @@ template(`userdom_admin_user_template',`
+@@ -1089,6 +1451,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -146071,7 +146098,7 @@ index e720dcd..57e15ac 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,10 +1468,14 @@ template(`userdom_admin_user_template',`
+@@ -1106,10 +1469,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -146086,7 +146113,7 @@ index e720dcd..57e15ac 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1120,29 +1486,38 @@ template(`userdom_admin_user_template',`
+@@ -1120,29 +1487,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -146129,7 +146156,7 @@ index e720dcd..57e15ac 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1152,6 +1527,8 @@ template(`userdom_admin_user_template',`
+@@ -1152,6 +1528,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -146138,7 +146165,7 @@ index e720dcd..57e15ac 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1159,13 +1536,17 @@ template(`userdom_admin_user_template',`
+@@ -1159,13 +1537,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -146157,7 +146184,7 @@ index e720dcd..57e15ac 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1592,8 @@ template(`userdom_security_admin_template',`
+@@ -1211,6 +1593,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -146166,7 +146193,7 @@ index e720dcd..57e15ac 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1223,8 +1606,10 @@ template(`userdom_security_admin_template',`
+@@ -1223,8 +1607,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -146178,7 +146205,7 @@ index e720dcd..57e15ac 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1235,29 +1620,31 @@ template(`userdom_security_admin_template',`
+@@ -1235,29 +1621,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -146221,7 +146248,7 @@ index e720dcd..57e15ac 100644
')
optional_policy(`
-@@ -1317,12 +1704,15 @@ interface(`userdom_user_application_domain',`
+@@ -1317,12 +1705,15 @@ interface(`userdom_user_application_domain',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -146238,7 +146265,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -1363,6 +1753,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1363,6 +1754,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -146290,7 +146317,7 @@ index e720dcd..57e15ac 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1467,11 +1902,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1467,11 +1903,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -146322,7 +146349,7 @@ index e720dcd..57e15ac 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1513,6 +1968,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1513,6 +1969,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -146337,7 +146364,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -1528,9 +1991,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1528,9 +1992,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -146349,7 +146376,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -1587,6 +2052,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1587,6 +2053,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -146392,7 +146419,7 @@ index e720dcd..57e15ac 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1666,6 +2167,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1666,6 +2168,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -146401,7 +146428,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -1680,10 +2183,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1680,10 +2184,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -146416,7 +146443,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -1726,6 +2231,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1726,6 +2232,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -146460,7 +146487,7 @@ index e720dcd..57e15ac 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1745,6 +2287,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1745,6 +2288,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -146486,7 +146513,7 @@ index e720dcd..57e15ac 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1775,14 +2336,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1775,14 +2337,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -146524,7 +146551,7 @@ index e720dcd..57e15ac 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1793,11 +2376,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1793,11 +2377,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -146542,7 +146569,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -1856,25 +2442,25 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,25 +2443,25 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -146574,7 +146601,7 @@ index e720dcd..57e15ac 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1882,46 +2468,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+@@ -1882,46 +2469,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
## </summary>
## </param>
#
@@ -146644,7 +146671,7 @@ index e720dcd..57e15ac 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1929,18 +2522,17 @@ interface(`userdom_exec_user_home_content_files',`
+@@ -1929,18 +2523,17 @@ interface(`userdom_exec_user_home_content_files',`
## </summary>
## </param>
#
@@ -146666,7 +146693,7 @@ index e720dcd..57e15ac 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1948,20 +2540,79 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
+@@ -1948,20 +2541,79 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
## </summary>
## </param>
#
@@ -146752,7 +146779,7 @@ index e720dcd..57e15ac 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2018,6 +2669,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -2018,6 +2670,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -146777,7 +146804,7 @@ index e720dcd..57e15ac 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2250,11 +2919,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2920,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -146792,7 +146819,7 @@ index e720dcd..57e15ac 100644
files_search_tmp($1)
')
-@@ -2274,7 +2943,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2944,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -146801,7 +146828,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -2521,6 +3190,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,6 +3191,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -146827,7 +146854,7 @@ index e720dcd..57e15ac 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2537,13 +3225,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3226,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -146843,7 +146870,7 @@ index e720dcd..57e15ac 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2564,7 +3253,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3254,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -146852,7 +146879,7 @@ index e720dcd..57e15ac 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2572,14 +3261,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,14 +3262,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -146887,7 +146914,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -2674,6 +3379,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2674,6 +3380,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -146912,7 +146939,7 @@ index e720dcd..57e15ac 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2692,22 +3415,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3416,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -146955,7 +146982,7 @@ index e720dcd..57e15ac 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2716,14 +3451,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3452,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -146993,7 +147020,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -2742,8 +3496,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3497,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -147023,7 +147050,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -2815,69 +3588,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3589,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -147124,7 +147151,7 @@ index e720dcd..57e15ac 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2885,12 +3657,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3658,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -147139,7 +147166,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -2954,7 +3726,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3727,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -147148,7 +147175,7 @@ index e720dcd..57e15ac 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2970,29 +3742,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3743,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -147182,7 +147209,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -3074,7 +3830,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3831,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -147191,7 +147218,7 @@ index e720dcd..57e15ac 100644
')
########################################
-@@ -3129,12 +3885,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,12 +3886,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -147207,7 +147234,7 @@ index e720dcd..57e15ac 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3142,36 +3899,37 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3142,36 +3900,37 @@ interface(`userdom_write_user_tmp_files',`
## </summary>
## </param>
#
@@ -147255,7 +147282,7 @@ index e720dcd..57e15ac 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3179,35 +3937,91 @@ interface(`userdom_read_all_users_state',`
+@@ -3179,35 +3938,91 @@ interface(`userdom_read_all_users_state',`
## </summary>
## </param>
#
@@ -147355,7 +147382,7 @@ index e720dcd..57e15ac 100644
## descriptors from any user domains.
## </summary>
## <param name="domain">
-@@ -3242,6 +4056,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4057,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -147398,7 +147425,7 @@ index e720dcd..57e15ac 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4112,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4113,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -147423,7 +147450,7 @@ index e720dcd..57e15ac 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3296,3 +4164,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4165,1365 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 8d57318..c160a11 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -8725,7 +8725,7 @@ index 33facaf..11700ae 100644
admin_pattern($1, cgrules_etc_t)
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index 806191a..d962a82 100644
+index 806191a..06ea735 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -8794,13 +8794,14 @@ index 806191a..d962a82 100644
domain_read_all_domains_state(cgred_t)
domain_setpriority_all_domains(cgred_t)
-@@ -100,10 +110,9 @@ files_getattr_all_files(cgred_t)
+@@ -100,10 +110,10 @@ files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
# /etc/group
-files_read_etc_files(cgred_t)
fs_write_cgroup_files(cgred_t)
++fs_list_inotifyfs(cgred_t)
-logging_send_syslog_msg(cgred_t)
+auth_use_nsswitch(cgred_t)
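Review bot: `fs_list_inotifyfs(cgred_t)` is placed after `fs_write_cgroup_files(cgred_t)`, whereas the policy convention orders calls within a prefix group alphabetically, so it belongs one line higher. While touching this spot, note that the `# /etc/group` comment above the fs_ calls no longer heads anything that reads /etc/group, because `files_read_etc_files(cgred_t)` is removed by the Fedora patch; it presumably now refers to `auth_use_nsswitch(cgred_t)` two lines below and should move there or be dropped. The enclosing block continues outside the hunk.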
@@ -15887,7 +15888,7 @@ index e6345ce..31f269b 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/dbus.if b/dbus.if
-index fb4bf82..90299b3 100644
+index fb4bf82..0730306 100644
--- a/dbus.if
+++ b/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -15983,9 +15984,9 @@ index fb4bf82..90299b3 100644
- corenet_tcp_sendrecv_all_ports($1_dbusd_t)
- corenet_tcp_bind_generic_node($1_dbusd_t)
- corenet_tcp_bind_reserved_port($1_dbusd_t)
--
-- dev_read_urand($1_dbusd_t)
+- dev_read_urand($1_dbusd_t)
+-
- domain_use_interactive_fds($1_dbusd_t)
- domain_read_all_domains_state($1_dbusd_t)
-
@@ -16124,7 +16125,7 @@ index fb4bf82..90299b3 100644
')
########################################
-@@ -423,27 +387,16 @@ interface(`dbus_system_bus_unconfined',`
+@@ -423,27 +387,19 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
@@ -16140,21 +16141,22 @@ index fb4bf82..90299b3 100644
- role system_r types $1;
-
domtrans_pattern(system_dbusd_t, $2, $1)
--
+
- dbus_system_bus_client($1)
- dbus_connect_system_bus($1)
-
- ps_process_pattern(system_dbusd_t, $1)
-
- userdom_read_all_users_state($1)
--
++ ps_process_pattern($1, system_dbusd_t)
+
- ifdef(`hide_broken_symptoms', `
- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
- ')
')
########################################
-@@ -466,26 +419,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -466,26 +422,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
## <summary>
@@ -16187,7 +16189,7 @@ index fb4bf82..90299b3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -493,10 +445,72 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -493,10 +448,72 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -18898,7 +18900,7 @@ index 9bd812b..53f895e 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index fdaeeba..a29af29 100644
+index fdaeeba..2c0f597 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -18911,7 +18913,7 @@ index fdaeeba..a29af29 100644
########################################
#
# Local policy
-@@ -48,13 +51,15 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -48,13 +51,18 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
@@ -18924,12 +18926,15 @@ index fdaeeba..a29af29 100644
kernel_read_system_state(dnsmasq_t)
+kernel_read_network_state(dnsmasq_t)
+kernel_request_load_module(dnsmasq_t)
++
++corecmd_exec_bin(dnsmasq_t)
++corecmd_exec_shell(dnsmasq_t)
-corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
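Review bot: `corecmd_exec_bin(dnsmasq_t)` and `corecmd_exec_shell(dnsmasq_t)` let a network-facing daemon run any bin_t program and a shell in its own domain, and the hunk gives no hint which feature requires it (presumably a dnsmasq hook script such as --dhcp-script — confirm). A comment naming the use case belongs above the two calls, e.g. `# dnsmasq executes its dhcp-script hook without a domain transition`; if only one specific script is involved, a dedicated exec type with a transition would be narrower than exec of all bin_t. The surrounding block continues outside the hunk.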
-@@ -76,7 +81,6 @@ dev_read_urand(dnsmasq_t)
+@@ -76,7 +84,6 @@ dev_read_urand(dnsmasq_t)
domain_use_interactive_fds(dnsmasq_t)
@@ -18937,7 +18942,7 @@ index fdaeeba..a29af29 100644
files_read_etc_runtime_files(dnsmasq_t)
fs_getattr_all_fs(dnsmasq_t)
-@@ -86,8 +90,6 @@ auth_use_nsswitch(dnsmasq_t)
+@@ -86,8 +93,6 @@ auth_use_nsswitch(dnsmasq_t)
logging_send_syslog_msg(dnsmasq_t)
@@ -18946,7 +18951,7 @@ index fdaeeba..a29af29 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,7 +98,21 @@ optional_policy(`
+@@ -96,7 +101,21 @@ optional_policy(`
')
optional_policy(`
@@ -18960,7 +18965,7 @@ index fdaeeba..a29af29 100644
+
+optional_policy(`
+ networkmanager_read_conf(dnsmasq_t)
-+ networkmanager_read_pid_files(dnsmasq_t)
++ networkmanager_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
@@ -18968,7 +18973,7 @@ index fdaeeba..a29af29 100644
')
optional_policy(`
-@@ -113,5 +129,7 @@ optional_policy(`
+@@ -113,5 +132,7 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -23638,10 +23643,10 @@ index 0000000..e15bbb0
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..0497583
+index 0000000..b0039ff
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,104 @@
+policy_module(glusterd, 1.0.0)
+
+########################################
@@ -23739,6 +23744,8 @@ index 0000000..0497583
+
+auth_use_nsswitch(glusterd_t)
+
++fs_getattr_all_fs(glusterd_t)
++
+logging_send_syslog_msg(glusterd_t)
+
+sysnet_read_config(glusterd_t)
@@ -39036,7 +39043,7 @@ index 386543b..8fe1d63 100644
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 2324d9e..163b870 100644
+index 2324d9e..b9c69d2 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -39137,7 +39144,7 @@ index 2324d9e..163b870 100644
########################################
## <summary>
## Read NetworkManager PID files.
-@@ -189,5 +253,112 @@ interface(`networkmanager_read_pid_files',`
+@@ -189,5 +253,131 @@ interface(`networkmanager_read_pid_files',`
')
files_search_pids($1)
@@ -39147,6 +39154,25 @@ index 2324d9e..163b870 100644
+
+########################################
+## <summary>
++## Read NetworkManager PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_manage_pid_files',`
++ gen_require(`
++ type NetworkManager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
++')
++
++########################################
++## <summary>
+## Execute NetworkManager in the NetworkManager domain, and
+## allow the specified role the NetworkManager domain.
+## </summary>
@@ -68640,10 +68666,10 @@ index 0000000..601aea3
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
-index 0000000..2c9eaeb
+index 0000000..5fc93a3
--- /dev/null
+++ b/thumb.if
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,128 @@
+
+## <summary>policy for thumb</summary>
+
@@ -68726,8 +68752,7 @@ index 0000000..2c9eaeb
+ allow $2 thumb_t:process signal;
+ allow thumb_t $2:unix_stream_socket connectto;
+
-+ allow $2 thumb_t:dbus send_msg;
-+ allow thumb_t $2:dbus send_msg;
++ thumb_dbus_chat($2)
+ thumb_filetrans_home_content($2)
+')
+
@@ -72206,7 +72231,7 @@ index 6f0736b..882e76b 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..450e551 100644
+index 947bbc6..36ba28d 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,97 @@ policy_module(virt, 1.5.0)
@@ -72445,7 +72470,7 @@ index 947bbc6..450e551 100644
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
-@@ -131,67 +216,73 @@ corenet_udp_bind_all_ports(svirt_t)
+@@ -131,67 +216,74 @@ corenet_udp_bind_all_ports(svirt_t)
corenet_tcp_bind_all_ports(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
@@ -72545,6 +72570,7 @@ index 947bbc6..450e551 100644
allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virt_domain virtd_t:fd use;
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
++allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
+
+can_exec(virtd_t, qemu_exec_t)
+can_exec(virt_domain, qemu_exec_t)
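Review bot: The added `allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };` grants virtd_t create, bind, listen and accept on sockets labelled with every virt_domain type, while the neighbouring rules give it only connect-style access to guest domains. Unless virtd_t really creates sockets carrying a guest type, `connectto` plus `rw_stream_socket_perms` is the conventional minimum; if the wider set was taken verbatim from an audit2allow run it is worth re-checking against the denial. The later `allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;` in the virtd_lxc_t hunk has the same shape.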
@@ -72558,7 +72584,7 @@ index 947bbc6..450e551 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +293,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +294,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -72594,7 +72620,7 @@ index 947bbc6..450e551 100644
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +326,23 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +327,23 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -72619,7 +72645,7 @@ index 947bbc6..450e551 100644
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +355,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +356,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -72653,7 +72679,7 @@ index 947bbc6..450e551 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +387,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +388,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -72672,7 +72698,7 @@ index 947bbc6..450e551 100644
mcs_process_set_categories(virtd_t)
-@@ -284,7 +413,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +414,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -72682,7 +72708,7 @@ index 947bbc6..450e551 100644
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +423,36 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +424,36 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -72719,7 +72745,7 @@ index 947bbc6..450e551 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +471,10 @@ optional_policy(`
+@@ -322,6 +472,10 @@ optional_policy(`
')
optional_policy(`
@@ -72730,7 +72756,7 @@ index 947bbc6..450e551 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,19 +488,34 @@ optional_policy(`
+@@ -335,19 +489,34 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -72766,7 +72792,7 @@ index 947bbc6..450e551 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -362,6 +530,12 @@ optional_policy(`
+@@ -362,6 +531,12 @@ optional_policy(`
')
optional_policy(`
@@ -72779,7 +72805,7 @@ index 947bbc6..450e551 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +543,11 @@ optional_policy(`
+@@ -369,11 +544,11 @@ optional_policy(`
')
optional_policy(`
@@ -72796,7 +72822,7 @@ index 947bbc6..450e551 100644
')
optional_policy(`
-@@ -384,6 +558,7 @@ optional_policy(`
+@@ -384,6 +559,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -72804,7 +72830,7 @@ index 947bbc6..450e551 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -402,35 +577,86 @@ optional_policy(`
+@@ -402,35 +578,86 @@ optional_policy(`
#
# virtual domains common policy
#
@@ -72900,7 +72926,7 @@ index 947bbc6..450e551 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +664,631 @@ dev_write_sound(virt_domain)
+@@ -438,34 +665,642 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -72922,14 +72948,14 @@ index 947bbc6..450e551 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
+
+sysnet_read_config(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -73004,7 +73030,7 @@ index 947bbc6..450e551 100644
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(virt_domain)
+ ')
-+')
+ ')
+
+tunable_policy(`virt_use_rawip',`
+ allow virt_domain self:rawip_socket create_socket_perms;
@@ -73171,14 +73197,19 @@ index 947bbc6..450e551 100644
+#
+# virt_lxc local policy
+#
-+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
++allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
++allow virtd_lxc_t self:process { transition setpgid signal_perms };
+allow virtd_lxc_t self:capability2 compromise_kernel;
+
+allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
+allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
-+allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
++allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow virtd_lxc_t self:packet_socket create_socket_perms;
++ps_process_pattern(virtd_lxc_t, svirt_lxc_domain)
++allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;
++
++files_entrypoint_all_files(virtd_lxc_t)
+
+allow virtd_lxc_t virt_image_type:dir mounton;
+manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
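Review bot: The new `allow virtd_lxc_t self:process { transition setpgid signal_perms };` sits three lines above the existing `allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };`, so `signal_perms` is now granted twice; fold the new permissions into the existing rule as `allow virtd_lxc_t self:process { transition setexec setrlimit setsched setpgid getcap setcap signal_perms };`. `files_entrypoint_all_files(virtd_lxc_t)` together with `transition` lets the controller use any file type as a domain entrypoint, and the capability line now adds setuid and setgid; on systems without the unconfined module these explicit rules are the whole grant, so a comment recording which virt-sandbox operation needed them would help the next reviewer. The virtd_lxc_t local policy continues past the end of this hunk.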
@@ -73269,6 +73300,12 @@ index 947bbc6..450e551 100644
+
+sysnet_exec_ifconfig(virtd_lxc_t)
+
++userdom_read_admin_home_files(virtd_lxc_t)
++
++optional_policy(`
++ gnome_read_generic_cache_files(virtd_lxc_t)
++')
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -73359,7 +73396,7 @@ index 947bbc6..450e551 100644
+
+optional_policy(`
+ udev_read_pid_files(svirt_lxc_domain)
- ')
++')
+
+optional_policy(`
+ apache_exec_modules(svirt_lxc_domain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0ef65b7..11590e0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 80%{?dist}
+Release: 81%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Feb 22 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-81
+- Fix systemd_dbus_chat_timedated interface
+- Allow userdomains to dbus chat with systemd-hostnamed
+- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
+- Fix dbus_system_domain() interface
+- Fix thumb_role() interface
+- Allow cgred to list inotifyfs filesystem
+- New access required for virt-sandbox
+- Allow gluster to get attrs on all fs
+- Allow dnsmasq to create content in /var/run/NetworkManager
+
* Tue Feb 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-80
- Update virt_qemu_ga_t policy
- Allow authconfig running from realmd to restart oddjob service