[selinux-policy] - Dontaudit to getattr on dirs for dovecot-deliver - Allow raiudusd server connect to postgresql soc

Miroslav Grepl mgrepl at fedoraproject.org
Wed May 22 12:29:36 UTC 2013


commit d4d3448653a5cdb91badead3934d4f79bc9a8d42
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed May 22 14:29:22 2013 +0200

    - Dontaudit to getattr on dirs for dovecot-deliver
    - Allow radiusd server connect to postgresql socket
    - Add kerberos support for radiusd
    - Allow saslauthd to connect to ldap port
    - Allow postfix to manage postfix_private_t files
    - Add chronyd support for #965457
    - Fix labeling for HOME_DIR/\.icedtea
    - Change squid and snmpd to be allowed also write own logs
    - Fix labeling for /usr/libexec/qemu-ga
    - Allow virtd_t to use virt_lock_t
    - Allow also sealert to read the policy from the kernel
    - qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use
    - Dontaudit listing of users homedir by sendmail Seems like a leak
    - Allow passenger to transition to puppet master
    - Allow apache to connect to mythtv
    - Add definition for mythtv ports

 policy-rawhide-base.patch    |   62 ++++-
 policy-rawhide-contrib.patch |  599 ++++++++++++++++++++++++------------------
 selinux-policy.spec          |   20 ++-
 3 files changed, 413 insertions(+), 268 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2c5b246..7e6a578 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5083,7 +5083,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..2b87328 100644
+index 4edc40d..999b8f1 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5276,7 +5276,11 @@ index 4edc40d..2b87328 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -188,21 +221,28 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -185,24 +218,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+ network_port(mxi, tcp,8005,s0, udp,8005,s0)
+ network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
+ network_port(mysqlmanagerd, tcp,2273,s0)
++network_port(mythtv, tcp,6543-6544,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -5308,7 +5312,7 @@ index 4edc40d..2b87328 100644
  network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,38 +254,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +255,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5357,7 +5361,7 @@ index 4edc40d..2b87328 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +301,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +302,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5368,7 +5372,7 @@ index 4edc40d..2b87328 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
-@@ -268,10 +313,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +314,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5381,7 +5385,7 @@ index 4edc40d..2b87328 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +337,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +338,16 @@ network_port(zope, tcp,8021,s0)
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
  # these entries just cover any remaining reserved ports not otherwise declared.
  
@@ -5400,7 +5404,7 @@ index 4edc40d..2b87328 100644
  
  ########################################
  #
-@@ -330,6 +379,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +380,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5409,7 +5413,7 @@ index 4edc40d..2b87328 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +393,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +394,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -8714,7 +8718,7 @@ index c2c6e05..be423a7 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..9389e60 100644
+index 64ff4d7..92d80ef 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -11193,7 +11197,7 @@ index 64ff4d7..9389e60 100644
  ## </param>
  ## <param name="class">
  ##	<summary>
-@@ -6562,3 +7781,459 @@ interface(`files_unconfined',`
+@@ -6562,3 +7781,467 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -11516,7 +11520,9 @@ index 64ff4d7..9389e60 100644
 +	gen_require(`
 +		type mnt_t;
 +		type usr_t;
++		type tmp_t;
 +		type var_t;
++		type var_run_t;
 +		type tmp_t;
 +	')
 +
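Review bot: `type tmp_t;` is now listed twice in this gen_require block — the line added at the top of the hunk duplicates the existing `type tmp_t;` two lines below it. A duplicate require entry is harmless as far as I know, but it reads as a merge leftover and makes the block harder to scan; drop the added `type tmp_t;` and keep the original. The enclosing interface starts and ends outside the hunk.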
@@ -11527,7 +11533,12 @@ index 64ff4d7..9389e60 100644
 +	files_root_filetrans($1, mnt_t, dir, "misc")
 +	files_root_filetrans($1, mnt_t, dir, "net")
 +	files_root_filetrans($1, usr_t, dir, "export")
++	files_root_filetrans($1, usr_t, dir, "opt")
 +	files_root_filetrans($1, usr_t, dir, "emul")
++	files_root_filetrans($1, var_t, dir, "srv")
++	files_root_filetrans($1, var_run_t, dir, "run")
++	files_root_filetrans($1, tmp_t, dir, "sandbox")
++	files_root_filetrans($1, tmp_t, dir, "tmp")
 +	files_root_filetrans($1, var_t, dir, "nsr")
 +	files_etc_filetrans_etc_runtime($1, file, "runtime")
 +	files_etc_filetrans_etc_runtime($1, dir, "blkid")
@@ -11541,6 +11552,7 @@ index 64ff4d7..9389e60 100644
 +	files_etc_filetrans_etc_runtime($1, file, "hwconf")
 +	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
 +	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
++	files_var_filetrans($1, tmp_t, dir, "tmp")
 +')
 +
 +########################################
@@ -18853,7 +18865,7 @@ index 76d9f66..3063a17 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..2e18809 100644
+index fe0c682..871b8fd 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -19373,16 +19385,35 @@ index fe0c682..2e18809 100644
  ##	Read ssh server keys
  ## </summary>
  ## <param name="domain">
-@@ -714,7 +814,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +814,26 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
 -	dontaudit $1 sshd_key_t:file { getattr read };
 +	dontaudit $1 sshd_key_t:file read_file_perms;
++')
++
++######################################
++## <summary>
++##	Append ssh home directory content
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ssh_append_home_files',`
++	gen_require(`
++		type ssh_home_t;
++	')
++
++	append_files_pattern($1, ssh_home_t, ssh_home_t)
++	userdom_search_user_home_dirs($1)
  ')
  
  ######################################
-@@ -754,3 +854,124 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +873,124 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -31362,7 +31393,7 @@ index 4584457..e432df3 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..117a29a 100644
+index 6a50270..ca097a7 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -31671,7 +31702,7 @@ index 6a50270..117a29a 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +300,128 @@ optional_policy(`
+@@ -194,24 +300,129 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31726,6 +31757,7 @@ index 6a50270..117a29a 100644
 -#
 +optional_policy(`
 +	ssh_exec(mount_t)
++	ssh_append_home_files(mount_t)
 +')
 +
 +optional_policy(`
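Review bot: `ssh_append_home_files(mount_t)` lets the mount domain append to every ssh_home_t file under user home directories, and the hunk gives no reason for the grant. Since the interface is introduced in this same commit apparently just for mount_t, a one-line why-comment above the call would keep the broadening reviewable, e.g. `# <mount helper> appends to ~/.ssh content (bug <bz-id>) — confirm` with the real helper and ticket filled in. If only a single file is involved, a narrower interface would be preferable, but that cannot be told from the hunk. The optional_policy block continues outside the hunk.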
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d4b02fd..1038f5b 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -516,7 +516,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..7722b79 100644
+index cc43d25..a19d427 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -585,7 +585,7 @@ index cc43d25..7722b79 100644
  type abrt_var_cache_t;
  files_type(abrt_var_cache_t)
 +files_tmp_file(abrt_var_cache_t)
-+userdom_user_tmp_file(abrt_var_cache_t)
++userdom_user_tmp_content(abrt_var_cache_t)
  
 +# pid files
  type abrt_var_run_t;
@@ -4453,10 +4453,10 @@ index 83e899c..c5be77c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..cb872c5 100644
+index 1a82e29..6893a8e 100644
 --- a/apache.te
 +++ b/apache.te
-@@ -1,297 +1,360 @@
+@@ -1,297 +1,367 @@
 -policy_module(apache, 2.6.10)
 +policy_module(apache, 2.4.0)
 +
@@ -4634,18 +4634,12 @@ index 1a82e29..cb872c5 100644
 -##	<p>
 -##	Determine whether httpd can send mail.
 -##	</p>
-+## <p>
-+## Allow http daemon to check spam
-+## </p>
-+## </desc>
-+gen_tunable(httpd_can_check_spam, false)
-+
-+## <desc>
-+## <p>
-+## Allow http daemon to send mail
-+## </p>
++##  <p>
++##  Allow http daemon to connect to mythtv
++##  </p>
  ## </desc>
- gen_tunable(httpd_can_sendmail, false)
+-gen_tunable(httpd_can_sendmail, false)
++gen_tunable(httpd_can_connect_mythtv, false)
  
  ## <desc>
 -##	<p>
@@ -4653,20 +4647,22 @@ index 1a82e29..cb872c5 100644
 -##	with avahi service via dbus.
 -##	</p>
 +## <p>
-+## Allow Apache to communicate with avahi service via dbus
++## Allow http daemon to check spam
 +## </p>
  ## </desc>
- gen_tunable(httpd_dbus_avahi, false)
+-gen_tunable(httpd_dbus_avahi, false)
++gen_tunable(httpd_can_check_spam, false)
  
  ## <desc>
 -##	<p>
 -##	Determine wether httpd can use support.
 -##	</p>
 +## <p>
-+## Allow httpd cgi support
++## Allow http daemon to send mail
 +## </p>
  ## </desc>
- gen_tunable(httpd_enable_cgi, false)
+-gen_tunable(httpd_enable_cgi, false)
++gen_tunable(httpd_can_sendmail, false)
  
  ## <desc>
 -##	<p>
@@ -4674,11 +4670,11 @@ index 1a82e29..cb872c5 100644
 -##	FTP server by listening on the ftp port.
 -##	</p>
 +## <p>
-+## Allow httpd to act as a FTP server by
-+## listening on the ftp port.
++## Allow Apache to communicate with avahi service via dbus
 +## </p>
  ## </desc>
- gen_tunable(httpd_enable_ftp_server, false)
+-gen_tunable(httpd_enable_ftp_server, false)
++gen_tunable(httpd_dbus_avahi, false)
  
  ## <desc>
 -##	<p>
@@ -4686,12 +4682,11 @@ index 1a82e29..cb872c5 100644
 -##	user home directories.
 -##	</p>
 +## <p>
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
++## Allow httpd cgi support
 +## </p>
  ## </desc>
 -gen_tunable(httpd_enable_homedirs, false)
-+gen_tunable(httpd_can_connect_ftp, false)
++gen_tunable(httpd_enable_cgi, false)
  
  ## <desc>
 -##	<p>
@@ -4700,12 +4695,13 @@ index 1a82e29..cb872c5 100644
 -##	transfer services. Directories/Files must
 -##	be labeled public_content_rw_t.
 -##	</p>
-+##  <p>
-+##  Allow httpd to connect to the ldap port 
-+##  </p>
++## <p>
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++## </p>
  ## </desc>
 -gen_tunable(httpd_gpg_anon_write, false)
-+gen_tunable(httpd_can_connect_ldap, false)
++gen_tunable(httpd_enable_ftp_server, false)
  
  ## <desc>
 -##	<p>
@@ -4713,23 +4709,24 @@ index 1a82e29..cb872c5 100644
 -##	its temporary content.
 -##	</p>
 +## <p>
-+## Allow httpd to read home directories
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
 +## </p>
  ## </desc>
 -gen_tunable(httpd_tmp_exec, false)
-+gen_tunable(httpd_enable_homedirs, false)
++gen_tunable(httpd_can_connect_ftp, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd scripts and
 -##	modules can use execmem and execstack.
 -##	</p>
-+## <p>
-+## Allow httpd to read user content 
-+## </p>
++##  <p>
++##  Allow httpd to connect to the ldap port 
++##  </p>
  ## </desc>
 -gen_tunable(httpd_execmem, false)
-+gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_can_connect_ldap, false)
  
  ## <desc>
 -##	<p>
@@ -4737,11 +4734,11 @@ index 1a82e29..cb872c5 100644
 -##	to port 80 for graceful shutdown.
 -##	</p>
 +## <p>
-+## Allow Apache to run in stickshift mode, not transition to passenger
++## Allow httpd to read home directories
 +## </p>
  ## </desc>
 -gen_tunable(httpd_graceful_shutdown, false)
-+gen_tunable(httpd_run_stickshift, false)
++gen_tunable(httpd_enable_homedirs, false)
  
  ## <desc>
 -##	<p>
@@ -4749,22 +4746,22 @@ index 1a82e29..cb872c5 100644
 -##	manage IPA content files.
 -##	</p>
 +## <p>
-+## Allow Apache to query NS records
++## Allow httpd to read user content 
 +## </p>
  ## </desc>
 -gen_tunable(httpd_manage_ipa, false)
-+gen_tunable(httpd_verify_dns, false)
++gen_tunable(httpd_read_user_content, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can use mod_auth_ntlm_winbind.
 -##	</p>
 +## <p>
-+## Allow httpd daemon to change its resource limits
++## Allow Apache to run in stickshift mode, not transition to passenger
 +## </p>
  ## </desc>
 -gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+gen_tunable(httpd_setrlimit, false)
++gen_tunable(httpd_run_stickshift, false)
  
  ## <desc>
 -##	<p>
@@ -4772,11 +4769,11 @@ index 1a82e29..cb872c5 100644
 -##	generic user home content files.
 -##	</p>
 +## <p>
-+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
++## Allow Apache to query NS records
 +## </p>
  ## </desc>
 -gen_tunable(httpd_read_user_content, false)
-+gen_tunable(httpd_ssi_exec, false)
++gen_tunable(httpd_verify_dns, false)
  
  ## <desc>
 -##	<p>
@@ -4784,11 +4781,10 @@ index 1a82e29..cb872c5 100644
 -##	its resource limits.
 -##	</p>
 +## <p>
-+## Allow Apache to execute tmp content.
++## Allow httpd daemon to change its resource limits
 +## </p>
  ## </desc>
--gen_tunable(httpd_setrlimit, false)
-+gen_tunable(httpd_tmp_exec, false)
+ gen_tunable(httpd_setrlimit, false)
  
  ## <desc>
 -##	<p>
@@ -4797,13 +4793,10 @@ index 1a82e29..cb872c5 100644
 -##	as system CGI scripts.
 -##	</p>
 +## <p>
-+## Unify HTTPD to communicate with the terminal.
-+## Needed for entering the passphrase for certificates at
-+## the terminal.
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
 +## </p>
  ## </desc>
--gen_tunable(httpd_ssi_exec, false)
-+gen_tunable(httpd_tty_comm, false)
+ gen_tunable(httpd_ssi_exec, false)
  
  ## <desc>
 -##	<p>
@@ -4812,11 +4805,19 @@ index 1a82e29..cb872c5 100644
 -##	passphrase for certificates at the terminal.
 -##	</p>
 +## <p>
-+## Unify HTTPD handling of all content files.
++## Allow Apache to execute tmp content.
++## </p>
++## </desc>
++gen_tunable(httpd_tmp_exec, false)
++
++## <desc>
++## <p>
++## Unify HTTPD to communicate with the terminal.
++## Needed for entering the passphrase for certificates at
++## the terminal.
 +## </p>
  ## </desc>
--gen_tunable(httpd_tty_comm, false)
-+gen_tunable(httpd_unified, false)
+ gen_tunable(httpd_tty_comm, false)
  
  ## <desc>
 -##	<p>
@@ -4824,11 +4825,10 @@ index 1a82e29..cb872c5 100644
 -##	to its content types.
 -##	</p>
 +## <p>
-+## Allow httpd to access openstack ports
++## Unify HTTPD handling of all content files.
 +## </p>
  ## </desc>
--gen_tunable(httpd_unified, false)
-+gen_tunable(httpd_use_openstack, false)
+ gen_tunable(httpd_unified, false)
  
  ## <desc>
 -##	<p>
@@ -4836,6 +4836,13 @@ index 1a82e29..cb872c5 100644
 -##	cifs file systems.
 -##	</p>
 +## <p>
++## Allow httpd to access openstack ports
++## </p>
++## </desc>
++gen_tunable(httpd_use_openstack, false)
++
++## <desc>
++## <p>
 +## Allow httpd to access cifs file systems
 +## </p>
  ## </desc>
@@ -4966,7 +4973,7 @@ index 1a82e29..cb872c5 100644
  type httpd_rotatelogs_t;
  type httpd_rotatelogs_exec_t;
  init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -299,10 +362,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
  type httpd_squirrelmail_t;
  files_type(httpd_squirrelmail_t)
  
@@ -4979,7 +4986,7 @@ index 1a82e29..cb872c5 100644
  type httpd_suexec_exec_t;
  domain_type(httpd_suexec_t)
  domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -311,9 +372,19 @@ role system_r types httpd_suexec_t;
+@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t;
  type httpd_suexec_tmp_t;
  files_tmp_file(httpd_suexec_tmp_t)
  
@@ -5001,7 +5008,7 @@ index 1a82e29..cb872c5 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -323,12 +394,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -5021,7 +5028,7 @@ index 1a82e29..cb872c5 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -343,33 +421,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
  typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
  typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
  
@@ -5072,7 +5079,7 @@ index 1a82e29..cb872c5 100644
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
  allow httpd_t self:sock_file read_sock_file_perms;
-@@ -378,28 +463,36 @@ allow httpd_t self:shm create_shm_perms;
+@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms;
  allow httpd_t self:sem create_sem_perms;
  allow httpd_t self:msgq create_msgq_perms;
  allow httpd_t self:msg { send receive };
@@ -5114,7 +5121,7 @@ index 1a82e29..cb872c5 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,6 +500,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -5123,7 +5130,7 @@ index 1a82e29..cb872c5 100644
  allow httpd_t httpd_rotatelogs_t:process signal_perms;
  
  manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -415,6 +510,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
  
  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
  
@@ -5134,7 +5141,7 @@ index 1a82e29..cb872c5 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +544,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5362,7 +5369,7 @@ index 1a82e29..cb872c5 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +710,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +717,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5396,6 +5403,10 @@ index 1a82e29..cb872c5 100644
 +	corenet_tcp_connect_ldap_port(httpd_t)
 +')
 +
++tunable_policy(`httpd_can_connect_mythtv',`
++	corenet_tcp_connect_mythtv_port(httpd_t)
++')
++
 +tunable_policy(`httpd_can_connect_zabbix',`
 +	corenet_tcp_connect_zabbix_port(httpd_t)
  ')
@@ -5418,7 +5429,7 @@ index 1a82e29..cb872c5 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +758,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +769,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5503,7 +5514,7 @@ index 1a82e29..cb872c5 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +799,38 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +810,38 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5524,10 +5535,8 @@ index 1a82e29..cb872c5 100644
 -	userdom_use_user_terminals(httpd_t)
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_t)
-+	userdom_use_inherited_user_terminals(httpd_t)
-+	userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
- 
+-')
+-
 -tunable_policy(`httpd_use_cifs',`
 -	fs_list_auto_mountpoints(httpd_t)
 -	fs_manage_cifs_dirs(httpd_t)
@@ -5544,8 +5553,10 @@ index 1a82e29..cb872c5 100644
 -	fs_manage_fusefs_dirs(httpd_t)
 -	fs_manage_fusefs_files(httpd_t)
 -	fs_read_fusefs_symlinks(httpd_t)
--')
--
++	userdom_use_inherited_user_terminals(httpd_t)
++	userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+ 
 -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 -	fs_exec_fusefs_files(httpd_t)
 -')
@@ -5577,7 +5588,7 @@ index 1a82e29..cb872c5 100644
  ')
  
  optional_policy(`
-@@ -743,14 +841,6 @@ optional_policy(`
+@@ -743,14 +852,6 @@ optional_policy(`
  	ccs_read_config(httpd_t)
  ')
  
@@ -5592,7 +5603,7 @@ index 1a82e29..cb872c5 100644
  
  optional_policy(`
  	cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +855,23 @@ optional_policy(`
+@@ -765,6 +866,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5616,7 +5627,7 @@ index 1a82e29..cb872c5 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +888,42 @@ optional_policy(`
+@@ -781,34 +899,42 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5670,7 +5681,7 @@ index 1a82e29..cb872c5 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +931,18 @@ optional_policy(`
+@@ -816,8 +942,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5689,7 +5700,7 @@ index 1a82e29..cb872c5 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +951,7 @@ optional_policy(`
+@@ -826,6 +962,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -5697,7 +5708,7 @@ index 1a82e29..cb872c5 100644
  ')
  
  optional_policy(`
-@@ -836,20 +962,38 @@ optional_policy(`
+@@ -836,20 +973,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5730,19 +5741,19 @@ index 1a82e29..cb872c5 100644
 -	')
 +optional_policy(`
 +	puppet_read_lib(httpd_t)
-+')
-+
-+optional_policy(`
-+	pwauth_domtrans(httpd_t)
  ')
  
  optional_policy(`
 -	puppet_read_lib_files(httpd_t)
++	pwauth_domtrans(httpd_t)
++')
++
++optional_policy(`
 +	rpm_dontaudit_read_db(httpd_t)
  ')
  
  optional_policy(`
-@@ -857,6 +1001,16 @@ optional_policy(`
+@@ -857,6 +1012,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5759,7 +5770,7 @@ index 1a82e29..cb872c5 100644
  	seutil_sigchld_newrole(httpd_t)
  ')
  
-@@ -865,6 +1019,7 @@ optional_policy(`
+@@ -865,6 +1030,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5767,7 +5778,7 @@ index 1a82e29..cb872c5 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -877,65 +1032,166 @@ optional_policy(`
+@@ -877,65 +1043,166 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -5833,10 +5844,11 @@ index 1a82e29..cb872c5 100644
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_helper_t)
 +	userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+ 
+ ########################################
+ #
+-# Suexec local policy
 +# Apache PHP script local policy
 +#
 +
@@ -5895,11 +5907,10 @@ index 1a82e29..cb872c5 100644
 +	tunable_policy(`httpd_can_network_connect_db',`
 +		postgresql_tcp_connect(httpd_php_t)
 +	')
- ')
- 
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
 +# Apache suexec local policy
  #
  
@@ -5956,7 +5967,7 @@ index 1a82e29..cb872c5 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1200,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1211,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6111,7 +6122,7 @@ index 1a82e29..cb872c5 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1284,104 @@ optional_policy(`
+@@ -1077,172 +1295,104 @@ optional_policy(`
  	')
  ')
  
@@ -6131,13 +6142,13 @@ index 1a82e29..cb872c5 100644
  
 -allow httpd_script_domains self:fifo_file rw_file_perms;
 -allow httpd_script_domains self:unix_stream_socket connectto;
-+allow httpd_sys_script_t self:process getsched;
- 
+-
 -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
 -
 -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
++allow httpd_sys_script_t self:process getsched;
+ 
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
 -
@@ -6296,7 +6307,8 @@ index 1a82e29..cb872c5 100644
 -files_read_var_symlinks(httpd_sys_script_t)
 -files_search_var_lib(httpd_sys_script_t)
 -files_search_spool(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -apache_domtrans_rotatelogs(httpd_sys_script_t)
 -
 -auth_use_nsswitch(httpd_sys_script_t)
@@ -6308,8 +6320,7 @@ index 1a82e29..cb872c5 100644
 -	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_pop_port(httpd_sys_script_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -	mta_send_mail(httpd_sys_script_t)
 -	mta_signal_system_mail(httpd_sys_script_t)
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6347,7 +6358,7 @@ index 1a82e29..cb872c5 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1389,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1400,70 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6441,7 +6452,7 @@ index 1a82e29..cb872c5 100644
  
  ########################################
  #
-@@ -1315,8 +1460,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1471,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6458,7 +6469,7 @@ index 1a82e29..cb872c5 100644
  ')
  
  ########################################
-@@ -1324,49 +1476,36 @@ optional_policy(`
+@@ -1324,49 +1487,36 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6522,7 +6533,7 @@ index 1a82e29..cb872c5 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1515,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1526,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -10766,7 +10777,7 @@ index 32e8265..0de4af3 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..bd3362e 100644
+index 914ee2d..6567c77 100644
 --- a/chronyd.te
 +++ b/chronyd.te
 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -10779,16 +10790,34 @@ index 914ee2d..bd3362e 100644
  type chronyd_var_lib_t;
  files_type(chronyd_var_lib_t)
  
-@@ -35,6 +38,8 @@ files_pid_file(chronyd_var_run_t)
- allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+@@ -32,11 +35,16 @@ files_pid_file(chronyd_var_run_t)
+ # Local policy
+ #
+ 
+-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_resource sys_time };
  allow chronyd_t self:process { getcap setcap setrlimit signal };
  allow chronyd_t self:shm create_shm_perms;
 +allow chronyd_t self:udp_socket create_socket_perms;
 +allow chronyd_t self:unix_dgram_socket create_socket_perms;
  allow chronyd_t self:fifo_file rw_fifo_file_perms;
  
++
++allow chronyd_t chronyd_keys_t:file append_file_perms;
++allow chronyd_t chronyd_keys_t:file setattr_file_perms;
  allow chronyd_t chronyd_keys_t:file read_file_perms;
-@@ -82,12 +87,8 @@ auth_use_nsswitch(chronyd_t)
+ 
+ manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+@@ -76,18 +84,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+ corenet_udp_bind_chronyd_port(chronyd_t)
+ corenet_udp_sendrecv_chronyd_port(chronyd_t)
+ 
++dev_read_rand(chronyd_t)
++dev_read_urand(chronyd_t)
++
+ dev_rw_realtime_clock(chronyd_t)
+ 
+ auth_use_nsswitch(chronyd_t)
  
  logging_send_syslog_msg(chronyd_t)
  
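Review bot: The added `append_file_perms` and `setattr_file_perms` on `chronyd_keys_t`, together with the new `fsetid` capability, turn the key file from read-only into daemon-writable material, and the hunk records no reason for it. A why-comment above the two allow rules naming the chronyd feature that writes the file (the commit message only cites #965457) would keep that trade-off visible, e.g. `# chronyd writes its own key file (#965457) — TODO confirm which feature needs append/setattr`. The empty `+` line inserted before the two rules also leaves two consecutive blank lines; drop it so the block matches the spacing used elsewhere in the file.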
@@ -21086,7 +21115,7 @@ index dbcac59..66d42bb 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..5690e77 100644
+index a7bfaf0..457c894 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -1,4 +1,4 @@
@@ -21430,7 +21459,7 @@ index a7bfaf0..5690e77 100644
  allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
  
  append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +303,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +303,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
  files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
  
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -21456,6 +21485,7 @@ index a7bfaf0..5690e77 100644
  
 -logging_search_logs(dovecot_deliver_t)
 +files_search_tmp(dovecot_deliver_t)
++files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
  
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(dovecot_deliver_t)
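Review bot: `files_dontaudit_getattr_all_dirs(dovecot_deliver_t)` silences getattr denials for every directory type in the policy, not just the paths dovecot-deliver is known to probe, and nothing in the hunk says which access triggered it. A short comment naming the trigger keeps the blanket suppression from later hiding an unrelated denial, e.g. `# deliver stat()s each path component on the way to the mailbox — confirm`. If the AVC shows only a few directory types, a dontaudit limited to those types would be the narrower fix.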
@@ -21489,7 +21519,7 @@ index a7bfaf0..5690e77 100644
  	mta_read_queue(dovecot_deliver_t)
  ')
  
-@@ -326,5 +346,6 @@ optional_policy(`
+@@ -326,5 +347,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24353,7 +24383,7 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..735cc94
+index 0000000..ab1fd22
 --- /dev/null
 +++ b/glusterd.te
 @@ -0,0 +1,146 @@
@@ -24407,7 +24437,7 @@ index 0000000..735cc94
 +files_pid_file(glusterd_var_run_t)
 +
 +type glusterd_var_lib_t;
-+files_type(glusterd_var_lib_t);
++files_type(glusterd_var_lib_t)
 +
 +########################################
 +#
@@ -36591,7 +36621,7 @@ index 4462c0e..84944d1 100644
  
  userdom_dontaudit_use_unpriv_user_fds(monopd_t)
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..640ff5e 100644
+index 6ffaba2..d341a52 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
 @@ -1,38 +1,64 @@
@@ -36629,7 +36659,7 @@ index 6ffaba2..640ff5e 100644
 +HOME_DIR/\.gcjwebplugin(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.grl-podcasts(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\..icedtea(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.icedtea(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.lyx(/.*)?                   gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.quakelive(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -39855,7 +39885,7 @@ index ed81cac..566684a 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index afd2fad..a270fd4 100644
+index afd2fad..363dd67 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -1,4 +1,4 @@
@@ -40053,7 +40083,7 @@ index afd2fad..a270fd4 100644
 +init_dontaudit_rw_stream_socket(system_mail_t)
 +
 +userdom_use_inherited_user_terminals(system_mail_t)
-+userdom_dontaudit_search_user_home_dirs(system_mail_t)
++userdom_dontaudit_list_user_home_dirs(system_mail_t)
 +userdom_dontaudit_list_admin_dir(system_mail_t)
 +
 +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
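Review bot: The replacement rule `userdom_dontaudit_list_user_home_dirs(system_mail_t)` is added for what the commit message calls a suspected leak, and nothing in the policy records that, so the dontaudit will outlive the leak once the caller is fixed. A one-line comment above it, `# silence home dir listing: suspected fd leak into system_mail_t, revisit when the caller is fixed`, keeps it reviewable. Dropping the search variant loses nothing if list_dir_perms includes search, as it does in the reference policy.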
@@ -50565,7 +50595,7 @@ index bf59ef7..c050b37 100644
 +	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
  ')
 diff --git a/passenger.te b/passenger.te
-index 4e114ff..fddaed2 100644
+index 4e114ff..c016f25 100644
 --- a/passenger.te
 +++ b/passenger.te
 @@ -1,4 +1,4 @@
@@ -50654,11 +50684,12 @@ index 4e114ff..fddaed2 100644
  userdom_dontaudit_use_user_terminals(passenger_t)
  
  optional_policy(`
-@@ -90,14 +91,15 @@ optional_policy(`
+@@ -90,14 +91,16 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	puppet_manage_lib_files(passenger_t)
++	puppet_domtrans_master(passenger_t)
 +	puppet_manage_lib(passenger_t)
  	puppet_read_config(passenger_t)
 -	puppet_append_log_files(passenger_t)
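Review bot: `puppet_domtrans_master(passenger_t)` is unconditional, so every passenger_t instance, including hosts that only serve ordinary Rack applications, may enter the puppet_master_t domain by executing the puppet master binary. Since only puppet-master-under-passenger deployments need the transition, wrapping that one call in a tunable_policy block keyed on a new boolean (name to be chosen) keeps it off elsewhere while the remaining puppet rules stay unconditional. The enclosing optional_policy block closes outside the hunk.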
@@ -55376,7 +55407,7 @@ index 2e23946..589bbf2 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..e9e96bd 100644
+index 191a66f..aa3e5f0 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,4 +1,4 @@
@@ -55465,7 +55496,7 @@ index 191a66f..e9e96bd 100644
  type postfix_data_t;
  files_type(postfix_data_t)
  
-@@ -102,160 +102,63 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -102,160 +102,64 @@ mta_mailserver_delivery(postfix_virtual_t)
  
  ########################################
  #
@@ -55591,6 +55622,7 @@ index 191a66f..e9e96bd 100644
 +
 +allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
 +
++manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 +manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 +manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 +
@@ -55650,7 +55682,7 @@ index 191a66f..e9e96bd 100644
  corenet_all_recvfrom_netlabel(postfix_master_t)
  corenet_tcp_sendrecv_generic_if(postfix_master_t)
  corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +166,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,50 +167,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
  corenet_udp_sendrecv_generic_node(postfix_master_t)
  corenet_tcp_sendrecv_all_ports(postfix_master_t)
  corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -55719,7 +55751,7 @@ index 191a66f..e9e96bd 100644
  optional_policy(`
  	cyrus_stream_connect(postfix_master_t)
  ')
-@@ -316,14 +213,11 @@ optional_policy(`
+@@ -316,14 +214,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55735,7 +55767,7 @@ index 191a66f..e9e96bd 100644
  	postgrey_search_spool(postfix_master_t)
  ')
  
-@@ -333,12 +227,14 @@ optional_policy(`
+@@ -333,12 +228,14 @@ optional_policy(`
  
  ########################################
  #
@@ -55752,7 +55784,7 @@ index 191a66f..e9e96bd 100644
  
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,35 +251,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,35 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
  
  ########################################
  #
@@ -55797,7 +55829,7 @@ index 191a66f..e9e96bd 100644
  
  mta_read_aliases(postfix_cleanup_t)
  
-@@ -393,36 +288,53 @@ optional_policy(`
+@@ -393,36 +289,53 @@ optional_policy(`
  
  ########################################
  #
@@ -55859,7 +55891,7 @@ index 191a66f..e9e96bd 100644
  ')
  
  optional_policy(`
-@@ -434,6 +346,7 @@ optional_policy(`
+@@ -434,6 +347,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55867,7 +55899,7 @@ index 191a66f..e9e96bd 100644
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
  	mailman_read_log(postfix_local_t)
-@@ -444,6 +357,10 @@ optional_policy(`
+@@ -444,6 +358,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55878,7 +55910,7 @@ index 191a66f..e9e96bd 100644
  	procmail_domtrans(postfix_local_t)
  ')
  
-@@ -458,15 +375,17 @@ optional_policy(`
+@@ -458,15 +376,17 @@ optional_policy(`
  
  ########################################
  #
@@ -55902,7 +55934,7 @@ index 191a66f..e9e96bd 100644
  
  manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
  manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +395,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +396,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -55922,7 +55954,7 @@ index 191a66f..e9e96bd 100644
  
  corecmd_list_bin(postfix_map_t)
  corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +412,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +413,6 @@ corecmd_read_bin_pipes(postfix_map_t)
  corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
@@ -55930,7 +55962,7 @@ index 191a66f..e9e96bd 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -500,21 +419,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +420,22 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -55956,7 +55988,7 @@ index 191a66f..e9e96bd 100644
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +444,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +445,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  
@@ -55976,7 +56008,7 @@ index 191a66f..e9e96bd 100644
  #
  
  allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +495,26 @@ optional_policy(`
+@@ -576,19 +496,26 @@ optional_policy(`
  
  ########################################
  #
@@ -56008,7 +56040,7 @@ index 191a66f..e9e96bd 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +529,7 @@ optional_policy(`
+@@ -603,10 +530,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -56020,7 +56052,7 @@ index 191a66f..e9e96bd 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -621,17 +544,24 @@ optional_policy(`
+@@ -621,17 +545,24 @@ optional_policy(`
  
  #######################################
  #
@@ -56048,7 +56080,7 @@ index 191a66f..e9e96bd 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +577,77 @@ optional_policy(`
+@@ -647,67 +578,77 @@ optional_policy(`
  
  ########################################
  #
@@ -56144,7 +56176,7 @@ index 191a66f..e9e96bd 100644
  ')
  
  optional_policy(`
-@@ -720,24 +660,27 @@ optional_policy(`
+@@ -720,24 +661,27 @@ optional_policy(`
  
  ########################################
  #
@@ -56178,7 +56210,7 @@ index 191a66f..e9e96bd 100644
  fs_getattr_all_dirs(postfix_smtpd_t)
  fs_getattr_all_fs(postfix_smtpd_t)
  
-@@ -754,6 +697,7 @@ optional_policy(`
+@@ -754,6 +698,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -56186,7 +56218,7 @@ index 191a66f..e9e96bd 100644
  ')
  
  optional_policy(`
-@@ -764,31 +708,99 @@ optional_policy(`
+@@ -764,31 +709,99 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -59283,10 +59315,10 @@ index 4ecda09..8c0b242 100644
 +/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
 +/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)
 diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..b7b5ee7 100644
+index 7cb8b1f..7c5c5fb 100644
 --- a/puppet.if
 +++ b/puppet.if
-@@ -1,4 +1,12 @@
+@@ -1,4 +1,32 @@
 -## <summary>Configuration management system.</summary>
 +## <summary>Puppet client daemon</summary>
 +## <desc>
@@ -59297,10 +59329,30 @@ index 7cb8b1f..b7b5ee7 100644
 +##	the client system matches.
 +##	</p>
 +## </desc>
++
++########################################
++## <summary>
++##	Execute puppet_master in the puppet_master
++##	domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`puppet_domtrans_master',`
++	gen_require(`
++		type puppet_master_t, puppet_master_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, puppet_master_exec_t, puppet_master_t)
++')
  
  ########################################
  ## <summary>
-@@ -40,16 +48,19 @@ interface(`puppet_domtrans_puppetca',`
+@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',`
  #
  interface(`puppet_run_puppetca',`
  	gen_require(`
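Review bot: The new `puppet_domtrans_master` interface requires `puppet_master_t` and `puppet_master_exec_t`, while removed lines later in this file section (the puppet admin rewrite) still refer to `puppetmaster_t`, so the type rename must already be in puppet.te for the gen_require to resolve; an unresolved type there fails the build for every caller, so it is worth confirming. The interface body itself follows the usual domtrans shape (corecmd_search_bin, then domtrans_pattern) and documents its single parameter.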
@@ -59324,7 +59376,7 @@ index 7cb8b1f..b7b5ee7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -57,15 +68,13 @@ interface(`puppet_run_puppetca',`
+@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',`
  ##	</summary>
  ## </param>
  #
@@ -59344,7 +59396,7 @@ index 7cb8b1f..b7b5ee7 100644
  ')
  
  ################################################
-@@ -78,158 +87,164 @@ interface(`puppet_read_config',`
+@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
  ##	</summary>
  ## </param>
  #
@@ -59539,16 +59591,16 @@ index 7cb8b1f..b7b5ee7 100644
 -
 -	allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
 -	ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
--
--	init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
--	domain_system_change_exemption($1)
--	role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
--	allow $2 system_r;
 +interface(`puppet_manage_log',`
 +    gen_require(`
 +        type puppet_log_t;
 +    ')
  
+-	init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
+-	domain_system_change_exemption($1)
+-	role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
+-	allow $2 system_r;
+-
 -	files_search_etc($1)
 -	admin_pattern($1, puppet_etc_t)
 +    logging_search_logs($1)
@@ -63050,7 +63102,7 @@ index 4460582..60cf556 100644
 +
  ')
 diff --git a/radius.te b/radius.te
-index 1e7927f..5874c98 100644
+index 1e7927f..eb72458 100644
 --- a/radius.te
 +++ b/radius.te
 @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -63076,7 +63128,16 @@ index 1e7927f..5874c98 100644
  corenet_all_recvfrom_netlabel(radiusd_t)
  corenet_tcp_sendrecv_generic_if(radiusd_t)
  corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -97,7 +100,6 @@ domain_use_interactive_fds(radiusd_t)
+@@ -74,6 +77,8 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
+ corenet_udp_sendrecv_all_ports(radiusd_t)
+ corenet_udp_bind_generic_node(radiusd_t)
+ 
++corenet_tcp_connect_postgresql_port(radiusd_t)
++
+ corenet_sendrecv_radacct_server_packets(radiusd_t)
+ corenet_udp_bind_radacct_port(radiusd_t)
+ 
+@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t)
  fs_getattr_all_fs(radiusd_t)
  fs_search_auto_mountpoints(radiusd_t)
  
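Review bot: The commit description says radiusd needs the postgresql socket, but the added `corenet_tcp_connect_postgresql_port(radiusd_t)` only opens the TCP port; a denial on the local unix socket would instead need `postgresql_stream_connect(radiusd_t)` inside an optional_policy block. Worth checking which object the audit denial named, since the TCP rule also lets radiusd reach remote database servers rather than just the local one.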
@@ -63084,7 +63145,7 @@ index 1e7927f..5874c98 100644
  files_read_etc_runtime_files(radiusd_t)
  files_dontaudit_list_tmp(radiusd_t)
  
-@@ -109,7 +111,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t)
  
  logging_send_syslog_msg(radiusd_t)
  
@@ -63092,6 +63153,18 @@ index 1e7927f..5874c98 100644
  miscfiles_read_generic_certs(radiusd_t)
  
  sysnet_use_ldap(radiusd_t)
+@@ -122,6 +125,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0")
++    kerberos_manage_host_rcache(radiusd_t)
++')
++
++optional_policy(`
+ 	logrotate_exec(radiusd_t)
+ ')
+ 
 diff --git a/radvd.if b/radvd.if
 index ac7058d..48739ac 100644
 --- a/radvd.if
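Review bot: The two added kerberos lines, `kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0")` and `kerberos_manage_host_rcache(radiusd_t)`, are indented with four spaces while the neighbouring `logrotate_exec(radiusd_t)` block and the rest of radius.te use a tab; they should be tab-indented to match the file.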
@@ -74228,7 +74301,7 @@ index b2f388a..3e6a93f 100644
  	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/sasl.te b/sasl.te
-index a63b875..64a7c79 100644
+index a63b875..1c9e41b 100644
 --- a/sasl.te
 +++ b/sasl.te
 @@ -1,4 +1,4 @@
@@ -74265,7 +74338,7 @@ index a63b875..64a7c79 100644
  
  manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
  manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
-@@ -43,29 +44,19 @@ kernel_read_kernel_sysctls(saslauthd_t)
+@@ -43,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
  kernel_read_system_state(saslauthd_t)
  kernel_rw_afs_state(saslauthd_t)
  
@@ -74279,6 +74352,7 @@ index a63b875..64a7c79 100644
 -
 -corenet_sendrecv_pop_client_packets(saslauthd_t)
 +corenet_tcp_sendrecv_all_ports(saslauthd_t)
++corenet_tcp_connect_ldap_port(saslauthd_t)
  corenet_tcp_connect_pop_port(saslauthd_t)
 -corenet_tcp_sendrecv_pop_port(saslauthd_t)
 -
@@ -74300,7 +74374,7 @@ index a63b875..64a7c79 100644
  fs_getattr_all_fs(saslauthd_t)
  fs_search_auto_mountpoints(saslauthd_t)
  
-@@ -73,33 +64,37 @@ selinux_compute_access_vector(saslauthd_t)
+@@ -73,33 +65,37 @@ selinux_compute_access_vector(saslauthd_t)
  
  auth_use_pam(saslauthd_t)
  
@@ -75692,7 +75766,7 @@ index 3a9a70b..039b0c8 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..a89828e 100644
+index 49b12ae..46356db 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -1,4 +1,4 @@
@@ -75860,13 +75934,15 @@ index 49b12ae..a89828e 100644
  setroubleshoot_stream_connect(setroubleshoot_fixit_t)
  
  kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -165,9 +177,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  corecmd_getattr_all_executables(setroubleshoot_fixit_t)
  
 +dev_read_sysfs(setroubleshoot_fixit_t)
 +dev_read_urand(setroubleshoot_fixit_t)
 +
++selinux_read_policy(setroubleshoot_fixit_t)
++
  seutil_domtrans_setfiles(setroubleshoot_fixit_t)
 +seutil_domtrans_setsebool(setroubleshoot_fixit_t)
 +seutil_read_module_store(setroubleshoot_fixit_t)
@@ -75875,7 +75951,7 @@ index 49b12ae..a89828e 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +193,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -77427,10 +77503,10 @@ index 7a9cc9d..86cbca9 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/snmp.te b/snmp.te
-index 81864ce..54a1bc6 100644
+index 81864ce..24fe118 100644
 --- a/snmp.te
 +++ b/snmp.te
-@@ -27,11 +27,13 @@ files_type(snmpd_var_lib_t)
+@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
  #
  
  allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
@@ -77445,7 +77521,11 @@ index 81864ce..54a1bc6 100644
 +allow snmpd_t self:tcp_socket create_stream_socket_perms;
  allow snmpd_t self:udp_socket connected_stream_socket_perms;
  
- allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+-allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t)
+ logging_log_filetrans(snmpd_t, snmpd_log_t, file)
+ 
+ manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
 @@ -53,12 +55,13 @@ kernel_read_kernel_sysctls(snmpd_t)
  kernel_read_fs_sysctls(snmpd_t)
  kernel_read_net_sysctls(snmpd_t)
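Review bot: Replacing `allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms }` with `manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t)` grants unlink and rename as well as write, so a compromised snmpd can truncate or remove its own log trail; the squid.te hunk below makes the same widening for squid_t on squid_log_t. If the denial was only for write, as the commit message ("write own logs") suggests, keeping the existing rule and adding `write_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t)` fixes it without giving up tamper resistance. If the daemon rotates its own logs and genuinely needs unlink/rename, a comment saying so above the rule would justify the broader pattern.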
@@ -79071,7 +79151,7 @@ index 5e1f053..e7820bc 100644
  	domain_system_change_exemption($1)
  	role_transition $2 squid_initrc_exec_t system_r;
 diff --git a/squid.te b/squid.te
-index 221c560..6ea61f9 100644
+index 221c560..4966b22 100644
 --- a/squid.te
 +++ b/squid.te
 @@ -29,7 +29,7 @@ type squid_cache_t;
@@ -79108,7 +79188,14 @@ index 221c560..6ea61f9 100644
  ########################################
  #
  # Local policy
-@@ -80,13 +86,13 @@ setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
+@@ -74,19 +80,17 @@ allow squid_t squid_conf_t:file read_file_perms;
+ allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
+-append_files_pattern(squid_t, squid_log_t, squid_log_t)
+-create_files_pattern(squid_t, squid_log_t, squid_log_t)
+-setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
++manage_files_pattern(squid_t, squid_log_t, squid_log_t)
  manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
  logging_log_filetrans(squid_t, squid_log_t, { file dir })
  
@@ -79125,7 +79212,7 @@ index 221c560..6ea61f9 100644
  manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
  files_pid_filetrans(squid_t, squid_var_run_t, file)
  
-@@ -96,7 +102,6 @@ kernel_read_kernel_sysctls(squid_t)
+@@ -96,7 +100,6 @@ kernel_read_kernel_sysctls(squid_t)
  kernel_read_system_state(squid_t)
  kernel_read_network_state(squid_t)
  
@@ -79133,7 +79220,7 @@ index 221c560..6ea61f9 100644
  corenet_all_recvfrom_netlabel(squid_t)
  corenet_tcp_sendrecv_generic_if(squid_t)
  corenet_udp_sendrecv_generic_if(squid_t)
-@@ -156,7 +161,6 @@ dev_read_urand(squid_t)
+@@ -156,7 +159,6 @@ dev_read_urand(squid_t)
  domain_use_interactive_fds(squid_t)
  
  files_read_etc_runtime_files(squid_t)
@@ -79141,7 +79228,7 @@ index 221c560..6ea61f9 100644
  files_search_spool(squid_t)
  files_dontaudit_getattr_tmp_dirs(squid_t)
  files_getattr_home_dir(squid_t)
-@@ -178,7 +182,6 @@ libs_exec_lib_files(squid_t)
+@@ -178,7 +180,6 @@ libs_exec_lib_files(squid_t)
  logging_send_syslog_msg(squid_t)
  
  miscfiles_read_generic_certs(squid_t)
@@ -79149,7 +79236,7 @@ index 221c560..6ea61f9 100644
  
  userdom_use_unpriv_users_fds(squid_t)
  userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -200,6 +203,8 @@ tunable_policy(`squid_use_tproxy',`
+@@ -200,6 +201,8 @@ tunable_policy(`squid_use_tproxy',`
  optional_policy(`
  	apache_content_template(squid)
  
@@ -79158,7 +79245,7 @@ index 221c560..6ea61f9 100644
  	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
  	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
  	corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
-@@ -209,18 +214,18 @@ optional_policy(`
+@@ -209,18 +212,18 @@ optional_policy(`
  	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
  	corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
  
@@ -79184,7 +79271,7 @@ index 221c560..6ea61f9 100644
  ')
  
  optional_policy(`
-@@ -238,3 +243,24 @@ optional_policy(`
+@@ -238,3 +241,24 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(squid_t)
  ')
@@ -85338,10 +85425,10 @@ index 0be8535..b96e329 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index c30da4c..d60e3e4 100644
+index c30da4c..76e4399 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,52 +1,81 @@
+@@ -1,52 +1,83 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -85417,6 +85504,7 @@ index c30da4c..d60e3e4 100644
 -/var/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
 -
 -/var/run/libguestfs(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
++/var/lock/xl		--	gen_context(system_u:object_r:virt_log_t,s0)
 +/var/log/log(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
 +/var/log/libvirt(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
 +/var/log/vdsm(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
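Review bot: `/var/lock/xl` is labelled `virt_log_t` on the added line, yet it is a lock file placed among the /var/log entries, and the same commit adds virt_lock_t management and a files_lock_filetrans for virsh_t in virt.te, so the intended context is presumably `virt_lock_t`; as written the new lock rules would not cover it and it would be writable by whatever may manage virt logs. Suggested line: `/var/lock/xl		--	gen_context(system_u:object_r:virt_lock_t,s0)`, grouped with lock-file entries rather than between the log paths.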
@@ -85453,6 +85541,7 @@ index c30da4c..d60e3e4 100644
 +/usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
++/usr/libexec/qemu-ga(/.*)?	gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
 +
 +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
 +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
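Review bot: `/usr/libexec/qemu-ga(/.*)?` labels the whole hook directory, including every script under it, with `virt_qemu_ga_exec_t`, the entrypoint type of virt_qemu_ga_t, so any domain holding a transition on that type can enter the agent domain through any of those scripts. The preceding `/usr/libexec/qemu.*	--` entry also matches the `qemu-ga` binary; the longer literal stem of the new pattern should take precedence so the binary gets the agent type, but that is worth verifying with matchpathcon. If the requirement is only that the agent executes its own hook scripts, a dedicated type (a constructed example: `virt_qemu_ga_script_t`) with can_exec from virt_qemu_ga_t keeps the scripts from doubling as entrypoints.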
@@ -87141,7 +87230,7 @@ index 9dec06c..7877729 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..f48ade0 100644
+index 1f22fba..b70a2de 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,98 @@
@@ -87347,7 +87436,7 @@ index 1f22fba..f48ade0 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -155,290 +165,121 @@ type virt_qmf_exec_t;
+@@ -155,290 +165,124 @@ type virt_qmf_exec_t;
  init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
  
  type virt_bridgehelper_t;
@@ -87355,35 +87444,37 @@ index 1f22fba..f48ade0 100644
  domain_type(virt_bridgehelper_t)
 -domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
 -role virt_bridgehelper_roles types virt_bridgehelper_t;
--
+ 
 -type virtd_lxc_t;
 -type virtd_lxc_exec_t;
 -init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
- 
--type virtd_lxc_var_run_t;
--files_pid_file(virtd_lxc_var_run_t)
 +type virt_bridgehelper_exec_t;
 +domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
 +role system_r types virt_bridgehelper_t;
  
--type svirt_lxc_file_t;
--files_mountpoint(svirt_lxc_file_t)
--fs_noxattr_type(svirt_lxc_file_t)
--term_pty(svirt_lxc_file_t)
+-type virtd_lxc_var_run_t;
+-files_pid_file(virtd_lxc_var_run_t)
 +# policy for qemu_ga
 +type virt_qemu_ga_t;
 +type virt_qemu_ga_exec_t;
 +init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
  
--virt_lxc_domain_template(svirt_lxc_net)
+-type svirt_lxc_file_t;
+-files_mountpoint(svirt_lxc_file_t)
+-fs_noxattr_type(svirt_lxc_file_t)
+-term_pty(svirt_lxc_file_t)
 +type virt_qemu_ga_var_run_t;
 +files_pid_file(virt_qemu_ga_var_run_t)
  
+-virt_lxc_domain_template(svirt_lxc_net)
++type virt_qemu_ga_log_t;
++logging_log_file(virt_qemu_ga_log_t)
+ 
 -type virsh_t;
 -type virsh_exec_t;
 -init_system_domain(virsh_t, virsh_exec_t)
-+type virt_qemu_ga_log_t;
-+logging_log_file(virt_qemu_ga_log_t)
++type virt_qemu_ga_tmp_t;
++files_tmp_file(virt_qemu_ga_tmp_t)
  
  ########################################
  #
@@ -87595,24 +87686,24 @@ index 1f22fba..f48ade0 100644
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 -
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
+-
+-corenet_udp_sendrecv_generic_if(svirt_t)
+-corenet_udp_sendrecv_generic_node(svirt_t)
+-corenet_udp_sendrecv_all_ports(svirt_t)
+-corenet_udp_bind_generic_node(svirt_t)
 +# it was a part of auth_use_nsswitch
 +allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
  
- corenet_udp_sendrecv_generic_if(svirt_t)
- corenet_udp_sendrecv_generic_node(svirt_t)
- corenet_udp_sendrecv_all_ports(svirt_t)
- corenet_udp_bind_generic_node(svirt_t)
--
 -corenet_all_recvfrom_unlabeled(svirt_t)
 -corenet_all_recvfrom_netlabel(svirt_t)
 -corenet_tcp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_if(svirt_t)
 -corenet_tcp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
 -corenet_tcp_sendrecv_all_ports(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_tcp_bind_generic_node(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
 -
 -corenet_sendrecv_all_server_packets(svirt_t)
  corenet_udp_bind_all_ports(svirt_t)
@@ -87708,7 +87799,7 @@ index 1f22fba..f48ade0 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +289,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +292,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -87754,28 +87845,28 @@ index 1f22fba..f48ade0 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +323,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +326,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
--
 -kernel_read_crypto_sysctls(virtd_t)
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +335,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +338,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -87783,7 +87874,7 @@ index 1f22fba..f48ade0 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,24 +343,15 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +346,15 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -87810,7 +87901,7 @@ index 1f22fba..f48ade0 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -548,22 +362,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +365,23 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -87839,7 +87930,7 @@ index 1f22fba..f48ade0 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +409,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +412,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -87859,20 +87950,20 @@ index 1f22fba..f48ade0 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +431,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +434,24 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
 +sysnet_read_config(virtd_t)
  
 -userdom_read_all_users_state(virtd_t)
--
--ifdef(`hide_broken_symptoms',`
--	dontaudit virtd_t self:capability { sys_module sys_ptrace };
--')
 +systemd_dbus_chat_logind(virtd_t)
 +systemd_write_inhibit_pipes(virtd_t)
  
+-ifdef(`hide_broken_symptoms',`
+-	dontaudit virtd_t self:capability { sys_module sys_ptrace };
+-')
+-
 -tunable_policy(`virt_use_fusefs',`
 -	fs_manage_fusefs_dirs(virtd_t)
 -	fs_manage_fusefs_files(virtd_t)
@@ -87894,7 +87985,7 @@ index 1f22fba..f48ade0 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +457,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +460,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -87903,18 +87994,14 @@ index 1f22fba..f48ade0 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -649,104 +473,325 @@ optional_policy(`
- optional_policy(`
- 	dbus_system_bus_client(virtd_t)
+@@ -653,100 +480,326 @@ optional_policy(`
+ 		avahi_dbus_chat(virtd_t)
+ 	')
  
 -	optional_policy(`
--		avahi_dbus_chat(virtd_t)
+-		consolekit_dbus_chat(virtd_t)
 -	')
 +	optional_policy(`
-+		avahi_dbus_chat(virtd_t)
-+	')
-+
-+	optional_policy(`
 +		consolekit_dbus_chat(virtd_t)
 +	')
 +
@@ -88108,7 +88195,7 @@ index 1f22fba..f48ade0 100644
 +files_search_all(virt_domain)
  
 -	optional_policy(`
--		consolekit_dbus_chat(virtd_t)
+-		firewalld_dbus_chat(virtd_t)
 -	')
 +fs_getattr_xattr_fs(virt_domain)
 +fs_getattr_tmpfs(virt_domain)
@@ -88120,28 +88207,25 @@ index 1f22fba..f48ade0 100644
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
  
 -	optional_policy(`
--		firewalld_dbus_chat(virtd_t)
+-		hal_dbus_chat(virtd_t)
 -	')
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
  
 -	optional_policy(`
--		hal_dbus_chat(virtd_t)
+-		networkmanager_dbus_chat(virtd_t)
 -	')
 +sysnet_read_config(virt_domain)
  
 -	optional_policy(`
--		networkmanager_dbus_chat(virtd_t)
+-		policykit_dbus_chat(virtd_t)
 -	')
 +term_use_all_inherited_terms(virt_domain)
 +term_getattr_pty_fs(virt_domain)
 +term_use_generic_ptys(virt_domain)
 +term_use_ptmx(virt_domain)
- 
--	optional_policy(`
--		policykit_dbus_chat(virtd_t)
--	')
++
 +tunable_policy(`virt_use_execmem',`
 +	allow virt_domain self:process { execmem execstack };
  ')
@@ -88282,10 +88366,15 @@ index 1f22fba..f48ade0 100644
 +virt_manage_images(virsh_t)
 +virt_manage_config(virsh_t)
 +virt_stream_connect(virsh_t)
++
++manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t)
++manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
++manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
++files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })
  
  manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +803,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +811,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
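Review bot: The added virt_lock_t rules for virsh_t (`manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)` and `files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })`) grant symlink creation in the lock directory, while the changelog entry for this change names virtd_t rather than virsh_t; confirm which domain was meant, since the rules as written only touch virsh_t. Symlink creation by a privileged domain in a shared lock directory is the usual ingredient of a symlink-race, so unless an AVC shows virsh actually creating symlinks under its lock path I would drop `lnk_file` from both lines: `files_lock_filetrans(virsh_t, virt_lock_t, { dir file })`. The virsh_t rule block continues outside this hunk.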
@@ -88298,12 +88387,12 @@ index 1f22fba..f48ade0 100644
 -dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 -
 -allow virsh_t svirt_lxc_domain:process transition;
--
--can_exec(virsh_t, virsh_exec_t)
 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +virt_filetrans_named_content(virsh_t)
  
+-can_exec(virsh_t, virsh_exec_t)
+-
 -virt_domtrans(virsh_t)
 -virt_manage_images(virsh_t)
 -virt_manage_config(virsh_t)
@@ -88315,7 +88404,7 @@ index 1f22fba..f48ade0 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +822,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +830,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -88342,7 +88431,7 @@ index 1f22fba..f48ade0 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +842,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +850,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -88374,7 +88463,7 @@ index 1f22fba..f48ade0 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +875,20 @@ optional_policy(`
+@@ -847,14 +883,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -88387,8 +88476,8 @@ index 1f22fba..f48ade0 100644
  
  optional_policy(`
  	xen_manage_image_dirs(virsh_t)
-+    xen_read_image_files(virsh_t)
-+    xen_read_lib_files(virsh_t)
++	xen_read_image_files(virsh_t)
++	xen_read_lib_files(virsh_t)
  	xen_append_log(virsh_t)
  	xen_domtrans(virsh_t)
 -	xen_read_xenstored_pid_files(virsh_t)
@@ -88396,7 +88485,7 @@ index 1f22fba..f48ade0 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +913,44 @@ optional_policy(`
+@@ -879,34 +921,44 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -88450,7 +88539,7 @@ index 1f22fba..f48ade0 100644
  
  manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +960,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +968,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
  allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -88468,7 +88557,7 @@ index 1f22fba..f48ade0 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +982,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +990,8 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -88479,7 +88568,7 @@ index 1f22fba..f48ade0 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +991,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +999,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
  files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
  
@@ -88487,7 +88576,7 @@ index 1f22fba..f48ade0 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1003,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1011,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -88506,7 +88595,7 @@ index 1f22fba..f48ade0 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1017,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1025,36 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -88551,7 +88640,7 @@ index 1f22fba..f48ade0 100644
  allow svirt_lxc_domain self:fifo_file manage_file_perms;
  allow svirt_lxc_domain self:sem create_sem_perms;
  allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1054,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1062,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
  allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
  allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
  
@@ -88578,7 +88667,7 @@ index 1f22fba..f48ade0 100644
  
  manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1072,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1080,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -88597,7 +88686,7 @@ index 1f22fba..f48ade0 100644
  kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
  
  corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1091,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1099,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
  files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
  files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
  files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -88624,7 +88713,7 @@ index 1f22fba..f48ade0 100644
  auth_dontaudit_read_login_records(svirt_lxc_domain)
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1116,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1124,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
  
  libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
  
@@ -88763,7 +88852,7 @@ index 1f22fba..f48ade0 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1214,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1222,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -88778,7 +88867,7 @@ index 1f22fba..f48ade0 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1232,8 @@ optional_policy(`
+@@ -1183,9 +1240,8 @@ optional_policy(`
  
  ########################################
  #
@@ -88789,7 +88878,7 @@ index 1f22fba..f48ade0 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1246,79 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1254,85 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -88807,6 +88896,12 @@ index 1f22fba..f48ade0 100644
 +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
 +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
 +
++can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)
++
++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
++files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir })
++
 +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
 +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
 +files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
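Review bot: `can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)` lets the guest agent run anything carrying its own entrypoint type without a domain transition, so the reach of this rule is set entirely by the file-context pattern for /usr/libexec/qemu-ga, which is not in this hunk; please confirm that pattern matches only that directory and not a broader /usr/libexec glob, because qemu-ga executes commands on behalf of the host side. The /tmp handling is the standard private-tmp pattern and looks fine. A short why-comment above the new lines would help the next reader, e.g. `# qemu-ga runs its helper scripts from /usr/libexec/qemu-ga in its own domain; no transition is defined for them`. The virt_qemu_ga_t block continues past the end of the hunk.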
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7c9d6e1..27a30bd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 45%{?dist}
+Release: 46%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,24 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed May 22 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-46
+- Dontaudit to getattr on dirs for dovecot-deliver
+- Allow raiudusd server connect to postgresql socket
+- Add kerberos support for radiusd
+- Allow saslauthd to connect to ldap port
+- Allow postfix to manage postfix_private_t files
+- Add chronyd support for #965457
+- Fix labeling for HOME_DIR/\.icedtea
+- CHange squid and snmpd to be allowed also write own logs
+- Fix labeling for /usr/libexec/qemu-ga
+- Allow virtd_t to use virt_lock_t
+- Allow also sealert to read the policy from the kernel
+- qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content
+- Dontaudit listing of users homedir by sendmail Seems like a leak
+- Allow passenger to transition to puppet master
+- Allow apache to connect to mythtv
+- Add definition for mythtv ports
+
 * Fri May 17 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-45
 - Add additional fixes for #948073 bug
 - Allow sge_execd_t to also connect to sge ports

