[selinux-policy] Make vdagent able to request loading kernel module

Daniel J Walsh dwalsh at fedoraproject.org
Wed Jun 19 19:22:24 UTC 2013


commit 859a101f23482c0a1f8db565cb3743ae1fb43de7
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Jun 19 15:22:03 2013 -0400

    Make vdagent able to request loading kernel module
    
    - Add support for cloud-init make it as unconfined domain
    - Allow snmpd to run smartctl in fsadm_t domain
    - remove duplicate openshift_search_lib() interface
    - Allow mysqld to search openshift lib files
    - Allow openshift cgroup to interact with passedin file descriptors
    - Allow colord to list directories in the user's homedir
    - aide executes prelink to check files
    - Make sure cupsd_t creates content in /etc/cups with the correct label
    - Let dontaudit apache read all domains, so passenger will not cause this avc
    - Allow gssd to connect to gssproxy
    - systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS
    - Allow systemd-tmpfiles to also relabel lock files
    - Allow useradd to add homedir in /var/lib/openshift
    - Allow setfiles and semanage to write output to /run/files

 policy-rawhide-base.patch    |  830 +++++++++++++++++++++++++++---------------
 policy-rawhide-contrib.patch |  333 ++++++++++++-----
 selinux-policy.spec          |   22 +-
 3 files changed, 790 insertions(+), 395 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 3cca223..deb0e92 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2373,7 +2373,7 @@ index 99e3903..7270808 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..4165b4d 100644
+index d555767..4065a9a 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -2814,10 +2814,10 @@ index d555767..4165b4d 100644
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
 -userdom_manage_user_home_dirs(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_manage_user_home_content_dirs(useradd_t)
 -userdom_manage_user_home_content_files(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 +userdom_manage_home_role(system_r, useradd_t)
 +userdom_delete_all_user_home_content(useradd_t)
@@ -2835,17 +2835,21 @@ index d555767..4165b4d 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
  ')
-@@ -542,7 +593,8 @@ optional_policy(`
+@@ -542,7 +593,12 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	nscd_run(useradd_t, useradd_roles)
 +	nscd_domtrans(useradd_t)
 +#	nscd_run(useradd_t, useradd_roles)
++')
++
++optional_policy(`
++    openshift_manage_lib_dirs(useradd_t)
  ')
  
  optional_policy(`
-@@ -550,6 +602,11 @@ optional_policy(`
+@@ -550,6 +606,11 @@ optional_policy(`
  ')
  
  optional_policy(`
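Review bot: The added `openshift_manage_lib_dirs(useradd_t)` line is indented with four spaces while every neighbouring rule in this block uses a tab (`nscd_domtrans(useradd_t)` a few lines up), so the patched usermanage.te ends up with mixed indentation; change it to a tab-indented `	openshift_manage_lib_dirs(useradd_t)`. The new `optional_policy` wrapper is complete within the hunk, but the surrounding usermanage.te section continues outside it. This is the rule the description lists as letting useradd create home directories under /var/lib/openshift, which is a manage grant on a non-home location and deserves a one-line comment naming that purpose next to the rule.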
@@ -2857,7 +2861,7 @@ index d555767..4165b4d 100644
  	tunable_policy(`samba_domain_controller',`
  		samba_append_log(useradd_t)
  	')
-@@ -559,3 +616,12 @@ optional_policy(`
+@@ -559,3 +620,12 @@ optional_policy(`
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
@@ -5637,7 +5641,7 @@ index b31c054..17e11e0 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..0fc6f53 100644
+index 76f285e..7a424f4 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6330,18 +6334,105 @@ index 76f285e..0fc6f53 100644
  ##	</summary>
  ## </param>
  #
-@@ -2975,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',`
+@@ -2903,20 +3178,20 @@ interface(`dev_getattr_mtrr_dev',`
+ 
+ ########################################
+ ## <summary>
+-##	Read the memory type range
++##	Write the memory type range
+ ##	registers (MTRR).  (Deprecated)
+ ## </summary>
+ ## <desc>
+ ##	<p>
+-##	Read the memory type range
++##	Write the memory type range
+ ##	registers (MTRR).  This interface has
+ ##	been deprecated, dev_rw_mtrr() should be
+ ##	used instead.
+ ##	</p>
+ ##	<p>
+ ##	The MTRR device ioctls can be used for
+-##	reading and writing; thus, read access to the
+-##	device cannot be separated from write access.
++##	reading and writing; thus, write access to the
++##	device cannot be separated from read access.
+ ##	</p>
+ ## </desc>
+ ## <param name="domain">
+@@ -2925,43 +3200,34 @@ interface(`dev_getattr_mtrr_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_read_mtrr',`
++interface(`dev_write_mtrr',`
+ 	refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+ 	dev_rw_mtrr($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write the memory type range
+-##	registers (MTRR).  (Deprecated)
++##	Do not audit attempts to write the memory type
++##	range registers (MTRR).
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Write the memory type range
+-##	registers (MTRR).  This interface has
+-##	been deprecated, dev_rw_mtrr() should be
+-##	used instead.
+-##	</p>
+-##	<p>
+-##	The MTRR device ioctls can be used for
+-##	reading and writing; thus, write access to the
+-##	device cannot be separated from read access.
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_write_mtrr',`
+-	refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+-	dev_rw_mtrr($1)
++interface(`dev_dontaudit_write_mtrr',`
++	gen_require(`
++		type mtrr_device_t;
++	')
++
++	dontaudit $1 mtrr_device_t:file write_file_perms;
++	dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write the memory type
++##	Do not audit attempts to read the memory type
+ ##	range registers (MTRR).
+ ## </summary>
+ ## <param name="domain">
+@@ -2970,13 +3236,13 @@ interface(`dev_write_mtrr',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_write_mtrr',`
++interface(`dev_dontaudit_read_mtrr',`
+ 	gen_require(`
  		type mtrr_device_t;
  	')
  
 -	dontaudit $1 mtrr_device_t:file write;
 -	dontaudit $1 mtrr_device_t:chr_file write;
-+	dontaudit $1 mtrr_device_t:file write_file_perms;
-+	dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
++	dontaudit $1 mtrr_device_t:file { open read };
++	dontaudit $1 mtrr_device_t:chr_file { open read };
  ')
  
  ########################################
-@@ -3144,6 +3419,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3410,42 @@ interface(`dev_create_null_dev',`
  
  ########################################
  ## <summary>
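Review bot: The new `dev_dontaudit_read_mtrr` silences only `{ open read }` on `mtrr_device_t` (the two added `dontaudit` lines near the end of the hunk), while its sibling `dev_dontaudit_write_mtrr` in the same hunk uses the `write_file_perms` / `write_chr_file_perms` macros; the asymmetry means getattr or ioctl denials on a read path stay auditable, which may be intended but is not stated. Either use `read_file_perms` / `read_chr_file_perms` for symmetry with the write variant, or keep the narrow set and add a comment such as `# only open/read are silenced; getattr/ioctl denials remain auditable` above the rules. The interface body ends inside the hunk, so this is the whole rule set.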
@@ -6384,7 +6475,7 @@ index 76f285e..0fc6f53 100644
  ##	Do not audit attempts to get the attributes
  ##	of the BIOS non-volatile RAM device.
  ## </summary>
-@@ -3163,6 +3474,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3465,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
  
  ########################################
  ## <summary>
@@ -6409,7 +6500,7 @@ index 76f285e..0fc6f53 100644
  ##	Read and write BIOS non-volatile RAM.
  ## </summary>
  ## <param name="domain">
-@@ -3254,7 +3583,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3574,25 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -6436,7 +6527,7 @@ index 76f285e..0fc6f53 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3262,12 +3609,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3600,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -6453,83 +6544,319 @@ index 76f285e..0fc6f53 100644
  ')
  
  ########################################
-@@ -3855,6 +4203,96 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4194,7 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
+-##	Search the sysfs directories.
 +##	Set the attributes of sysfs directories.
-+## </summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3863,53 +4202,53 @@ interface(`dev_getattr_sysfs_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_search_sysfs',`
++interface(`dev_setattr_sysfs_dirs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	search_dirs_pattern($1, sysfs_t, sysfs_t)
++	allow $1 sysfs_t:dir setattr_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search sysfs.
++##	Get attributes of sysfs filesystems.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_search_sysfs',`
++interface(`dev_getattr_sysfs_fs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	dontaudit $1 sysfs_t:dir search_dir_perms;
++	allow $1 sysfs_t:filesystem getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the sysfs directories.
++##	Mount a filesystem on /sys
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain allow access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_list_sysfs',`
++interface(`dev_mounton_sysfs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	list_dirs_pattern($1, sysfs_t, sysfs_t)
++	allow $1 sysfs_t:dir mounton;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write in a sysfs directories.
++##	Mount sysfs filesystems.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3917,37 +4256,35 @@ interface(`dev_list_sysfs',`
+ ##	</summary>
+ ## </param>
+ #
+-# cjp: added for cpuspeed
+-interface(`dev_write_sysfs_dirs',`
++interface(`dev_mount_sysfs_fs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	allow $1 sysfs_t:dir write;
++	allow $1 sysfs_t:filesystem mount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write in a sysfs directory.
++##	Unmount sysfs filesystems.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_write_sysfs_dirs',`
++interface(`dev_unmount_sysfs_fs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	dontaudit $1 sysfs_t:dir write;
++	allow $1 sysfs_t:filesystem unmount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete sysfs
+-##	directories.
++##	Search the sysfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3955,47 +4292,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_manage_sysfs_dirs',`
++interface(`dev_search_sysfs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	manage_dirs_pattern($1, sysfs_t, sysfs_t)
++	search_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read hardware state information.
++##	Do not audit attempts to search sysfs.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read the contents of
+-##	the sysfs filesystem.  This filesystem contains
+-##	information, parameters, and other settings on the
+-##	hardware installed on the system.
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="10"/>
+ #
+-interface(`dev_read_sysfs',`
++interface(`dev_dontaudit_search_sysfs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	read_files_pattern($1, sysfs_t, sysfs_t)
+-	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+-	list_dirs_pattern($1, sysfs_t, sysfs_t)
++	dontaudit $1 sysfs_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow caller to modify hardware state information.
++##	List the contents of the sysfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4003,20 +4328,18 @@ interface(`dev_read_sysfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_sysfs',`
++interface(`dev_list_sysfs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	rw_files_pattern($1, sysfs_t, sysfs_t)
+ 	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+ 	list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write the TPM device.
++##	Write in a sysfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4024,21 +4347,210 @@ interface(`dev_rw_sysfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_tpm',`
++# cjp: added for cpuspeed
++interface(`dev_write_sysfs_dirs',`
+ 	gen_require(`
+-		type device_t, tpm_device_t;
++		type sysfs_t;
+ 	')
+ 
+-	rw_chr_files_pattern($1, device_t, tpm_device_t)
++	allow $1 sysfs_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read from pseudo random number generator devices (e.g., /dev/urandom).
++##	Do not audit attempts to write in a sysfs directory.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read from pseudo random number
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_setattr_sysfs_dirs',`
++interface(`dev_dontaudit_write_sysfs_dirs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	allow $1 sysfs_t:dir setattr_dir_perms;
++	dontaudit $1 sysfs_t:dir write;
 +')
 +
 +########################################
 +## <summary>
-+##	Get attributes of sysfs filesystems.
++##	Read cpu online hardware state information.
 +## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read /sys/devices/system/cpu/online file.
++##	</p>
++## </desc>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_getattr_sysfs_fs',`
++interface(`dev_read_cpu_online',`
 +	gen_require(`
-+		type sysfs_t;
++		type cpu_online_t;
 +	')
 +
-+	allow $1 sysfs_t:filesystem getattr;
++	dev_search_sysfs($1)
++	read_files_pattern($1, cpu_online_t, cpu_online_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Mount a filesystem on /sys
++##	Relabel cpu online hardware state information.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allow access.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_mounton_sysfs',`
++interface(`dev_relabel_cpu_online',`
 +	gen_require(`
++		type cpu_online_t;
 +		type sysfs_t;
 +	')
 +
-+	allow $1 sysfs_t:dir mounton;
++	dev_search_sysfs($1)
++	allow $1 cpu_online_t:file relabel_file_perms;
 +')
 +
++
 +########################################
 +## <summary>
-+##	Mount sysfs filesystems.
++##	Read hardware state information.
 +## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read the contents of
++##	the sysfs filesystem.  This filesystem contains
++##	information, parameters, and other settings on the
++##	hardware installed on the system.
++##	</p>
++## </desc>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <infoflow type="read" weight="10"/>
 +#
-+interface(`dev_mount_sysfs_fs',`
++interface(`dev_read_sysfs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	allow $1 sysfs_t:filesystem mount;
++	read_files_pattern($1, sysfs_t, sysfs_t)
++	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++	list_dirs_pattern($1, sysfs_t, sysfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Unmount sysfs filesystems.
++##	Allow caller to modify hardware state information.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
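Review bot: `dev_list_sysfs` on the new side grants `read_lnk_files_pattern($1, sysfs_t, sysfs_t)` in addition to `list_dirs_pattern`, but its `<summary>` still reads `List the contents of the sysfs directories.`; callers pick interfaces by these summaries, so extend it to `List the contents of the sysfs directories and read their symbolic links.`. The relocated `dev_mounton_sysfs` block keeps the pre-existing typo `Domain allow access.` in its param summary where every other interface says `Domain allowed access.`, and `dev_write_sysfs_dirs` keeps `Write in a sysfs directories.`; both are cheap to fix while the text is being moved. As far as the hunk shows, the rest is a reordering of these interfaces inside the patch rather than a change in the rules they grant.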
@@ -6537,59 +6864,20 @@ index 76f285e..0fc6f53 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_unmount_sysfs_fs',`
++interface(`dev_rw_sysfs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	allow $1 sysfs_t:filesystem unmount;
-+')
-+
-+########################################
-+## <summary>
- ##	Search the sysfs directories.
- ## </summary>
- ## <param name="domain">
-@@ -3904,6 +4342,7 @@ interface(`dev_list_sysfs',`
- 		type sysfs_t;
- 	')
- 
++	rw_files_pattern($1, sysfs_t, sysfs_t)
 +	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
- 	list_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
- 
-@@ -3946,23 +4385,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete sysfs
--##	directories.
-+##	Read cpu online hardware state information.
- ## </summary>
-+## <desc>
-+##	<p>
-+##	Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##	</p>
-+## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_manage_sysfs_dirs',`
-+interface(`dev_read_cpu_online',`
-+	gen_require(`
-+		type cpu_online_t;
-+	')
 +
-+	dev_search_sysfs($1)
-+	read_files_pattern($1, cpu_online_t, cpu_online_t)
++	list_dirs_pattern($1, sysfs_t, sysfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel cpu online hardware state information.
++##	Relabel hardware state directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6597,38 +6885,8 @@ index 76f285e..0fc6f53 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_relabel_cpu_online',`
- 	gen_require(`
-+		type cpu_online_t;
- 		type sysfs_t;
- 	')
- 
--	manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+	dev_search_sysfs($1)
-+	allow $1 cpu_online_t:file relabel_file_perms;
- ')
- 
-+
- ########################################
- ## <summary>
- ##	Read hardware state information.
-@@ -4016,7 +4481,7 @@ interface(`dev_rw_sysfs',`
- 
- ########################################
- ## <summary>
--##	Read and write the TPM device.
-+##	Relabel hardware state directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4024,9 +4489,65 @@ interface(`dev_rw_sysfs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_tpm',`
 +interface(`dev_relabel_sysfs_dirs',`
- 	gen_require(`
--		type device_t, tpm_device_t;
++	gen_require(`
 +		type sysfs_t;
 +	')
 +
@@ -6686,10 +6944,22 @@ index 76f285e..0fc6f53 100644
 +interface(`dev_rw_tpm',`
 +	gen_require(`
 +		type device_t, tpm_device_t;
- 	')
- 
- 	rw_chr_files_pattern($1, device_t, tpm_device_t)
-@@ -4113,6 +4634,25 @@ interface(`dev_write_urand',`
++	')
++
++	rw_chr_files_pattern($1, device_t, tpm_device_t)
++')
++
++########################################
++## <summary>
++##	Read from pseudo random number generator devices (e.g., /dev/urandom).
++## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read from pseudo random number
+ ##	generator devices (e.g., /dev/urandom).  Typically this is
+ ##	used in situations when a cryptographically secure random
+ ##	number is not necessarily needed.  One example is the Stack
+@@ -4113,6 +4625,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -6715,7 +6985,7 @@ index 76f285e..0fc6f53 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4409,9 +4949,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +4940,9 @@ interface(`dev_rw_usbfs',`
  	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
  ')
  
@@ -6727,7 +6997,7 @@ index 76f285e..0fc6f53 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4419,17 +4959,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +4950,17 @@ interface(`dev_rw_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -6750,7 +7020,7 @@ index 76f285e..0fc6f53 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4437,12 +4977,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +4968,12 @@ interface(`dev_getattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -6766,7 +7036,7 @@ index 76f285e..0fc6f53 100644
  ')
  
  ########################################
-@@ -4539,6 +5079,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5070,134 @@ interface(`dev_write_video_dev',`
  
  ########################################
  ## <summary>
@@ -6901,7 +7171,7 @@ index 76f285e..0fc6f53 100644
  ##	Allow read/write the vhost net device
  ## </summary>
  ## <param name="domain">
-@@ -4557,6 +5225,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5216,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -6926,7 +7196,7 @@ index 76f285e..0fc6f53 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4762,6 +5448,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5439,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -6953,7 +7223,7 @@ index 76f285e..0fc6f53 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +5557,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5548,943 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -8788,7 +9058,7 @@ index c2c6e05..be423a7 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..455cc6c 100644
+index 64ff4d7..fe6d89c 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10464,17 +10734,51 @@ index 64ff4d7..455cc6c 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5774,8 +6714,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5761,7 +6701,7 @@ interface(`files_relabel_all_lock_dirs',`
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of generic lock files.
++##	Relabel to and from all lock file types.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5769,13 +6709,33 @@ interface(`files_relabel_all_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_relabel_all_lock_files',`
+ 	gen_require(`
++		attribute lockfile;
  		type var_t, var_lock_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ 	allow $1 var_t:dir search_dir_perms;
+ 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	relabel_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Get the attributes of generic lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_getattr_generic_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
 +	files_search_locks($1)
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
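Review bot: The new `files_relabel_all_lock_files` spells out `allow $1 var_t:dir search_dir_perms;` and `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` by hand, while the rewritten `files_getattr_generic_locks` directly below it replaces exactly those two rules with `files_search_locks($1)`; two interfaces in one hunk should agree, so use `files_search_locks($1)` in the new one too. Its `<desc>` should also state that relabelfrom/relabelto is granted across every type carrying the `lockfile` attribute, not just `var_lock_t`, since this is the interface the description says systemd-tmpfiles will receive and the breadth matters to anyone auditing that domain. Both interface bodies are complete within the hunk.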
-@@ -5791,13 +6730,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6751,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -10492,7 +10796,7 @@ index 64ff4d7..455cc6c 100644
  ')
  
  ########################################
-@@ -5816,9 +6754,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6775,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -10503,7 +10807,7 @@ index 64ff4d7..455cc6c 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5860,8 +6796,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6817,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -10513,7 +10817,7 @@ index 64ff4d7..455cc6c 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6818,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6839,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -10523,7 +10827,7 @@ index 64ff4d7..455cc6c 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6855,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6876,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -10533,7 +10837,7 @@ index 64ff4d7..455cc6c 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5961,7 +6894,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +6915,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -10542,7 +10846,7 @@ index 64ff4d7..455cc6c 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5981,10 +6914,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +6935,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -10591,7 +10895,7 @@ index 64ff4d7..455cc6c 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6007,6 +6978,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +6999,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -10617,7 +10921,7 @@ index 64ff4d7..455cc6c 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6021,7 +7011,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7032,7 @@ interface(`files_list_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -10626,7 +10930,7 @@ index 64ff4d7..455cc6c 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  ')
  
-@@ -6040,7 +7030,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7051,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -10635,7 +10939,7 @@ index 64ff4d7..455cc6c 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6060,7 +7050,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7071,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -10644,7 +10948,7 @@ index 64ff4d7..455cc6c 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6122,7 +7112,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7133,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -10652,7 +10956,32 @@ index 64ff4d7..455cc6c 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6164,7 +7153,7 @@ interface(`files_rw_generic_pids',`
+@@ -6151,6 +7161,24 @@ interface(`files_pid_filetrans_lock_dir',`
+ 
+ ########################################
+ ## <summary>
++##	rw generic pid files inherited from another process
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_inherited_generic_pid_files',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	allow $1 var_run_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Read and write generic process ID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -6164,7 +7192,7 @@ interface(`files_rw_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -10661,7 +10990,7 @@ index 64ff4d7..455cc6c 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	rw_files_pattern($1, var_run_t, var_run_t)
  ')
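Review bot: The summary of the new `files_rw_inherited_generic_pid_files` reads `rw generic pid files inherited from another process`, which breaks the sentence style of its neighbours (`Read and write generic process ID files.` a few lines below); write it as `Read and write inherited generic process ID files.` so the generated interface docs stay uniform. A short `<desc>` saying that the domain gets `rw_inherited_file_perms` only and is not granted open on `var_run_t` — which is my understanding of that permission set, please confirm against its definition — would tell callers why to prefer this over `files_rw_generic_pids` when a descriptor is merely passed in. The interface is complete within the hunk.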
-@@ -6231,55 +7220,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +7259,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -10724,7 +11053,7 @@ index 64ff4d7..455cc6c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6287,42 +7264,35 @@ interface(`files_delete_all_pids',`
+@@ -6287,42 +7303,35 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -10774,7 +11103,7 @@ index 64ff4d7..455cc6c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6330,18 +7300,18 @@ interface(`files_manage_all_pids',`
+@@ -6330,18 +7339,18 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -10798,7 +11127,7 @@ index 64ff4d7..455cc6c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6349,37 +7319,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6349,37 +7358,40 @@ interface(`files_mounton_all_poly_members',`
  ##	</summary>
  ## </param>
  #
@@ -10850,7 +11179,7 @@ index 64ff4d7..455cc6c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6387,18 +7360,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6387,18 +7399,17 @@ interface(`files_dontaudit_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -10873,7 +11202,7 @@ index 64ff4d7..455cc6c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6406,18 +7378,18 @@ interface(`files_list_spool',`
+@@ -6406,18 +7417,18 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -10897,7 +11226,7 @@ index 64ff4d7..455cc6c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6425,19 +7397,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6425,19 +7436,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -10922,7 +11251,7 @@ index 64ff4d7..455cc6c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6445,55 +7416,43 @@ interface(`files_read_generic_spool',`
+@@ -6445,45 +7455,312 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -10973,57 +11302,38 @@ index 64ff4d7..455cc6c 100644
 -		type var_t, var_spool_t;
 +		attribute pidfile;
 +		type var_t, var_run_t;
- 	')
- 
++	')
++
 +	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
--	filetrans_pattern($1, var_spool_t, $2, $3, $4)
++	allow $1 var_t:dir search_dir_perms;
 +	allow $1 var_run_t:dir rmdir;
 +	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
 +	delete_files_pattern($1, pidfile, pidfile)
 +	delete_fifo_files_pattern($1, pidfile, pidfile)
 +	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
- 
- ########################################
- ## <summary>
--##	Allow access to manage all polyinstantiated
--##	directories on the system.
++')
++
++########################################
++## <summary>
 +##	Delete all process ID directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6501,64 +7460,814 @@ interface(`files_spool_filetrans',`
- ##	</summary>
- ## </param>
- #
--interface(`files_polyinstantiate_all',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_delete_all_pid_dirs',`
- 	gen_require(`
--		attribute polydir, polymember, polyparent;
--		type poly_t;
++	gen_require(`
 +		attribute pidfile;
 +		type var_t, var_run_t;
- 	')
- 
--	# Need to give access to /selinux/member
--	selinux_compute_member($1)
--
--	# Need sys_admin capability for mounting
--	allow $1 self:capability { chown fsetid sys_admin fowner };
--
--	# Need to give access to the directories to be polyinstantiated
--	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
--	# Need to give access to the polyinstantiated subdirectories
--	allow $1 polymember:dir search_dir_perms;
++	')
++
 +	files_search_pids($1)
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
 +')
- 
--	# Need to give access to parent directories where original
--	# is remounted for polyinstantiation aware programs (like gdm)
++
 +########################################
 +## <summary>
 +##	Make the specified type a file
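Review bot: `files_delete_all_pids` on the new side calls `files_search_pids($1)` and, on the next line, still carries an explicit `allow $1 var_t:dir search_dir_perms;`; `files_delete_all_pid_dirs` repeats the same pair. If `files_search_pids` already grants the `var_t` search (its body is outside this hunk), the raw rule is redundant and one of the two lines should go, as `files_getattr_generic_locks` elsewhere in this commit does when it switches to the `files_search_*` helper. The rest of the hunk appears to be a rebase of the inner patch so these interfaces are inserted ahead of `files_spool_filetrans` instead of replacing it; that inference rests on the following hunk, which runs past the end of what is visible here.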
@@ -11275,89 +11585,13 @@ index 64ff4d7..455cc6c 100644
 +interface(`files_spool_filetrans',`
 +	gen_require(`
 +		type var_t, var_spool_t;
-+	')
-+
-+	allow $1 var_t:dir search_dir_perms;
-+	filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
-+##	Allow access to manage all polyinstantiated
-+##	directories on the system.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_polyinstantiate_all',`
-+	gen_require(`
-+		attribute polydir, polymember, polyparent;
-+		type poly_t;
-+	')
-+
-+	# Need to give access to /selinux/member
-+	selinux_compute_member($1)
-+
-+	# Need sys_admin capability for mounting
-+	allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+	# Need to give access to the directories to be polyinstantiated
-+	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+	# Need to give access to the polyinstantiated subdirectories
-+	allow $1 polymember:dir search_dir_perms;
-+
-+	# Need to give access to parent directories where original
-+	# is remounted for polyinstantiation aware programs (like gdm)
- 	allow $1 polyparent:dir { getattr mounton };
+ 	')
  
--	# Need to give permission to create directories where applicable
--	allow $1 self:process setfscreate;
--	allow $1 polymember: dir { create setattr relabelto };
--	allow $1 polydir: dir { write add_name open };
--	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+	# Need to give permission to create directories where applicable
-+	allow $1 self:process setfscreate;
-+	allow $1 polymember: dir { create setattr relabelto };
-+	allow $1 polydir: dir { write add_name open };
-+	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+	# Default type for mountpoints
-+	allow $1 poly_t:dir { create mounton };
-+	fs_unmount_xattr_fs($1)
-+
-+	fs_mount_tmpfs($1)
-+	fs_unmount_tmpfs($1)
-+
-+	ifdef(`distro_redhat',`
-+		# namespace.init
-+		files_search_tmp($1)
-+		files_search_home($1)
-+		corecmd_exec_bin($1)
-+		seutil_domtrans_setfiles($1)
-+	')
-+')
-+
-+########################################
-+## <summary>
-+##	Unconfined access to files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_unconfined',`
-+	gen_require(`
-+		attribute files_unconfined_type;
-+	')
-+
-+	typeattribute $1 files_unconfined_type;
-+')
+ 	allow $1 var_t:dir search_dir_perms;
+@@ -6562,3 +7839,474 @@ interface(`files_unconfined',`
+ 
+ 	typeattribute $1 files_unconfined_type;
+ ')
 +
 +########################################
 +## <summary>
@@ -11483,15 +11717,10 @@ index 64ff4d7..455cc6c 100644
 +	gen_require(`
 +		attribute tmpfsfile;
 +	')
- 
--	# Default type for mountpoints
--	allow $1 poly_t:dir { create mounton };
--	fs_unmount_xattr_fs($1)
++
 +	allow $1 tmpfsfile:file { read write };
 +')
- 
--	fs_mount_tmpfs($1)
--	fs_unmount_tmpfs($1)
++
 +########################################
 +## <summary>
 +##	Do not audit attempts to read security files 
@@ -11506,13 +11735,7 @@ index 64ff4d7..455cc6c 100644
 +	gen_require(`
 +		attribute security_file_type;
 +	')
- 
--	ifdef(`distro_redhat',`
--		# namespace.init
--		files_search_tmp($1)
--		files_search_home($1)
--		corecmd_exec_bin($1)
--		seutil_domtrans_setfiles($1)
++
 +	dontaudit $1 security_file_type:file read_file_perms;
 +')
 +
@@ -11534,36 +11757,32 @@ index 64ff4d7..455cc6c 100644
 +interface(`files_rw_all_inherited_files',`
 +	gen_require(`
 +		attribute file_type;
- 	')
++	')
 +
 +	allow $1 { file_type $2 }:file rw_inherited_file_perms;
 +	allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
 +	allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
 +	allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Unconfined access to files.
++')
++
++########################################
++## <summary>
 +##	Allow any file point to be the entrypoint of this domain
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`files_unconfined',`
++#
 +interface(`files_entrypoint_all_files',`
- 	gen_require(`
--		attribute files_unconfined_type;
++	gen_require(`
 +		attribute file_type;
- 	')
++	')
 +	allow $1 file_type:file entrypoint;
 +')
- 
--	typeattribute $1 files_unconfined_type;
++
 +########################################
 +## <summary>
 +##	Do not audit attempts to rw inherited file perms
@@ -11758,7 +11977,7 @@ index 64ff4d7..455cc6c 100644
 +	')
 +	files_type($1)
 +	typeattribute $1 base_file_type;
- ')
++')
 +
 +########################################
 +## <summary>
@@ -32936,7 +33155,7 @@ index 3822072..1029e3b 100644
 +    userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..73ef1e8 100644
+index ec01d0b..64db314 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,14 +11,17 @@ gen_require(`
@@ -33373,11 +33592,11 @@ index ec01d0b..73ef1e8 100644
 -auth_use_nsswitch(semanage_t)
 -
 -locallogin_use_fds(semanage_t)
+-
+-logging_send_syslog_msg(semanage_t)
 +# Admins are creating pp files in random locations
 +files_read_non_security_files(semanage_t)
  
--logging_send_syslog_msg(semanage_t)
--
 -miscfiles_read_localization(semanage_t)
 -
 -seutil_libselinux_linked(semanage_t)
@@ -33465,7 +33684,7 @@ index ec01d0b..73ef1e8 100644
  ')
  
  ########################################
-@@ -522,108 +599,178 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',`
  # Setfiles local policy
  #
  
@@ -33547,12 +33766,12 @@ index ec01d0b..73ef1e8 100644
 +	# pki is leaking
 +	pki_dontaudit_write_log(setfiles_t)
 +')
- 
--seutil_libselinux_linked(setfiles_t)
++
 +optional_policy(`
 +	xserver_append_xdm_tmp_files(setfiles_t)
 +')
-+
+ 
+-seutil_libselinux_linked(setfiles_t)
 +ifdef(`hide_broken_symptoms',`
 +
 +	optional_policy(`
@@ -33729,6 +33948,9 @@ index ec01d0b..73ef1e8 100644
 +
 +userdom_dontaudit_write_user_home_content_files(policy_manager_domain)
 +userdom_use_user_ptys(policy_manager_domain)
++
++files_rw_inherited_generic_pid_files(setfiles_domain)
++files_rw_inherited_generic_pid_files(seutil_semanage_domain)
 diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
 index bea4629..06e2834 100644
 --- a/policy/modules/system/setrans.fc
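Review bot: The two new `files_rw_inherited_generic_pid_files()` calls appended to selinuxutil.te carry no comment saying which caller hands setfiles or semanage an already-open file under /run; the changelog line "write output to /run/files" is the only record of the motivation. Because the rules attach to the `setfiles_domain` and `seutil_semanage_domain` attributes, every member of those attributes gains read/write on inherited var_run_t files, which looks broader than the changelog's "setfiles and semanage" — worth confirming that is intended. Suggest a why-line above them such as `# stdout/stderr may be redirected to a file under /run (inherited fd only, no open)`. The rules sit after the policy_manager_domain block rather than next to the setfiles_t and semanage_t local policy, so a reader of those sections will not see them.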
@@ -35732,10 +35954,10 @@ index 0000000..2e5b822
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..35c1a7d
+index 0000000..87474b2
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,645 @@
+@@ -0,0 +1,647 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -36037,6 +36259,7 @@ index 0000000..35c1a7d
 +files_getattr_all_sockets(systemd_tmpfiles_t)
 +files_getattr_all_symlinks(systemd_tmpfiles_t)
 +files_relabel_all_lock_dirs(systemd_tmpfiles_t)
++files_relabel_all_lock_files(systemd_tmpfiles_t)
 +files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 +files_relabel_all_pid_files(systemd_tmpfiles_t)
 +files_relabel_all_spool_dirs(systemd_tmpfiles_t)
@@ -36060,6 +36283,7 @@ index 0000000..35c1a7d
 +
 +mls_file_read_all_levels(systemd_tmpfiles_t)
 +mls_file_write_all_levels(systemd_tmpfiles_t)
++mls_file_upgrade(systemd_tmpfiles_t)
 +
 +selinux_get_enforce_mode(systemd_tmpfiles_t)
 +
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index dd55837..41328d9 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1468,7 +1468,7 @@ index 01cbb67..94a4a24 100644
  
  	files_list_etc($1)
 diff --git a/aide.te b/aide.te
-index 4b28ab3..cf64a9a 100644
+index 4b28ab3..6e8746f 100644
 --- a/aide.te
 +++ b/aide.te
 @@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1479,7 +1479,16 @@ index 4b28ab3..cf64a9a 100644
  role aide_roles types aide_t;
  
  type aide_log_t;
-@@ -34,11 +35,16 @@ logging_log_filetrans(aide_t, aide_log_t, file)
+@@ -23,7 +24,7 @@ files_type(aide_db_t)
+ # Local policy
+ #
+ 
+-allow aide_t self:capability { dac_override fowner };
++allow aide_t self:capability { dac_override fowner ipc_lock };
+ 
+ manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+ 
+@@ -34,11 +35,20 @@ logging_log_filetrans(aide_t, aide_log_t, file)
  
  files_read_all_files(aide_t)
  files_read_all_symlinks(aide_t)
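Review bot: The `ipc_lock` capability added in `allow aide_t self:capability { dac_override fowner ipc_lock };` is not mentioned in the commit message and has no comment, so the reason is lost; ipc_lock covers mlock/mlockall, which is presumably what aide needs, but the policy should say so rather than leave it to be guessed. Suggest `# ipc_lock: aide mlock()s memory — TODO confirm against the AVC that motivated it` above the rule. The second hunk in this file section (L1423-L1433) adding `prelink_domtrans(aide_t)` is covered by the changelog line about prelink and needs nothing further.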
@@ -1494,6 +1503,10 @@ index 4b28ab3..cf64a9a 100644
  
 -userdom_use_user_terminals(aide_t)
 +userdom_use_inherited_user_terminals(aide_t)
++
++optional_policy(`
++	prelink_domtrans(aide_t)
++')
  
  optional_policy(`
  	seutil_use_newrole_fds(aide_t)
@@ -4511,7 +4524,7 @@ index 83e899c..c5be77c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..a434dfd 100644
+index 1a82e29..392480e 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,367 @@
@@ -5199,7 +5212,7 @@ index 1a82e29..a434dfd 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5275,6 +5288,7 @@ index 1a82e29..a434dfd 100644
 +corecmd_exec_shell(httpd_t)
 +
 +domain_use_interactive_fds(httpd_t)
++domain_dontaudit_read_all_domains_state(httpd_t)
  
  files_dontaudit_getattr_all_pids(httpd_t)
 -files_read_usr_files(httpd_t)
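Review bot: `domain_dontaudit_read_all_domains_state(httpd_t)` becomes unconditional here, while the hunk at L1568-L1575 removes the same rule from what appears to be a tunable or optional block further down; the changelog says this is to silence passenger, so the rule has been widened from one configuration to every httpd_t deployment. A dontaudit on reading every domain's /proc state grants no access, but it means an httpd_t process probing other processes no longer produces AVC records, which is a detection cost that should be a deliberate choice. If the widening is intended, keep the reason in the file, e.g. `# passenger reads /proc/<pid>/ of other domains; silence, do not allow`, and consider whether the rule could stay inside the passenger-related block instead.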
@@ -5427,7 +5441,7 @@ index 1a82e29..a434dfd 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +717,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +718,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5487,7 +5501,7 @@ index 1a82e29..a434dfd 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +769,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +770,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5572,7 +5586,7 @@ index 1a82e29..a434dfd 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +810,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +811,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5653,7 +5667,7 @@ index 1a82e29..a434dfd 100644
  ')
  
  optional_policy(`
-@@ -743,14 +862,6 @@ optional_policy(`
+@@ -743,14 +863,6 @@ optional_policy(`
  	ccs_read_config(httpd_t)
  ')
  
@@ -5668,7 +5682,7 @@ index 1a82e29..a434dfd 100644
  
  optional_policy(`
  	cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +876,23 @@ optional_policy(`
+@@ -765,6 +877,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5692,7 +5706,7 @@ index 1a82e29..a434dfd 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +909,42 @@ optional_policy(`
+@@ -781,34 +910,42 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5746,7 +5760,7 @@ index 1a82e29..a434dfd 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +952,18 @@ optional_policy(`
+@@ -816,8 +953,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5765,7 +5779,7 @@ index 1a82e29..a434dfd 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +972,7 @@ optional_policy(`
+@@ -826,6 +973,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -5773,7 +5787,7 @@ index 1a82e29..a434dfd 100644
  ')
  
  optional_policy(`
-@@ -836,20 +983,38 @@ optional_policy(`
+@@ -836,20 +984,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5818,7 +5832,7 @@ index 1a82e29..a434dfd 100644
  ')
  
  optional_policy(`
-@@ -857,6 +1022,16 @@ optional_policy(`
+@@ -857,6 +1023,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5835,7 +5849,7 @@ index 1a82e29..a434dfd 100644
  	seutil_sigchld_newrole(httpd_t)
  ')
  
-@@ -865,11 +1040,16 @@ optional_policy(`
+@@ -865,11 +1041,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5852,7 +5866,7 @@ index 1a82e29..a434dfd 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -877,65 +1057,166 @@ optional_policy(`
+@@ -877,65 +1058,165 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -5891,7 +5905,6 @@ index 1a82e29..a434dfd 100644
 +	allow httpd_t self:process setexec;
 +
 +	files_dontaudit_getattr_all_files(httpd_t)
-+	domain_dontaudit_read_all_domains_state(httpd_t)
 +	domain_getpgid_all_domains(httpd_t)
 +')
 +
@@ -10891,7 +10904,7 @@ index 32e8265..0de4af3 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..6567c77 100644
+index 914ee2d..770ae51 100644
 --- a/chronyd.te
 +++ b/chronyd.te
 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -10904,7 +10917,7 @@ index 914ee2d..6567c77 100644
  type chronyd_var_lib_t;
  files_type(chronyd_var_lib_t)
  
-@@ -32,11 +35,16 @@ files_pid_file(chronyd_var_run_t)
+@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
  # Local policy
  #
  
@@ -10916,13 +10929,12 @@ index 914ee2d..6567c77 100644
 +allow chronyd_t self:unix_dgram_socket create_socket_perms;
  allow chronyd_t self:fifo_file rw_fifo_file_perms;
  
-+
 +allow chronyd_t chronyd_keys_t:file append_file_perms;
 +allow chronyd_t chronyd_keys_t:file setattr_file_perms;
  allow chronyd_t chronyd_keys_t:file read_file_perms;
  
  manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +84,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
  corenet_udp_bind_chronyd_port(chronyd_t)
  corenet_udp_sendrecv_chronyd_port(chronyd_t)
  
@@ -11439,21 +11451,28 @@ index 29782b8..685edff 100644
  ')
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..8a40857
+index 0000000..cc740da
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,29 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
-+/usr/bin/deltacloudd		--	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
++/usr/bin/cloud-init     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
++/usr/bin/deltacloudd    --	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
 +/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
-+/usr/bin/mongod		--	gen_context(system_u:object_r:mongod_exec_t,s0)
++/usr/bin/mongod		    --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +
 +/usr/share/aeolus-conductor/dbomatic/dbomatic	--	gen_context(system_u:object_r:mongod_exec_t,s0)
 +
++/usr/lib/systemd/system/cloud-config.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
++
++/usr/lib/systemd/system/cloud-init.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
++
++/var/lib/cloud(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
++/var/log/cloud-init\.log    --  gen_context(system_u:object_r:cloud_log_t,s0)
 +/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
-+/var/lib/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_lib_t,s0)
++/var/lib/mongodb(/.*)?          gen_context(system_u:object_r:mongod_var_lib_t,s0)
 +
 +/var/log/deltacloud-core(/.*)?	gen_context(system_u:object_r:deltacloudd_log_t,s0)
 +/var/log/iwhd\.log.*		--		gen_context(system_u:object_r:iwhd_log_t,s0)
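Review bot: The new cloud-init entries use an unescaped dot in `/usr/lib/systemd/system/cloud-config.*` and `/usr/lib/systemd/system/cloud-init.*`, unlike the `\.` used elsewhere in this file (e.g. `/etc/rc\.d/init\.d/iwhd`), so `cloud-init.*` also matches any unit whose name merely starts with `cloud-init`. If the intent is the cloud-init service and its sibling units, `cloud-init\..*` and `cloud-config\..*` are the precise forms. The new lines also mix tabs and runs of spaces as column separators, and `/var/lib/cloud(/.*)?` and `/var/log/cloud-init\.log` are inserted between the `/var/lib/iwhd` and `/var/lib/mongodb` entries; grouping them with their `/var/lib` and `/var/log` siblings keeps the file sorted.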
@@ -11515,10 +11534,10 @@ index 0000000..8ac848b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..c158ef5
+index 0000000..a56e579
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,296 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -11530,6 +11549,19 @@ index 0000000..c158ef5
 +cloudform_domain_template(deltacloudd)
 +cloudform_domain_template(iwhd)
 +cloudform_domain_template(mongod)
++cloudform_domain_template(cloud_init)
++
++type cloud_init_tmp_t;
++files_tmp_file(cloud_init_tmp_t)
++
++type cloud_init_unit_file_t;
++systemd_unit_file(cloud_init_unit_file_t)
++
++type cloud_var_lib_t;
++files_type(cloud_var_lib_t)
++
++type cloud_log_t;
++logging_log_file(cloud_log_t)
 +
 +type deltacloudd_log_t;
 +logging_log_file(deltacloudd_log_t)
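Review bot: The new types are named inconsistently: `cloud_init_tmp_t` and `cloud_init_unit_file_t` carry the domain prefix, but `cloud_var_lib_t` and `cloud_log_t` do not, even though in this patch both are used only by cloud_init_t (L1693-L1698). Unless a shared use across the other cloudform domains is planned, `cloud_init_var_lib_t` and `cloud_init_log_t` would match the convention of the other types in this file (`deltacloudd_log_t`, `iwhd_var_lib_t`). Renaming later is costly because the names end up in file contexts and on labels of installed systems, so it is worth settling before the first release that ships them.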
@@ -11583,6 +11615,93 @@ index 0000000..c158ef5
 +
 +miscfiles_read_certs(cloudform_domain)
 +
++#################################
++#
++# cloud-init local policy
++#
++
++allow cloud_init_t self:capability { fowner chown fsetid dac_override };
++
++allow cloud_init_t self:udp_socket create_socket_perms;
++
++manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
++manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
++files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
++
++manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
++manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
++manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
++
++manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
++logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
++
++kernel_read_network_state(cloud_init_t)
++
++corenet_tcp_connect_http_port(cloud_init_t)
++
++corecmd_exec_bin(cloud_init_t)
++corecmd_exec_shell(cloud_init_t)
++
++fs_getattr_all_fs(cloud_init_t)
++
++storage_raw_read_fixed_disk(cloud_init_t)
++
++libs_exec_ldconfig(cloud_init_t)
++
++logging_send_syslog_msg(cloud_init_t)
++
++miscfiles_read_localization(cloud_init_t)
++
++selinux_validate_context(cloud_init_t)
++
++systemd_dbus_chat_hostnamed(cloud_init_t)
++systemd_exec_systemctl(cloud_init_t)
++systemd_start_all_services(cloud_init_t)
++
++usermanage_domtrans_passwd(cloud_init_t)
++
++optional_policy(`
++    dbus_system_bus_client(cloud_init_t)
++')
++
++optional_policy(`
++    dmidecode_domtrans(cloud_init_t)
++')
++
++optional_policy(`
++    fstools_domtrans(cloud_init_t)
++')
++
++optional_policy(`
++    hostname_exec(cloud_init_t)
++')
++
++optional_policy(`
++    mount_domtrans(cloud_init_t)
++')
++
++optional_policy(`
++    # it check file context and run restorecon
++    seutil_read_file_contexts(cloud_init_t)
++    seutil_domtrans_setfiles(cloud_init_t)
++')
++
++optional_policy(`
++    ssh_exec_keygen(cloud_init_t)
++    ssh_read_user_home_files(cloud_init_t)
++')
++
++optional_policy(`
++    sysnet_domtrans_ifconfig(cloud_init_t)
++    sysnet_read_dhcpc_state(cloud_init_t)
++    sysnet_dns_name_resolve(cloud_init_t)
++')
++
++optional_policy(`
++    unconfined_domain(cloud_init_t)
++')
++
++
 +########################################
 +#
 +# deltacloudd local policy
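Review bot: The block ends with `optional_policy(\` unconfined_domain(cloud_init_t) ')`, which on any system with the unconfined module loaded makes the roughly sixty explicit rules above it (including `storage_raw_read_fixed_disk`, `systemd_start_all_services` and `usermanage_domtrans_passwd`) redundant, and nothing in the file says which mode is expected. Suggest a comment above that call stating the intent, e.g. `# unconfined when the unconfined module is present (presumably because cloud-init executes user-supplied data); the rules above are the confined fallback`. Two style points: the optional_policy bodies in this hunk are indented with four spaces while the rest of the contrib patch uses a tab (compare L1429), and the same four-space indentation appears in the mysql.te hunk at L2125; the comment `# it check file context and run restorecon` should read `# it checks file contexts and runs restorecon`. There is also a doubled blank line at L1765-L1766.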
@@ -12252,7 +12371,7 @@ index 8e27a37..825f537 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/colord.te b/colord.te
-index 09f18e2..9d70983 100644
+index 09f18e2..3547d05 100644
 --- a/colord.te
 +++ b/colord.te
 @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@@ -12315,7 +12434,7 @@ index 09f18e2..9d70983 100644
  
  storage_getattr_fixed_disk_dev(colord_t)
  storage_getattr_removable_dev(colord_t)
-@@ -98,25 +104,28 @@ storage_write_scsi_generic(colord_t)
+@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t)
  
  auth_use_nsswitch(colord_t)
  
@@ -12337,6 +12456,7 @@ index 09f18e2..9d70983 100644
 -')
 +userdom_rw_user_tmpfs_files(colord_t)
 +userdom_home_reader(colord_t)
++userdom_list_user_home_content(colord_t)
 +userdom_read_inherited_user_home_content_files(colord_t)
  
  optional_policy(`
@@ -12354,7 +12474,7 @@ index 09f18e2..9d70983 100644
  ')
  
  optional_policy(`
-@@ -133,3 +142,16 @@ optional_policy(`
+@@ -133,3 +143,16 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(colord_t)
  ')
@@ -16587,7 +16707,7 @@ index 06da9a0..6d69a2f 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..c7268a7 100644
+index 9f34c2e..ab0eee9 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16729,7 +16849,7 @@ index 9f34c2e..c7268a7 100644
  allow cupsd_t self:appletalk_socket create_socket_perms;
  
  allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,6 +145,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,11 +145,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  
  manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -16737,7 +16857,13 @@ index 9f34c2e..c7268a7 100644
  
  manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
  manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -139,22 +165,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+ files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
++cups_filetrans_named_content(cupsd_t)
+ 
+ allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+@@ -139,22 +166,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
  
@@ -16765,7 +16891,7 @@ index 9f34c2e..c7268a7 100644
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
  allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -162,11 +189,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -162,11 +190,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
  can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
  
  kernel_read_system_state(cupsd_t)
@@ -16777,7 +16903,7 @@ index 9f34c2e..c7268a7 100644
  corenet_all_recvfrom_netlabel(cupsd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_t)
  corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -189,12 +214,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -189,12 +215,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_bind_all_rpc_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
  
@@ -16802,7 +16928,7 @@ index 9f34c2e..c7268a7 100644
  dev_rw_input_dev(cupsd_t)
  dev_rw_generic_usb_dev(cupsd_t)
  dev_rw_usbfs(cupsd_t)
-@@ -206,7 +239,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -206,7 +240,6 @@ domain_use_interactive_fds(cupsd_t)
  files_getattr_boot_dirs(cupsd_t)
  files_list_spool(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
@@ -16810,7 +16936,7 @@ index 9f34c2e..c7268a7 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -215,16 +247,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +248,17 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -16830,7 +16956,7 @@ index 9f34c2e..c7268a7 100644
  
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
-@@ -235,6 +268,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +269,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
@@ -16839,7 +16965,7 @@ index 9f34c2e..c7268a7 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -247,21 +282,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +283,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -16865,7 +16991,7 @@ index 9f34c2e..c7268a7 100644
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
  optional_policy(`
-@@ -275,6 +309,8 @@ optional_policy(`
+@@ -275,6 +310,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -16874,7 +17000,7 @@ index 9f34c2e..c7268a7 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -285,8 +321,10 @@ optional_policy(`
+@@ -285,8 +322,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -16885,7 +17011,7 @@ index 9f34c2e..c7268a7 100644
  	')
  ')
  
-@@ -299,8 +337,8 @@ optional_policy(`
+@@ -299,8 +338,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16895,7 +17021,7 @@ index 9f34c2e..c7268a7 100644
  ')
  
  optional_policy(`
-@@ -309,7 +347,6 @@ optional_policy(`
+@@ -309,7 +348,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -16903,7 +17029,7 @@ index 9f34c2e..c7268a7 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -337,7 +374,11 @@ optional_policy(`
+@@ -337,7 +375,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16916,7 +17042,7 @@ index 9f34c2e..c7268a7 100644
  ')
  
  ########################################
-@@ -345,12 +386,11 @@ optional_policy(`
+@@ -345,12 +387,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -16932,7 +17058,7 @@ index 9f34c2e..c7268a7 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -375,18 +415,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +416,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -16953,7 +17079,7 @@ index 9f34c2e..c7268a7 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +433,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +434,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -16974,7 +17100,7 @@ index 9f34c2e..c7268a7 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +450,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +451,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -16986,7 +17112,7 @@ index 9f34c2e..c7268a7 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +477,12 @@ optional_policy(`
+@@ -452,9 +478,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17000,7 +17126,7 @@ index 9f34c2e..c7268a7 100644
  ')
  
  optional_policy(`
-@@ -490,10 +518,6 @@ optional_policy(`
+@@ -490,10 +519,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -17011,7 +17137,7 @@ index 9f34c2e..c7268a7 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +535,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +536,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -17044,7 +17170,7 @@ index 9f34c2e..c7268a7 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +561,6 @@ optional_policy(`
+@@ -546,7 +562,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -17052,7 +17178,7 @@ index 9f34c2e..c7268a7 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +576,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +577,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -17204,7 +17330,7 @@ index 9f34c2e..c7268a7 100644
  
  ########################################
  #
-@@ -731,7 +620,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +621,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -17212,7 +17338,7 @@ index 9f34c2e..c7268a7 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +629,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +630,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -17226,7 +17352,7 @@ index 9f34c2e..c7268a7 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +641,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +642,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -17235,7 +17361,7 @@ index 9f34c2e..c7268a7 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +653,4 @@ optional_policy(`
+@@ -769,3 +654,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -38237,7 +38363,7 @@ index 6194b80..af1201e 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..550e8d7 100644
+index 6a306ee..0a31eec 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -38681,7 +38807,7 @@ index 6a306ee..550e8d7 100644
  ')
  
  optional_policy(`
-@@ -300,221 +324,179 @@ optional_policy(`
+@@ -300,221 +324,180 @@ optional_policy(`
  
  ########################################
  #
@@ -38888,6 +39014,7 @@ index 6a306ee..550e8d7 100644
 -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
 -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
 +dev_rwx_zero(mozilla_plugin_t)
++dev_dontaudit_read_mtrr(mozilla_plugin_t)
 +dev_dontaudit_rw_dri(mozilla_plugin_t)
 +dev_dontaudit_getattr_all(mozilla_plugin_t)
  
@@ -39001,7 +39128,7 @@ index 6a306ee..550e8d7 100644
  ')
  
  optional_policy(`
-@@ -523,36 +505,48 @@ optional_policy(`
+@@ -523,36 +506,48 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39063,7 +39190,7 @@ index 6a306ee..550e8d7 100644
  ')
  
  optional_policy(`
-@@ -560,7 +554,7 @@ optional_policy(`
+@@ -560,7 +555,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39072,7 +39199,7 @@ index 6a306ee..550e8d7 100644
  ')
  
  optional_policy(`
-@@ -568,108 +562,118 @@ optional_policy(`
+@@ -568,108 +563,118 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42420,7 +42547,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..dfa6623 100644
+index 9f6179e..2b85b52 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -1,4 +1,4 @@
@@ -42578,7 +42705,18 @@ index 9f6179e..dfa6623 100644
  ')
  
  optional_policy(`
-@@ -153,29 +154,22 @@ optional_policy(`
+@@ -144,6 +145,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    openshift_search_lib(mysqld_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(mysqld_t)
+ ')
+ 
+@@ -153,29 +158,22 @@ optional_policy(`
  
  #######################################
  #
@@ -42613,7 +42751,7 @@ index 9f6179e..dfa6623 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,17 +181,21 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -187,17 +185,21 @@ dev_list_sysfs(mysqld_safe_t)
  
  domain_read_all_domains_state(mysqld_safe_t)
  
@@ -42629,10 +42767,10 @@ index 9f6179e..dfa6623 100644
  
 -miscfiles_read_localization(mysqld_safe_t)
 +auth_read_passwd(mysqld_safe_t)
++
++domain_dontaudit_signull_all_domains(mysqld_safe_t)
  
 -userdom_search_user_home_dirs(mysqld_safe_t)
-+domain_dontaudit_signull_all_domains(mysqld_safe_t)
-+
 +mysql_manage_db_files(mysqld_safe_t)
 +mysql_read_config(mysqld_safe_t)
 +mysql_search_pid_files(mysqld_safe_t)
@@ -42641,7 +42779,7 @@ index 9f6179e..dfa6623 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -205,7 +203,7 @@ optional_policy(`
+@@ -205,7 +207,7 @@ optional_policy(`
  
  ########################################
  #
@@ -42650,7 +42788,7 @@ index 9f6179e..dfa6623 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +212,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +216,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -42668,7 +42806,7 @@ index 9f6179e..dfa6623 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -226,31 +225,22 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +229,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -42699,9 +42837,9 @@ index 9f6179e..dfa6623 100644
 -files_read_usr_files(mysqlmanagerd_t)
 -files_search_pids(mysqlmanagerd_t)
 -files_search_var_lib(mysqlmanagerd_t)
- 
+-
 -miscfiles_read_localization(mysqlmanagerd_t)
- 
+-
 -userdom_search_user_home_dirs(mysqlmanagerd_t)
 +userdom_getattr_user_home_dirs(mysqlmanagerd_t)
 diff --git a/mythtv.fc b/mythtv.fc
@@ -49852,10 +49990,10 @@ index 0000000..bddd4b3
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..d94eda8
+index 0000000..877c71a
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,545 @@
+@@ -0,0 +1,546 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -50325,6 +50463,7 @@ index 0000000..d94eda8
 +
 +allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
 +manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
++allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
 +
 +########################################
 +#
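Review bot: The new allow rule grants rw_inherited_file_perms on every type carrying the openshift_file_type attribute, whereas the two rules just above it are scoped to openshift_var_lib_t only, and nothing in the hunk records why the wider attribute is needed. If I recall reference policy correctly rw_inherited_file_perms omits `open`, so the domain can only use descriptors handed to it, which matches the changelog's "passed-in file descriptors" intent, but that reasoning lives only in the changelog. I'd add a why-comment above the rule, `# fds inherited from the gear: no open perm, so only files already passed in`, and narrow the attribute to the specific openshift type if the cgroup reader only ever receives one kind. The openshift_cgroup_read_t section continues outside the hunk.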
@@ -69325,7 +69464,7 @@ index 3bd6446..a61764b 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index e5212e6..ede6c81 100644
+index e5212e6..74f3e1b 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -1,4 +1,4 @@
@@ -69514,24 +69653,24 @@ index e5212e6..ede6c81 100644
  optional_policy(`
 -	nis_read_ypserv_config(rpcd_t)
 +	domain_unconfined_signal(rpcd_t)
-+')
-+
-+optional_policy(`
-+	quota_manage_db(rpcd_t)
  ')
  
  optional_policy(`
 -	quota_manage_db_files(rpcd_t)
-+	nis_read_ypserv_config(rpcd_t)
++	quota_manage_db(rpcd_t)
  ')
  
  optional_policy(`
 -	rgmanager_manage_tmp_files(rpcd_t)
-+	quota_read_db(rpcd_t)
++	nis_read_ypserv_config(rpcd_t)
  ')
  
  optional_policy(`
 -	unconfined_signal(rpcd_t)
++	quota_read_db(rpcd_t)
++')
++
++optional_policy(`
 +	rhcs_manage_cluster_tmp_files(rpcd_t)
  ')
  
@@ -69663,13 +69802,17 @@ index e5212e6..ede6c81 100644
  ')
  
  optional_policy(`
-@@ -306,8 +270,7 @@ optional_policy(`
+@@ -306,8 +270,11 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_keytab_template(gssd, gssd_t)
 -	kerberos_manage_host_rcache(gssd_t)
 -	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
 +	kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
++')
++
++optional_policy(`
++	gssproxy_stream_connect(gssd_t)
  ')
  
  optional_policy(`
@@ -78547,7 +78690,7 @@ index 7a9cc9d..86cbca9 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/snmp.te b/snmp.te
-index 81864ce..24fe118 100644
+index 81864ce..4b6b771 100644
 --- a/snmp.te
 +++ b/snmp.te
 @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
@@ -78617,11 +78760,15 @@ index 81864ce..24fe118 100644
  
  seutil_dontaudit_search_config(snmpd_t)
  
-@@ -131,7 +133,7 @@ optional_policy(`
+@@ -131,7 +133,11 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	corosync_stream_connect(snmpd_t)
++    fstools_domtrans(snmpd_t)
++')
++
++optional_policy(`
 +	rhcs_stream_connect_cluster(snmpd_t)
  ')
  
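Review bot: `fstools_domtrans(snmpd_t)` gives a network-facing daemon a transition into fsadm_t, which in reference policy is the domain for filesystem tools with raw fixed-disk access, so any fstools_exec_t-labelled binary that snmpd can be made to execute (not only smartctl) runs with those rights; fsadm_t's exact privileges are not visible in this hunk, so confirm them before merging. If smartctl is the only intended target it would be safer to give it its own type or gate the transition behind a boolean, and at minimum the rule needs a why-comment such as `# smartctl (disk health via snmp) needs raw disk access; runs in fsadm_t`. The line is also indented with four spaces where the surrounding optional_policy bodies use a tab.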
@@ -86439,7 +86586,7 @@ index 31c752e..ef52235 100644
  	init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/vdagent.te b/vdagent.te
-index 77be35a..4abe2aa 100644
+index 77be35a..0e9a7d1 100644
 --- a/vdagent.te
 +++ b/vdagent.te
 @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@@ -86450,21 +86597,27 @@ index 77be35a..4abe2aa 100644
  allow vdagent_t self:fifo_file rw_fifo_file_perms;
  allow vdagent_t self:unix_stream_socket { accept listen };
  
-@@ -43,13 +44,15 @@ dev_rw_input_dev(vdagent_t)
+@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+ setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+ logging_log_filetrans(vdagent_t, vdagent_log_t, file)
+ 
++kernel_request_load_module(vdagent_t)
++
+ dev_rw_input_dev(vdagent_t)
  dev_read_sysfs(vdagent_t)
  dev_dontaudit_write_mtrr(vdagent_t)
  
 -files_read_etc_files(vdagent_t)
- 
+-
  init_read_state(vdagent_t)
  
 -logging_send_syslog_msg(vdagent_t)
 +systemd_read_logind_sessions_files(vdagent_t)
 +systemd_login_read_pid_files(vdagent_t)
++
++term_use_virtio_console(vdagent_t)
  
 -miscfiles_read_localization(vdagent_t)
-+term_use_virtio_console(vdagent_t)
-+
 +logging_send_syslog_msg(vdagent_t)
  
  userdom_read_all_users_state(vdagent_t)
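Review bot: `kernel_request_load_module(vdagent_t)` is added without a comment saying what triggers the module request, so a later reviewer cannot tell which device open is expected to autoload a driver or judge when the rule can be dropped. The interface grants only the kernel `module_request` permission (the kernel runs modprobe on the domain's behalf), not sys_module, so vdagent cannot load modules of its own choosing; that distinction is worth recording. I'd put above it `# module_request only: lets the kernel autoload a driver when vdagent opens a device node; vdagent cannot load modules itself`, naming the trigger once it is confirmed against the AVC that motivated the change (presumably the input or virtio console device, given dev_rw_input_dev and term_use_virtio_console in the same block).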
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cc7fb92..a2c9477 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 52%{?dist}
+Release: 53%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -97,6 +97,7 @@ SELinux policy development and man page package
 
 %post devel
 selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null 
+exit 0
 
 %package doc
 Summary: SELinux policy documentation
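Review bot: The added `exit 0` makes the %post devel scriptlet succeed when selinuxenabled fails, which is the intent, but it also hides a genuine sepolgen-ifgen failure, whose stderr the line above already discards. If best-effort is the deliberate policy, a comment saying so keeps the next maintainer from "fixing" it: `# best-effort: a disabled SELinux or a failed ifgen must not fail the install`. Otherwise guard only the selinuxenabled test, `if selinuxenabled; then /usr/bin/sepolgen-ifgen 2>/dev/null; fi`, so a real ifgen error is still reported.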
@@ -534,6 +535,23 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jun 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-53
+- Make vdagent able to request loading kernel module
+- Add support for cloud-init make it as unconfined domain
+- Allow snmpd to run smartctl in fsadm_t domain
+- remove duplicate openshift_search_lib() interface
+- Allow mysqld to search openshift lib files
+- Allow openshift cgroup to interact with passedin file descriptors
+- Allow colord to list directories inthe users homedir
+- aide executes prelink to check files
+- Make sure cupsd_t creates content in /etc/cups with the correct label
+- Lest dontaudit apache read all domains, so passenger will not cause this avc
+- Allow gssd to connect to gssproxy
+- systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS
+- Allow systemd-tmpfiles to relabel also lock files
+- Allow useradd to add homdir in /var/lib/openshift
+- Allow setfiles and semanage to write output to /run/files
+
 * Fri Jun 14 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-52
 - Add labeling for /dev/tgt
 - Dontaudit leak fd from firewalld for modprobe
@@ -726,7 +744,7 @@ SELinux Reference policy mls base module.
 - Allow certwatch to read net_config_t when it executes apache
 - Allow readahead to create /run/systemd and then create its own directory with the correct label
 
-* Fri May 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-43
+* Mon May 13 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-43
 - Transition directories and files when in a user_tmp_t directory
 - Change certwatch to domtrans to apache instead of just execute
 - Allow virsh_t to read xen lib files

