[selinux-policy/f20] * Thu Aug 29 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74 - Add selinux-policy-sandbox pkg

Miroslav Grepl mgrepl at fedoraproject.org
Thu Aug 29 14:00:50 UTC 2013


commit 3b489b72053eae989cb16ecd1776dada3556f538
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Aug 29 16:00:31 2013 +0200

    * Thu Aug 29 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74
    - Add selinux-policy-sandbox pkg

 policy-rawhide-base.patch    |  203 ++++++----
 policy-rawhide-contrib.patch |  903 ++++++++++++++++++++++++------------------
 selinux-policy.spec          |    5 +-
 3 files changed, 656 insertions(+), 455 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a6f54f7..a8e95dd 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3046,7 +3046,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..51181b8 100644
+index 644d4d7..f9bcd44 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3350,7 +3350,15 @@ index 644d4d7..51181b8 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +457,15 @@ ifdef(`distro_suse', `
+@@ -342,6 +416,7 @@ ifdef(`distro_redhat', `
+ /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
+@@ -383,11 +458,15 @@ ifdef(`distro_suse', `
  #
  # /var
  #
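Review bot: The new file-context entry on the `polgengui.py` line leaves the dot unescaped, while every neighbouring entry (`polgen\.py`, `system-config-selinux\.py`) escapes it. In file_contexts the path is a regular expression, so an unescaped `.` matches any single character rather than a literal dot; the practical effect is small, but it is inconsistent with the rest of the file and with how the other entries pin the label to the exact path. Suggested line: `/usr/share/system-config-selinux/polgengui\.py -- gen_context(system_u:object_r:bin_t,s0)`.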
@@ -3367,7 +3375,7 @@ index 644d4d7..51181b8 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +475,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +476,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -8283,7 +8291,7 @@ index 6529bd9..831344c 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..57cc8d1 100644
+index 6a1e4d1..84e8030 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -8426,7 +8434,7 @@ index 6a1e4d1..57cc8d1 100644
  ##	Unconfined access to domains.
  ## </summary>
  ## <param name="domain">
-@@ -1530,4 +1561,45 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1561,63 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
@@ -8471,6 +8479,24 @@ index 6a1e4d1..57cc8d1 100644
 +	')
 +
 +	allow $1 domain:process transition;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to access check /proc
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`domain_dontaudit_access_check',`
++	gen_require(`
++		attribute domain;
++	')
++
++	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
 index cf04cb5..2b917b5 100644
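Review bot: The `<summary>` of the new `domain_dontaudit_access_check` interface reads "Do not audit attempts to access check /proc", which does not parse and does not name the permission the rule suppresses. The body dontaudits `$1 domain:dir_file_class_set audit_access`, i.e. the `audit_access` permission (the one checked for access(2)-style permission probes) on objects labelled with any domain type, presumably the per-process /proc entries. Suggested summary: `##	Do not audit access(2) permission probes (audit_access) on the /proc entries of all domains.`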
@@ -17142,7 +17168,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..98d1e34 100644
+index 88d0028..897634a 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
@@ -17581,7 +17607,7 @@ index 88d0028..98d1e34 100644
  	virt_stream_connect(sysadm_t)
 +	virt_filetrans_home_content(sysadm_t)
 +	virt_manage_pid_dirs(sysadm_t)
-+	virt_transition_svirt_lxc(sysadm_t, sysadm_r)
++	virt_transition_svirt_sandbox(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
@@ -18396,7 +18422,7 @@ index 0000000..cf6582f
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..d74943c
+index 0000000..36f6ee2
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,332 @@
@@ -18723,7 +18749,7 @@ index 0000000..d74943c
 +
 +optional_policy(`
 +	virt_transition_svirt(unconfined_t, unconfined_r)
-+	virt_transition_svirt_lxc(unconfined_t, unconfined_r)
++	virt_transition_svirt_sandbox(unconfined_t, unconfined_r)
 +')
 +
 +optional_policy(`
@@ -20223,7 +20249,7 @@ index fe0c682..225aaa7 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..2d08ed2 100644
+index 5fc0391..7931fba 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20602,8 +20628,8 @@ index 5fc0391..2d08ed2 100644
  
  optional_policy(`
 +	kernel_write_proc_files(sshd_t)
-+	virt_transition_svirt_lxc(sshd_t, system_r)
-+	virt_stream_connect_lxc(sshd_t)
++	virt_transition_svirt_sandbox(sshd_t, system_r)
++	virt_stream_connect_sandbox(sshd_t)
 +	virt_stream_connect(sshd_t)
 +')
 +
@@ -20975,7 +21001,7 @@ index d1f64a0..8f50bb9 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..307cefc 100644
+index 6bf0ecc..9b46e11 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,37 @@
@@ -21204,14 +21230,18 @@ index 6bf0ecc..307cefc 100644
  		class x_synthetic_event all_x_synthetic_event_perms;
 +		class x_client destroy;
 +		class x_server manage;
-+		class x_screen { saver_setattr saver_hide saver_show };
++		class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor };
 +		class x_pointer { get_property set_property manage };
-+		class x_keyboard { read manage };
++		class x_keyboard { read manage freeze };
  	')
  
  	##############################
-@@ -386,6 +328,15 @@ template(`xserver_common_x_domain_template',`
- 	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
+@@ -383,9 +325,18 @@ template(`xserver_common_x_domain_template',`
+ 	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
+ 	# can receive default events
+ 	allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
+-	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
++	allow $2 xevent_t:{ x_event x_synthetic_event } { send receive };
  	# dont audit send failures
  	dontaudit $2 input_xevent_type:x_event send;
 +
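Review bot: The `allow $2 xevent_t:{ x_event x_synthetic_event } receive` rule is widened to `{ send receive }`, and `x_keyboard` gains `freeze` both here and in the following hunk at the `allow $2 xserver_t:x_keyboard` line, with no comment recording which client needed them. Both rights affect shared server state rather than the client's own objects, and every domain instantiated through `xserver_common_x_domain_template` now receives them; the template body begins before this hunk. A one-line comment above the `send receive` line naming the program and the denial that motivated it, e.g. `# <client> needs to send generic xevent_t events and freeze the keyboard (<bug reference>)` with the placeholders filled in, would keep the widening reviewable later.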
@@ -21220,9 +21250,9 @@ index 6bf0ecc..307cefc 100644
 +
 +	allow $2 root_xdrawable_t:x_drawable write;
 +	allow $2 xserver_t:x_server manage;
-+	allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
++	allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show };
 +	allow $2 xserver_t:x_pointer { get_property set_property manage };
-+	allow $2 xserver_t:x_keyboard { read manage };
++	allow $2 xserver_t:x_keyboard { read manage freeze };
  ')
  
  #######################################
@@ -21903,32 +21933,36 @@ index 6bf0ecc..307cefc 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1261,13 +1621,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
 -		type xserver_t;
-+		type xserver_t, root_xdrawable_t;
++		type xserver_t, root_xdrawable_t, xevent_t;
  		class x_device all_x_device_perms;
  		class x_pointer all_x_pointer_perms;
  		class x_keyboard all_x_keyboard_perms;
 +		class x_screen all_x_screen_perms;
 +		class x_drawable { manage };
 +		attribute x_domain;
-+		class x_drawable { read manage setattr show };
-+		class x_resource { write read };
++		class x_drawable all_x_drawable_perms;
++		class x_resource all_x_resource_perms;
++		class x_synthetic_event all_x_synthetic_event_perms;
++		class x_cursor all_x_cursor_perms;
  	')
  
  	allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
 +	allow $1 xserver_t:{ x_screen } setattr;
 +	
-+	allow $1 x_domain:x_drawable { read manage setattr show };
-+	allow $1 x_domain:x_resource { write read };
-+	allow $1 root_xdrawable_t:x_drawable { manage read };
++	allow $1 x_domain:x_cursor all_x_cursor_perms;
++	allow $1 x_domain:x_drawable all_x_drawable_perms;
++	allow $1 x_domain:x_resource all_x_resource_perms;
++	allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms;
++	allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms;
  ')
  
  ########################################
-@@ -1284,10 +1654,623 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1658,623 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
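Review bot: After this hunk `xserver_manage_core_devices` grants `all_x_drawable_perms`, `all_x_resource_perms` and `all_x_cursor_perms` on every `x_domain` client plus `all_x_synthetic_event_perms` on `xevent_t`, which is far broader than the interface name (and its summary, which lies before this hunk) suggests; a caller reading the name would not expect full control over other clients' windows and resources. Either move the new grants into a separately named interface, or at least update the summary to state that the domain gets full access to all X clients' drawables, resources and cursors and may send synthetic events. The `gen_require` block also now lists `class x_drawable { manage };` directly above `class x_drawable all_x_drawable_perms;`; the first declaration is subsumed by the second and can be dropped.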
@@ -22555,7 +22589,7 @@ index 6bf0ecc..307cefc 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..0c869cb 100644
+index 2696452..b67997e 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -23059,7 +23093,7 @@ index 2696452..0c869cb 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +557,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -23083,6 +23117,7 @@ index 2696452..0c869cb 100644
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
++dev_rw_wireless(xdm_t)
  dev_getattr_xserver_misc_dev(xdm_t)
  dev_setattr_xserver_misc_dev(xdm_t)
 +dev_rw_xserver_misc(xdm_t)
@@ -23112,7 +23147,7 @@ index 2696452..0c869cb 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +609,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +610,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -23141,7 +23176,7 @@ index 2696452..0c869cb 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +639,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23190,7 +23225,7 @@ index 2696452..0c869cb 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +686,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -23341,7 +23376,7 @@ index 2696452..0c869cb 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +837,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -23368,7 +23403,7 @@ index 2696452..0c869cb 100644
  ')
  
  optional_policy(`
-@@ -514,12 +864,56 @@ optional_policy(`
+@@ -514,12 +865,56 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23425,7 +23460,7 @@ index 2696452..0c869cb 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +931,78 @@ optional_policy(`
+@@ -537,28 +932,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23513,7 +23548,7 @@ index 2696452..0c869cb 100644
  ')
  
  optional_policy(`
-@@ -570,6 +1014,14 @@ optional_policy(`
+@@ -570,6 +1015,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23528,7 +23563,16 @@ index 2696452..0c869cb 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +1046,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -584,7 +1037,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+ type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
+ 
+ allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
+-allow xserver_t input_xevent_t:x_event send;
++allow xserver_t xevent_type:x_event send;
+ 
+ # setuid/setgid for the wrapper program to change UID
+ # sys_rawio is for iopl access - should not be needed for frame-buffer
+@@ -594,8 +1047,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23541,7 +23585,7 @@ index 2696452..0c869cb 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1063,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1064,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23557,7 +23601,7 @@ index 2696452..0c869cb 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1079,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1080,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -23568,7 +23612,7 @@ index 2696452..0c869cb 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1094,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1095,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23590,7 +23634,7 @@ index 2696452..0c869cb 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1114,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1115,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -23604,7 +23648,7 @@ index 2696452..0c869cb 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1140,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1141,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -23636,7 +23680,7 @@ index 2696452..0c869cb 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1172,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1173,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23654,7 +23698,7 @@ index 2696452..0c869cb 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1195,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1196,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -23678,7 +23722,7 @@ index 2696452..0c869cb 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1214,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1215,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -23687,7 +23731,7 @@ index 2696452..0c869cb 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1258,44 @@ optional_policy(`
+@@ -775,16 +1259,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23733,7 +23777,7 @@ index 2696452..0c869cb 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1304,10 @@ optional_policy(`
+@@ -793,6 +1305,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23744,7 +23788,7 @@ index 2696452..0c869cb 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1323,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1324,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -23758,7 +23802,7 @@ index 2696452..0c869cb 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1334,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1335,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -23767,7 +23811,7 @@ index 2696452..0c869cb 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1347,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1348,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23802,7 +23846,7 @@ index 2696452..0c869cb 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1412,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1413,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23811,7 +23855,7 @@ index 2696452..0c869cb 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1466,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1467,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -23843,7 +23887,7 @@ index 2696452..0c869cb 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1512,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1513,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -25895,10 +25939,10 @@ index 9dfecf7..6d00f5c 100644
 +
 +/usr/bin/hostname	--	gen_context(system_u:object_r:hostname_exec_t,s0)
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index f6cbda9..8c37105 100644
+index f6cbda9..51e9aef 100644
 --- a/policy/modules/system/hostname.te
 +++ b/policy/modules/system/hostname.te
-@@ -23,39 +23,47 @@ dontaudit hostname_t self:capability sys_tty_config;
+@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config;
  
  kernel_list_proc(hostname_t)
  kernel_read_proc_symlinks(hostname_t)
@@ -25925,8 +25969,7 @@ index f6cbda9..8c37105 100644
  term_dontaudit_use_console(hostname_t)
 -term_use_all_ttys(hostname_t)
 -term_use_all_ptys(hostname_t)
-+term_use_all_inherited_ttys(hostname_t)
-+term_use_all_inherited_ptys(hostname_t)
++term_use_all_inherited_terms(hostname_t)
  
  init_use_fds(hostname_t)
  init_use_script_fds(hostname_t)
@@ -28848,7 +28891,7 @@ index 0d4c8d3..a89c4a2 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..323d9ec 100644
+index 9e54bf9..bc0e6c2 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28930,7 +28973,7 @@ index 9e54bf9..323d9ec 100644
  term_use_console(ipsec_t)
  term_dontaudit_use_all_ttys(ipsec_t)
  
-@@ -165,11 +176,13 @@ auth_use_nsswitch(ipsec_t)
+@@ -165,16 +176,22 @@ auth_use_nsswitch(ipsec_t)
  init_use_fds(ipsec_t)
  init_use_script_ptys(ipsec_t)
  
@@ -28945,7 +28988,16 @@ index 9e54bf9..323d9ec 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -187,10 +200,10 @@ optional_policy(`
+ 
+ optional_policy(`
++    iptables_domtrans(ipsec_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(ipsec_t)
+ ')
+ 
+@@ -187,10 +204,10 @@ optional_policy(`
  # ipsec_mgmt Local policy
  #
  
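Review bot: The added `iptables_domtrans(ipsec_t)` line is indented with four spaces while the surrounding `optional_policy` bodies in this file (e.g. `	seutil_sigchld_newrole(ipsec_t)` a few lines below) use a tab. Change it to `	iptables_domtrans(ipsec_t)` with a tab to match the file's convention.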
@@ -28960,7 +29012,7 @@ index 9e54bf9..323d9ec 100644
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
  allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -210,10 +223,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+@@ -210,10 +227,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -28973,7 +29025,7 @@ index 9e54bf9..323d9ec 100644
  
  # _realsetup needs to be able to cat /var/run/pluto.pid,
  # run ps on that pid, and delete the file
-@@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +264,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -28990,7 +29042,7 @@ index 9e54bf9..323d9ec 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +279,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +283,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -28999,7 +29051,7 @@ index 9e54bf9..323d9ec 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -278,9 +304,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +308,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -29011,7 +29063,7 @@ index 9e54bf9..323d9ec 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +317,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +321,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
  logging_send_syslog_msg(ipsec_mgmt_t)
  
@@ -29035,7 +29087,7 @@ index 9e54bf9..323d9ec 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +352,10 @@ optional_policy(`
+@@ -322,6 +356,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29046,7 +29098,7 @@ index 9e54bf9..323d9ec 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +369,7 @@ optional_policy(`
+@@ -335,7 +373,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -29055,7 +29107,7 @@ index 9e54bf9..323d9ec 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +404,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +408,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -29075,7 +29127,7 @@ index 9e54bf9..323d9ec 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +434,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +438,11 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -29088,7 +29140,7 @@ index 9e54bf9..323d9ec 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +472,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -33769,7 +33821,7 @@ index 3822072..ec95692 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..063ef61 100644
+index ec01d0b..59ed766 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,14 +11,16 @@ gen_require(`
@@ -34297,7 +34349,7 @@ index ec01d0b..063ef61 100644
  ')
  
  ########################################
-@@ -522,108 +598,189 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,191 @@ ifdef(`distro_ubuntu',`
  # Setfiles local policy
  #
  
@@ -34565,6 +34617,8 @@ index ec01d0b..063ef61 100644
 +
 +files_rw_inherited_generic_pid_files(setfiles_domain)
 +files_rw_inherited_generic_pid_files(policy_manager_domain)
++files_create_boot_flag(policy_manager_domain, ".autorelabel")
++files_delete_boot_flag(policy_manager_domain)
 +
  optional_policy(`
 -	hotplug_use_fds(setfiles_t)
@@ -42960,7 +43014,7 @@ index 3c5dba7..5dc956a 100644
 +	dontaudit $1 user_home_type:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..211263f 100644
+index e2b538b..3a775a7 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -43048,7 +43102,7 @@ index e2b538b..211263f 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +82,226 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +82,227 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -43106,6 +43160,7 @@ index e2b538b..211263f 100644
 +allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
 +
 +# Nautilus causes this avc
++domain_dontaudit_access_check(unpriv_userdomain)
 +dontaudit unpriv_userdomain self:dir setattr;
 +allow unpriv_userdomain self:key manage_key_perms;
 +
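Review bot: The new `domain_dontaudit_access_check(unpriv_userdomain)` call is inserted between the comment `# Nautilus causes this avc` and the `dontaudit unpriv_userdomain self:dir setattr;` rule that comment was written for, so the comment now reads as if it applied to the new line. Either place the call after that rule or give it its own comment, e.g. `# do not audit access(2) probes of /proc entries (see domain_dontaudit_access_check)`, so each dontaudit keeps its own justification.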
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 8060cc3..69b9cf3 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -15490,7 +15490,7 @@ index 1303b30..058864e 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 28e1b86..9436993 100644
+index 28e1b86..f871609 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -1,4 +1,4 @@
@@ -15731,7 +15731,7 @@ index 28e1b86..9436993 100644
  logging_log_filetrans(crond_t, cron_log_t, file)
  
  manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
-@@ -237,72 +180,67 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
  
  manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
  manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -15802,6 +15802,7 @@ index 28e1b86..9436993 100644
 +# Read from /var/spool/cron.
  files_search_var_lib(crond_t)
  files_search_default(crond_t)
++files_read_all_locks(crond_t)
  
 -mls_fd_share_all_levels(crond_t)
 +fs_manage_cgroup_dirs(crond_t)
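Review bot: `files_read_all_locks(crond_t)` gives crond read access to every lock-file type in the policy, and it lands under the pre-existing `# Read from /var/spool/cron.` comment, which does not describe it. If crond only needs one particular lock (the commit does not say which), a type-specific read interface would be the narrower grant; otherwise a comment stating the reason, e.g. `# crond reads all lock files because <reason>` with the placeholder filled in, would document why the broad interface was chosen.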
@@ -15834,7 +15835,7 @@ index 28e1b86..9436993 100644
  auth_use_nsswitch(crond_t)
  
  logging_send_audit_msgs(crond_t)
-@@ -311,41 +249,46 @@ logging_set_loginuid(crond_t)
+@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t)
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
@@ -15897,7 +15898,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -353,102 +296,136 @@ optional_policy(`
+@@ -353,102 +297,136 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16065,7 +16066,7 @@ index 28e1b86..9436993 100644
  allow system_cronjob_t cron_spool_t:dir list_dir_perms;
  allow system_cronjob_t cron_spool_t:file rw_file_perms;
  
-@@ -457,11 +434,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
  kernel_read_software_raid_state(system_cronjob_t)
  
@@ -16078,7 +16079,7 @@ index 28e1b86..9436993 100644
  corenet_all_recvfrom_netlabel(system_cronjob_t)
  corenet_tcp_sendrecv_generic_if(system_cronjob_t)
  corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -481,6 +458,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
  fs_getattr_all_pipes(system_cronjob_t)
  fs_getattr_all_sockets(system_cronjob_t)
  
@@ -16086,7 +16087,7 @@ index 28e1b86..9436993 100644
  domain_dontaudit_read_all_domains_state(system_cronjob_t)
  
  files_exec_etc_files(system_cronjob_t)
-@@ -491,15 +469,19 @@ files_getattr_all_files(system_cronjob_t)
+@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t)
  files_getattr_all_symlinks(system_cronjob_t)
  files_getattr_all_pipes(system_cronjob_t)
  files_getattr_all_sockets(system_cronjob_t)
@@ -16109,7 +16110,7 @@ index 28e1b86..9436993 100644
  init_domtrans_script(system_cronjob_t)
  
  auth_use_nsswitch(system_cronjob_t)
-@@ -511,20 +493,26 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t)
  logging_send_audit_msgs(system_cronjob_t)
  logging_send_syslog_msg(system_cronjob_t)
  
@@ -16139,7 +16140,7 @@ index 28e1b86..9436993 100644
  	selinux_validate_context(system_cronjob_t)
  	selinux_compute_access_vector(system_cronjob_t)
  	selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +522,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',`
  ')
  
  optional_policy(`
@@ -16157,7 +16158,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -546,10 +541,6 @@ optional_policy(`
+@@ -546,10 +542,6 @@ optional_policy(`
  
  optional_policy(`
  	dbus_system_bus_client(system_cronjob_t)
@@ -16168,7 +16169,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -581,6 +572,7 @@ optional_policy(`
+@@ -581,6 +573,7 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(system_cronjob_t)
  	mta_send_mail(system_cronjob_t)
@@ -16176,7 +16177,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -588,15 +580,19 @@ optional_policy(`
+@@ -588,15 +581,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16198,7 +16199,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -606,6 +602,7 @@ optional_policy(`
+@@ -606,6 +603,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -16206,7 +16207,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -613,12 +610,24 @@ optional_policy(`
+@@ -613,12 +611,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16233,7 +16234,7 @@ index 28e1b86..9436993 100644
  #
  
  allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +635,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
  allow cronjob_t self:unix_dgram_socket create_socket_perms;
  
@@ -16267,7 +16268,7 @@ index 28e1b86..9436993 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +668,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
  corenet_udp_sendrecv_generic_node(cronjob_t)
  corenet_tcp_sendrecv_all_ports(cronjob_t)
  corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -51301,7 +51302,7 @@ index 0000000..fdc4a03
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..c1eed44
+index 0000000..9724884
 --- /dev/null
 +++ b/openshift.te
 @@ -0,0 +1,549 @@
@@ -51403,7 +51404,7 @@ index 0000000..c1eed44
 +unconfined_domain_noaudit(openshift_initrc_t)
 +mcs_process_set_categories(openshift_initrc_t)
 +
-+virt_lxc_domain(openshift_initrc_t)
++virt_sandbox_domain(openshift_initrc_t)
 +
 +systemd_dbus_chat_logind(openshift_initrc_t)
 +
@@ -79994,7 +79995,7 @@ index 3a9a70b..039b0c8 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..46356db 100644
+index 49b12ae..e5948ba 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -1,4 +1,4 @@
@@ -80091,7 +80092,15 @@ index 49b12ae..46356db 100644
  files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
-@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t)
+@@ -101,33 +106,32 @@ selinux_read_policy(setroubleshootd_t)
+ term_dontaudit_use_all_ptys(setroubleshootd_t)
+ term_dontaudit_use_all_ttys(setroubleshootd_t)
+ 
++mls_dbus_recv_all_levels(setroubleshootd_t)
++
+ auth_use_nsswitch(setroubleshootd_t)
+ 
+ init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
  libs_exec_ld_so(setroubleshootd_t)
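Review bot: The new `mls_dbus_recv_all_levels(setroubleshootd_t)` line carries no comment saying why the daemon must receive D-Bus messages from every MLS sensitivity level; in an MLS-enabled policy this is an explicit exemption from the level constraint rather than an ordinary allow, so the justification belongs next to the rule. A one-line note such as `# accept D-Bus calls from clients at any MLS level (setroubleshoot clients run at the caller's level)` would record it; the hunk does not show which denial motivated the rule, so confirm the wording against the original report before adding it. The setroubleshootd_t section continues beyond this hunk.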
@@ -80124,7 +80133,7 @@ index 49b12ae..46356db 100644
  ')
  
  optional_policy(`
-@@ -135,10 +137,18 @@ optional_policy(`
+@@ -135,10 +139,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80143,7 +80152,7 @@ index 49b12ae..46356db 100644
  	rpm_exec(setroubleshootd_t)
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
-@@ -148,15 +158,17 @@ optional_policy(`
+@@ -148,15 +160,17 @@ optional_policy(`
  
  ########################################
  #
@@ -80162,7 +80171,7 @@ index 49b12ae..46356db 100644
  setroubleshoot_stream_connect(setroubleshoot_fixit_t)
  
  kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,9 +177,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -165,9 +179,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  corecmd_getattr_all_executables(setroubleshoot_fixit_t)
  
@@ -80179,7 +80188,7 @@ index 49b12ae..46356db 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +193,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +195,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -84071,7 +84080,7 @@ index a240455..54c5c1f 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 8b537aa..e9632c3 100644
+index 8b537aa..3bce4df 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -1,4 +1,4 @@
@@ -84160,7 +84169,7 @@ index 8b537aa..e9632c3 100644
  auth_domtrans_chk_passwd(sssd_t)
  auth_domtrans_upd_passwd(sssd_t)
  auth_manage_cache(sssd_t)
-@@ -112,18 +105,31 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -84170,6 +84179,7 @@ index 8b537aa..e9632c3 100644
  sysnet_use_ldap(sssd_t)
  
 +userdom_manage_tmp_role(system_r, sssd_t)
++userdom_manage_all_users_keys(sssd_t)
 +
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
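Review bot: `userdom_manage_all_users_keys(sssd_t)` is added without a comment, and judging by its name it grants manage access (create/write/setattr, not only read/search) to every user's kernel keyring, which is a broad grant for a system daemon. If sssd only needs to look keys up, a narrower userdom keyring interface would follow least privilege; if it genuinely has to create and update keys, state that in a one-line comment, e.g. `# manage (not just read) is required because <reason>` with the placeholder filled in from the bug that prompted the rule. The interface body is not visible here, so verify the exact permissions it expands to before deciding. The sssd_t section continues beyond this hunk.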
@@ -87277,10 +87287,10 @@ index 0000000..8b2dfff
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..bf58d50
+index 0000000..ec3eb8f
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,146 @@
+@@ -0,0 +1,147 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -87355,6 +87365,7 @@ index 0000000..bf58d50
 +dev_rw_xserver_misc(thumb_t)
 +
 +domain_use_interactive_fds(thumb_t)
++domain_dontaudit_read_all_domains_state(thumb_t)
 +
 +files_read_non_security_files(thumb_t)
 +
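Review bot: `domain_dontaudit_read_all_domains_state(thumb_t)` is added without a comment naming the access it silences; a dontaudit over every domain's process state suppresses the AVC record for all of them, so an unexplained one makes it harder to notice later whether a thumbnailer (which handles untrusted files) is really probing other processes. Add a line such as `# silence <library>'s harmless reads of other domains' /proc state - still denied, only not logged`, with the placeholder replaced by whatever triggered the denial, or cite the bug it came from. The thumb_t block continues beyond this hunk.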
@@ -90079,7 +90090,7 @@ index c30da4c..b81eaa0 100644
 +/var/run/qga\.state             --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..bdba959 100644
+index 9dec06c..4e31afe 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -91221,17 +91232,17 @@ index 9dec06c..bdba959 100644
 -## <infoflow type="write" weight="10"/>
  #
 -interface(`virt_pid_filetrans',`
-+interface(`virt_stream_connect_lxc',`
++interface(`virt_stream_connect_sandbox',`
  	gen_require(`
 -		type virt_var_run_t;
-+		attribute svirt_lxc_domain;
-+		type svirt_lxc_file_t;
++		attribute svirt_sandbox_domain;
++		type svirt_sandbox_file_t;
  	')
  
  	files_search_pids($1)
 -	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
-+	stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
-+	ps_process_pattern(svirt_lxc_domain, $1)
++	stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
++	ps_process_pattern(svirt_sandbox_domain, $1)
  ')
  
 +
@@ -91555,16 +91566,16 @@ index 9dec06c..bdba959 100644
 -	manage_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
--
++	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
+ 
 -	tunable_policy(`virt_use_nfs',`
 -		fs_manage_nfs_dirs($1)
 -		fs_manage_nfs_files($1)
 -		fs_read_nfs_symlinks($1)
 -	')
-+	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
- 
+-
 -	tunable_policy(`virt_use_samba',`
 -		fs_manage_cifs_files($1)
 -		fs_manage_cifs_files($1)
@@ -91613,7 +91624,7 @@ index 9dec06c..bdba959 100644
 -## <rolecap/>
  #
 -interface(`virt_admin',`
-+template(`virt_lxc_domain_template',`
++template(`virt_sandbox_domain_template',`
  	gen_require(`
 -		attribute virt_domain, virt_image_type, virt_tmpfs_type;
 -		attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
@@ -91623,14 +91634,14 @@ index 9dec06c..bdba959 100644
 -		type virt_var_run_t, virt_tmp_t, virt_log_t;
 -		type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
 -		type virt_etc_t, svirt_cache_t;
-+		attribute svirt_lxc_domain;
++		attribute svirt_sandbox_domain;
  	')
  
 -	allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
 -	allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
 -	ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
 -	ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
-+	type $1_t, svirt_lxc_domain;
++	type $1_t, svirt_sandbox_domain;
 +	domain_type($1_t)
 +	domain_user_exemption_target($1_t)
 +	mls_rangetrans_target($1_t)
@@ -91656,14 +91667,14 @@ index 9dec06c..bdba959 100644
 +##	</summary>
 +## </param>
 +#
-+template(`virt_lxc_domain',`
++template(`virt_sandbox_domain',`
 +	gen_require(`
-+		attribute svirt_lxc_domain;
++		attribute svirt_sandbox_domain;
 +	')
  
 -	files_search_tmp($1)
 -	admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+	typeattribute  $1 svirt_lxc_domain;
++	typeattribute  $1 svirt_sandbox_domain;
 +')
  
 -	files_search_etc($1)
@@ -91732,16 +91743,16 @@ index 9dec06c..bdba959 100644
 +## </param>
 +## <rolecap/>
 +#
-+interface(`virt_transition_svirt_lxc',`
++interface(`virt_transition_svirt_sandbox',`
 +	gen_require(`
-+		attribute svirt_lxc_domain;
++		attribute svirt_sandbox_domain;
 +	')
 +
-+	allow $1 svirt_lxc_domain:process transition;
-+	role $2 types svirt_lxc_domain;
-+	allow $1 svirt_lxc_domain:unix_dgram_socket sendto;
++	allow $1 svirt_sandbox_domain:process transition;
++	role $2 types svirt_sandbox_domain;
++	allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
 +
-+	allow svirt_lxc_domain $1:process sigchld;
++	allow svirt_sandbox_domain $1:process sigchld;
 +')
  
 -	files_search_locks($1)
@@ -91766,7 +91777,7 @@ index 9dec06c..bdba959 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..cbd02ae 100644
+index 1f22fba..d200be6 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,104 @@
@@ -92028,7 +92039,7 @@ index 1f22fba..cbd02ae 100644
 -# Common virt domain local policy
 +# Declarations
  #
-+attribute svirt_lxc_domain;
++attribute svirt_sandbox_domain;
  
 -allow virt_domain self:process { signal getsched signull };
 -allow virt_domain self:fifo_file rw_fifo_file_perms;
@@ -92181,8 +92192,8 @@ index 1f22fba..cbd02ae 100644
 -	dev_rw_sysfs(virt_domain)
 -')
 +# virt lxc container files
-+type svirt_lxc_file_t;
-+files_mountpoint(svirt_lxc_file_t)
++type svirt_sandbox_file_t alias svirt_lxc_file_t;
++files_mountpoint(svirt_sandbox_file_t)
  
 -tunable_policy(`virt_use_usb',`
 -	dev_rw_usbfs(virt_domain)
@@ -92247,11 +92258,11 @@ index 1f22fba..cbd02ae 100644
 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
--
--filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 +allow svirt_tcg_t self:process { execmem execstack };
 +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
  
+-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+-
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
 -
 -corenet_udp_sendrecv_generic_if(svirt_t)
@@ -92402,14 +92413,14 @@ index 1f22fba..cbd02ae 100644
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
 -can_exec(virtd_t, virt_tmp_t)
 -
 -kernel_read_crypto_sysctls(virtd_t)
@@ -92547,7 +92558,7 @@ index 1f22fba..cbd02ae 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,95 +504,326 @@ optional_policy(`
+@@ -658,20 +504,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -92561,95 +92572,82 @@ index 1f22fba..cbd02ae 100644
  	optional_policy(`
  		networkmanager_dbus_chat(virtd_t)
  	')
-+')
-+
-+optional_policy(`
-+	dmidecode_domtrans(virtd_t)
-+')
-+
-+optional_policy(`
-+	dnsmasq_domtrans(virtd_t)
-+	dnsmasq_signal(virtd_t)
-+	dnsmasq_kill(virtd_t)
-+	dnsmasq_signull(virtd_t)
-+	dnsmasq_create_pid_dirs(virtd_t)
+-
+-	optional_policy(`
+-		policykit_dbus_chat(virtd_t)
+-	')
+ ')
+ 
+ optional_policy(`
+@@ -684,14 +522,20 @@ optional_policy(`
+ 	dnsmasq_kill(virtd_t)
+ 	dnsmasq_signull(virtd_t)
+ 	dnsmasq_create_pid_dirs(virtd_t)
+-	dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
+-	dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
 +	dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
-+	dnsmasq_manage_pid_files(virtd_t)
-+')
-+
-+optional_policy(`
+ 	dnsmasq_manage_pid_files(virtd_t)
+ ')
+ 
+ optional_policy(`
 +	firewalld_dbus_chat(virtd_t)
 +')
 +
 +optional_policy(`
-+	iptables_domtrans(virtd_t)
-+	iptables_initrc_domtrans(virtd_t)
+ 	iptables_domtrans(virtd_t)
+ 	iptables_initrc_domtrans(virtd_t)
 +	iptables_systemctl(virtd_t)
 +
 +	# Manages /etc/sysconfig/system-config-firewall
-+	iptables_manage_config(virtd_t)
-+')
-+
-+optional_policy(`
-+	kerberos_keytab_template(virtd, virtd_t)
-+')
-+
-+optional_policy(`
-+	lvm_domtrans(virtd_t)
-+')
-+
-+optional_policy(`
+ 	iptables_manage_config(virtd_t)
+ ')
+ 
+@@ -704,11 +548,13 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	# Run mount in the mount_t domain.
-+	mount_domtrans(virtd_t)
-+	mount_signal(virtd_t)
-+')
-+
-+optional_policy(`
+ 	mount_domtrans(virtd_t)
+ 	mount_signal(virtd_t)
+ ')
+ 
+ optional_policy(`
 +	policykit_dbus_chat(virtd_t)
-+	policykit_domtrans_auth(virtd_t)
-+	policykit_domtrans_resolve(virtd_t)
-+	policykit_read_lib(virtd_t)
-+')
-+
-+optional_policy(`
-+	qemu_exec(virtd_t)
-+')
-+
-+optional_policy(`
+ 	policykit_domtrans_auth(virtd_t)
+ 	policykit_domtrans_resolve(virtd_t)
+ 	policykit_read_lib(virtd_t)
+@@ -719,10 +565,18 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	sanlock_stream_connect(virtd_t)
 +')
 +
 +optional_policy(`
-+	sasl_connect(virtd_t)
-+')
-+
-+optional_policy(`
+ 	sasl_connect(virtd_t)
+ ')
+ 
+ optional_policy(`
 +	setrans_manage_pid_files(virtd_t)
 +')
 +
 +optional_policy(`
-+	kernel_read_xen_state(virtd_t)
-+	kernel_write_xen_state(virtd_t)
-+
-+	xen_exec(virtd_t)
-+	xen_stream_connect(virtd_t)
-+	xen_stream_connect_xenstore(virtd_t)
-+	xen_read_image_files(virtd_t)
-+')
-+
-+optional_policy(`
-+	udev_domtrans(virtd_t)
-+	udev_read_db(virtd_t)
-+')
-+
+ 	kernel_read_xen_state(virtd_t)
+ 	kernel_write_xen_state(virtd_t)
+ 
+@@ -737,44 +591,261 @@ optional_policy(`
+ 	udev_read_db(virtd_t)
+ ')
+ 
 +optional_policy(`
 +	unconfined_domain(virtd_t)
 +')
 +
-+########################################
-+#
+ ########################################
+ #
+-# Virsh local policy
 +# virtual domains common policy
-+#
+ #
 +allow virt_domain self:capability2 compromise_kernel;
 +allow virt_domain self:process { setrlimit signal_perms getsched setsched };
 +allow virt_domain self:fifo_file rw_fifo_file_perms;
@@ -92658,12 +92656,20 @@ index 1f22fba..cbd02ae 100644
 +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
 +allow virt_domain self:tcp_socket create_stream_socket_perms;
 +allow virt_domain self:udp_socket create_socket_perms;
-+
+ 
+-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+-allow virsh_t self:process { getcap getsched setsched setcap signal };
+-allow virsh_t self:fifo_file rw_fifo_file_perms;
+-allow virsh_t self:unix_stream_socket { accept connectto listen };
+-allow virsh_t self:tcp_socket { accept listen };
 +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
 +read_files_pattern(virt_domain, virt_content_t, virt_content_t)
 +dontaudit virt_domain virt_content_t:file write_file_perms;
 +dontaudit virt_domain virt_content_t:dir write;
-+
+ 
+-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +userdom_search_user_home_content(virt_domain)
 +userdom_read_user_home_content_symlinks(virt_domain)
 +userdom_read_all_users_state(virt_domain)
@@ -92677,7 +92683,13 @@ index 1f22fba..cbd02ae 100644
 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-+
+ 
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
 +
 +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -92708,13 +92720,19 @@ index 1f22fba..cbd02ae 100644
 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
-+
+ 
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 +dontaudit virt_domain virt_tmpfs_type:file { read write };
-+
+ 
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 +append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-+
+ 
+-allow virsh_t svirt_lxc_domain:process transition;
 +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-+
+ 
+-can_exec(virsh_t, virsh_exec_t)
 +corecmd_exec_bin(virt_domain)
 +corecmd_exec_shell(virt_domain)
 +
@@ -92761,10 +92779,7 @@ index 1f22fba..cbd02ae 100644
 +storage_raw_read_removable_device(virt_domain)
 +
 +sysnet_read_config(virt_domain)
- 
--	optional_policy(`
--		policykit_dbus_chat(virtd_t)
--	')
++
 +term_use_all_inherited_terms(virt_domain)
 +term_getattr_pty_fs(virt_domain)
 +term_use_generic_ptys(virt_domain)
@@ -92772,78 +92787,53 @@ index 1f22fba..cbd02ae 100644
 +
 +tunable_policy(`virt_use_execmem',`
 +	allow virt_domain self:process { execmem execstack };
- ')
- 
- optional_policy(`
--	dmidecode_domtrans(virtd_t)
++')
++
++optional_policy(`
 +	alsa_read_rw_config(virt_domain)
- ')
- 
- optional_policy(`
--	dnsmasq_domtrans(virtd_t)
--	dnsmasq_signal(virtd_t)
--	dnsmasq_kill(virtd_t)
--	dnsmasq_signull(virtd_t)
--	dnsmasq_create_pid_dirs(virtd_t)
--	dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
--	dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
--	dnsmasq_manage_pid_files(virtd_t)
++')
++
++optional_policy(`
 +	ptchown_domtrans(virt_domain)
- ')
- 
- optional_policy(`
--	iptables_domtrans(virtd_t)
--	iptables_initrc_domtrans(virtd_t)
--	iptables_manage_config(virtd_t)
++')
++
++optional_policy(`
 +	pulseaudio_dontaudit_exec(virt_domain)
- ')
- 
- optional_policy(`
--	kerberos_keytab_template(virtd, virtd_t)
++')
++
++optional_policy(`
 +	virt_read_config(virt_domain)
 +	virt_read_lib_files(virt_domain)
 +	virt_read_content(virt_domain)
 +	virt_stream_connect(virt_domain)
 +	virt_read_pid_symlinks(virt_domain)
 +	virt_domtrans_bridgehelper(virt_domain)
- ')
++')
  
- optional_policy(`
--	lvm_domtrans(virtd_t)
++optional_policy(`
 +	xserver_rw_shm(virt_domain)
- ')
- 
--optional_policy(`
--	mount_domtrans(virtd_t)
--	mount_signal(virtd_t)
++')
++
 +tunable_policy(`virt_use_comm',`
 +	term_use_unallocated_ttys(virt_domain)
 +	dev_rw_printer(virt_domain)
- ')
- 
--optional_policy(`
--	policykit_domtrans_auth(virtd_t)
--	policykit_domtrans_resolve(virtd_t)
--	policykit_read_lib(virtd_t)
++')
++
 +tunable_policy(`virt_use_fusefs',`
 +	fs_manage_fusefs_dirs(virt_domain)
 +	fs_manage_fusefs_files(virt_domain)
 +	fs_read_fusefs_symlinks(virt_domain)
 +	fs_getattr_fusefs(virt_domain)
- ')
- 
--optional_policy(`
--	qemu_exec(virtd_t)
++')
++
 +tunable_policy(`virt_use_nfs',`
 +	fs_manage_nfs_dirs(virt_domain)
 +	fs_manage_nfs_files(virt_domain)
 +	fs_manage_nfs_named_sockets(virt_domain)
 +	fs_read_nfs_symlinks(virt_domain)
 +	fs_getattr_nfs(virt_domain)
- ')
- 
--optional_policy(`
--	sasl_connect(virtd_t)
++')
++
 +tunable_policy(`virt_use_samba',`
 +	fs_manage_cifs_dirs(virt_domain)
 +	fs_manage_cifs_files(virt_domain)
@@ -92855,102 +92845,81 @@ index 1f22fba..cbd02ae 100644
 +tunable_policy(`virt_use_usb',`
 +	dev_rw_usbfs(virt_domain)
 +	dev_read_sysfs(virt_domain)
++	fs_getattr_dos_fs(virt_domain)
 +	fs_manage_dos_dirs(virt_domain)
 +	fs_manage_dos_files(virt_domain)
- ')
- 
- optional_policy(`
--	kernel_read_xen_state(virtd_t)
--	kernel_write_xen_state(virtd_t)
++')
++
++optional_policy(`
 +    tunable_policy(`virt_use_sanlock',`
 +        sanlock_stream_connect(virt_domain)
 +    ')
 +')
- 
--	xen_exec(virtd_t)
--	xen_stream_connect(virtd_t)
--	xen_stream_connect_xenstore(virtd_t)
--	xen_read_image_files(virtd_t)
++
 +tunable_policy(`virt_use_rawip',`
 +	allow virt_domain self:rawip_socket create_socket_perms;
- ')
- 
- optional_policy(`
--	udev_domtrans(virtd_t)
--	udev_read_db(virtd_t)
++')
++
++optional_policy(`
 +	tunable_policy(`virt_use_xserver',`
 +		xserver_stream_connect(virt_domain)
 +	')
- ')
- 
- ########################################
- #
--# Virsh local policy
++')
++
++########################################
++#
 +# xm local policy
- #
++#
 +type virsh_t;
 +type virsh_exec_t;
 +init_system_domain(virsh_t, virsh_exec_t)
 +typealias virsh_t alias xm_t;
 +typealias virsh_exec_t alias xm_exec_t;
- 
--allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
--allow virsh_t self:process { getcap getsched setsched setcap signal };
++
 +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
 +allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
- allow virsh_t self:fifo_file rw_fifo_file_perms;
--allow virsh_t self:unix_stream_socket { accept connectto listen };
--allow virsh_t self:tcp_socket { accept listen };
++allow virsh_t self:fifo_file rw_fifo_file_perms;
 +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virsh_t self:tcp_socket create_stream_socket_perms;
 +
-+ps_process_pattern(virsh_t, svirt_lxc_domain)
++ps_process_pattern(virsh_t, svirt_sandbox_domain)
 +
 +can_exec(virsh_t, virsh_exec_t)
-+virt_domtrans(virsh_t)
-+virt_manage_images(virsh_t)
-+virt_manage_config(virsh_t)
-+virt_stream_connect(virsh_t)
-+
+ virt_domtrans(virsh_t)
+ virt_manage_images(virsh_t)
+ virt_manage_config(virsh_t)
+ virt_stream_connect(virsh_t)
+ 
+-kernel_read_crypto_sysctls(virsh_t)
 +manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t)
 +manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
 +manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
 +files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })
- 
- manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
- manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +835,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+virt_transition_svirt_lxc(virsh_t, system_r)
- 
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
++
++manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
++manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++
++manage_dirs_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_chr_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++virt_transition_svirt_sandbox(virsh_t, system_r)
++
 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +virt_filetrans_named_content(virsh_t)
 +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
- 
--allow virsh_t svirt_lxc_domain:process transition;
++
 +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
- 
--can_exec(virsh_t, virsh_exec_t)
--
--virt_domtrans(virsh_t)
--virt_manage_images(virsh_t)
--virt_manage_config(virsh_t)
--virt_stream_connect(virsh_t)
--
--kernel_read_crypto_sysctls(virsh_t)
++
 +kernel_write_proc_files(virsh_t)
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +855,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +856,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -92977,7 +92946,7 @@ index 1f22fba..cbd02ae 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +875,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +876,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -93009,7 +92978,7 @@ index 1f22fba..cbd02ae 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +908,20 @@ optional_policy(`
+@@ -847,14 +909,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93031,7 +93000,7 @@ index 1f22fba..cbd02ae 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +946,45 @@ optional_policy(`
+@@ -879,49 +947,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -93061,7 +93030,7 @@ index 1f22fba..cbd02ae 100644
 +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow virtd_lxc_t self:packet_socket create_socket_perms;
-+ps_process_pattern(virtd_lxc_t, svirt_lxc_domain)
++ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain)
 +allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;
  
 -allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
@@ -93078,19 +93047,30 @@ index 1f22fba..cbd02ae 100644
 -manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+-
+-manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
+-allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
 +manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
 +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
- 
- manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +994,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
- allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
- allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
-+files_associate_rootfs(svirt_lxc_file_t)
++
++manage_dirs_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_chr_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++allow virtd_lxc_t svirt_sandbox_file_t:dir_file_class_set { relabelto relabelfrom };
++allow virtd_lxc_t svirt_sandbox_file_t:filesystem { relabelto relabelfrom };
++files_associate_rootfs(svirt_sandbox_file_t)
 +
 +seutil_read_file_contexts(virtd_lxc_t)
  
@@ -93104,7 +93084,7 @@ index 1f22fba..cbd02ae 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1016,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1017,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -93115,15 +93095,16 @@ index 1f22fba..cbd02ae 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1025,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+ files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
- files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
+-files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
++files_root_filetrans(virtd_lxc_t, svirt_sandbox_file_t, dir_file_class_set)
  
 +fs_read_fusefs_files(virtd_lxc_t)
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1037,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1038,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -93147,7 +93128,7 @@ index 1f22fba..cbd02ae 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -965,29 +1062,33 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1063,247 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -93185,135 +93166,202 @@ index 1f22fba..cbd02ae 100644
  ########################################
  #
 -# Common virt lxc domain local policy
-+# virt_lxc_domain local policy
- #
--
++# svirt_sandbox_domain local policy
+ #
++allow svirt_sandbox_domain self:key manage_key_perms;
++allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
++allow svirt_sandbox_domain self:fifo_file manage_file_perms;
++allow svirt_sandbox_domain self:sem create_sem_perms;
++allow svirt_sandbox_domain self:shm create_shm_perms;
++allow svirt_sandbox_domain self:msgq create_msgq_perms;
++allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
++
++
++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
++
++allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
++allow svirt_sandbox_domain virtd_lxc_t:fd use;
++allow svirt_sandbox_domain virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_sandbox_domain virt_lxc_var_run_t:file read_file_perms;
++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
++
++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
++
++kernel_getattr_proc(svirt_sandbox_domain)
++kernel_list_all_proc(svirt_sandbox_domain)
++kernel_read_all_sysctls(svirt_sandbox_domain)
++kernel_rw_net_sysctls(svirt_sandbox_domain)
++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
++
++corecmd_exec_all_executables(svirt_sandbox_domain)
++
++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
++files_dontaudit_getattr_all_files(svirt_sandbox_domain)
++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
++files_entrypoint_all_files(svirt_sandbox_domain)
++files_list_var(svirt_sandbox_domain)
++files_list_var_lib(svirt_sandbox_domain)
++files_search_all(svirt_sandbox_domain)
++files_read_config_files(svirt_sandbox_domain)
++files_read_usr_symlinks(svirt_sandbox_domain)
++files_search_locks(svirt_sandbox_domain)
++
++fs_getattr_all_fs(svirt_sandbox_domain)
++fs_list_inotifyfs(svirt_sandbox_domain)
++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
++fs_read_fusefs_files(svirt_sandbox_domain)
++
++auth_dontaudit_read_passwd(svirt_sandbox_domain)
++auth_dontaudit_read_login_records(svirt_sandbox_domain)
++auth_dontaudit_write_login_records(svirt_sandbox_domain)
++auth_search_pam_console_data(svirt_sandbox_domain)
++
++clock_read_adjtime(svirt_sandbox_domain)
++
++init_read_utmp(svirt_sandbox_domain)
++init_dontaudit_write_utmp(svirt_sandbox_domain)
++
++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
++
++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
++miscfiles_read_fonts(svirt_sandbox_domain)
++miscfiles_read_hwdata(svirt_sandbox_domain)
++
++systemd_read_unit_files(svirt_sandbox_domain)
++
++userdom_use_inherited_user_terminals(svirt_sandbox_domain)
++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
++
++optional_policy(`
++	apache_exec_modules(svirt_sandbox_domain)
++	apache_read_sys_content(svirt_sandbox_domain)
++')
+ 
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-+allow svirt_lxc_domain self:key manage_key_perms;
-+allow svirt_lxc_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
- allow svirt_lxc_domain self:fifo_file manage_file_perms;
- allow svirt_lxc_domain self:sem create_sem_perms;
- allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1096,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
- allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
- allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
- 
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
 -allow svirt_lxc_domain virtd_lxc_t:fd use;
 -allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
 -allow svirt_lxc_domain virtd_lxc_t:process sigchld;
 -
 -allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
- 
+-
 -allow svirt_lxc_domain virsh_t:fd use;
 -allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
 -allow svirt_lxc_domain virsh_t:process sigchld;
-+allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virtd_t svirt_lxc_domain:process { signal_perms getattr };
-+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched setrlimit transition signal_perms };
- 
+-
 -allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
 -allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
-+allow svirt_lxc_domain virtd_lxc_t:process sigchld;
-+allow svirt_lxc_domain virtd_lxc_t:fd use;
-+allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
-+allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
- 
- manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1114,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
-+can_exec(svirt_lxc_domain, svirt_lxc_file_t)
- allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
- allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
- 
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
 -can_exec(svirt_lxc_domain, svirt_lxc_file_t)
 -
- kernel_getattr_proc(svirt_lxc_domain)
- kernel_list_all_proc(svirt_lxc_domain)
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
 -kernel_read_kernel_sysctls(svirt_lxc_domain)
-+kernel_read_all_sysctls(svirt_lxc_domain)
- kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
 -kernel_read_system_state(svirt_lxc_domain)
- kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
- 
- corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1133,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
- files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
- files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
- files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
 -# files_entrypoint_all_files(svirt_lxc_domain)
-+files_entrypoint_all_files(svirt_lxc_domain)
- files_list_var(svirt_lxc_domain)
- files_list_var_lib(svirt_lxc_domain)
- files_search_all(svirt_lxc_domain)
- files_read_config_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
 -files_read_usr_files(svirt_lxc_domain)
- files_read_usr_symlinks(svirt_lxc_domain)
-+files_search_locks(svirt_lxc_domain)
- 
- fs_getattr_all_fs(svirt_lxc_domain)
- fs_list_inotifyfs(svirt_lxc_domain)
-+fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
-+fs_read_fusefs_files(svirt_lxc_net_t)
- 
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
 -# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
 -# fs_rw_inherited_cifs_files(svirt_lxc_domain)
 -# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
 -
-+auth_dontaudit_read_passwd(svirt_lxc_domain)
- auth_dontaudit_read_login_records(svirt_lxc_domain)
- auth_dontaudit_write_login_records(svirt_lxc_domain)
- auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1158,94 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
- 
- libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
- 
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
 -miscfiles_read_localization(svirt_lxc_domain)
-+miscfiles_dontaudit_access_check_cert(svirt_lxc_domain)
- miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
- miscfiles_read_fonts(svirt_lxc_domain)
-+miscfiles_read_hwdata(svirt_lxc_domain)
-+
-+systemd_read_unit_files(svirt_lxc_domain)
-+
-+userdom_use_inherited_user_terminals(svirt_lxc_domain)
-+userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain)
-+userdom_dontaudit_read_inherited_admin_home_files(svirt_lxc_domain)
-+
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+	apache_exec_modules(svirt_lxc_domain)
-+	apache_read_sys_content(svirt_lxc_domain)
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+')
- 
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+optional_policy(`
-+	ssh_use_ptys(svirt_lxc_net_t)
++	ssh_use_ptys(svirt_sandbox_domain)
 +')
  
  optional_policy(`
- 	udev_read_pid_files(svirt_lxc_domain)
+-	udev_read_pid_files(svirt_lxc_domain)
++	udev_read_pid_files(svirt_sandbox_domain)
  ')
  
  optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
-+	userhelper_dontaudit_write_config(svirt_lxc_domain)
++	userhelper_dontaudit_write_config(svirt_sandbox_domain)
  ')
  
--########################################
--#
+ ########################################
+ #
 -# Lxc net local policy
--#
-+virt_lxc_domain_template(svirt_lxc_net)
++# svirt_lxc_net_t local policy
+ #
++virt_sandbox_domain_template(svirt_lxc_net)
  
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
 +allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
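Review bot: Several rules that the old side granted only to svirt_lxc_net_t are now granted to the whole svirt_sandbox_domain attribute: `allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;`, the `filesystem getattr` rule beside it, `fs_read_fusefs_files(svirt_sandbox_domain)` and `ssh_use_ptys(svirt_sandbox_domain)`. Every domain produced by virt_sandbox_domain_template inherits these, including the svirt_qemu_net_t domain added later in this patch, so this is a widening rather than the plain rename the rest of the block looks like. If that is intended, a comment such as `# mounton, fusefs and pty access are common to all sandbox domains, not only svirt_lxc_net_t` above the manage_*_pattern lines would make it explicit. The svirt_sandbox_domain section ends before the svirt_lxc_net_t capability rule on the last line, whose block continues in the next hunk.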
@@ -93369,13 +93417,13 @@ index 1f22fba..cbd02ae 100644
 -
  files_read_kernel_modules(svirt_lxc_net_t)
  
-+fs_noxattr_type(svirt_lxc_file_t)
++fs_noxattr_type(svirt_sandbox_file_t)
  fs_mount_cgroup(svirt_lxc_net_t)
  fs_manage_cgroup_dirs(svirt_lxc_net_t)
 -fs_rw_cgroup_files(svirt_lxc_net_t)
 +fs_manage_cgroup_files(svirt_lxc_net_t)
 +
-+term_pty(svirt_lxc_file_t)
++term_pty(svirt_sandbox_file_t)
  
  auth_use_nsswitch(svirt_lxc_net_t)
  
@@ -93388,14 +93436,62 @@ index 1f22fba..cbd02ae 100644
 -optional_policy(`
 -	rpm_read_db(svirt_lxc_net_t)
 -')
--
+ 
 -#######################################
--#
++########################################
+ #
 -# Prot exec local policy
--#
--
++# svirt_lxc_net_t local policy
+ #
++virt_sandbox_domain_template(svirt_qemu_net)
++
++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++dontaudit svirt_qemu_net_t self:capability2 block_suspend;
++allow svirt_qemu_net_t self:process { execstack execmem };
++allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++allow svirt_qemu_net_t self:udp_socket create_socket_perms;
++allow svirt_qemu_net_t self:tcp_socket create_stream_socket_perms;
++allow svirt_qemu_net_t self:netlink_route_socket create_netlink_socket_perms;
++allow svirt_qemu_net_t self:packet_socket create_socket_perms;
++allow svirt_qemu_net_t self:socket create_socket_perms;
++allow svirt_qemu_net_t self:rawip_socket create_socket_perms;
++allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
 -allow svirt_prot_exec_t self:process { execmem execstack };
--
++kernel_read_network_state(svirt_qemu_net_t)
++kernel_read_irq_sysctls(svirt_qemu_net_t)
++
++dev_read_sysfs(svirt_qemu_net_t)
++dev_getattr_mtrr_dev(svirt_qemu_net_t)
++dev_read_rand(svirt_qemu_net_t)
++dev_read_urand(svirt_qemu_net_t)
++
++corenet_tcp_bind_generic_node(svirt_qemu_net_t)
++corenet_udp_bind_generic_node(svirt_qemu_net_t)
++corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t)
++corenet_udp_sendrecv_all_ports(svirt_qemu_net_t)
++corenet_udp_bind_all_ports(svirt_qemu_net_t)
++corenet_tcp_bind_all_ports(svirt_qemu_net_t)
++corenet_tcp_connect_all_ports(svirt_qemu_net_t)
++
++files_read_kernel_modules(svirt_qemu_net_t)
++
++fs_noxattr_type(svirt_sandbox_file_t)
++fs_mount_cgroup(svirt_qemu_net_t)
++fs_manage_cgroup_dirs(svirt_qemu_net_t)
++fs_manage_cgroup_files(svirt_qemu_net_t)
++
++term_pty(svirt_sandbox_file_t)
++
++auth_use_nsswitch(svirt_qemu_net_t)
++
++rpm_read_db(svirt_qemu_net_t)
++
++logging_send_audit_msgs(svirt_qemu_net_t)
++
++userdom_use_user_ptys(svirt_qemu_net_t)
+ 
  ########################################
  #
 -# Qmf local policy
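Review bot: The header comment added for the new block reads `# svirt_lxc_net_t local policy`, but the block defines svirt_qemu_net_t (`virt_sandbox_domain_template(svirt_qemu_net)` and every rule under it); it should read `# svirt_qemu_net_t local policy`. `rpm_read_db(svirt_qemu_net_t)` is called unconditionally, whereas the removed svirt_lxc_net_t code wrapped the same call in `optional_policy(`; without the wrapper the rpm module becomes a hard dependency of this module. `fs_noxattr_type(svirt_sandbox_file_t)` and `term_pty(svirt_sandbox_file_t)` repeat the declarations already made in the svirt_lxc_net_t block of the preceding hunk; they attach attributes to the file type rather than to the domain, so one declaration appears to suffice. The capability set on svirt_qemu_net_t is copied verbatim from svirt_lxc_net_t, including sys_admin, sys_ptrace and net_admin; a short comment on why a qemu-backed sandbox needs each of these would help later audits.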
@@ -93410,7 +93506,7 @@ index 1f22fba..cbd02ae 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1258,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1316,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -93425,7 +93521,7 @@ index 1f22fba..cbd02ae 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1276,8 @@ optional_policy(`
+@@ -1183,9 +1334,8 @@ optional_policy(`
  
  ########################################
  #
@@ -93436,7 +93532,7 @@ index 1f22fba..cbd02ae 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1290,120 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1348,120 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -94518,7 +94614,7 @@ index 304ae09..c1d10a1 100644
 -/usr/bin/twm	--	gen_context(system_u:object_r:wm_exec_t,s0)
 +/usr/bin/twm		--	gen_context(system_u:object_r:wm_exec_t,s0)
 diff --git a/wm.if b/wm.if
-index 25b702d..177cf16 100644
+index 25b702d..36b2f81 100644
 --- a/wm.if
 +++ b/wm.if
 @@ -1,4 +1,4 @@
@@ -94527,7 +94623,7 @@ index 25b702d..177cf16 100644
  
  #######################################
  ## <summary>
-@@ -29,58 +29,44 @@
+@@ -29,54 +29,46 @@
  #
  template(`wm_role_template',`
  	gen_require(`
@@ -94578,6 +94674,8 @@ index 25b702d..177cf16 100644
 +
 +	kernel_read_system_state($1_wm_t)
 +
++	auth_use_nsswitch($1_wm_t)
++
  	mls_file_read_all_levels($1_wm_t)
  	mls_file_write_all_levels($1_wm_t)
  	mls_xwin_read_all_levels($1_wm_t)
@@ -94595,14 +94693,10 @@ index 25b702d..177cf16 100644
 -		')
 -	')
 -
--	optional_policy(`
--		pulseaudio_run($1_wm_t, $2)
--	')
--
  	optional_policy(`
- 		xserver_role($2, $1_wm_t)
- 		xserver_manage_core_devices($1_wm_t)
-@@ -89,7 +75,7 @@ template(`wm_role_template',`
+ 		pulseaudio_run($1_wm_t, $2)
+ 	')
+@@ -89,7 +81,7 @@ template(`wm_role_template',`
  
  ########################################
  ## <summary>
@@ -94611,7 +94705,7 @@ index 25b702d..177cf16 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -102,33 +88,5 @@ interface(`wm_exec',`
+@@ -102,33 +94,5 @@ interface(`wm_exec',`
  		type wm_exec_t;
  	')
  
@@ -94646,10 +94740,10 @@ index 25b702d..177cf16 100644
 -	allow $1_wm_t $2:dbus send_msg;
 -')
 diff --git a/wm.te b/wm.te
-index 7c7f7fa..dfeac3e 100644
+index 7c7f7fa..20ce90b 100644
 --- a/wm.te
 +++ b/wm.te
-@@ -1,36 +1,40 @@
+@@ -1,36 +1,88 @@
 -policy_module(wm, 1.2.5)
 +policy_module(wm, 1.2.0)
 +
@@ -94671,28 +94765,75 @@ index 7c7f7fa..dfeac3e 100644
 +corecmd_executable_file(wm_exec_t)
  
  allow wm_domain self:fifo_file rw_fifo_file_perms;
- allow wm_domain self:process getsched;
+-allow wm_domain self:process getsched;
++allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
++allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
++
  allow wm_domain self:shm create_shm_perms;
  allow wm_domain self:unix_dgram_socket create_socket_perms;
  
 -kernel_read_system_state(wm_domain)
 -
  dev_read_urand(wm_domain)
- 
--files_read_usr_files(wm_domain)
++dev_read_sound(wm_domain)
++dev_write_sound(wm_domain)
++dev_rw_wireless(wm_domain)
++dev_read_sysfs(wm_domain)
 +
-+fs_getattr_tmpfs(wm_domain)
++fs_getattr_all_fs(wm_domain)
 +
++corecmd_dontaudit_access_all_executables(wm_domain)
++corecmd_getattr_all_executables(wm_domain)
+ 
+-files_read_usr_files(wm_domain)
 +application_signull(wm_domain)
++
++init_read_state(wm_domain)
  
  miscfiles_read_fonts(wm_domain)
 -miscfiles_read_localization(wm_domain)
  
 -userdom_manage_user_tmp_sockets(wm_domain)
 -userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
++systemd_dbus_chat_logind(wm_domain)
++systemd_read_logind_sessions_files(wm_domain)
++systemd_write_inhibit_pipes(wm_domain)
++systemd_login_read_pid_files(wm_domain)
++
++userdom_read_user_home_content_files(wm_domain)
++
++udev_read_pid_files(wm_domain)
++
++optional_policy(`
++	gnome_stream_connect_gkeyringd(wm_domain)
++')
++
 +optional_policy(`
 +	dbus_system_bus_client(wm_domain)
 +	dbus_session_bus_client(wm_domain)
++	optional_policy(`
++		accountsd_dbus_chat(wm_domain)
++	')
++	
++	optional_policy(`
++		bluetooth_dbus_chat(wm_domain)
++	')		
++
++	optional_policy(`
++		devicekit_dbus_chat_power(wm_domain)
++	')
++
++	optional_policy(`
++		networkmanager_dbus_chat(wm_domain)
++	')
++
++	optional_policy(`
++		policykit_dbus_chat(wm_domain)
++	')
++
++	optional_policy(`
++		systemd_dbus_chat_logind(wm_domain)
++	')
 +')
 +
 +optional_policy(`
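Review bot: `systemd_dbus_chat_logind(wm_domain)` is called twice in the added code, once unconditionally near the top of the block and again inside the nested `optional_policy(` under the dbus block. If systemd is part of the base policy the unconditional call is fine and the nested one is redundant; otherwise the unconditional one creates a hard dependency and should be dropped, so one of the two should go either way. The new `allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };` grants execmem to every window-manager domain; a comment naming which WM needs writable-and-executable memory would justify keeping it on the shared attribute rather than on a single domain. Two added lines carry trailing whitespace, the tab-only line after the accountsd block and the `')` closing the bluetooth block. The wm_domain policy section continues past the end of this hunk.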
@@ -94700,13 +94841,15 @@ index 7c7f7fa..dfeac3e 100644
 +')
 +
 +optional_policy(`
-+	xserver_manage_core_devices(wm_domain)
++	userhelper_exec_console(wm_domain)
 +')
-+
  
 -userdom_manage_user_home_content_dirs(wm_domain)
 -userdom_manage_user_home_content_files(wm_domain)
 -userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
++optional_policy(`
++	xserver_manage_core_devices(wm_domain)
++')
 diff --git a/xen.fc b/xen.fc
 index 42d83b0..7977c2c 100644
 --- a/xen.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ce9f03a..7054d3f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 73%{?dist}
+Release: 74%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -554,6 +554,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Aug 29 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74
+- Add selinux-policy-sandbox pkg
+
 * Tue Aug 27 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-73
 0 
 - Allow rhsmcertd to read init state

