[selinux-policy/f20] - Cleanup related to init_domain()+inetd_domain fixes - Use just init_domain instead of init_daemon_

Miroslav Grepl mgrepl at fedoraproject.org
Wed Sep 4 21:25:00 UTC 2013


commit 90a1b2304bdd20a7848aee5f9815ad1ca25cd63a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Sep 4 23:24:38 2013 +0200

    - Cleanup related to init_domain()+inetd_domain fixes
    - Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
    - svirt domains need to create kobject_uevent sockets
    - Lots of new access required for sosreport
    - Allow tgtd_t to connect to isns ports
    - Allow init_t to transition to all inetd domains:
    - openct needs to be able to create netlink_object_uevent_sockets
    - Dontaudit leaks into ldconfig_t
    - Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
    - Move kernel_stream_connect into all Xwindow using users
    - Dontaudit inherited lock files in ifconfig o dhcpc_t

 policy-rawhide-base.patch    |  337 +++++++++++++++++++++++++++++++++---------
 policy-rawhide-contrib.patch |  168 +++++++++++++---------
 selinux-policy.spec          |   17 ++-
 3 files changed, 383 insertions(+), 139 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 718fb3d..81c1286 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1820,7 +1820,7 @@ index 688abc2..3d89250 100644
  /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
 +/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
 diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5ca..bfc85a0 100644
+index 03ec5ca..025c177 100644
 --- a/policy/modules/admin/su.if
 +++ b/policy/modules/admin/su.if
 @@ -89,7 +89,6 @@ template(`su_restricted_domain_template', `
@@ -1843,41 +1843,234 @@ index 03ec5ca..bfc85a0 100644
  	optional_policy(`
  		cron_read_pipes($1_su_t)
  	')
-@@ -208,7 +202,7 @@ template(`su_role_template',`
+@@ -172,14 +166,6 @@ template(`su_role_template',`
+ 	role $2 types $1_su_t;
  
- 	auth_domtrans_chk_passwd($1_su_t)
- 	auth_dontaudit_read_shadow($1_su_t)
+ 	allow $3 $1_su_t:process signal;
+-
+-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+-	dontaudit $1_su_t self:capability sys_tty_config;
+-	allow $1_su_t self:process { setexec setsched setrlimit };
+-	allow $1_su_t self:fifo_file rw_fifo_file_perms;
+-	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+-	allow $1_su_t self:key { search write };
+-
+ 	allow $1_su_t $3:key search;
+ 
+ 	# Transition from the user domain to this domain.
+@@ -194,125 +180,12 @@ template(`su_role_template',`
+ 	allow $3 $1_su_t:process sigchld;
+ 
+ 	kernel_read_system_state($1_su_t)
+-	kernel_read_kernel_sysctls($1_su_t)
+-	kernel_search_key($1_su_t)
+-	kernel_link_key($1_su_t)
+-
+-	# for SSP
+-	dev_read_urand($1_su_t)
+-
+-	fs_search_auto_mountpoints($1_su_t)
+ 
+-	# needed for pam_rootok
+-	selinux_compute_access_vector($1_su_t)
+-
+-	auth_domtrans_chk_passwd($1_su_t)
+-	auth_dontaudit_read_shadow($1_su_t)
 -	auth_use_nsswitch($1_su_t)
+-	auth_rw_faillog($1_su_t)
+-
+-	corecmd_search_bin($1_su_t)
+-
+-	domain_use_interactive_fds($1_su_t)
+-
+-	files_read_etc_files($1_su_t)
+-	files_read_etc_runtime_files($1_su_t)
+-	files_search_var_lib($1_su_t)
+-	files_dontaudit_getattr_tmp_dirs($1_su_t)
+-
+-	init_dontaudit_use_fds($1_su_t)
+-	# Write to utmp.
+-	init_rw_utmp($1_su_t)
 +	auth_use_pam($1_su_t)
- 	auth_rw_faillog($1_su_t)
  
- 	corecmd_search_bin($1_su_t)
-@@ -228,10 +222,10 @@ template(`su_role_template',`
+ 	mls_file_write_all_levels($1_su_t)
  
  	logging_send_syslog_msg($1_su_t)
- 
+-
 -	miscfiles_read_localization($1_su_t)
- 
- 	userdom_use_user_terminals($1_su_t)
- 	userdom_search_user_home_dirs($1_su_t)
-+	userdom_search_admin_dir($1_su_t)
- 
- 	ifdef(`distro_redhat',`
- 		# RHEL5 and possibly newer releases incl. Fedora
-@@ -277,12 +271,7 @@ template(`su_role_template',`
- 		')
- 	')
- 
+-
+-	userdom_use_user_terminals($1_su_t)
+-	userdom_search_user_home_dirs($1_su_t)
+-
+-	ifdef(`distro_redhat',`
+-		# RHEL5 and possibly newer releases incl. Fedora
+-		auth_domtrans_upd_passwd($1_su_t)
+-
+-		optional_policy(`
+-			locallogin_search_keys($1_su_t)
+-		')
+-	')
+-
+-	ifdef(`distro_rhel4',`
+-		domain_role_change_exemption($1_su_t)
+-		domain_subj_id_change_exemption($1_su_t)
+-		domain_obj_id_change_exemption($1_su_t)
+-
+-		selinux_get_fs_mount($1_su_t)
+-		selinux_validate_context($1_su_t)
+-		selinux_compute_create_context($1_su_t)
+-		selinux_compute_relabel_context($1_su_t)
+-		selinux_compute_user_contexts($1_su_t)
+-
+-		# Relabel ttys and ptys.
+-		term_relabel_all_ttys($1_su_t)
+-		term_relabel_all_ptys($1_su_t)
+-		# Close and re-open ttys and ptys to get the fd into the correct domain.
+-		term_use_all_ttys($1_su_t)
+-		term_use_all_ptys($1_su_t)
+-
+-		seutil_read_config($1_su_t)
+-		seutil_read_default_contexts($1_su_t)
+-
+-		if(secure_mode) {
+-			# Only allow transitions to unprivileged user domains.
+-			userdom_spec_domtrans_unpriv_users($1_su_t)
+-		} else {
+-			# Allow transitions to all user domains
+-			userdom_spec_domtrans_all_users($1_su_t)
+-		}
+-
+-		optional_policy(`
+-			unconfined_domtrans($1_su_t)
+-			unconfined_signal($1_su_t)
+-		')
+-	')
+-
 -	ifdef(`hide_broken_symptoms',`
 -		# dontaudit leaked sockets from parent
 -		dontaudit $1_su_t $3:socket_class_set { read write };
 -	')
 -
 -	tunable_policy(`allow_polyinstantiation',`
-+	tunable_policy(`polyinstantiation_enabled',`
- 		fs_mount_xattr_fs($1_su_t)
- 		fs_unmount_xattr_fs($1_su_t)
- 	')
+-		fs_mount_xattr_fs($1_su_t)
+-		fs_unmount_xattr_fs($1_su_t)
+-	')
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_search_nfs($1_su_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_search_cifs($1_su_t)
+-	')
+-
+-	optional_policy(`
+-		cron_read_pipes($1_su_t)
+-	')
+-
+-	optional_policy(`
+-		kerberos_use($1_su_t)
+-	')
+-
+-	optional_policy(`
+-		# used when the password has expired
+-		usermanage_read_crack_db($1_su_t)
+-	')
+-
+-	# Modify .Xauthority file (via xauth program).
+-	optional_policy(`
+-		xserver_user_home_dir_filetrans_user_xauth($1_su_t)
+-		xserver_domtrans_xauth($1_su_t)
+-	')
+ ')
+ 
+ #######################################
+diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
+index 85bb77e..0df3b43 100644
+--- a/policy/modules/admin/su.te
++++ b/policy/modules/admin/su.te
+@@ -9,3 +9,81 @@ attribute su_domain_type;
+ 
+ type su_exec_t;
+ corecmd_executable_file(su_exec_t)
++
++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
++dontaudit su_domain_type self:capability sys_tty_config;
++allow su_domain_type self:process { setexec setsched setrlimit };
++allow su_domain_type self:fifo_file rw_fifo_file_perms;
++allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
++allow su_domain_type self:key { search write };
++
++kernel_read_kernel_sysctls(su_domain_type)
++kernel_search_key(su_domain_type)
++kernel_link_key(su_domain_type)
++
++# for SSP
++dev_read_urand(su_domain_type)
++dev_dontaudit_getattr_all(su_domain_type)
++
++fs_search_auto_mountpoints(su_domain_type)
++
++# needed for pam_rootok
++selinux_compute_access_vector(su_domain_type)
++
++corecmd_search_bin(su_domain_type)
++
++domain_use_interactive_fds(su_domain_type)
++
++files_read_etc_files(su_domain_type)
++files_read_etc_runtime_files(su_domain_type)
++files_search_var_lib(su_domain_type)
++files_dontaudit_getattr_tmp_dirs(su_domain_type)
++
++init_dontaudit_use_fds(su_domain_type)
++# Write to utmp.
++init_rw_utmp(su_domain_type)
++
++userdom_use_user_terminals(su_domain_type)
++userdom_search_user_home_dirs(su_domain_type)
++userdom_search_admin_dir(su_domain_type)
++
++ifdef(`distro_redhat',`
++	# RHEL5 and possibly newer releases incl. Fedora
++	auth_domtrans_upd_passwd(su_domain_type)
++
++	optional_policy(`
++		locallogin_search_keys(su_domain_type)
++	')
++')
++
++tunable_policy(`polyinstantiation_enabled',`
++	fs_mount_xattr_fs(su_domain_type)
++	fs_unmount_xattr_fs(su_domain_type)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_search_nfs(su_domain_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_search_cifs(su_domain_type)
++')
++
++optional_policy(`
++	cron_read_pipes(su_domain_type)
++')
++
++optional_policy(`
++	kerberos_use(su_domain_type)
++')
++
++optional_policy(`
++	# used when the password has expired
++	usermanage_read_crack_db(su_domain_type)
++')
++
++# Modify .Xauthority file (via xauth program).
++optional_policy(`
++	xserver_user_home_dir_filetrans_user_xauth(su_domain_type)
++	xserver_domtrans_xauth(su_domain_type)
++')
 diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
 index 7bddc02..2b59ed0 100644
 --- a/policy/modules/admin/sudo.fc
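Review bot: The capability, `process { setexec setsched setrlimit }`, netlink_audit_socket and key rules now added to su.te apply to every type that carries `su_domain_type`, not only to the `$1_su_t` domains that su_role_template used to instantiate them for, and `dev_dontaudit_getattr_all(su_domain_type)` is new rather than moved from the template. Whether the domains produced by su_restricted_domain_template also receive the attribute is outside this hunk; if they do, they gain the full set. A comment above the first `allow su_domain_type self:capability` line would make the shared scope explicit: `# Rules shared by every domain carrying su_domain_type (see the su_*_template interfaces in su.if); anything given this attribute receives all of the below.` Note also that the `ifdef(`distro_rhel4',` block removed from su_role_template has no counterpart in su.te, which looks intentional but is not mentioned in the commit message.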
@@ -29858,7 +30051,7 @@ index 808ba93..9d8f729 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 23a645e..f0cbd38 100644
+index 23a645e..52a8540 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -29891,21 +30084,23 @@ index 23a645e..f0cbd38 100644
  files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
  
  manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t)
+@@ -75,11 +77,15 @@ kernel_read_system_state(ldconfig_t)
  
  fs_getattr_xattr_fs(ldconfig_t)
  
 +files_list_var_lib(ldconfig_t)
++files_dontaudit_leaks(ldconfig_t)
 +files_manage_var_lib_symlinks(ldconfig_t)
 +
  corecmd_search_bin(ldconfig_t)
  
  domain_use_interactive_fds(ldconfig_t)
  
+-files_search_var_lib(ldconfig_t)
 +files_search_home(ldconfig_t)
- files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_read_usr_files(ldconfig_t)
+ files_search_tmp(ldconfig_t)
 @@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t)
  init_use_script_ptys(ldconfig_t)
  init_read_script_tmp_files(ldconfig_t)
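Review bot: `files_dontaudit_leaks(ldconfig_t)` silences every inherited-descriptor denial in ldconfig_t regardless of which caller leaked the descriptor, so the audit log no longer identifies the leaking domain. A one-line comment naming the observed source would let the dontaudit be retired once that caller is fixed, e.g. `# leaked fds inherited from the domain that execs ldconfig (source: <CALLER-DOMAIN placeholder>); drop once fixed`. It is also placed between the two `files_*_var_lib*` rules rather than with the other dontaudit calls for ldconfig_t.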
@@ -35040,7 +35235,7 @@ index 6944526..ec17624 100644
 +	files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..7a9577f 100644
+index b7686d5..087fe08 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -35136,7 +35331,7 @@ index b7686d5..7a9577f 100644
  corenet_tcp_sendrecv_all_ports(dhcpc_t)
  corenet_udp_sendrecv_all_ports(dhcpc_t)
  corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -108,21 +125,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
  corenet_tcp_connect_all_ports(dhcpc_t)
  corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
  corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
@@ -35159,10 +35354,11 @@ index b7686d5..7a9577f 100644
  files_dontaudit_search_locks(dhcpc_t)
  files_getattr_generic_locks(dhcpc_t)
 +files_rw_inherited_tmp_file(dhcpc_t)
++files_dontaudit_rw_inherited_locks(dhcpc_t)
  
  fs_getattr_all_fs(dhcpc_t)
  fs_search_auto_mountpoints(dhcpc_t)
-@@ -132,11 +151,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
  term_dontaudit_use_unallocated_ttys(dhcpc_t)
  term_dontaudit_use_generic_ptys(dhcpc_t)
  
@@ -35179,7 +35375,7 @@ index b7686d5..7a9577f 100644
  
  modutils_run_insmod(dhcpc_t, dhcpc_roles)
  
-@@ -156,7 +179,14 @@ ifdef(`distro_ubuntu',`
+@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -35195,7 +35391,7 @@ index b7686d5..7a9577f 100644
  ')
  
  optional_policy(`
-@@ -174,10 +204,6 @@ optional_policy(`
+@@ -174,10 +205,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35206,7 +35402,7 @@ index b7686d5..7a9577f 100644
  	hotplug_getattr_config_dirs(dhcpc_t)
  	hotplug_search_config(dhcpc_t)
  
-@@ -190,23 +216,36 @@ optional_policy(`
+@@ -190,23 +217,36 @@ optional_policy(`
  optional_policy(`
  	netutils_run_ping(dhcpc_t, dhcpc_roles)
  	netutils_run(dhcpc_t, dhcpc_roles)
@@ -35243,7 +35439,7 @@ index b7686d5..7a9577f 100644
  ')
  
  optional_policy(`
-@@ -216,7 +255,11 @@ optional_policy(`
+@@ -216,7 +256,11 @@ optional_policy(`
  
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
@@ -35256,7 +35452,7 @@ index b7686d5..7a9577f 100644
  ')
  
  optional_policy(`
-@@ -228,6 +271,10 @@ optional_policy(`
+@@ -228,6 +272,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35267,7 +35463,7 @@ index b7686d5..7a9577f 100644
  	vmware_append_log(dhcpc_t)
  ')
  
-@@ -259,12 +306,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -35291,7 +35487,7 @@ index b7686d5..7a9577f 100644
  kernel_use_fds(ifconfig_t)
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
-@@ -274,14 +332,29 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t)
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
@@ -35312,6 +35508,7 @@ index b7686d5..7a9577f 100644
 +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
 +
 +files_dontaudit_rw_inherited_pipes(ifconfig_t)
++files_dontaudit_rw_inherited_locks(ifconfig_t)
 +files_dontaudit_read_root_files(ifconfig_t)
 +files_rw_inherited_tmp_file(ifconfig_t)
 +
@@ -35321,7 +35518,7 @@ index b7686d5..7a9577f 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +367,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -35349,7 +35546,7 @@ index b7686d5..7a9577f 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -318,7 +391,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -35372,7 +35569,7 @@ index b7686d5..7a9577f 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -329,8 +417,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -35386,7 +35583,7 @@ index b7686d5..7a9577f 100644
  ')
  
  optional_policy(`
-@@ -339,7 +430,15 @@ optional_policy(`
+@@ -339,7 +432,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35403,7 +35600,7 @@ index b7686d5..7a9577f 100644
  ')
  
  optional_policy(`
-@@ -360,3 +459,13 @@ optional_policy(`
+@@ -360,3 +461,13 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -38804,7 +39001,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..5dc956a 100644
+index 3c5dba7..fc2fb65 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39366,7 +39563,7 @@ index 3c5dba7..5dc956a 100644
  
  	##############################
  	#
-@@ -501,41 +632,52 @@ template(`userdom_common_user_template',`
+@@ -501,41 +632,51 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -39389,7 +39586,6 @@ index 3c5dba7..5dc956a 100644
 -	kernel_read_device_sysctls($1_t)
 +	kernel_read_device_sysctls($1_usertype)
 +	kernel_request_load_module($1_usertype)
-+	kernel_stream_connect($1_usertype)
  
 -	corecmd_exec_bin($1_t)
 +	corenet_udp_bind_generic_node($1_usertype)
@@ -39442,7 +39638,7 @@ index 3c5dba7..5dc956a 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,93 +688,120 @@ template(`userdom_common_user_template',`
+@@ -546,93 +687,120 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -39601,7 +39797,7 @@ index 3c5dba7..5dc956a 100644
  	')
  
  	optional_policy(`
-@@ -642,23 +811,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +810,21 @@ template(`userdom_common_user_template',`
  	optional_policy(`
  		mpd_manage_user_data_content($1_t)
  		mpd_relabel_user_data_content($1_t)
@@ -39630,7 +39826,7 @@ index 3c5dba7..5dc956a 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +838,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +837,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -39639,7 +39835,7 @@ index 3c5dba7..5dc956a 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +847,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +846,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -39652,7 +39848,7 @@ index 3c5dba7..5dc956a 100644
  		')
  	')
  
-@@ -693,32 +860,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +859,35 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -39699,7 +39895,7 @@ index 3c5dba7..5dc956a 100644
  	')
  ')
  
-@@ -743,17 +913,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +912,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -39737,7 +39933,7 @@ index 3c5dba7..5dc956a 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +947,99 @@ template(`userdom_login_user_template', `
+@@ -761,82 +946,99 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -39873,22 +40069,24 @@ index 3c5dba7..5dc956a 100644
  	')
  ')
  
-@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
 +	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
 +	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
 +
-+    seutil_read_file_contexts($1_t)
-+    seutil_read_default_contexts($1_t)
++	seutil_read_file_contexts($1_t)
++	seutil_read_default_contexts($1_t)
 +
  	##############################
  	#
  	# Local policy
-@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1115,99 @@ template(`userdom_restricted_xwindows_user_template',`
+ 	#
  	# Local policy
  	#
++	kernel_stream_connect($1_usertype)
  
 -	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
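Review bot: The new `kernel_stream_connect($1_usertype)` line is inserted directly under the `# Local policy` banner, before the blank line that separates the banner from the rules, which breaks the banner block used throughout the template; move it below the blank line next to the other `$1_usertype` calls. The same rule is removed from userdom_common_user_template in the earlier userdomain.if hunk, so any user template that does not pass through userdom_restricted_xwindows_user_template loses it; that appears to match the commit message ("all Xwindow using users") but is worth confirming for non-X templates that relied on it. The template body continues outside the hunk.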
@@ -40118,20 +40316,20 @@ index 3c5dba7..5dc956a 100644
 +
 +	optional_policy(`
 +		gpm_stream_connect($1_usertype)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
-+		mount_run_fusermount($1_t, $1_r)
-+		mount_read_pid_files($1_t)
 +	')
 +
 +	optional_policy(`
-+		wine_role_template($1, $1_r, $1_t)
++		mount_run_fusermount($1_t, $1_r)
++		mount_read_pid_files($1_t)
 +	')
 +
 +	optional_policy(`
++		wine_role_template($1, $1_r, $1_t)
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
@@ -40831,7 +41029,7 @@ index 3c5dba7..5dc956a 100644
  ')
  
  ########################################
-@@ -2027,21 +2632,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2632,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -40845,18 +41043,17 @@ index 3c5dba7..5dc956a 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
- 
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
 -')
--
+ 
  ########################################
  ## <summary>
- ##	Do not audit attempts to execute user home files.
 @@ -2123,7 +2722,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 6927ccb..aa2e445 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2023,7 +2023,7 @@ index 7f4dfbc..4d750fa 100644
  /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
  
 diff --git a/amanda.te b/amanda.te
-index ed45974..95b56a6 100644
+index ed45974..cd5a4fa 100644
 --- a/amanda.te
 +++ b/amanda.te
 @@ -9,11 +9,13 @@ attribute_role amanda_recover_roles;
@@ -2033,7 +2033,7 @@ index ed45974..95b56a6 100644
 +type amanda_exec_t;
  type amanda_inetd_exec_t;
 -inetd_service_domain(amanda_t, amanda_inetd_exec_t)
-+init_daemon_domain(amanda_t, amanda_exec_t)
++init_daemon_domain(amanda_t, amanda_inetd_exec_t)
 +role system_r types amanda_t;
  
 -type amanda_exec_t;
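Review bot: `init_daemon_domain(amanda_t, amanda_inetd_exec_t)` makes the inetd exec type the init entrypoint while `type amanda_exec_t;` is still declared a few lines above with no rule in this hunk attaching it to amanda_t; unless a later part of the patch uses amanda_exec_t, it is now a declared-but-unused type. This also differs from the git.te and rlogin.te hunks in the same commit, which drop their init_*_domain additions and rely on the new `init_domain($1, $2)` in inetd_core_service_domain instead; here `inetd_service_domain(amanda_t, amanda_inetd_exec_t)` stays removed, so inetd_t presumably no longer transitions to amanda_t at all. If amanda is meant to be launched by inetd as well as by init, keeping `inetd_service_domain(amanda_t, amanda_inetd_exec_t)` and dropping the init_daemon_domain line would be the consistent fix.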
@@ -24947,7 +24947,7 @@ index 1e29af1..c67e44e 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index 93b0301..eafea5b 100644
+index 93b0301..11a76a5 100644
 --- a/git.te
 +++ b/git.te
 @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -24965,13 +24965,7 @@ index 93b0301..eafea5b 100644
  ##	Determine whether Git system daemon
  ##	can search home directories.
  ##	</p>
-@@ -87,15 +79,16 @@ apache_content_template(git)
- type git_system_t, git_daemon;
- type gitd_exec_t;
- inetd_service_domain(git_system_t, gitd_exec_t)
-+init_domain(git_system_t, gitd_exec_t)
- 
- type git_session_t, git_daemon;
+@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
  userdom_user_application_domain(git_session_t, gitd_exec_t)
  role git_session_roles types git_session_t;
  
@@ -24984,7 +24978,7 @@ index 93b0301..eafea5b 100644
  userdom_user_home_content(git_user_content_t)
  
  ########################################
-@@ -109,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
  read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
  userdom_search_user_home_dirs(git_session_t)
  
@@ -24993,7 +24987,7 @@ index 93b0301..eafea5b 100644
  corenet_all_recvfrom_netlabel(git_session_t)
  corenet_all_recvfrom_unlabeled(git_session_t)
  corenet_tcp_bind_generic_node(git_session_t)
-@@ -129,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
+@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
  	corenet_tcp_sendrecv_all_ports(git_session_t)
  ')
  
@@ -25004,7 +24998,7 @@ index 93b0301..eafea5b 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_getattr_nfs(git_session_t)
-@@ -157,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -157,6 +149,9 @@ tunable_policy(`use_samba_home_dirs',`
  list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
  read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
  
@@ -25014,7 +25008,7 @@ index 93b0301..eafea5b 100644
  files_search_var_lib(git_system_t)
  
  auth_use_nsswitch(git_system_t)
-@@ -255,12 +251,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -255,12 +250,9 @@ tunable_policy(`git_cgi_use_nfs',`
  
  allow git_daemon self:fifo_file rw_fifo_file_perms;
  
@@ -29958,14 +29952,16 @@ index 05387d1..08a489c 100644
  userdom_dontaudit_search_user_home_dirs(imazesrv_t)
  
 diff --git a/inetd.if b/inetd.if
-index fbb54e7..b347964 100644
+index fbb54e7..05c3777 100644
 --- a/inetd.if
 +++ b/inetd.if
-@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',`
+@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',`
  
  	domtrans_pattern(inetd_t, $2, $1)
  	allow inetd_t $1:process { siginh sigkill };
 +
++    init_domain($1, $2)
++
 +	optional_policy(`
 +		abrt_stream_connect($1)
 +	')
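Review bot: The added `init_domain($1, $2)` is indented with four spaces while the rest of the interface body uses tabs (the `optional_policy(` two lines below); it should read `	init_domain($1, $2)`. Beyond style, every caller of inetd_core_service_domain now also becomes an init-launched domain with `$2` as the entrypoint — per the commit message this is what lets init_t transition to all inetd domains — so the interface's `## <summary>` block above the hunk should state it, e.g. `## The domain is also declared as an init domain, so init_t may transition to it through the same entrypoint.` The interface body starts outside the hunk.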
@@ -36154,7 +36150,7 @@ index b9270f7..15f3748 100644
  ')
 diff --git a/lsm.fc b/lsm.fc
 new file mode 100644
-index 0000000..711c04b
+index 0000000..81cd4e0
 --- /dev/null
 +++ b/lsm.fc
 @@ -0,0 +1,5 @@
@@ -36162,7 +36158,7 @@ index 0000000..711c04b
 +
 +/usr/lib/systemd/system/libstoragemgmt.*		--	gen_context(system_u:object_r:lsmd_unit_file_t,s0)
 +
-+/var/run/lsm(/.*)?	--	gen_context(system_u:object_r:lsmd_var_run_t,s0)
++/var/run/lsm(/.*)?	    gen_context(system_u:object_r:lsmd_var_run_t,s0)
 diff --git a/lsm.if b/lsm.if
 new file mode 100644
 index 0000000..e8d4ce2
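Review bot: Dropping the `--` selector from the `/var/run/lsm(/.*)?` entry is presumably intended so the directory itself is labelled (a `--` entry only matches regular files), but the regex and context are now separated by a run of spaces while the other entries in the file use tabs; `/var/run/lsm(/.*)?	gen_context(system_u:object_r:lsmd_var_run_t,s0)` keeps the file consistent.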
@@ -50590,10 +50586,17 @@ index 296a1d3..edc3e32 100644
 +userdom_stream_connect(oddjob_mkhomedir_t)
 +
 diff --git a/openct.te b/openct.te
-index 8467596..66f068f 100644
+index 8467596..428ae48 100644
 --- a/openct.te
 +++ b/openct.te
-@@ -28,12 +28,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t)
+ 
+ dontaudit openct_t self:capability sys_tty_config;
+ allow openct_t self:process signal_perms;
++allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
  manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
  files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
  
@@ -50608,7 +50611,7 @@ index 8467596..66f068f 100644
  dev_read_sysfs(openct_t)
  dev_rw_usbfs(openct_t)
  dev_rw_smartcard(openct_t)
-@@ -41,15 +41,12 @@ dev_rw_generic_usb_dev(openct_t)
+@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
  
  domain_use_interactive_fds(openct_t)
  
@@ -72017,18 +72020,10 @@ index 050479d..0e1b364 100644
  		type rlogind_home_t;
  	')
 diff --git a/rlogin.te b/rlogin.te
-index d34cdec..eeeee9b 100644
+index d34cdec..f41c9c5 100644
 --- a/rlogin.te
 +++ b/rlogin.te
-@@ -9,6 +9,7 @@ type rlogind_t;
- type rlogind_exec_t;
- auth_login_pgm_domain(rlogind_t)
- inetd_service_domain(rlogind_t, rlogind_exec_t)
-+init_daemon_domain(rlogind_t, rlogind_exec_t)
- 
- type rlogind_devpts_t;
- term_login_pty(rlogind_devpts_t)
-@@ -30,7 +31,9 @@ files_pid_file(rlogind_var_run_t)
+@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
  allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
  allow rlogind_t self:process signal_perms;
  allow rlogind_t self:fifo_file rw_fifo_file_perms;
@@ -72039,7 +72034,7 @@ index d34cdec..eeeee9b 100644
  
  allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
  term_create_pty(rlogind_t, rlogind_devpts_t)
-@@ -39,7 +42,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
+@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
  
  manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
  manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
@@ -72047,7 +72042,7 @@ index d34cdec..eeeee9b 100644
  
  manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
  files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -50,7 +52,6 @@ kernel_read_kernel_sysctls(rlogind_t)
+@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t)
  kernel_read_system_state(rlogind_t)
  kernel_read_network_state(rlogind_t)
  
@@ -72055,7 +72050,7 @@ index d34cdec..eeeee9b 100644
  corenet_all_recvfrom_netlabel(rlogind_t)
  corenet_tcp_sendrecv_generic_if(rlogind_t)
  corenet_udp_sendrecv_generic_if(rlogind_t)
-@@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t)
+@@ -67,6 +67,7 @@ fs_getattr_all_fs(rlogind_t)
  fs_search_auto_mountpoints(rlogind_t)
  
  auth_domtrans_chk_passwd(rlogind_t)
@@ -72063,7 +72058,7 @@ index d34cdec..eeeee9b 100644
  auth_rw_login_records(rlogind_t)
  auth_use_nsswitch(rlogind_t)
  
-@@ -77,30 +79,23 @@ init_rw_utmp(rlogind_t)
+@@ -77,30 +78,23 @@ init_rw_utmp(rlogind_t)
  
  logging_send_syslog_msg(rlogind_t)
  
@@ -74938,7 +74933,7 @@ index f1140ef..ebc2190 100644
 +	files_etc_filetrans($1, rsync_etc_t, $2, $3)
  ')
 diff --git a/rsync.te b/rsync.te
-index e3e7c96..0820cb2 100644
+index e3e7c96..ec50426 100644
 --- a/rsync.te
 +++ b/rsync.te
 @@ -1,4 +1,4 @@
@@ -74947,7 +74942,7 @@ index e3e7c96..0820cb2 100644
  
  ########################################
  #
-@@ -6,67 +6,46 @@ policy_module(rsync, 1.12.2)
+@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2)
  #
  
  ## <desc>
@@ -75023,7 +75018,6 @@ index e3e7c96..0820cb2 100644
 -init_daemon_domain(rsync_t, rsync_exec_t)
 -application_domain(rsync_t, rsync_exec_t)
 -role rsync_roles types rsync_t;
-+init_domain(rsync_t, rsync_exec_t)
 +application_executable_file(rsync_exec_t)
 +role system_r types rsync_t;
  
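Review bot: With `init_domain(rsync_t, rsync_exec_t)` removed, none of the lines visible in this hunk declare rsync_t as a domain or make rsync_exec_t its entrypoint — the same hunk already drops `init_daemon_domain` and `application_domain` and keeps only `application_executable_file` and `role system_r types rsync_t;`. This is consistent with the rest of the commit only if rsync.te retains an inetd_service_domain call, which inetd_core_service_domain now extends with init_domain; that call is outside the hunk, so please confirm, otherwise rsync_t ends up with a role assignment but no domain declaration.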
@@ -75035,7 +75029,7 @@ index e3e7c96..0820cb2 100644
  files_type(rsync_data_t)
  
  type rsync_log_t;
-@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t)
+@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t)
  allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
  allow rsync_t self:process signal_perms;
  allow rsync_t self:fifo_file rw_fifo_file_perms;
@@ -75066,7 +75060,7 @@ index e3e7c96..0820cb2 100644
  logging_log_filetrans(rsync_t, rsync_log_t, file)
  
  manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +97,80 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
  kernel_read_system_state(rsync_t)
  kernel_read_network_state(rsync_t)
  
@@ -82402,10 +82396,25 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..e3580b2 100644
+index 703efa3..f9d6ed6 100644
 --- a/sosreport.te
 +++ b/sosreport.te
-@@ -33,6 +33,8 @@ allow sosreport_t self:process { setsched signull };
+@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
+ type sosreport_tmpfs_t;
+ files_tmpfs_file(sosreport_tmpfs_t)
+ 
++type sosreport_var_run_t;
++files_pid_file(sosreport_var_run_t)
++
+ optional_policy(`
+ 	pulseaudio_tmpfs_content(sosreport_tmpfs_t)
+ ')
+@@ -29,10 +32,13 @@ optional_policy(`
+ #
+ 
+ allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
++dontaudit sosreport_t self:capability { sys_ptrace };
+ allow sosreport_t self:process { setsched signull };
  allow sosreport_t self:fifo_file rw_fifo_file_perms;
  allow sosreport_t self:tcp_socket { accept listen };
  allow sosreport_t self:unix_stream_socket { accept listen };
@@ -82414,16 +82423,37 @@ index 703efa3..e3580b2 100644
  
  manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
  manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
-@@ -58,6 +60,8 @@ dev_read_rand(sosreport_t)
+@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+ files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
+ files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
+ 
++manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
++
+ manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+ fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
+ 
+@@ -58,6 +70,9 @@ dev_read_rand(sosreport_t)
  dev_read_urand(sosreport_t)
  dev_read_raw_memory(sosreport_t)
  dev_read_sysfs(sosreport_t)
++dev_rw_generic_usb_dev(sosreport_t)
 +dev_getattr_all_chr_files(sosreport_t)
 +dev_getattr_all_blk_files(sosreport_t)
  
  domain_getattr_all_domains(sosreport_t)
  domain_read_all_domains_state(sosreport_t)
-@@ -70,7 +74,6 @@ files_list_all(sosreport_t)
+@@ -65,12 +80,13 @@ domain_getattr_all_sockets(sosreport_t)
+ domain_getattr_all_pipes(sosreport_t)
+ 
+ files_getattr_all_sockets(sosreport_t)
++files_getattr_all_files(sosreport_t)
++files_getattr_all_pipes(sosreport_t)
+ files_exec_etc_files(sosreport_t)
+ files_list_all(sosreport_t)
  files_read_config_files(sosreport_t)
  files_read_generic_tmp_files(sosreport_t)
  files_read_non_auth_files(sosreport_t)
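Review bot: `dev_rw_generic_usb_dev(sosreport_t)` grants read and write on generic USB device nodes to a diagnostics collector, which is broader than the other rules added in this hunk (`files_getattr_all_files`, `files_getattr_all_pipes` are stat-only and consistent with the existing `domain_getattr_all_*` calls). If the access is for lsusb-style descriptor enumeration, which opens the device node read-write, a comment saying so would justify it, e.g. `# lsusb opens USB device nodes O_RDWR to read descriptors`; if the collector only reads, a read-only USB device interface would be the narrower choice, assuming one is available in this policy version. The block of sosreport_t rules continues past the end of this hunk.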
@@ -82431,7 +82461,7 @@ index 703efa3..e3580b2 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -79,23 +82,31 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,27 +95,41 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -82443,6 +82473,7 @@ index 703efa3..e3580b2 100644
  
 +term_getattr_pty_fs(sosreport_t)
 +term_getattr_all_ptys(sosreport_t)
++term_use_generic_ptys(sosreport_t)
 +
 +# some config files do not have configfile attribute
 +# sosreport needs to read various files on system
@@ -82465,18 +82496,16 @@ index 703efa3..e3580b2 100644
  
  optional_policy(`
  	abrt_manage_pid_files(sosreport_t)
-@@ -103,6 +114,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	brctl_domtrans(sosreport_t)
+ 	abrt_manage_cache(sosreport_t)
++	abrt_stream_connect(sosreport_t)
 +')
 +
 +optional_policy(`
- 	cups_stream_connect(sosreport_t)
++	brctl_domtrans(sosreport_t)
  ')
  
-@@ -111,6 +126,11 @@ optional_policy(`
+ optional_policy(`
+@@ -111,6 +141,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -87240,7 +87269,7 @@ index 5406b6e..dc5b46e 100644
  	admin_pattern($1, tgtd_tmpfs_t)
  ')
 diff --git a/tgtd.te b/tgtd.te
-index c93c973..b04d201 100644
+index c93c973..4ec1eb0 100644
 --- a/tgtd.te
 +++ b/tgtd.te
 @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
@@ -87252,7 +87281,7 @@ index c93c973..b04d201 100644
  allow tgtd_t self:capability2 block_suspend;
  allow tgtd_t self:process { setrlimit signal };
  allow tgtd_t self:fifo_file rw_fifo_file_perms;
-@@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t)
+@@ -58,27 +58,27 @@ kernel_read_system_state(tgtd_t)
  kernel_read_fs_sysctls(tgtd_t)
  
  corenet_all_recvfrom_netlabel(tgtd_t)
@@ -87260,7 +87289,11 @@ index c93c973..b04d201 100644
  corenet_tcp_sendrecv_generic_if(tgtd_t)
  corenet_tcp_sendrecv_generic_node(tgtd_t)
  corenet_tcp_bind_generic_node(tgtd_t)
-@@ -69,16 +68,16 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+ 
+ corenet_sendrecv_iscsi_server_packets(tgtd_t)
+ corenet_tcp_bind_iscsi_port(tgtd_t)
++corenet_tcp_connect_isns_port(tgtd_t)
+ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
  
  dev_read_sysfs(tgtd_t)
  
@@ -92140,7 +92173,7 @@ index 9dec06c..4e31afe 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..a4ae8e0 100644
+index 1f22fba..d48d354 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,104 @@
@@ -92999,7 +93032,7 @@ index 1f22fba..a4ae8e0 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -737,44 +592,261 @@ optional_policy(`
+@@ -737,44 +592,262 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -93020,6 +93053,7 @@ index 1f22fba..a4ae8e0 100644
 +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
 +allow virt_domain self:tcp_socket create_stream_socket_perms;
 +allow virt_domain self:udp_socket create_socket_perms;
++allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
  
 -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
 -allow virsh_t self:process { getcap getsched setsched setcap signal };
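Review bot: `allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;` applies to every domain carrying the virt_domain attribute, so all confined guests gain the ability to open a uevent netlink socket and subscribe to kernel device notifications, and neither the hunk nor the changelog entry says which component needs it. A comment naming the consumer, e.g. `# guest-side hotplug handling listens for kernel uevents — TODO confirm which component`, would document the need. `create_socket_perms` also includes write and setopt; if receiving events is all that is required, it is worth checking whether the subset `{ create bind read getattr }` suffices before granting the full set to the attribute. The virt_domain rule block is cut at both edges of this hunk.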
@@ -93283,7 +93317,7 @@ index 1f22fba..a4ae8e0 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +857,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +858,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -93310,7 +93344,7 @@ index 1f22fba..a4ae8e0 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +877,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +878,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -93342,7 +93376,7 @@ index 1f22fba..a4ae8e0 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +910,20 @@ optional_policy(`
+@@ -847,14 +911,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93364,7 +93398,7 @@ index 1f22fba..a4ae8e0 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,49 +948,65 @@ optional_policy(`
+@@ -879,49 +949,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -93448,7 +93482,7 @@ index 1f22fba..a4ae8e0 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1018,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1019,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -93468,7 +93502,7 @@ index 1f22fba..a4ae8e0 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1039,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1040,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -93492,7 +93526,7 @@ index 1f22fba..a4ae8e0 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1064,247 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1065,247 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -93870,7 +93904,7 @@ index 1f22fba..a4ae8e0 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1317,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1318,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -93885,7 +93919,7 @@ index 1f22fba..a4ae8e0 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1335,8 @@ optional_policy(`
+@@ -1183,9 +1336,8 @@ optional_policy(`
  
  ########################################
  #
@@ -93896,7 +93930,7 @@ index 1f22fba..a4ae8e0 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1349,120 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1350,120 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 78f2179..609d27e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 75%{?dist}
+Release: 76%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -92,7 +92,7 @@ fi;
 exit 0
 
 %preun sandbox
-semodule -n -r sandbox 2>/dev/null
+semodule -n -d sandbox 2>/dev/null
 if /usr/sbin/selinuxenabled ; then
     /usr/sbin/load_policy
 fi;exit 0
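Review bot: `%preun sandbox` does not test `$1`, so the scriptlet runs on upgrade as well as on erase; switching from `semodule -n -r` to `semodule -n -d` therefore leaves the sandbox module disabled after an upgrade unless the new package's `%post sandbox` (outside this hunk) explicitly re-enables it with `semodule -n -e sandbox`. Guarding the disable with the usual RPM convention, `if [ $1 -eq 0 ]; then semodule -n -d sandbox 2>/dev/null; fi`, makes the result independent of the %post scriptlet's behaviour. The `2>/dev/null` also hides the failure when the module is not present, which is acceptable for `-d` but worth a comment so nobody later assumes the disable was verified.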
@@ -569,6 +569,19 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Sep 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-76
+- Cleanup related to init_domain()+inetd_domain fixes
+- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
+- svirt domains neeed to create kobject_uevint_sockets
+- Lots of new access required for sosreport
+- Allow tgtd_t to connect to isns ports
+- Allow init_t to transition to all inetd domains:
+- openct needs to be able to create netlink_object_uevent_sockets
+- Dontaudit leaks into ldconfig_t
+- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
+- Move kernel_stream_connect into all Xwindow using users
+- Dontaudit inherited lock files in ifconfig o dhcpc_t
+
 * Tue Sep 3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-75
 - Also sock_file trans rule is needed in lsm
 - Fix labeling for fetchmail pid files/dirs

