[selinux-policy/f19] * Fri Sep 20 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.5 - Fix label on pam_krb5 helper apps
Lukas Vrabec
lvrabec at fedoraproject.org
Fri Sep 20 11:06:48 UTC 2013
commit c180de6dbcd009ccb8da995d219116f63c2d9cfc
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Fri Sep 20 13:04:36 2013 +0200
* Fri Sep 20 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.5
- Fix label on pam_krb5 helper apps
- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
- Allow init_t to run crash utility
- Fix label on pam_krb5 helper apps
- Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t
- Allow init_t to run crash utility
- Call neutron interfaces instead of quantum
- Allow users to communicate with journald using tmpfs files
- Allow nslcd to send signull to itself
- Fix virtd_lxc_t to be able to communicate with hal, need backport to rhel6 ASAP, for docker stuff
- Fix missing types in virt_admin interface
- Dontaudit attempts by sosreport to read shadow_t
- Allow cobbler to exec rsync and communicate with sssd, using nsswitch
- Add new label mpd_home_t
- Label /srv/www/logs as httpd_log_t
- Allow irc_t to use tcp sockets
- Add labels for apache logs under miq package
- Allow fetchmail to send mails
- Allow neutron to connect to amqp ports
- Fix to use quantum port
- Rename quantum to neutron
- Allow virt_qemu_ga_t to read meminfo
- Allow kdump_manage_crash to list the kdump_crash_t directory
- Allow ldconfig to write to kdumpctl fifo files
- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys
policy-f19-base.patch | 212 +++++-----
policy-f19-contrib.patch | 1139 +++++++++++++++++++++++++++-------------------
selinux-policy.spec | 31 ++-
3 files changed, 801 insertions(+), 581 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 2050d8a..151a236 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -3239,7 +3239,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..f9bcd44 100644
+index 644d4d7..6e7dd83 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3423,7 +3423,7 @@ index 644d4d7..f9bcd44 100644
/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/tumbler-[^/]*/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0)
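Review bot: The rewritten `++/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` widens the bin_t label from the single pam_krb5_storetmp helper to every regular file under that directory, so any data or config file installed there later will be labelled bin_t as well; the `--` keeps the directory itself out of the match. If only the helper programs are meant, a comment above the entry such as `# pam_krb5 helper programs invoked by the PAM module run as bin_t` records the intent, and a pattern that lists the helper names stays tighter. Either way the fc entry deserves that one-line comment, since the broadening is not obvious from the changelog wording.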
@@ -27602,7 +27602,7 @@ index 24e7804..c4155c7 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..8cda2bb 100644
+index dd3be8d..3ec4566 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27690,16 +27690,7 @@ index dd3be8d..8cda2bb 100644
type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
-@@ -66,6 +98,8 @@ role system_r types initrc_t;
- # of the below init_upstart tunable
- # but this has a typeattribute in it
- corecmd_shell_entry_type(initrc_t)
-+corecmd_bin_entry_type(initrc_t)
-+corecmd_bin_domtrans(init_t, initrc_t)
-
- type initrc_devpts_t;
- term_pty(initrc_devpts_t)
-@@ -98,7 +132,8 @@ ifdef(`enable_mls',`
+@@ -98,7 +130,8 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
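Review bot: Removing `corecmd_bin_entry_type(initrc_t)` and `corecmd_bin_domtrans(init_t, initrc_t)` from the patched init.te leaves no visible statement of what happens when init_t executes a bin_t file: if init_t is allowed to execute bin_t elsewhere, those programs now run inside init_t's own domain rather than initrc_t, which is a wider set of privileges; if not, the exec is denied. Neither rule is in this hunk, so please confirm which outcome is intended and record it with a comment next to the surviving `corecmd_shell_entry_type(initrc_t)` line, e.g. `# no init_t -> initrc_t transition on bin_t (3.12.1-74.5): bin_t helpers started by init_t stay in init_t`. The enclosing context of init.te continues outside the hunk.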
@@ -27709,7 +27700,7 @@ index dd3be8d..8cda2bb 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -110,12 +143,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -27749,7 +27740,7 @@ index dd3be8d..8cda2bb 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +179,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -27768,7 +27759,7 @@ index dd3be8d..8cda2bb 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +197,20 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -27789,7 +27780,7 @@ index dd3be8d..8cda2bb 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +220,49 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -27842,7 +27833,7 @@ index dd3be8d..8cda2bb 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +273,182 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +271,187 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -27869,20 +27860,24 @@ index dd3be8d..8cda2bb 100644
+storage_raw_rw_fixed_disk(init_t)
+
+optional_policy(`
++ kdump_read_crash(init_t)
++')
++
++optional_policy(`
+ gnome_filetrans_home_content(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ iscsi_read_lib_files(init_t)
- ')
-
- optional_policy(`
-+ modutils_domtrans_insmod(init_t)
-+ modutils_list_module_config(init_t)
+')
+
+optional_policy(`
++ modutils_domtrans_insmod(init_t)
++ modutils_list_module_config(init_t)
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
@@ -28002,13 +27997,14 @@ index dd3be8d..8cda2bb 100644
+
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
++auth_domtrans_chk_passwd(init_t)
+
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
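Review bot: `++auth_domtrans_chk_passwd(init_t)` is added unconditionally and without a comment; it lets init_t start the unix_chkpwd helper in chkpwd_t, the path used to verify passwords against the shadow database, yet a reader cannot tell which init-run component needs password checking. A one-line why-comment above it naming that caller would make the grant auditable, e.g. `# init_t must verify passwords via unix_chkpwd for <component> — TODO name it`. The changelog entry calls the target `chk_passwd_t`; the domain this interface transitions to is chkpwd_t, so the changelog wording is worth aligning with the interface.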
@@ -28016,24 +28012,24 @@ index dd3be8d..8cda2bb 100644
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
- ')
-
- optional_policy(`
-- nscd_use(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_use(init_t)
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
optional_policy(`
-@@ -216,6 +456,27 @@ optional_policy(`
+@@ -216,6 +459,27 @@ optional_policy(`
')
optional_policy(`
@@ -28061,7 +28057,7 @@ index dd3be8d..8cda2bb 100644
unconfined_domain(init_t)
')
-@@ -225,8 +486,9 @@ optional_policy(`
+@@ -225,8 +489,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28073,7 +28069,7 @@ index dd3be8d..8cda2bb 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +519,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +522,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28090,7 +28086,7 @@ index dd3be8d..8cda2bb 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +544,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +547,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28133,7 +28129,7 @@ index dd3be8d..8cda2bb 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +581,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +584,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28145,7 +28141,7 @@ index dd3be8d..8cda2bb 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +593,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +596,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -28156,7 +28152,7 @@ index dd3be8d..8cda2bb 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +604,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +607,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -28166,7 +28162,7 @@ index dd3be8d..8cda2bb 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +613,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +616,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -28174,7 +28170,7 @@ index dd3be8d..8cda2bb 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +620,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +623,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28182,7 +28178,7 @@ index dd3be8d..8cda2bb 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +628,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +631,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -28200,7 +28196,7 @@ index dd3be8d..8cda2bb 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +646,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +649,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -28214,7 +28210,7 @@ index dd3be8d..8cda2bb 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +661,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +664,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -28228,7 +28224,7 @@ index dd3be8d..8cda2bb 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +674,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +677,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -28236,7 +28232,7 @@ index dd3be8d..8cda2bb 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +686,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +689,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -28244,7 +28240,7 @@ index dd3be8d..8cda2bb 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +705,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +708,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -28268,7 +28264,7 @@ index dd3be8d..8cda2bb 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +738,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +741,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -28276,7 +28272,7 @@ index dd3be8d..8cda2bb 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +775,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -28287,7 +28283,7 @@ index dd3be8d..8cda2bb 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +796,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +799,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -28296,7 +28292,7 @@ index dd3be8d..8cda2bb 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +811,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +814,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -28304,7 +28300,7 @@ index dd3be8d..8cda2bb 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +832,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +835,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -28312,7 +28308,7 @@ index dd3be8d..8cda2bb 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +842,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +845,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -28357,7 +28353,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -558,14 +887,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +890,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -28389,7 +28385,7 @@ index dd3be8d..8cda2bb 100644
')
')
-@@ -576,6 +922,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +925,39 @@ ifdef(`distro_suse',`
')
')
@@ -28429,7 +28425,7 @@ index dd3be8d..8cda2bb 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +967,8 @@ optional_policy(`
+@@ -588,6 +970,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -28438,7 +28434,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -609,6 +990,7 @@ optional_policy(`
+@@ -609,6 +993,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -28446,7 +28442,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -625,6 +1007,17 @@ optional_policy(`
+@@ -625,6 +1010,17 @@ optional_policy(`
')
optional_policy(`
@@ -28464,7 +28460,7 @@ index dd3be8d..8cda2bb 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1034,13 @@ optional_policy(`
+@@ -641,9 +1037,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -28478,7 +28474,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -656,15 +1053,11 @@ optional_policy(`
+@@ -656,15 +1056,11 @@ optional_policy(`
')
optional_policy(`
@@ -28496,7 +28492,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -685,6 +1078,15 @@ optional_policy(`
+@@ -685,6 +1081,15 @@ optional_policy(`
')
optional_policy(`
@@ -28512,7 +28508,7 @@ index dd3be8d..8cda2bb 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1127,7 @@ optional_policy(`
+@@ -725,6 +1130,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -28520,7 +28516,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -742,7 +1145,14 @@ optional_policy(`
+@@ -742,7 +1148,14 @@ optional_policy(`
')
optional_policy(`
@@ -28535,7 +28531,7 @@ index dd3be8d..8cda2bb 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1175,10 @@ optional_policy(`
+@@ -765,6 +1178,10 @@ optional_policy(`
')
optional_policy(`
@@ -28546,7 +28542,7 @@ index dd3be8d..8cda2bb 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1188,20 @@ optional_policy(`
+@@ -774,10 +1191,20 @@ optional_policy(`
')
optional_policy(`
@@ -28567,7 +28563,7 @@ index dd3be8d..8cda2bb 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1210,10 @@ optional_policy(`
+@@ -786,6 +1213,10 @@ optional_policy(`
')
optional_policy(`
@@ -28578,7 +28574,7 @@ index dd3be8d..8cda2bb 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1235,6 @@ optional_policy(`
+@@ -807,8 +1238,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -28587,7 +28583,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -817,6 +1243,10 @@ optional_policy(`
+@@ -817,6 +1246,10 @@ optional_policy(`
')
optional_policy(`
@@ -28598,7 +28594,7 @@ index dd3be8d..8cda2bb 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1256,12 @@ optional_policy(`
+@@ -826,10 +1259,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -28611,7 +28607,7 @@ index dd3be8d..8cda2bb 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1288,27 @@ optional_policy(`
+@@ -856,12 +1291,27 @@ optional_policy(`
')
optional_policy(`
@@ -28640,7 +28636,7 @@ index dd3be8d..8cda2bb 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1318,18 @@ optional_policy(`
+@@ -871,6 +1321,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -28659,7 +28655,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -886,6 +1345,10 @@ optional_policy(`
+@@ -886,6 +1348,10 @@ optional_policy(`
')
optional_policy(`
@@ -28670,7 +28666,7 @@ index dd3be8d..8cda2bb 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1359,196 @@ optional_policy(`
+@@ -896,3 +1362,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28917,10 +28913,10 @@ index 662e79b..ef9370d 100644
+/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
+/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..a89c4a2 100644
+index 0d4c8d3..f133407 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
-@@ -55,6 +55,62 @@ interface(`ipsec_domtrans_mgmt',`
+@@ -55,6 +55,63 @@ interface(`ipsec_domtrans_mgmt',`
domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
')
@@ -28972,18 +28968,19 @@ index 0d4c8d3..a89c4a2 100644
+#
+interface(`ipsec_mgmt_read_pid',`
+ gen_require(`
++ type ipsec_var_run_t;
+ type ipsec_mgmt_var_run_t;
+ ')
+
+ files_search_pids($1)
-+ read_files_pattern($1, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t)
++ read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t)
+')
+
+
########################################
## <summary>
## Connect to racoon using a unix domain stream socket.
-@@ -120,7 +176,6 @@ interface(`ipsec_exec_mgmt',`
+@@ -120,7 +177,6 @@ interface(`ipsec_exec_mgmt',`
## </summary>
## </param>
#
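Review bot: In `ipsec_mgmt_read_pid` the rewritten `++ read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t)` replaces, rather than extends, the directory type: callers now get search on ipsec_var_run_t directories but no longer on any directory labelled ipsec_mgmt_var_run_t. That is consistent with the fc context lines earlier in this patch, which apply ipsec_mgmt_var_run_t only to files under /var/run/pluto, but if an ipsec_mgmt_var_run_t directory exists anywhere the changelog's intent ("search ipsec_var_run_t" in addition) is better expressed as `read_files_pattern($1, { ipsec_var_run_t ipsec_mgmt_var_run_t }, ipsec_mgmt_var_run_t)`. The interface's summary block begins before this hunk; it should mention that the pid files live under an ipsec_var_run_t directory.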
@@ -28991,7 +28988,7 @@ index 0d4c8d3..a89c4a2 100644
interface(`ipsec_signal_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -139,7 +194,6 @@ interface(`ipsec_signal_mgmt',`
+@@ -139,7 +195,6 @@ interface(`ipsec_signal_mgmt',`
## </summary>
## </param>
#
@@ -28999,7 +28996,7 @@ index 0d4c8d3..a89c4a2 100644
interface(`ipsec_signull_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -158,7 +212,6 @@ interface(`ipsec_signull_mgmt',`
+@@ -158,7 +213,6 @@ interface(`ipsec_signull_mgmt',`
## </summary>
## </param>
#
@@ -29007,7 +29004,7 @@ index 0d4c8d3..a89c4a2 100644
interface(`ipsec_kill_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -167,6 +220,60 @@ interface(`ipsec_kill_mgmt',`
+@@ -167,6 +221,60 @@ interface(`ipsec_kill_mgmt',`
allow $1 ipsec_mgmt_t:process sigkill;
')
@@ -29068,7 +29065,7 @@ index 0d4c8d3..a89c4a2 100644
######################################
## <summary>
## Send and receive messages from
-@@ -225,6 +332,7 @@ interface(`ipsec_match_default_spd',`
+@@ -225,6 +333,7 @@ interface(`ipsec_match_default_spd',`
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
@@ -29076,7 +29073,7 @@ index 0d4c8d3..a89c4a2 100644
')
########################################
-@@ -369,3 +477,26 @@ interface(`ipsec_run_setkey',`
+@@ -369,3 +478,26 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@@ -29104,7 +29101,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..e324045 100644
+index 9e54bf9..a19c295 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -29227,14 +29224,14 @@ index 9e54bf9..e324045 100644
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -206,14 +224,15 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
+@@ -206,14 +224,16 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
-allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
--files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
+manage_files_pattern(ipsec_mgmt_t, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t)
-+files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, { file })
+ files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
++filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
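Review bot: The new `++filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)` has no name filter, so every regular file ipsec_mgmt_t creates in an ipsec_var_run_t directory is created as ipsec_mgmt_var_run_t, while the context line below still lets ipsec_mgmt_t manage ipsec_var_run_t files. Any file that the fc assigns ipsec_var_run_t but that ipsec_mgmt_t happens to create would therefore be mislabelled until the next relabel; the fc context earlier in this patch names only ipsec.info and ipsec_setup.pid as ipsec_mgmt_var_run_t. If those are the only intended files, naming them keeps the two types from drifting: `filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file, "ipsec.info")` and the same line for `"ipsec_setup.pid"`, matching the named filetrans style already used in this patch.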
@@ -29246,7 +29243,7 @@ index 9e54bf9..e324045 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
-@@ -246,6 +265,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +266,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -29263,7 +29260,7 @@ index 9e54bf9..e324045 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +284,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +285,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -29272,7 +29269,7 @@ index 9e54bf9..e324045 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -278,9 +309,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +310,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -29284,7 +29281,7 @@ index 9e54bf9..e324045 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +322,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +323,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
logging_send_syslog_msg(ipsec_mgmt_t)
@@ -29308,7 +29305,7 @@ index 9e54bf9..e324045 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +357,10 @@ optional_policy(`
+@@ -322,6 +358,10 @@ optional_policy(`
')
optional_policy(`
@@ -29319,7 +29316,7 @@ index 9e54bf9..e324045 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -335,7 +374,7 @@ optional_policy(`
+@@ -335,7 +375,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@@ -29328,7 +29325,7 @@ index 9e54bf9..e324045 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +409,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +410,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -29348,7 +29345,7 @@ index 9e54bf9..e324045 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +439,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +440,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -29361,7 +29358,7 @@ index 9e54bf9..e324045 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +477,9 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -29461,7 +29458,7 @@ index c42fbc3..174cfdb 100644
## <summary>
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..4abf7fd 100644
+index 5dfa44b..cafb28e 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -29572,8 +29569,8 @@ index 5dfa44b..4abf7fd 100644
+')
+
+optional_policy(`
-+ quantum_rw_inherited_pipes(iptables_t)
-+ quantum_sigchld(iptables_t)
++ neutron_rw_inherited_pipes(iptables_t)
++ neutron_sigchld(iptables_t)
')
optional_policy(`
@@ -30960,7 +30957,7 @@ index 4e94884..9b82ed0 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..aae7b7d 100644
+index 39ea221..a55b140 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -31262,7 +31259,7 @@ index 39ea221..aae7b7d 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +535,10 @@ init_use_fds(syslogd_t)
+@@ -461,11 +535,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -31273,10 +31270,11 @@ index 39ea221..aae7b7d 100644
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-userdom_dontaudit_search_user_home_dirs(syslogd_t)
+userdom_search_user_home_dirs(syslogd_t)
++userdom_rw_inherited_user_tmpfs_files(syslogd_t)
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -502,15 +575,40 @@ optional_policy(`
+@@ -502,15 +576,40 @@ optional_policy(`
')
optional_policy(`
@@ -31317,7 +31315,7 @@ index 39ea221..aae7b7d 100644
')
optional_policy(`
-@@ -521,3 +619,26 @@ optional_policy(`
+@@ -521,3 +620,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index f2be4bd..7657ec9 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -2956,10 +2956,10 @@ index 0000000..f44287f
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..53e5708 100644
+index 550a69e..0dfadc0 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,161 +1,196 @@
+@@ -1,161 +1,197 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3023,6 +3023,7 @@ index 550a69e..53e5708 100644
-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
@@ -3229,6 +3230,7 @@ index 550a69e..53e5708 100644
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -3291,7 +3293,6 @@ index 550a69e..53e5708 100644
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
@@ -12275,7 +12276,7 @@ index c223f81..3bcdf6a 100644
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
-index 2a71346..9f877a1 100644
+index 2a71346..486cdb9 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@@ -12315,7 +12316,7 @@ index 2a71346..9f877a1 100644
term_use_console(cobblerd_t)
-+auth_read_passwd(cobblerd_t)
++auth_use_nsswitch(cobblerd_t)
+
logging_send_syslog_msg(cobblerd_t)
@@ -12328,7 +12329,7 @@ index 2a71346..9f877a1 100644
apache_search_sys_content(cobblerd_t)
')
-@@ -188,17 +191,20 @@ optional_policy(`
+@@ -188,17 +191,21 @@ optional_policy(`
')
optional_policy(`
@@ -12340,6 +12341,7 @@ index 2a71346..9f877a1 100644
')
optional_policy(`
++ rsync_exec(cobblerd_t)
rsync_read_config(cobblerd_t)
- rsync_manage_config_files(cobblerd_t)
+ rsync_manage_config(cobblerd_t)
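Review bot: `++ rsync_exec(cobblerd_t)` runs rsync inside cobblerd_t itself with no domain transition, so rsync inherits every permission cobblerd_t holds, including the network and nsswitch access granted elsewhere in this file. That is a normal choice for a synchronously invoked helper, but it deserves a comment stating that in-domain execution is deliberate, e.g. `# rsync runs in cobblerd_t on purpose; reason: <TODO> — no separate domain wanted`, so a later reader does not mistake it for a missing transition. The enclosing optional_policy block closes below the hunk.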
@@ -21508,7 +21510,7 @@ index 19aa0b8..1e8b244 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..0a3179c 100644
+index ba14bcf..a3e6c7c 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -21582,10 +21584,10 @@ index ba14bcf..0a3179c 100644
')
+
+optional_policy(`
-+ quantum_manage_lib_files(dnsmasq_t)
-+ quantum_stream_connect(dnsmasq_t)
-+ quantum_rw_fifo_file(dnsmasq_t)
-+ quantum_sigchld(dnsmasq_t)
++ neutron_manage_lib_files(dnsmasq_t)
++ neutron_stream_connect(dnsmasq_t)
++ neutron_rw_fifo_file(dnsmasq_t)
++ neutron_sigchld(dnsmasq_t)
+')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
@@ -23745,7 +23747,7 @@ index c3f7916..cab3954 100644
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..8e7f99e 100644
+index f0388cb..2e94f0e 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
@@ -23787,7 +23789,7 @@ index f0388cb..8e7f99e 100644
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
corenet_tcp_sendrecv_generic_node(fetchmail_t)
-@@ -84,15 +86,19 @@ fs_search_auto_mountpoints(fetchmail_t)
+@@ -84,15 +86,23 @@ fs_search_auto_mountpoints(fetchmail_t)
domain_use_interactive_fds(fetchmail_t)
@@ -23805,6 +23807,10 @@ index f0388cb..8e7f99e 100644
-userdom_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
++ mta_send_mail(fetchmail_t)
++')
++
++optional_policy(`
+ kerberos_use(fetchmail_t)
+')
@@ -30197,7 +30203,7 @@ index ac00fb0..36ef2e5 100644
+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
-index ecad9c7..86d790f 100644
+index ecad9c7..e413e5a 100644
--- a/irc.te
+++ b/irc.te
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
@@ -30271,7 +30277,7 @@ index ecad9c7..86d790f 100644
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
-@@ -106,13 +120,15 @@ auth_use_nsswitch(irc_t)
+@@ -106,15 +120,18 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
@@ -30288,8 +30294,11 @@ index ecad9c7..86d790f 100644
+userdom_use_inherited_user_terminals(irc_t)
tunable_policy(`irc_use_any_tcp_ports',`
++ allow irc_t self:tcp_socket create_stream_socket_perms;
corenet_sendrecv_all_server_packets(irc_t)
-@@ -122,18 +138,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
+ corenet_tcp_bind_all_unreserved_ports(irc_t)
+ corenet_sendrecv_all_client_packets(irc_t)
+@@ -122,18 +139,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
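Review bot: The new `allow irc_t self:tcp_socket create_stream_socket_perms;` is placed inside the `irc_use_any_tcp_ports` tunable block, so with the boolean off irc_t gains no socket-creation rule from this change even though the changelog entry is the unconditional "Allow irc_t to use tcp sockets". Unless an equivalent self:tcp_socket rule already exists elsewhere in irc.te (not visible in this hunk), the rule belongs above the `tunable_policy(`irc_use_any_tcp_ports',`` line next to the other unconditional corenet_tcp_* rules. The tunable governs which ports may be used, not whether irc_t may create TCP sockets at all. The tunable_policy block itself is complete within the hunk.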
@@ -31720,7 +31729,7 @@ index a49ae4e..913a0e3 100644
-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0)
diff --git a/kdump.if b/kdump.if
-index 3a00b3a..73476cb 100644
+index 3a00b3a..bf3d793 100644
--- a/kdump.if
+++ b/kdump.if
@@ -1,4 +1,4 @@
@@ -31791,7 +31800,7 @@ index 3a00b3a..73476cb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -56,10 +100,66 @@ interface(`kdump_read_config',`
+@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
@@ -31812,7 +31821,7 @@ index 3a00b3a..73476cb 100644
+
+ files_search_var($1)
+ read_files_pattern($1, kdump_crash_t, kdump_crash_t)
-+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
++ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+#####################################
@@ -31832,6 +31841,7 @@ index 3a00b3a..73476cb 100644
+
+ files_search_var($1)
+ manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
++ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+#####################################
@@ -31860,7 +31870,7 @@ index 3a00b3a..73476cb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -76,10 +176,31 @@ interface(`kdump_manage_config',`
+@@ -76,10 +177,32 @@ interface(`kdump_manage_config',`
allow $1 kdump_etc_t:file manage_file_perms;
')
@@ -31882,6 +31892,7 @@ index 3a00b3a..73476cb 100644
+ files_search_tmp($1)
+ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
++ manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+')
+
@@ -31894,7 +31905,7 @@ index 3a00b3a..73476cb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -88,19 +209,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +211,24 @@ interface(`kdump_manage_config',`
## </param>
## <param name="role">
## <summary>
@@ -31924,7 +31935,7 @@ index 3a00b3a..73476cb 100644
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -110,6 +236,10 @@ interface(`kdump_admin',`
+@@ -110,6 +238,10 @@ interface(`kdump_admin',`
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
@@ -40815,10 +40826,16 @@ index 6a306ee..2108bc7 100644
+ fs_manage_dos_files(mozilla_plugin_t)
')
diff --git a/mpd.fc b/mpd.fc
-index 313ce52..6aa46d2 100644
+index 313ce52..ae93e07 100644
--- a/mpd.fc
+++ b/mpd.fc
-@@ -9,3 +9,5 @@
+@@ -1,3 +1,5 @@
++HOME_DIR/\.mpd(/.*)? gen_context(system_u:object_r:mpd_home_t,s0)
++
+ /etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
+
+ /etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
+@@ -9,3 +11,5 @@
/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
@@ -40870,13 +40887,16 @@ index 5fa77c7..2e01c7d 100644
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index 7c8afcc..29d8881 100644
+index 7c8afcc..41f4352 100644
--- a/mpd.te
+++ b/mpd.te
-@@ -62,18 +62,22 @@ files_type(mpd_var_lib_t)
+@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
type mpd_user_data_t;
userdom_user_home_content(mpd_user_data_t) # customizable
++type mpd_home_t;
++userdom_user_home_content(mpd_home_t)
++
+type mpd_var_run_t;
+files_pid_file(mpd_var_run_t)
+
@@ -40897,7 +40917,7 @@ index 7c8afcc..29d8881 100644
allow mpd_t mpd_data_t:dir manage_dir_perms;
allow mpd_t mpd_data_t:file manage_file_perms;
-@@ -104,13 +108,18 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
@@ -40907,6 +40927,10 @@ index 7c8afcc..29d8881 100644
+manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file })
+
++manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
++manage_dirs_pattern(mpd_t, mpd_home_t, mpd_home_t)
++manage_lnk_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
++
kernel_getattr_proc(mpd_t)
kernel_read_system_state(mpd_t)
kernel_read_kernel_sysctls(mpd_t)
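Review bot: The three new `manage_*_pattern(mpd_t, mpd_home_t, mpd_home_t)` rules are unconditional, while mpd_t's other home-directory access in mpd.te is gated by the `mpd_enable_homedirs` tunable (the `tunable_policy(`mpd_enable_homedirs',` block appears as context in a later hunk of this file). Since mpd_home_t is declared as user home content, the rules would be more consistent and easier to audit inside that block, i.e. wrapped in `tunable_policy(`mpd_enable_homedirs',`` … `')`. I also do not see a file transition such as `userdom_user_home_dir_filetrans(mpd_t, mpd_home_t, dir, ".mpd")`, so a `~/.mpd` directory created by mpd_t would presumably not receive the new label until a relabel; worth confirming it is added elsewhere in the patch.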
@@ -40917,7 +40941,7 @@ index 7c8afcc..29d8881 100644
corenet_all_recvfrom_netlabel(mpd_t)
corenet_tcp_sendrecv_generic_if(mpd_t)
corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -139,9 +148,9 @@ dev_read_sound(mpd_t)
+@@ -139,9 +155,9 @@ dev_read_sound(mpd_t)
dev_write_sound(mpd_t)
dev_read_sysfs(mpd_t)
@@ -40928,7 +40952,7 @@ index 7c8afcc..29d8881 100644
fs_list_inotifyfs(mpd_t)
fs_rw_anon_inodefs_files(mpd_t)
fs_search_auto_mountpoints(mpd_t)
-@@ -150,7 +159,9 @@ auth_use_nsswitch(mpd_t)
+@@ -150,7 +166,9 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
@@ -40939,7 +40963,7 @@ index 7c8afcc..29d8881 100644
tunable_policy(`mpd_enable_homedirs',`
userdom_search_user_home_dirs(mpd_t)
-@@ -191,7 +202,7 @@ optional_policy(`
+@@ -191,7 +209,7 @@ optional_policy(`
')
optional_policy(`
@@ -40948,7 +40972,7 @@ index 7c8afcc..29d8881 100644
')
optional_policy(`
-@@ -199,6 +210,16 @@ optional_policy(`
+@@ -199,6 +217,16 @@ optional_policy(`
')
optional_policy(`
@@ -48280,7 +48304,7 @@ index 97df768..852d1c6 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index a3e56f0..f70a784 100644
+index a3e56f0..2c5b389 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -1,4 +1,4 @@
@@ -48301,7 +48325,7 @@ index a3e56f0..f70a784 100644
-allow nslcd_t self:process signal;
-allow nslcd_t self:unix_stream_socket { accept listen };
+allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
-+allow nslcd_t self:process { setsched signal };
++allow nslcd_t self:process { setsched signal signull };
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
allow nslcd_t nslcd_conf_t:file read_file_perms;
@@ -51655,7 +51679,7 @@ index 0000000..fdc4a03
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..9724884
+index 0000000..55c843c
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,549 @@
@@ -52205,7 +52229,7 @@ index 0000000..9724884
+')
+
+optional_policy(`
-+ ssh_exec_keygen(openshift_cron_t)
++ ssh_domtrans_keygen(openshift_cron_t)
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
diff --git a/openvpn.fc b/openvpn.fc
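Review bot: Replacing `ssh_exec_keygen` with `ssh_domtrans_keygen` changes the privilege of the spawned ssh-keygen: it now runs in ssh_keygen_t rather than openshift_cron_t, and ssh_keygen_t is, as far as I know, the domain permitted to generate and rewrite the sshd host keys, which is broader than the read access the changelog entry describes. That is presumably intended for the host-key use case, but a comment recording it would help a later audit, e.g. `# ssh-keygen must run in ssh_keygen_t to read the sshd host keys`. The following `ssh_dontaudit_read_server_keys(openshift_cron_t)` now only covers openshift_cron_t's own direct reads, not the transitioned child. The optional_policy block is complete within the hunk.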
@@ -65933,26 +65957,45 @@ index 76f5b39..8bb80a2 100644
+')
+
diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..e97da31 100644
+index 70ab68b..1de192b 100644
--- a/quantum.fc
+++ b/quantum.fc
-@@ -1,9 +1,14 @@
-+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:quantum_unit_file_t,s0)
-+
- /etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
-
- /usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
- /usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
- /usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
- /usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:quantum_exec_t,s0)
-
- /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
-
+@@ -1,10 +1,26 @@
+-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+
+-/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
+
+-/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
++/usr/lib/systemd/system/neutron.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
++/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
+
+-/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
++/var/lib/neutron(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
++/var/lib/quantum(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
++
++/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
++/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
diff --git a/quantum.if b/quantum.if
-index afc0068..7b3cfad 100644
+index afc0068..3105104 100644
--- a/quantum.if
+++ b/quantum.if
@@ -2,41 +2,293 @@
@@ -65961,7 +66004,7 @@ index afc0068..7b3cfad 100644
## <summary>
-## All of the rules required to
-## administrate an quantum environment.
-+## Transition to quantum.
++## Transition to neutron.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -65969,77 +66012,78 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_domtrans',`
++interface(`neutron_domtrans',`
+ gen_require(`
-+ type quantum_t, quantum_exec_t;
++ type neutron_t, neutron_exec_t;
+ ')
+
+ corecmd_search_bin($1)
-+ domtrans_pattern($1, quantum_exec_t, quantum_t)
++ domtrans_pattern($1, neutron_exec_t, neutron_t)
+')
+
+########################################
+## <summary>
-+## Allow read/write quantum pipes
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
++## Allow read/write neutron pipes
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
-+interface(`quantum_rw_inherited_pipes',`
++interface(`neutron_rw_inherited_pipes',`
+ gen_require(`
-+ type quantum_t;
++ type neutron_t;
+ ')
+
-+ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Send sigchld to quantum.
- ## </summary>
- ## <param name="domain">
++## Send sigchld to neutron.
++## </summary>
++## <param name="domain">
## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="role">
+-## Role allowed access.
++## Domain allowed access.
++## </summary>
++## </param>
+#
+#
-+interface(`quantum_sigchld',`
++interface(`neutron_sigchld',`
+ gen_require(`
-+ type quantum_t;
++ type neutron_t;
+ ')
+
-+ allow $1 quantum_t:process sigchld;
++ allow $1 neutron_t:process sigchld;
+')
+
+########################################
+## <summary>
-+## Read quantum's log files.
++## Read neutron's log files.
+## </summary>
+## <param name="domain">
- ## <summary>
--## Role allowed access.
++## <summary>
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
-+interface(`quantum_read_log',`
+-interface(`quantum_admin',`
++interface(`neutron_read_log',`
+ gen_require(`
-+ type quantum_log_t;
++ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
-+ read_files_pattern($1, quantum_log_t, quantum_log_t)
++ read_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
-+## Append to quantum log files.
++## Append to neutron log files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66047,18 +66091,18 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_append_log',`
++interface(`neutron_append_log',`
+ gen_require(`
-+ type quantum_log_t;
++ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
-+ append_files_pattern($1, quantum_log_t, quantum_log_t)
++ append_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
-+## Manage quantum log files
++## Manage neutron log files
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66066,20 +66110,20 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_manage_log',`
++interface(`neutron_manage_log',`
+ gen_require(`
-+ type quantum_log_t;
++ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
-+ manage_dirs_pattern($1, quantum_log_t, quantum_log_t)
-+ manage_files_pattern($1, quantum_log_t, quantum_log_t)
-+ manage_lnk_files_pattern($1, quantum_log_t, quantum_log_t)
++ manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
++ manage_files_pattern($1, neutron_log_t, neutron_log_t)
++ manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
-+## Search quantum lib directories.
++## Search neutron lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66087,18 +66131,18 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_search_lib',`
++interface(`neutron_search_lib',`
+ gen_require(`
-+ type quantum_var_lib_t;
++ type neutron_var_lib_t;
+ ')
+
-+ allow $1 quantum_var_lib_t:dir search_dir_perms;
++ allow $1 neutron_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
-+## Read quantum lib files.
++## Read neutron lib files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66106,18 +66150,22 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_read_lib_files',`
-+ gen_require(`
-+ type quantum_var_lib_t;
-+ ')
-+
++interface(`neutron_read_lib_files',`
+ gen_require(`
+- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
+- type quantum_var_lib_t, quantum_tmp_t;
++ type neutron_var_lib_t;
+ ')
+
+- allow $1 quantum_t:process { ptrace signal_perms };
+- ps_process_pattern($1, quantum_t)
+ files_search_var_lib($1)
-+ read_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++ read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Manage quantum lib files.
++## Manage neutron lib files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66125,18 +66173,22 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_manage_lib_files',`
++interface(`neutron_manage_lib_files',`
+ gen_require(`
-+ type quantum_var_lib_t;
++ type neutron_var_lib_t;
+ ')
-+
+
+- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 quantum_initrc_exec_t system_r;
+- allow $2 system_r;
+ files_search_var_lib($1)
-+ manage_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++ manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Manage quantum lib directories.
++## Manage neutron lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66144,18 +66196,18 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_manage_lib_dirs',`
++interface(`neutron_manage_lib_dirs',`
+ gen_require(`
-+ type quantum_var_lib_t;
++ type neutron_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++ manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Read and write quantum fifo files.
++## Read and write neutron fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66163,17 +66215,17 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_rw_fifo_file',`
++interface(`neutron_rw_fifo_file',`
+ gen_require(`
-+ type quantum_t;
++ type neutron_t;
+ ')
+
-+ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+#####################################
+## <summary>
-+## Connect to quantum over a unix domain
++## Connect to neutron over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
@@ -66182,19 +66234,19 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_stream_connect',`
++interface(`neutron_stream_connect',`
+ gen_require(`
-+ type quantum_t;
-+ type quantum_var_lib_t;
++ type neutron_t;
++ type neutron_var_lib_t;
+ ')
+
+ files_search_pids($1)
-+ stream_connect_pattern($1, quantum_var_lib_t, quantum_var_lib_t, quantum_t )
++ stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
+')
+
+########################################
+## <summary>
-+## Execute quantum server in the quantum domain.
++## Execute neutron server in the neutron domain.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66202,25 +66254,25 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_systemctl',`
++interface(`neutron_systemctl',`
+ gen_require(`
-+ type quantum_t;
-+ type quantum_unit_file_t;
++ type neutron_t;
++ type neutron_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 quantum_unit_file_t:file read_file_perms;
-+ allow $1 quantum_unit_file_t:service manage_service_perms;
++ allow $1 neutron_unit_file_t:file read_file_perms;
++ allow $1 neutron_unit_file_t:service manage_service_perms;
+
-+ ps_process_pattern($1, quantum_t)
++ ps_process_pattern($1, neutron_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
-+## an quantum environment
++## an neutron environment
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66228,92 +66280,204 @@ index afc0068..7b3cfad 100644
+## </summary>
+## </param>
+#
- interface(`quantum_admin',`
- gen_require(`
-- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
-- type quantum_var_lib_t, quantum_tmp_t;
-+ type quantum_t;
-+ type quantum_log_t;
-+ type quantum_var_lib_t;
-+ type quantum_unit_file_t;
- ')
-
- allow $1 quantum_t:process { ptrace signal_perms };
- ps_process_pattern($1, quantum_t)
++interface(`neutron_admin',`
++ gen_require(`
++ type neutron_t;
++ type neutron_log_t;
++ type neutron_var_lib_t;
++ type neutron_unit_file_t;
++ ')
++
++ allow $1 neutron_t:process { ptrace signal_perms };
++ ps_process_pattern($1, neutron_t)
-- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 quantum_initrc_exec_t system_r;
-- allow $2 system_r;
--
logging_search_logs($1)
- admin_pattern($1, quantum_log_t)
+- admin_pattern($1, quantum_log_t)
++ admin_pattern($1, neutron_log_t)
files_search_var_lib($1)
- admin_pattern($1, quantum_var_lib_t)
+- admin_pattern($1, quantum_var_lib_t)
++ admin_pattern($1, neutron_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, quantum_tmp_t)
-+ quantum_systemctl($1)
-+ admin_pattern($1, quantum_unit_file_t)
-+ allow $1 quantum_unit_file_t:service all_service_perms;
++ neutron_systemctl($1)
++ admin_pattern($1, neutron_unit_file_t)
++ allow $1 neutron_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..bf3f16f 100644
+index 769d1fd..801835e 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t)
- type quantum_var_lib_t;
- files_type(quantum_var_lib_t)
+@@ -1,96 +1,109 @@
+-policy_module(quantum, 1.0.2)
++policy_module(quantum, 1.0.3)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-type quantum_t;
+-type quantum_exec_t;
+-init_daemon_domain(quantum_t, quantum_exec_t)
++type neutron_t alias quantum_t;
++type neutron_exec_t alias quantum_exec_t;
++init_daemon_domain(neutron_t, neutron_exec_t)
+
+-type quantum_initrc_exec_t;
+-init_script_file(quantum_initrc_exec_t)
++type neutron_initrc_exec_t alias qauntum_initrc_exec_t;
++init_script_file(neutron_initrc_exec_t)
+
+-type quantum_log_t;
+-logging_log_file(quantum_log_t)
++type neutron_log_t alias quantum_log_t;
++logging_log_file(neutron_log_t)
+
+-type quantum_tmp_t;
+-files_tmp_file(quantum_tmp_t)
++type neutron_tmp_t alias quantum_tmp_t;
++files_tmp_file(neutron_tmp_t)
-+type quantum_unit_file_t;
-+systemd_unit_file(quantum_unit_file_t)
+-type quantum_var_lib_t;
+-files_type(quantum_var_lib_t)
++type neutron_var_lib_t alias quantum_var_lib_t;
++files_type(neutron_var_lib_t)
+
++type neutron_unit_file_t alias quantum_unit_file_t;
++systemd_unit_file(neutron_unit_file_t)
+
########################################
#
# Local policy
-@@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
- corenet_tcp_sendrecv_all_ports(quantum_t)
- corenet_tcp_bind_generic_node(quantum_t)
+ #
-+corenet_tcp_bind_quantum_port(quantum_t)
-+corenet_tcp_connect_keystone_port(quantum_t)
-+corenet_tcp_connect_mysqld_port(quantum_t)
-+
- dev_list_sysfs(quantum_t)
- dev_read_urand(quantum_t)
+-allow quantum_t self:capability { setgid setuid sys_resource };
+-allow quantum_t self:process { setsched setrlimit };
+-allow quantum_t self:fifo_file rw_fifo_file_perms;
+-allow quantum_t self:key manage_key_perms;
+-allow quantum_t self:tcp_socket { accept listen };
+-allow quantum_t self:unix_stream_socket { accept listen };
++allow neutron_t self:capability { setgid setuid sys_resource };
++allow neutron_t self:process { setsched setrlimit };
++allow neutron_t self:fifo_file rw_fifo_file_perms;
++allow neutron_t self:key manage_key_perms;
++allow neutron_t self:tcp_socket { accept listen };
++allow neutron_t self:unix_stream_socket { accept listen };
+
+-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-logging_log_filetrans(quantum_t, quantum_log_t, dir)
++manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
++append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++logging_log_filetrans(neutron_t, neutron_log_t, dir)
+
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
++files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
+
+-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
++manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
+
+-can_exec(quantum_t, quantum_tmp_t)
++can_exec(neutron_t, neutron_tmp_t)
+
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
++kernel_read_kernel_sysctls(neutron_t)
++kernel_read_system_state(neutron_t)
+
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
++corecmd_exec_shell(neutron_t)
++corecmd_exec_bin(neutron_t)
+
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
++corenet_all_recvfrom_unlabeled(neutron_t)
++corenet_all_recvfrom_netlabel(neutron_t)
++corenet_tcp_sendrecv_generic_if(neutron_t)
++corenet_tcp_sendrecv_generic_node(neutron_t)
++corenet_tcp_sendrecv_all_ports(neutron_t)
++corenet_tcp_bind_generic_node(neutron_t)
+
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
++corenet_tcp_bind_quantum_port(neutron_t)
++corenet_tcp_connect_keystone_port(neutron_t)
++corenet_tcp_connect_amqp_port(neutron_t)
++corenet_tcp_connect_mysqld_port(neutron_t)
-files_read_usr_files(quantum_t)
--
- auth_use_nsswitch(quantum_t)
++dev_list_sysfs(neutron_t)
++dev_read_urand(neutron_t)
- libs_exec_ldconfig(quantum_t)
-@@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t)
- logging_send_audit_msgs(quantum_t)
- logging_send_syslog_msg(quantum_t)
+-auth_use_nsswitch(quantum_t)
++auth_use_nsswitch(neutron_t)
+
+-libs_exec_ldconfig(quantum_t)
++libs_exec_ldconfig(neutron_t)
+
+-logging_send_audit_msgs(quantum_t)
+-logging_send_syslog_msg(quantum_t)
++logging_send_audit_msgs(neutron_t)
++logging_send_syslog_msg(neutron_t)
-miscfiles_read_localization(quantum_t)
--
- sysnet_domtrans_ifconfig(quantum_t)
++sysnet_domtrans_ifconfig(neutron_t)
+
+-sysnet_domtrans_ifconfig(quantum_t)
++optional_policy(`
++ brctl_domtrans(neutron_t)
++')
optional_policy(`
-@@ -94,3 +97,12 @@ optional_policy(`
+- brctl_domtrans(quantum_t)
++ mysql_stream_connect(neutron_t)
++ mysql_read_config(neutron_t)
++
++ mysql_tcp_connect(neutron_t)
+ ')
- postgresql_tcp_connect(quantum_t)
+ optional_policy(`
+- mysql_stream_connect(quantum_t)
+- mysql_read_config(quantum_t)
++ postgresql_stream_connect(neutron_t)
++ postgresql_unpriv_client(neutron_t)
+
+- mysql_tcp_connect(quantum_t)
++ postgresql_tcp_connect(neutron_t)
')
-+
-+optional_policy(`
-+ openvswitch_domtrans(quantum_t)
-+ openvswitch_stream_connect(quantum_t)
+
+ optional_policy(`
+- postgresql_stream_connect(quantum_t)
+- postgresql_unpriv_client(quantum_t)
++ openvswitch_domtrans(neutron_t)
++ openvswitch_stream_connect(neutron_t)
+')
-+
+
+- postgresql_tcp_connect(quantum_t)
+optional_policy(`
-+ sudo_exec(quantum_t)
-+')
++ sudo_exec(neutron_t)
+ ')
diff --git a/quota.fc b/quota.fc
index cadabe3..0ee2489 100644
--- a/quota.fc
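Review bot: The alias on the new `type neutron_initrc_exec_t alias qauntum_initrc_exec_t;` line is misspelled (`qauntum`), so unlike every other declaration in this block it does not preserve the old `quantum_initrc_exec_t` name; any policy module, local customization or file-context entry still referring to `quantum_initrc_exec_t` would fail to resolve after this rename. The line should read `type neutron_initrc_exec_t alias quantum_initrc_exec_t;`. The rest of the block consistently aliases the old names, including `quantum_unit_file_t`, so this looks like a typo rather than intent. The neutron_admin interface earlier in this hunk only changes names and needs no further comment.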
@@ -81937,7 +82101,7 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index 703efa3..f9d6ed6 100644
+index 703efa3..9610be1 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -82002,7 +82166,7 @@ index 703efa3..f9d6ed6 100644
files_read_var_lib_files(sosreport_t)
files_read_var_symlinks(sosreport_t)
files_read_kernel_modules(sosreport_t)
-@@ -79,27 +95,41 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,27 +95,42 @@ files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
fs_getattr_all_fs(sosreport_t)
@@ -82021,6 +82185,7 @@ index 703efa3..f9d6ed6 100644
+files_read_non_security_files(sosreport_t)
+
auth_use_nsswitch(sosreport_t)
++auth_dontaudit_read_shadow(sosreport_t)
init_domtrans_script(sosreport_t)
+init_getattr_initctl(sosreport_t)
@@ -82046,7 +82211,7 @@ index 703efa3..f9d6ed6 100644
')
optional_policy(`
-@@ -111,6 +141,11 @@ optional_policy(`
+@@ -111,6 +142,11 @@ optional_policy(`
')
optional_policy(`
@@ -90041,7 +90206,7 @@ index c30da4c..459fbcf 100644
+
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..4e31afe 100644
+index 9dec06c..73549fd 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -91056,7 +91221,7 @@ index 9dec06c..4e31afe 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -860,115 +658,245 @@ interface(`virt_read_lib_files',`
+@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@@ -91196,70 +91361,9 @@ index 9dec06c..4e31afe 100644
+ ps_process_pattern(svirt_sandbox_domain, $1)
')
-+
########################################
## <summary>
-## Read virt log files.
-+## All of the rules required to administrate
-+## an virt environment
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
- ## <rolecap/>
- #
--interface(`virt_read_log',`
-+interface(`virt_admin',`
- gen_require(`
-- type virt_log_t;
-+ type virtd_t, virtd_initrc_exec_t;
-+ attribute virt_domain;
-+ type virtd_lxc_t;
-+ type virtd_unit_file_t;
- ')
-
-- logging_search_logs($1)
-- read_files_pattern($1, virt_log_t, virt_log_t)
-+ allow $1 virtd_t:process signal_perms;
-+ ps_process_pattern($1, virtd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 virtd_t:process ptrace;
-+ allow $1 virtd_lxc_t:process ptrace;
-+ ')
-+
-+ allow $1 virtd_lxc_t:process signal_perms;
-+ ps_process_pattern($1, virtd_lxc_t)
-+
-+ init_labeled_script_domtrans($1, virtd_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 virtd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ virt_manage_pid_files($1)
-+
-+ virt_manage_lib_files($1)
-+
-+ virt_manage_log($1)
-+
-+ virt_manage_images($1)
-+
-+ allow $1 virt_domain:process signal_perms;
-+
-+ virt_systemctl($1)
-+ admin_pattern($1, virtd_unit_file_t)
-+ allow $1 virtd_unit_file_t:service all_service_perms;
- ')
-
- ########################################
- ## <summary>
--## Append virt log files.
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
## </summary>
@@ -91274,9 +91378,9 @@ index 9dec06c..4e31afe 100644
+## The role to be allowed the sandbox domain.
## </summary>
## </param>
-+## <rolecap/>
+ ## <rolecap/>
#
--interface(`virt_append_log',`
+-interface(`virt_read_log',`
+interface(`virt_transition_svirt',`
gen_require(`
- type virt_log_t;
@@ -91287,7 +91391,7 @@ index 9dec06c..4e31afe 100644
')
- logging_search_logs($1)
-- append_files_pattern($1, virt_log_t, virt_log_t)
+- read_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virt_domain:process transition;
+ role $2 types virt_domain;
+ role $2 types virt_bridgehelper_t;
@@ -91306,8 +91410,7 @@ index 9dec06c..4e31afe 100644
########################################
## <summary>
--## Create, read, write, and delete
--## virt log files.
+-## Append virt log files.
+## Do not audit attempts to write virt daemon unnamed pipes.
## </summary>
## <param name="domain">
@@ -91317,7 +91420,7 @@ index 9dec06c..4e31afe 100644
## </summary>
## </param>
#
--interface(`virt_manage_log',`
+-interface(`virt_append_log',`
+interface(`virt_dontaudit_write_pipes',`
gen_require(`
- type virt_log_t;
@@ -91325,53 +91428,77 @@ index 9dec06c..4e31afe 100644
')
- logging_search_logs($1)
+- append_files_pattern($1, virt_log_t, virt_log_t)
++ dontaudit $1 virtd_t:fd use;
++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt log files.
++## Send a sigkill to virtual machines
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -955,20 +848,17 @@ interface(`virt_append_log',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_log',`
++interface(`virt_kill_svirt',`
+ gen_require(`
+- type virt_log_t;
++ attribute virt_domain;
+ ')
+
+- logging_search_logs($1)
- manage_dirs_pattern($1, virt_log_t, virt_log_t)
- manage_files_pattern($1, virt_log_t, virt_log_t)
- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-+ dontaudit $1 virtd_t:fd use;
-+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
++ allow $1 virt_domain:process sigkill;
')
########################################
## <summary>
-## Search virt image directories.
-+## Send a sigkill to virtual machines
++## Send a sigkill to virtd daemon.
## </summary>
## <param name="domain">
## <summary>
-@@ -976,18 +904,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +866,17 @@ interface(`virt_manage_log',`
## </summary>
## </param>
#
-interface(`virt_search_images',`
-+interface(`virt_kill_svirt',`
++interface(`virt_kill',`
gen_require(`
- attribute virt_image_type;
-+ attribute virt_domain;
++ type virtd_t;
')
- virt_search_lib($1)
- allow $1 virt_image_type:dir search_dir_perms;
-+ allow $1 virt_domain:process sigkill;
++ allow $1 virtd_t:process sigkill;
')
########################################
## <summary>
-## Read virt image files.
-+## Send a sigkill to virtd daemon.
++## Send a signal to virtual machines
## </summary>
## <param name="domain">
## <summary>
-@@ -995,36 +922,35 @@ interface(`virt_search_images',`
+@@ -995,73 +884,75 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
-interface(`virt_read_images',`
-+interface(`virt_kill',`
++interface(`virt_signal_svirt',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
-+ type virtd_t;
++ attribute virt_domain;
')
- virt_search_lib($1)
@@ -91380,7 +91507,7 @@ index 9dec06c..4e31afe 100644
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ allow $1 virtd_t:process sigkill;
++ allow $1 virt_domain:process signal;
+')
- tunable_policy(`virt_use_nfs',`
@@ -91389,7 +91516,7 @@ index 9dec06c..4e31afe 100644
- fs_read_nfs_symlinks($1)
+########################################
+## <summary>
-+## Send a signal to virtual machines
++## Manage virt home files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -91397,9 +91524,9 @@ index 9dec06c..4e31afe 100644
+## </summary>
+## </param>
+#
-+interface(`virt_signal_svirt',`
++interface(`virt_manage_home_files',`
+ gen_require(`
-+ attribute virt_domain;
++ type virt_home_t;
')
- tunable_policy(`virt_use_samba',`
@@ -91407,40 +91534,42 @@ index 9dec06c..4e31afe 100644
- fs_read_cifs_files($1)
- fs_read_cifs_symlinks($1)
- ')
-+ allow $1 virt_domain:process signal;
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, virt_home_t, virt_home_t)
')
########################################
## <summary>
-## Read and write all virt image
-## character files.
-+## Manage virt home files.
++## allow domain to read
++## virt tmpfs files
## </summary>
## <param name="domain">
## <summary>
-@@ -1032,58 +958,57 @@ interface(`virt_read_images',`
+-## Domain allowed access.
++## Domain allowed access
## </summary>
## </param>
#
-interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_manage_home_files',`
++interface(`virt_read_tmpfs_files',`
gen_require(`
- attribute virt_image_type;
-+ type virt_home_t;
++ attribute virt_tmpfs_type;
')
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, virt_home_t, virt_home_t)
++ allow $1 virt_tmpfs_type:file read_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## svirt cache files.
-+## allow domain to read
++## allow domain to manage
+## virt tmpfs files
## </summary>
## <param name="domain">
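Review bot: The new `virt_read_tmpfs_files` body is only `allow $1 virt_tmpfs_type:file read_file_perms;`; the old `virt_admin` in this same patch paired access to `virt_tmpfs_type` with `fs_search_tmpfs($1)`, so callers that have to reach these files through the tmpfs mount will probably need that search rule as well — either add `fs_search_tmpfs($1)` here (and in `virt_manage_tmpfs_files` in the next hunk) or state in the summary that the caller is expected to supply it. The summaries `## allow domain to read` / `## virt tmpfs files` depart from the capitalised one-sentence style of the neighbouring interfaces, and `## Domain allowed access` drops the trailing period the other `<param>` blocks keep; `## Read virt tmpfs files.` / `## Domain allowed access.` would match the file.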
@@ -91453,62 +91582,69 @@ index 9dec06c..4e31afe 100644
-interface(`virt_manage_svirt_cache',`
- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
- virt_manage_virt_cache($1)
-+interface(`virt_read_tmpfs_files',`
++interface(`virt_manage_tmpfs_files',`
+ gen_require(`
+ attribute virt_tmpfs_type;
+ ')
+
-+ allow $1 virt_tmpfs_type:file read_file_perms;
++ allow $1 virt_tmpfs_type:file manage_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt cache content.
-+## allow domain to manage
-+## virt tmpfs files
++## Create .virt directory in the user home directory
++## with an correct label.
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain allowed access
+@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',`
## </summary>
## </param>
#
-interface(`virt_manage_virt_cache',`
-+interface(`virt_manage_tmpfs_files',`
++interface(`virt_filetrans_home_content',`
gen_require(`
- type virt_cache_t;
-+ attribute virt_tmpfs_type;
++ type virt_home_t;
++ type svirt_home_t;
')
- files_search_var($1)
- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
- manage_files_pattern($1, virt_cache_t, virt_cache_t)
- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
-+ allow $1 virt_tmpfs_type:file manage_file_perms;
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
++
++ optional_policy(`
++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
++ gnome_data_filetrans($1, svirt_home_t, dir, "images")
++ ')
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt image files.
-+## Create .virt directory in the user home directory
-+## with an correct label.
++## Dontaudit attempts to Read virt_image_type devices.
## </summary>
## <param name="domain">
## <summary>
-@@ -1091,95 +1016,169 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
-interface(`virt_manage_images',`
-+interface(`virt_filetrans_home_content',`
++interface(`virt_dontaudit_read_chr_dev',`
gen_require(`
- type virt_var_lib_t;
-- attribute virt_image_type;
-+ type virt_home_t;
-+ type svirt_home_t;
+ attribute virt_image_type;
')
- virt_search_lib($1)
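Review bot: The summary of `virt_filetrans_home_content`, `## Create .virt directory in the user home directory` / `## with an correct label.`, does not describe the body, which transitions `.libvirt` and `.virtinst` under the home directory, `qemu` under virt_home_t, and the GNOME `libvirt`, `libvirt-sandbox`, `gnome-boxes` and `images` entries; the wording looks carried over from an earlier version rather than introduced here, but it is what the new side ships. Suggest `## Create the .libvirt and .virtinst directories (and the related GNOME config, cache and data entries) in the user home directory with the correct label.`, which also fixes the grammar. `gnome_data_filetrans($1, svirt_home_t, dir, "images")` labels its directory svirt_home_t while every other entry uses virt_home_t — presumably deliberate because guests write there, but a one-line comment saying so would stop the next reader from "fixing" it.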
@@ -91517,97 +91653,43 @@ index 9dec06c..4e31afe 100644
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
++')
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_read_nfs_symlinks($1)
-- ')
--
-- tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_files($1)
-- fs_manage_cifs_files($1)
-- fs_read_cifs_symlinks($1)
-+ optional_policy(`
-+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
-+ gnome_data_filetrans($1, svirt_home_t, dir, "images")
- ')
- ')
-
- ########################################
- ## <summary>
--## All of the rules required to
--## administrate an virt environment.
-+## Dontaudit attempts to Read virt_image_type devices.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="role">
-+#
-+interface(`virt_dontaudit_read_chr_dev',`
-+ gen_require(`
-+ attribute virt_image_type;
-+ ')
-+
-+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
-+')
-+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## virt_lxc process domain.
+## </summary>
+## <param name="prefix">
- ## <summary>
--## Role allowed access.
++## <summary>
+## Prefix for the domain.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`virt_admin',`
++## </summary>
++## </param>
++#
+template(`virt_sandbox_domain_template',`
- gen_require(`
-- attribute virt_domain, virt_image_type, virt_tmpfs_type;
-- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
-- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t;
-- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t;
-- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
-- type virt_var_run_t, virt_tmp_t, virt_log_t;
-- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
-- type virt_etc_t, svirt_cache_t;
++ gen_require(`
+ attribute svirt_sandbox_domain;
')
-- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
-- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
-- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_files($1)
+- fs_read_cifs_symlinks($1)
+ type $1_t, svirt_sandbox_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+ role system_r types $1_t;
-
-- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 virtd_initrc_exec_t system_r;
-- allow $2 system_r;
++
+ kernel_read_system_state($1_t)
+')
-
-- fs_search_tmpfs($1)
-- admin_pattern($1, virt_tmpfs_type)
++
+########################################
+## <summary>
+## Make the specified type usable as a lxc domain
@@ -91622,14 +91704,10 @@ index 9dec06c..4e31afe 100644
+ gen_require(`
+ attribute svirt_sandbox_domain;
+ ')
-
-- files_search_tmp($1)
-- admin_pattern($1, { virt_tmp_type virt_tmp_t })
++
+ typeattribute $1 svirt_sandbox_domain;
+')
-
-- files_search_etc($1)
-- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
++
+########################################
+## <summary>
+## Execute a qemu_exec_t in the callers domain
@@ -91644,14 +91722,10 @@ index 9dec06c..4e31afe 100644
+ gen_require(`
+ type qemu_exec_t;
+ ')
-
-- logging_search_logs($1)
-- admin_pattern($1, virt_log_t)
++
+ can_exec($1, qemu_exec_t)
+')
-
-- files_search_pids($1)
-- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
++
+########################################
+## <summary>
+## Transition to virt named content
@@ -91667,16 +91741,12 @@ index 9dec06c..4e31afe 100644
+ type virt_lxc_var_run_t;
+ type virt_var_run_t;
+ ')
-
-- files_search_var($1)
-- admin_pattern($1, svirt_cache_t)
++
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
+')
-
-- files_search_var_lib($1)
-- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
++
+########################################
+## <summary>
+## Execute qemu in the svirt domain, and
@@ -91705,9 +91775,7 @@ index 9dec06c..4e31afe 100644
+
+ allow svirt_sandbox_domain $1:process sigchld;
+')
-
-- files_search_locks($1)
-- admin_pattern($1, virt_lock_t)
++
+########################################
+## <summary>
+## Read and write to svirt_image devices.
@@ -91721,17 +91789,97 @@ index 9dec06c..4e31afe 100644
+interface(`virt_rw_svirt_dev',`
+ gen_require(`
+ type svirt_image_t;
+ ')
++
++ allow $1 svirt_image_t:chr_file rw_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an virt environment.
++## All of the rules required to administrate
++## an virt environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',`
+ #
+ interface(`virt_admin',`
+ gen_require(`
+- attribute virt_domain, virt_image_type, virt_tmpfs_type;
+- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
+- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t;
+- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t;
+- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
+- type virt_var_run_t, virt_tmp_t, virt_log_t;
+- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
+- type virt_etc_t, svirt_cache_t;
++ attribute virt_domain;
++ attribute virt_system_domain;
++ attribute svirt_file_type;
++ attribute virt_file_type;
++ type virtd_initrc_exec_t;
+ ')
+
+- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
+- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
+- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
++ allow $1 virt_system_domain:process signal_perms;
++ allow $1 virt_domain:process signal_perms;
++ ps_process_pattern($1, virt_system_domain)
++ ps_process_pattern($1, virt_domain)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 virt_system_domain:process ptrace;
++ allow $1 virt_domain:process ptrace;
+ ')
+ init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 virtd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- fs_search_tmpfs($1)
+- admin_pattern($1, virt_tmpfs_type)
+-
+- files_search_tmp($1)
+- admin_pattern($1, { virt_tmp_type virt_tmp_t })
+-
+- files_search_etc($1)
+- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
+-
+- logging_search_logs($1)
+- admin_pattern($1, virt_log_t)
++ allow $1 virt_domain:process signal_perms;
+
+- files_search_pids($1)
+- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
+-
+- files_search_var($1)
+- admin_pattern($1, svirt_cache_t)
+-
+- files_search_var_lib($1)
+- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
++ admin_pattern($1, virt_file_type)
++ admin_pattern($1, svirt_file_type)
+
+- files_search_locks($1)
+- admin_pattern($1, virt_lock_t)
++ virt_systemctl($1)
++ allow $1 virtd_unit_file_t:service all_service_perms;
+
- dev_list_all_dev_nodes($1)
- allow $1 virt_ptynode:chr_file rw_term_perms;
-+ allow $1 svirt_image_t:chr_file rw_file_perms;
++ virt_stream_connect_sandbox($1)
++ virt_stream_connect_svirt($1)
++ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..89679f0 100644
+index 1f22fba..4c14ed6 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,94 +1,104 @@
+@@ -1,147 +1,166 @@
-policy_module(virt, 1.6.10)
+policy_module(virt, 1.5.0)
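Review bot: The rewritten `virt_admin` uses `virtd_unit_file_t` in `allow $1 virtd_unit_file_t:service all_service_perms;`, but the new `gen_require` block declares only virt_domain, virt_system_domain, svirt_file_type, virt_file_type and virtd_initrc_exec_t; unless `virt_systemctl($1)` happens to require it, modules that call this interface will fail to build, so add `type virtd_unit_file_t;` to the require block. `allow $1 virt_domain:process signal_perms;` also appears twice in the new body. Separately, `admin_pattern($1, virt_file_type)` now grants manage and relabel over every type tagged virt_file_type, which in the virt.te hunks below includes virtd_exec_t, qemu_exec_t, virtd_unit_file_t and virt_qemu_ga_unconfined_exec_t — executables and a unit file that the old explicit type list never covered — so the admin role gains write access to the daemon's own entry points; either exclude those types from the attribute or document the intent with a comment such as `# admin_pattern over virt_file_type includes the virt executables and unit file; intended`. The old `fs_search_tmpfs($1)` pairing is also dropped although svirt_tmpfs_t remains reachable through svirt_file_type.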
@@ -91741,17 +91889,20 @@ index 1f22fba..89679f0 100644
#
+attribute virsh_transition_domain;
+attribute virt_ptynode;
++attribute virt_system_domain;
+attribute virt_domain;
+attribute virt_image_type;
+attribute virt_tmpfs_type;
++attribute svirt_file_type;
++attribute virt_file_type;
+
-+type svirt_tmp_t;
++type svirt_tmp_t, svirt_file_type;
+files_tmp_file(svirt_tmp_t)
+
-+type svirt_tmpfs_t, virt_tmpfs_type;
++type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type;
+files_tmpfs_file(svirt_tmpfs_t)
+
-+type svirt_image_t, virt_image_type;
++type svirt_image_t, virt_image_type, svirt_file_type;
+files_type(svirt_image_t)
+dev_node(svirt_image_t)
+dev_associate_sysfs(svirt_image_t)
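Review bot: `attribute svirt_file_type;` and `attribute virt_file_type;` are declared without a comment, yet `virt_admin` later in this patch grants `admin_pattern` over both, so tagging a type with either attribute now silently gives the admin role manage and relabel rights on it. A comment at the declaration, e.g. `# every member of virt_file_type / svirt_file_type is fully managed by virt_admin; review before adding executable or unit-file types`, would make that consequence visible to whoever adds the next type.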
@@ -91883,55 +92034,83 @@ index 1f22fba..89679f0 100644
-virt_domain_template(svirt)
-virt_domain_template(svirt_prot_exec)
-+type qemu_exec_t;
++type qemu_exec_t, virt_file_type;
- type virt_cache_t alias svirt_cache_t;
+-type virt_cache_t alias svirt_cache_t;
++type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
-@@ -105,27 +115,25 @@ userdom_user_home_content(virt_home_t)
- type svirt_home_t;
+
+-type virt_etc_t;
++type virt_etc_t, virt_file_type;
+ files_config_file(virt_etc_t)
+
+-type virt_etc_rw_t;
++type virt_etc_rw_t, virt_file_type;
+ files_type(virt_etc_rw_t)
+
+-type virt_home_t;
++type virt_home_t, virt_file_type;
+ userdom_user_home_content(virt_home_t)
+
+-type svirt_home_t;
++type svirt_home_t, svirt_file_type;
userdom_user_home_content(svirt_home_t)
-type svirt_var_run_t;
-files_pid_file(svirt_var_run_t)
-mls_trusted_object(svirt_var_run_t)
-
+-type virt_image_t; # customizable
+# virt Image files
- type virt_image_t; # customizable
++type virt_image_t, virt_file_type; # customizable
virt_image(virt_image_t)
files_mountpoint(virt_image_t)
+-type virt_content_t; # customizable
+# virt Image files
- type virt_content_t; # customizable
++type virt_content_t, virt_file_type; # customizable
virt_image(virt_content_t)
userdom_user_home_content(virt_content_t)
-type virt_lock_t;
-files_lock_file(virt_lock_t)
-+type virt_tmp_t;
++type virt_tmp_t, virt_file_type;
+files_tmp_file(virt_tmp_t)
- type virt_log_t;
+-type virt_log_t;
++type virt_log_t, virt_file_type;
logging_log_file(virt_log_t)
mls_trusted_object(virt_log_t)
-type virt_tmp_t;
-files_tmp_file(virt_tmp_t)
-+type virt_lock_t;
++type virt_lock_t, virt_file_type;
+files_lock_file(virt_lock_t)
- type virt_var_run_t;
+-type virt_var_run_t;
++type virt_var_run_t, virt_file_type;
files_pid_file(virt_var_run_t)
-@@ -139,9 +147,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+
+-type virt_var_lib_t;
++type virt_var_lib_t, virt_file_type;
+ files_mountpoint(virt_var_lib_t)
+
+-type virtd_t;
+-type virtd_exec_t;
++type virtd_t, virt_system_domain;
++type virtd_exec_t, virt_file_type;
+ init_daemon_domain(virtd_t, virtd_exec_t)
domain_obj_id_change_exemption(virtd_t)
domain_subj_id_change_exemption(virtd_t)
-+type virtd_unit_file_t;
+-type virtd_initrc_exec_t;
++type virtd_unit_file_t, virt_file_type;
+systemd_unit_file(virtd_unit_file_t)
+
- type virtd_initrc_exec_t;
++type virtd_initrc_exec_t, virt_file_type;
init_script_file(virtd_initrc_exec_t)
-+type qemu_var_run_t;
++type qemu_var_run_t, virt_file_type;
+typealias qemu_var_run_t alias svirt_var_run_t;
+files_pid_file(qemu_var_run_t)
+mls_trusted_object(qemu_var_run_t)
@@ -91939,14 +92118,22 @@ index 1f22fba..89679f0 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -155,290 +171,134 @@ type virt_qmf_exec_t;
+@@ -150,295 +169,139 @@ ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
+ ')
+
+-type virt_qmf_t;
+-type virt_qmf_exec_t;
++type virt_qmf_t, virt_system_domain;
++type virt_qmf_exec_t, virt_file_type;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
- type virt_bridgehelper_t;
+-type virt_bridgehelper_t;
-type virt_bridgehelper_exec_t;
++type virt_bridgehelper_t, virt_system_domain;
domain_type(virt_bridgehelper_t)
+
-+type virt_bridgehelper_exec_t;
++type virt_bridgehelper_exec_t, virt_file_type;
domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
-role virt_bridgehelper_roles types virt_bridgehelper_t;
+role system_r types virt_bridgehelper_t;
@@ -91955,33 +92142,33 @@ index 1f22fba..89679f0 100644
-type virtd_lxc_exec_t;
-init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+# policy for qemu_ga
-+type virt_qemu_ga_t;
-+type virt_qemu_ga_exec_t;
++type virt_qemu_ga_t, virt_system_domain;
++type virt_qemu_ga_exec_t, virt_file_type;
+init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
-type virtd_lxc_var_run_t;
-files_pid_file(virtd_lxc_var_run_t)
-+type virt_qemu_ga_var_run_t;
++type virt_qemu_ga_var_run_t, virt_file_type;
+files_pid_file(virt_qemu_ga_var_run_t)
-type svirt_lxc_file_t;
-files_mountpoint(svirt_lxc_file_t)
-fs_noxattr_type(svirt_lxc_file_t)
-term_pty(svirt_lxc_file_t)
-+type virt_qemu_ga_log_t;
++type virt_qemu_ga_log_t, virt_file_type;
+logging_log_file(virt_qemu_ga_log_t)
-virt_lxc_domain_template(svirt_lxc_net)
-+type virt_qemu_ga_tmp_t;
++type virt_qemu_ga_tmp_t, virt_file_type;
+files_tmp_file(virt_qemu_ga_tmp_t)
-type virsh_t;
-type virsh_exec_t;
-init_system_domain(virsh_t, virsh_exec_t)
-+type virt_qemu_ga_data_t;
++type virt_qemu_ga_data_t, virt_file_type;
+files_type(virt_qemu_ga_data_t)
+
-+type virt_qemu_ga_unconfined_exec_t;
++type virt_qemu_ga_unconfined_exec_t, virt_file_type;
+application_executable_file(virt_qemu_ga_unconfined_exec_t)
########################################
@@ -92124,8 +92311,8 @@ index 1f22fba..89679f0 100644
- fs_manage_nfs_named_sockets(virt_domain)
- fs_read_nfs_symlinks(virt_domain)
-')
-+type virtd_lxc_t;
-+type virtd_lxc_exec_t;
++type virtd_lxc_t, virt_system_domain;
++type virtd_lxc_exec_t, virt_file_type;
+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
-tunable_policy(`virt_use_samba',`
@@ -92134,7 +92321,7 @@ index 1f22fba..89679f0 100644
- fs_manage_cifs_named_sockets(virt_domain)
- fs_read_cifs_symlinks(virt_domain)
-')
-+type virt_lxc_var_run_t;
++type virt_lxc_var_run_t, virt_file_type;
+files_pid_file(virt_lxc_var_run_t)
+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
@@ -92142,7 +92329,7 @@ index 1f22fba..89679f0 100644
- dev_rw_sysfs(virt_domain)
-')
+# virt lxc container files
-+type svirt_sandbox_file_t alias svirt_lxc_file_t;
++type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type;
+files_mountpoint(svirt_sandbox_file_t)
-tunable_policy(`virt_use_usb',`
@@ -92200,7 +92387,9 @@ index 1f22fba..89679f0 100644
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
-
@@ -92212,9 +92401,7 @@ index 1f22fba..89679f0 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
@@ -92310,7 +92497,7 @@ index 1f22fba..89679f0 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +308,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +311,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -92357,7 +92544,7 @@ index 1f22fba..89679f0 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +343,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +346,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -92372,13 +92559,14 @@ index 1f22fba..89679f0 100644
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
++allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
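Review bot: `allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };` is added with no comment explaining why the daemon relabels files in its own lxc run directory, where the surrounding manage_* rules already let it create and write them. A relabel on the daemon's own type is unusual enough to deserve a why-comment, e.g. `# virtd restores the label on files it copies into the lxc run directory — TODO confirm the trigger`. Since source and target type are the same it does not widen the set of labels virtd can produce, so the rule itself is narrow.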
-@@ -513,6 +355,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +359,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -92386,7 +92574,7 @@ index 1f22fba..89679f0 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +363,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +367,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -92414,13 +92602,14 @@ index 1f22fba..89679f0 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +383,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +387,24 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
+# Init script handling
domain_use_interactive_fds(virtd_t)
domain_read_all_domains_state(virtd_t)
++domain_signull_all_domains(virtd_t)
-files_read_usr_files(virtd_t)
files_read_etc_runtime_files(virtd_t)
@@ -92443,7 +92632,7 @@ index 1f22fba..89679f0 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
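Review bot: `domain_signull_all_domains(virtd_t)` lets the daemon send signull to every domain on the system, which is much broader than the targeted rules this file already uses such as `dnsmasq_signull(virtd_t)`, and the commit message does not say which process virtd was failing to probe. A short why-comment, e.g. `# virtd checks liveness of the helper processes it spawned via signull — TODO confirm which domain triggered this`, would let a later reviewer narrow it back to a specific interface. signull only reveals whether a process exists, so the exposure is limited to enumeration rather than control.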
-@@ -594,15 +430,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +435,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -92463,7 +92652,7 @@ index 1f22fba..89679f0 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +452,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +457,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -92500,7 +92689,7 @@ index 1f22fba..89679f0 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +480,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +485,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -92509,7 +92698,7 @@ index 1f22fba..89679f0 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,20 +505,12 @@ optional_policy(`
+@@ -658,20 +510,12 @@ optional_policy(`
')
optional_policy(`
@@ -92530,7 +92719,7 @@ index 1f22fba..89679f0 100644
')
optional_policy(`
-@@ -684,14 +523,20 @@ optional_policy(`
+@@ -684,14 +528,20 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -92553,7 +92742,7 @@ index 1f22fba..89679f0 100644
iptables_manage_config(virtd_t)
')
-@@ -704,11 +549,13 @@ optional_policy(`
+@@ -704,11 +554,13 @@ optional_policy(`
')
optional_policy(`
@@ -92567,7 +92756,7 @@ index 1f22fba..89679f0 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -719,10 +566,18 @@ optional_policy(`
+@@ -719,10 +571,18 @@ optional_policy(`
')
optional_policy(`
@@ -92586,7 +92775,7 @@ index 1f22fba..89679f0 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +592,262 @@ optional_policy(`
+@@ -737,44 +597,262 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -92614,15 +92803,14 @@ index 1f22fba..89679f0 100644
-allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
--
--manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
--manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
--manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+dontaudit virt_domain virt_content_t:file write_file_perms;
+dontaudit virt_domain virt_content_t:dir write;
-+
+
+-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
@@ -92632,10 +92820,6 @@ index 1f22fba..89679f0 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
-+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -92643,6 +92827,13 @@ index 1f22fba..89679f0 100644
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
++manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
++files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -92674,18 +92865,15 @@ index 1f22fba..89679f0 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-+dontaudit virt_domain virt_tmpfs_type:file { read write };
-
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++dontaudit virt_domain virt_tmpfs_type:file { read write };
-allow virsh_t svirt_lxc_domain:process transition;
-+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
++append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-can_exec(virsh_t, virsh_exec_t)
++append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
++
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -92749,7 +92937,7 @@ index 1f22fba..89679f0 100644
+optional_policy(`
+ ptchown_domtrans(virt_domain)
+')
-+
+
+optional_policy(`
+ pulseaudio_dontaudit_exec(virt_domain)
+')
@@ -92762,7 +92950,7 @@ index 1f22fba..89679f0 100644
+ virt_read_pid_symlinks(virt_domain)
+ virt_domtrans_bridgehelper(virt_domain)
+')
-
++
+optional_policy(`
+ xserver_rw_shm(virt_domain)
+')
@@ -92823,8 +93011,8 @@ index 1f22fba..89679f0 100644
+#
+# xm local policy
+#
-+type virsh_t;
-+type virsh_exec_t;
++type virsh_t, virt_system_domain;
++type virsh_exec_t, virt_file_type;
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
@@ -92872,7 +93060,7 @@ index 1f22fba..89679f0 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +858,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +863,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -92899,7 +93087,7 @@ index 1f22fba..89679f0 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +878,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +883,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -92931,7 +93119,7 @@ index 1f22fba..89679f0 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +911,20 @@ optional_policy(`
+@@ -847,14 +916,20 @@ optional_policy(`
')
optional_policy(`
@@ -92953,7 +93141,7 @@ index 1f22fba..89679f0 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +949,65 @@ optional_policy(`
+@@ -879,49 +954,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -93037,7 +93225,7 @@ index 1f22fba..89679f0 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1019,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1024,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -93057,7 +93245,7 @@ index 1f22fba..89679f0 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1040,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1045,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -93081,7 +93269,7 @@ index 1f22fba..89679f0 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1065,247 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1070,251 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -93097,22 +93285,26 @@ index 1f22fba..89679f0 100644
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
-+')
-miscfiles_read_localization(virtd_lxc_t)
-+optional_policy(`
-+ gnome_read_generic_cache_files(virtd_lxc_t)
++ optional_policy(`
++ hal_dbus_chat(virtd_lxc_t)
++ ')
+')
-seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
+optional_policy(`
-+ setrans_manage_pid_files(virtd_lxc_t)
++ gnome_read_generic_cache_files(virtd_lxc_t)
+')
-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
++ setrans_manage_pid_files(virtd_lxc_t)
++')
++
++optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
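Review bot: The new nested `optional_policy(` hal_dbus_chat(virtd_lxc_t) `)` carries no comment explaining why a libvirt-lxc driver needs to talk to hald, and nothing in the surrounding dbus block hints at it; the only rationale is the changelog line about docker. Since the nesting inside the dbus `optional_policy(` block is what makes the rule conditional on both modules, a one-line comment above the inner block would preserve that reasoning: `# lxc/docker containers reach hald over the system bus (see changelog 3.12.1-74.5)`. The block's enclosing structure is fully inside the hunk, but the inner-diff removals (`-seutil_*`, `-sysnet_domtrans_ifconfig`) are history and not affected by this change.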
@@ -93410,8 +93602,7 @@ index 1f22fba..89679f0 100644
+allow svirt_qemu_net_t self:rawip_socket create_socket_perms;
+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+kernel_read_network_state(svirt_qemu_net_t)
+kernel_read_irq_sysctls(svirt_qemu_net_t)
+
@@ -93429,7 +93620,8 @@ index 1f22fba..89679f0 100644
+corenet_tcp_connect_all_ports(svirt_qemu_net_t)
+
+files_read_kernel_modules(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+fs_noxattr_type(svirt_sandbox_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
@@ -93459,7 +93651,7 @@ index 1f22fba..89679f0 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1318,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1327,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -93474,7 +93666,7 @@ index 1f22fba..89679f0 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1336,8 @@ optional_policy(`
+@@ -1183,9 +1345,8 @@ optional_policy(`
########################################
#
@@ -93485,7 +93677,7 @@ index 1f22fba..89679f0 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1350,121 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1359,124 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -93517,8 +93709,11 @@ index 1f22fba..89679f0 100644
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+
++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
-+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
++logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })
++
++kernel_read_system_state(virt_qemu_ga_t)
+
+corecmd_exec_shell(virt_qemu_ga_t)
+corecmd_exec_bin(virt_qemu_ga_t)
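Review bot: `kernel_read_system_state(virt_qemu_ga_t)` grants read access to the whole of proc_t as defined in kernel.if, while the changelog only motivates reading /proc/meminfo; refpolicy has no finer interface for that single file, so the breadth is unavoidable but should be recorded so the rule is not later mistaken for noise: `# guest memory stats come from /proc/meminfo (proc_t); no narrower kernel.if interface exists`. The widened `logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })` has no filename argument, so any directory or file qemu-ga creates directly under /var/log is labelled virt_qemu_ga_log_t, not just its own log; if the log path is fixed, passing its basename as the fourth argument would scope the transition to that name. The matching `manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)` is consistent with the new `dir` class in the transition.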
@@ -93575,7 +93770,7 @@ index 1f22fba..89679f0 100644
+#
+
+optional_policy(`
-+ type virt_qemu_ga_unconfined_t;
++ type virt_qemu_ga_unconfined_t, virt_domain;
+ domain_type(virt_qemu_ga_unconfined_t)
+
+ domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 901bb7b..963aa3c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.4%{?dist}
+Release: 74.5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,33 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Sep 20 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.5
+- Fix label on pam_krb5 helper apps
+- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
+- Allow init_t to run crash utility
+- Fix label on pam_krb5 helper apps
+- Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t
+- Allow init_t to run crash utility
+- Call neutron interfaces instead of quantum
+- Allow users to communicate with journald using tmpfs files
+- Allow nslcd to send signull to itself
+- Fix virtd_lxc_t to be able to communicate with hal, need backport to rhel6 ASAP, for docker stuff
+- Fix missing types in virt_admin interface
+- Dontaudit attempts by sosreport to read shadow_t
+- Allow cobbler to exec rsync and communicate with sssd, using nsswitch
+- Add new label mpd_home_t
+- Label /srv/www/logs as httpd_log_t
+- Allow irc_t to use tcp sockets
+- Add labels for apache logs under miq package
+- Allow fetchmail to send mails
+- allow neutron to connect to amqp ports
+- Fix to use quantum port
+- Rename quantum to neutron
+- Allow virt_qemu_ga_t to read meminfo
+- Allow kdump_manage_crash to list the kdump_crash_t directory
+- Allow ldconfig to write to kdumpctl fifo files
+- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys
+
* Mon Sep 16 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.4
- fix bad labels in puppet.if
- Allow tcsd to read utmp file
@@ -546,7 +573,7 @@ SELinux Reference policy mls base module.
- Fix puppet_domtrans_master() interface to make passenger working correctly if it wants to read puppet config file
- Allow passenger to execute ifconfig
-* Tue Sep 11 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.3
+* Wed Sep 11 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.3
- Treat usr_t just like bin_t for transitions and executions
- Allow memcache to read sysfs data
- openct needs to be able to create netlink_object_uevent_sockets