[selinux-policy/f20] - Add labeling for /var/lib/servicelog/servicelog.db-journal - Add support for freeipmi port - Add s
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Dec 19 20:15:20 UTC 2013
commit fccc315ba4fcebea64ea3e2dd7df30688db30ba2
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Dec 19 21:15:16 2013 +0100
- Add labeling for /var/lib/servicelog/servicelog.db-journal
- Add support for freeipmi port
- Add sysadm_u_default_contexts
- Make new type to texlive files in homedir
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
- Additional fixes for docker.te
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
- New rules required to run docker images within libvirt
- Add label for ~/.cvsignore
- Change mirrormanager to be run by cron
- Add mirrormanager policy
- Fixed bumblebee_admin() and mip6d_admin()
- Add log support for sensord
- Fix typo in docker.te
- Allow amanda to do backups over UDP
- Allow bumblebee to read /etc/group and clean up bumblebee.te
- type transitions with a filename not allowed inside conditionals
- Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7
- Make new type to texlive files in homedir
policy-f20-base.patch | 11 +-
policy-f20-contrib.patch | 890 ++++++++++++++++++++++++++++++++++++----------
selinux-policy.spec | 21 ++
3 files changed, 721 insertions(+), 201 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index e8b6035..e01726d 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -9333,7 +9333,7 @@ index cf04cb5..7e91ba9 100644
+ ')
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..52d2b7c 100644
+index c2c6e05..2282452 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9534,7 +9534,7 @@ index c2c6e05..52d2b7c 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
-@@ -237,11 +245,24 @@ ifndef(`distro_redhat',`
+@@ -237,11 +245,25 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -9552,7 +9552,8 @@ index c2c6e05..52d2b7c 100644
+/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
-+/var/lib/servicelog/servicelog.db -- gen_context(system_u:object_r:system_db_t,s0)
++/var/lib/servicelog/servicelog\.db -- gen_context(system_u:object_r:system_db_t,s0)
++/var/lib/servicelog/servicelog\.db-journal -- gen_context(system_u:object_r:system_db_t,s0)
+
+/var/lock -d gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
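Review bot: The new `servicelog\.db-journal` entry only covers SQLite's rollback journal; if servicelog ever opens the database in WAL mode, the `servicelog.db-wal` and `servicelog.db-shm` side files fall back to the generic /var/lib label and writes to them will most likely be denied. A single pattern covers all three sidecars and replaces the two separate lines: `/var/lib/servicelog/servicelog\.db(-journal|-wal|-shm)? -- gen_context(system_u:object_r:system_db_t,s0)`. Whether servicelog actually uses WAL is not visible from this page, so confirm against its source before widening the pattern.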
@@ -9560,7 +9561,7 @@ index c2c6e05..52d2b7c 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
-@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +278,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@@ -9575,7 +9576,7 @@ index c2c6e05..52d2b7c 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -270,3 +293,5 @@ ifndef(`distro_redhat',`
+@@ -270,3 +294,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 1f59ff1..9cb2d5a 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -2084,7 +2084,7 @@ index 7f4dfbc..e5c9f45 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
-index ed45974..ec7bb41 100644
+index ed45974..f367ba0 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2122,7 +2122,7 @@ index ed45974..ec7bb41 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
@@ -2134,11 +2134,12 @@ index ed45974..ec7bb41 100644
corenet_tcp_bind_generic_node(amanda_t)
+corenet_tcp_bind_amanda_port(amanda_t)
++corenet_udp_bind_amanda_port(amanda_t)
+
corenet_sendrecv_all_server_packets(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t)
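Review bot: `corenet_udp_bind_amanda_port(amanda_t)` on its own does not let amanda bind a UDP socket: a bind also needs `node_bind` on the node type for `udp_socket`, and the only node rule visible in this hunk is the TCP one, `corenet_tcp_bind_generic_node(amanda_t)`. Unless it is already granted elsewhere in amanda.te (the rest of the domain's rules are outside this hunk), add `corenet_udp_bind_generic_node(amanda_t)` beside the new line, and check that the domain also has `allow amanda_t self:udp_socket create_socket_perms`.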
-@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
@@ -2146,7 +2147,7 @@ index ed45974..ec7bb41 100644
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
-@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -2154,7 +2155,7 @@ index ed45974..ec7bb41 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +200,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@@ -4736,7 +4737,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..bfe87eb 100644
+index 1a82e29..9a065a0 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5808,7 +5809,7 @@ index 1a82e29..bfe87eb 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,66 +821,56 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5843,16 +5844,27 @@ index 1a82e29..bfe87eb 100644
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
-')
-+optional_policy(`
-+ cobbler_list_config(httpd_t)
-+ cobbler_read_config(httpd_t)
-
+-
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-')
+-
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_t)
+-')
++optional_policy(`
++ cobbler_list_config(httpd_t)
++ cobbler_read_config(httpd_t)
+
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_nfs_dirs(httpd_t)
+- fs_manage_nfs_files(httpd_t)
+- fs_manage_nfs_symlinks(httpd_t)
+-')
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
+',`
@@ -5860,27 +5872,22 @@ index 1a82e29..bfe87eb 100644
+ cobbler_search_lib(httpd_t)
+ ')
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_t)
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_t)
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
--tunable_policy(`httpd_use_nfs',`
-- fs_list_auto_mountpoints(httpd_t)
-- fs_manage_nfs_dirs(httpd_t)
-- fs_manage_nfs_files(httpd_t)
-- fs_manage_nfs_symlinks(httpd_t)
-+optional_policy(`
+ optional_policy(`
+- calamaris_read_www_files(httpd_t)
+ tunable_policy(`httpd_use_sasl',`
+ sasl_connect(httpd_t)
+ ')
')
--tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_t)
-+optional_policy(`
+ optional_policy(`
+- ccs_read_config(httpd_t)
+ # Support for ABRT retrace server
+ # mod_wsgi
+ abrt_manage_spool_retrace(httpd_t)
@@ -5889,22 +5896,18 @@ index 1a82e29..bfe87eb 100644
')
optional_policy(`
-@@ -743,14 +873,6 @@ optional_policy(`
- ccs_read_config(httpd_t)
+- clamav_domtrans_clamscan(httpd_t)
++ calamaris_read_www_files(httpd_t)
')
--optional_policy(`
-- clamav_domtrans_clamscan(httpd_t)
--')
--
--optional_policy(`
+ optional_policy(`
- cobbler_read_config(httpd_t)
- cobbler_read_lib_files(httpd_t)
--')
++ ccs_read_config(httpd_t)
+ ')
optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +887,23 @@ optional_policy(`
+@@ -765,6 +886,23 @@ optional_policy(`
')
optional_policy(`
@@ -5928,7 +5931,7 @@ index 1a82e29..bfe87eb 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +920,46 @@ optional_policy(`
+@@ -781,34 +919,51 @@ optional_policy(`
')
optional_policy(`
@@ -5942,6 +5945,11 @@ index 1a82e29..bfe87eb 100644
+')
+
+optional_policy(`
++ mirrormanager_read_lib_files(httpd_t)
++ mirrormanager_read_log(httpd_t)
++')
++
++optional_policy(`
+ jetty_admin(httpd_t)
+')
+
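Review bot: `mirrormanager_read_lib_files(httpd_t)` and `mirrormanager_read_log(httpd_t)` are granted to every httpd_t instance unconditionally, whereas the cobbler access elsewhere in this file is gated by booleans such as `httpd_serve_cobbler_files`; a web server that does not front mirrormanager has no reason to read /var/lib/mirrormanager or /var/log/mirrormanager. Consider wrapping the two calls in a tunable, e.g. `tunable_policy(`httpd_read_mirrormanager',` … `')` with the matching gen_tunable, or at least add a comment stating that the mirrormanager web frontend runs inside httpd_t. Whether a suitable boolean already exists elsewhere in apache.te is not visible from this hunk.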
@@ -5986,7 +5994,7 @@ index 1a82e29..bfe87eb 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +967,18 @@ optional_policy(`
+@@ -816,8 +971,18 @@ optional_policy(`
')
optional_policy(`
@@ -6005,7 +6013,7 @@ index 1a82e29..bfe87eb 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +987,7 @@ optional_policy(`
+@@ -826,6 +991,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6013,7 +6021,7 @@ index 1a82e29..bfe87eb 100644
')
optional_policy(`
-@@ -836,20 +998,39 @@ optional_policy(`
+@@ -836,20 +1002,39 @@ optional_policy(`
')
optional_policy(`
@@ -6059,7 +6067,7 @@ index 1a82e29..bfe87eb 100644
')
optional_policy(`
-@@ -857,19 +1038,35 @@ optional_policy(`
+@@ -857,19 +1042,35 @@ optional_policy(`
')
optional_policy(`
@@ -6095,7 +6103,7 @@ index 1a82e29..bfe87eb 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1074,173 @@ optional_policy(`
+@@ -877,65 +1078,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6168,10 +6176,11 @@ index 1a82e29..bfe87eb 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -6230,11 +6239,10 @@ index 1a82e29..bfe87eb 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -6291,7 +6299,7 @@ index 1a82e29..bfe87eb 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1253,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6446,7 +6454,7 @@ index 1a82e29..bfe87eb 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1333,106 @@ optional_policy(`
+@@ -1077,172 +1337,106 @@ optional_policy(`
')
')
@@ -6468,11 +6476,11 @@ index 1a82e29..bfe87eb 100644
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
--
--append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+allow httpd_sys_script_t self:process getsched;
+-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -6683,7 +6691,7 @@ index 1a82e29..bfe87eb 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1444,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6780,7 +6788,7 @@ index 1a82e29..bfe87eb 100644
########################################
#
-@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1519,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6797,7 +6805,7 @@ index 1a82e29..bfe87eb 100644
')
########################################
-@@ -1324,49 +1531,38 @@ optional_policy(`
+@@ -1324,49 +1535,38 @@ optional_policy(`
# User content local policy
#
@@ -6862,7 +6870,7 @@ index 1a82e29..bfe87eb 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1576,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -9742,10 +9750,10 @@ index 0000000..b5ee23b
+/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
diff --git a/bumblebee.if b/bumblebee.if
new file mode 100644
-index 0000000..23a4f86
+index 0000000..de66654
--- /dev/null
+++ b/bumblebee.if
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,121 @@
+## <summary>policy for bumblebee</summary>
+
+########################################
@@ -9839,11 +9847,6 @@ index 0000000..23a4f86
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
+## <rolecap/>
+#
+interface(`bumblebee_admin',`
@@ -9874,10 +9877,10 @@ index 0000000..23a4f86
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
-index 0000000..8d91220
+index 0000000..8c82398
--- /dev/null
+++ b/bumblebee.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,44 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
@@ -9916,15 +9919,12 @@ index 0000000..8d91220
+
+dev_read_sysfs(bumblebee_t)
+
-+domain_use_interactive_fds(bumblebee_t)
-+
-+files_read_etc_files(bumblebee_t)
++auth_read_passwd(bumblebee_t)
+
+logging_send_syslog_msg(bumblebee_t)
+
+modutils_domtrans_insmod(bumblebee_t)
+
-+miscfiles_read_localization(bumblebee_t)
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c790..aa03fc8 100644
--- a/cachefilesd.fc
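Review bot: Swapping `files_read_etc_files` and `miscfiles_read_localization` for `auth_read_passwd(bumblebee_t)` is only safe if the Fedora base policy grants /etc and locale reads to every domain; that is not visible here, and if it does not, bumblebee_t loses access it previously had. A short why-comment would help the next reader, e.g. `# /etc/group is passwd_file_t on Fedora, hence auth_read_passwd instead of files_read_etc_files`. The domain's declarations and the start of its rules are above this hunk.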
@@ -18422,8 +18422,19 @@ index 9f34c2e..d084359 100644
udev_read_db(ptal_t)
')
+
+diff --git a/cvs.fc b/cvs.fc
+index 75c8be9..9dcffb2 100644
+--- a/cvs.fc
++++ b/cvs.fc
+@@ -1,3 +1,6 @@
++HOME_DIR/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
++/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
++
+ /etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
+
+ /opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
diff --git a/cvs.if b/cvs.if
-index 9fa7ffb..fd3262c 100644
+index 9fa7ffb..089c8d4 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
@@ -18450,8 +18461,38 @@ index 9fa7ffb..fd3262c 100644
########################################
## <summary>
## Read CVS data and metadata content.
-@@ -62,9 +80,14 @@ interface(`cvs_admin',`
- type cvs_data_t, cvs_var_run_t;
+@@ -41,6 +59,24 @@ interface(`cvs_exec',`
+
+ ########################################
+ ## <summary>
++## Transition to cvs named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cvs_filetrans_home_content',`
++ gen_require(`
++ type cvs_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
++')
++
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an cvs environment
+ ## </summary>
+@@ -59,12 +95,18 @@ interface(`cvs_exec',`
+ interface(`cvs_admin',`
+ gen_require(`
+ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+- type cvs_data_t, cvs_var_run_t;
++ type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
++ type cvs_home_t;
')
- allow $1 cvs_t:process { ptrace signal_perms };
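Review bot: `cvs_filetrans_home_content` installs only the name-based transition: `userdom_user_home_dir_filetrans` reduces to `filetrans_pattern`, which grants rw_dir_perms on the home directory plus the type_transition but nothing on cvs_home_t itself, so a caller still needs create permission on cvs_home_t files and there is no cvs_manage_home_content interface in this hunk. Either say so in the summary, e.g. `## Transition to cvs named content; the caller must separately be allowed to create cvs_home_t files.`, or add a companion manage interface. Where the new interface is called is not visible on this page.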
@@ -18466,8 +18507,16 @@ index 9fa7ffb..fd3262c 100644
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
+@@ -78,4 +120,7 @@ interface(`cvs_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, cvs_var_run_t)
++
++ userdom_search_user_home_dirs($1)
++ admin_pattern($1, cvs_home_t)
+ ')
diff --git a/cvs.te b/cvs.te
-index 53fc3af..897ad64 100644
+index 53fc3af..d7cdaaf 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
@@ -18484,7 +18533,31 @@ index 53fc3af..897ad64 100644
application_executable_file(cvs_exec_t)
type cvs_data_t; # customizable
-@@ -58,6 +59,15 @@ kernel_read_network_state(cvs_t)
+@@ -30,16 +31,22 @@ files_tmp_file(cvs_tmp_t)
+ type cvs_var_run_t;
+ files_pid_file(cvs_var_run_t)
+
++type cvs_home_t;
++userdom_user_home_content(cvs_home_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow cvs_t self:capability { setuid setgid };
++allow cvs_t self:capability { dac_override dac_read_search setuid setgid };
+ allow cvs_t self:process signal_perms;
+ allow cvs_t self:fifo_file rw_fifo_file_perms;
+ allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
++userdom_search_user_home_dirs(cvs_t)
++allow cvs_t cvs_home_t:file read_file_perms;
++
+ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+@@ -58,6 +65,15 @@ kernel_read_network_state(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
@@ -18500,7 +18573,7 @@ index 53fc3af..897ad64 100644
dev_read_urand(cvs_t)
files_read_etc_runtime_files(cvs_t)
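Review bot: `allow cvs_t self:capability { dac_override dac_read_search setuid setgid };` makes dac_override unconditional, whereas before this hunk it was granted only inside the `allow_cvs_read_shadow` tunable (still visible further down: `allow cvs_t self:capability dac_override;`). If the motivation is reading users' `~/.cvsignore` regardless of mode bits, `dac_read_search` alone covers read and search; `dac_override` additionally bypasses DAC on writes to every type cvs_t can write, so it should stay behind the tunable. I would change the line to `allow cvs_t self:capability { dac_read_search setuid setgid };`, leave the tunable's dac_override grant as is, and add `# dac_read_search: ~/.cvsignore is commonly mode 0600` above it.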
-@@ -70,18 +80,18 @@ auth_use_nsswitch(cvs_t)
+@@ -70,18 +86,16 @@ auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
@@ -18513,8 +18586,8 @@ index 53fc3af..897ad64 100644
-
mta_send_mail(cvs_t)
- userdom_dontaudit_search_user_home_dirs(cvs_t)
-
+-userdom_dontaudit_search_user_home_dirs(cvs_t)
+-
# cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',`
@@ -18522,7 +18595,7 @@ index 53fc3af..897ad64 100644
allow cvs_t self:capability dac_override;
auth_tunable_read_shadow(cvs_t)
')
-@@ -103,4 +113,5 @@ optional_policy(`
+@@ -103,4 +117,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -22408,10 +22481,10 @@ index 0000000..484dd44
\ No newline at end of file
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..d856375
+index 0000000..543baf1
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,250 @@
+
+## <summary>The open-source application container engine.</summary>
+
@@ -22455,6 +22528,25 @@ index 0000000..d856375
+
+########################################
+## <summary>
++## Execute docker lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`docker_exec_lib',`
++ gen_require(`
++ type docker_var_lib_t;
++ ')
++
++ allow $1 docker_var_lib_t:dir search_dir_perms;
++ can_exec($1, docker_var_lib_t)
++')
++
++########################################
++## <summary>
+## Read docker lib files.
+## </summary>
+## <param name="domain">
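Review bot: The summary `## Execute docker lib directories.` names the wrong object: `can_exec($1, docker_var_lib_t)` grants execute without a domain transition on files under /var/lib/docker, so it should read `## Execute files in docker lib directories in the caller's own domain.` — that wording also warns the reader that whatever is stored under /var/lib/docker then runs with the caller's privileges. The interface grants search on docker_var_lib_t but not on /var/lib itself; the lib interfaces added for mirrormanager in this same commit pair that with `files_search_var_lib($1)`, so add it here unless every intended caller already has it.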
@@ -22512,6 +22604,41 @@ index 0000000..d856375
+
+########################################
+## <summary>
++## Create objects in a docker var lib directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`docker_lib_filetrans',`
++ gen_require(`
++ type docker_var_lib_t;
++ ')
++
++ filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
+## Read docker PID files.
+## </summary>
+## <param name="domain">
@@ -22610,7 +22737,7 @@ index 0000000..d856375
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..85e2ddb
+index 0000000..f156949
--- /dev/null
+++ b/docker.te
@@ -0,0 +1,145 @@
@@ -22711,10 +22838,10 @@ index 0000000..85e2ddb
+
+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
+allow docker_t self:process { setpgid setsched signal_perms };
-+allow docker_t self:netlink_route_socket nlmsg_write;
-+allow docker_t self:netlink_audit_socket create_netlink_perms;
++allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
++allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
+allow docker_t self:unix_dgram_socket create_socket_perms;
-+allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }
++allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow docker_t docker_var_lib_t:dir mounton;
+allow docker_t docker_var_lib_t:chr_file mounton;
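Review bot: The rewritten line `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;` carries a doubled semicolon; as far as I can tell the policy grammar has no empty statement, so checkmodule should reject the module on that line — the same hunk that fixes the missing `;` on the unix_stream_socket rule below it. Change it to `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;`. Note also that rw_netlink_socket_perms widens the old `nlmsg_write` grant to the full create/read/write set, presumably for docker's network setup, which deserves a one-line comment.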
@@ -40011,10 +40138,10 @@ index 0000000..767bbad
+/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0)
diff --git a/mip6d.if b/mip6d.if
new file mode 100644
-index 0000000..9e2bf1b
+index 0000000..8169129
--- /dev/null
+++ b/mip6d.if
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,79 @@
+
+## <summary>Mobile IPv6 and NEMO Basic Support implementation</summary>
+
@@ -40053,7 +40180,7 @@ index 0000000..9e2bf1b
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 mip6d_unit_file_t:file read_file_perms;
+ allow $1 mip6d_unit_file_t:service manage_service_perms;
+
@@ -40071,22 +40198,21 @@ index 0000000..9e2bf1b
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
+## <rolecap/>
+#
+interface(`mip6d_admin',`
+ gen_require(`
+ type mip6d_t;
-+ type mip6d_unit_file_t;
++ type mip6d_unit_file_t;
+ ')
+
-+ allow $1 mip6d_t:process { ptrace signal_perms };
++ allow $1 mip6d_t:process { signal_perms };
+ ps_process_pattern($1, mip6d_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mip6d_t:process ptrace;
++ ')
++
+ mip6d_systemctl($1)
+ admin_pattern($1, mip6d_unit_file_t)
+ allow $1 mip6d_unit_file_t:service all_service_perms;
@@ -40134,6 +40260,300 @@ index 0000000..1d34063
+
+logging_send_syslog_msg(mip6d_t)
+
+diff --git a/mirrormanager.fc b/mirrormanager.fc
+new file mode 100644
+index 0000000..c713b27
+--- /dev/null
++++ b/mirrormanager.fc
+@@ -0,0 +1,7 @@
++/usr/share/mirrormanager/server/mirrormanager -- gen_context(system_u:object_r:mirrormanager_exec_t,s0)
++
++/var/lib/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_lib_t,s0)
++
++/var/log/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_log_t,s0)
++
++/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
+diff --git a/mirrormanager.if b/mirrormanager.if
+new file mode 100644
+index 0000000..7ba3eed
+--- /dev/null
++++ b/mirrormanager.if
+@@ -0,0 +1,222 @@
++
++## <summary>policy for mirrormanager</summary>
++
++########################################
++## <summary>
++## Execute TEMPLATE in the mirrormanager domin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_domtrans',`
++ gen_require(`
++ type mirrormanager_t, mirrormanager_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t)
++')
++########################################
++## <summary>
++## Read mirrormanager's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`mirrormanager_read_log',`
++ gen_require(`
++ type mirrormanager_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++')
++
++########################################
++## <summary>
++## Append to mirrormanager log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_append_log',`
++ gen_require(`
++ type mirrormanager_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++')
++
++########################################
++## <summary>
++## Manage mirrormanager log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_manage_log',`
++ gen_require(`
++ type mirrormanager_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++ manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++ manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++')
++
++########################################
++## <summary>
++## Search mirrormanager lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_search_lib',`
++ gen_require(`
++ type mirrormanager_var_lib_t;
++ ')
++
++ allow $1 mirrormanager_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read mirrormanager lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_read_lib_files',`
++ gen_require(`
++ type mirrormanager_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage mirrormanager lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_manage_lib_files',`
++ gen_require(`
++ type mirrormanager_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage mirrormanager lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_manage_lib_dirs',`
++ gen_require(`
++ type mirrormanager_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++')
++
++########################################
++## <summary>
++## Read mirrormanager PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_read_pid_files',`
++ gen_require(`
++ type mirrormanager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an mirrormanager environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`mirrormanager_admin',`
++ gen_require(`
++ type mirrormanager_t;
++ type mirrormanager_log_t;
++ type mirrormanager_var_lib_t;
++ type mirrormanager_var_run_t;
++ ')
++
++ allow $1 mirrormanager_t:process { signal_perms };
++ ps_process_pattern($1, mirrormanager_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mirrormanager_t:process ptrace;
++ ')
++
++ logging_search_logs($1)
++ admin_pattern($1, mirrormanager_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, mirrormanager_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, mirrormanager_var_run_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/mirrormanager.te b/mirrormanager.te
+new file mode 100644
+index 0000000..a19c096
+--- /dev/null
++++ b/mirrormanager.te
+@@ -0,0 +1,47 @@
++policy_module(mirrormanager, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mirrormanager_t;
++type mirrormanager_exec_t;
++cron_system_entry(mirrormanager_t, mirrormanager_exec_t)
++
++type mirrormanager_log_t;
++logging_log_file(mirrormanager_log_t)
++
++type mirrormanager_var_lib_t;
++files_type(mirrormanager_var_lib_t)
++
++type mirrormanager_var_run_t;
++files_pid_file(mirrormanager_var_run_t)
++
++########################################
++#
++# mirrormanager local policy
++#
++allow mirrormanager_t self:fifo_file rw_fifo_file_perms;
++allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
++manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
++logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir file lnk_file })
++
++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
++manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
++files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir file lnk_file })
++
++domain_use_interactive_fds(mirrormanager_t)
++
++files_read_etc_files(mirrormanager_t)
++
++miscfiles_read_localization(mirrormanager_t)
diff --git a/mock.fc b/mock.fc
new file mode 100644
index 0000000..8d0e473
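Review bot: `mirrormanager_admin` documents a `role` parameter (`## <param name="role">`) but its body never references `$2`, which is the same documentation mismatch this commit removes from bumblebee_admin and mip6d_admin, so drop the role block here too or actually use `$2`. `mirrormanager_domtrans` still carries the template summary `Execute TEMPLATE in the mirrormanager domin.`; it should read `Execute mirrormanager in the mirrormanager domain.`. `mirrormanager_read_log` is tagged `<rolecap/>` although it is a plain read interface, unlike its append/manage siblings. In mirrormanager.te, `domain_use_interactive_fds`, `files_read_etc_files` and `miscfiles_read_localization` are exactly the calls this commit strips from bumblebee.te as clean-up, so they are presumably redundant here as well if the base policy grants them to every domain — worth confirming before merging the module.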
@@ -84258,20 +84678,24 @@ index 5f35d78..50651d2 100644
+ uucp_domtrans_uux(sendmail_t)
')
diff --git a/sensord.fc b/sensord.fc
-index 8185d5a..719ac47 100644
+index 8185d5a..97926d2 100644
--- a/sensord.fc
+++ b/sensord.fc
-@@ -1,3 +1,5 @@
+@@ -1,5 +1,9 @@
+/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0)
+
/etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
+
++/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0)
++
+ /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
diff --git a/sensord.if b/sensord.if
-index d204752..5eba5fd 100644
+index d204752..31cc6e6 100644
--- a/sensord.if
+++ b/sensord.if
-@@ -1,35 +1,75 @@
+@@ -1,35 +1,80 @@
-## <summary>Sensor information logging daemon.</summary>
+
+## <summary>Sensor information logging daemon</summary>
@@ -84339,7 +84763,9 @@ index d204752..5eba5fd 100644
gen_require(`
- type sensord_t, sensord_initrc_exec_t, sensord_var_run_t;
+ type sensord_t;
-+ type sensord_unit_file_t;
++ type sensord_unit_file_t;
++ type sensord_log_t;
++ type sensord_var_run_t;
')
allow $1 sensord_t:process { ptrace signal_perms };
@@ -84354,17 +84780,19 @@ index d204752..5eba5fd 100644
+ allow $1 sensord_unit_file_t:service all_service_perms;
- files_search_pids($1)
-- admin_pattern($1, sensord_var_run_t)
++ admin_pattern($1, sensord_log_t)
+ admin_pattern($1, sensord_var_run_t)
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/sensord.te b/sensord.te
-index 5e82fd6..fa352d8 100644
+index 5e82fd6..f3e5808 100644
--- a/sensord.te
+++ b/sensord.te
-@@ -9,6 +9,9 @@ type sensord_t;
+@@ -9,12 +9,18 @@ type sensord_t;
type sensord_exec_t;
init_daemon_domain(sensord_t, sensord_exec_t)
@@ -84374,7 +84802,24 @@ index 5e82fd6..fa352d8 100644
type sensord_initrc_exec_t;
init_script_file(sensord_initrc_exec_t)
-@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file)
+ type sensord_var_run_t;
+ files_pid_file(sensord_var_run_t)
+
++type sensord_log_t;
++logging_log_file(sensord_log_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t)
+ allow sensord_t self:fifo_file rw_fifo_file_perms;
+ allow sensord_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t)
++logging_log_filetrans(sensord_t, sensord_log_t, file)
++
+ manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
+ files_pid_filetrans(sensord_t, sensord_var_run_t, file)
dev_read_sysfs(sensord_t)
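Review bot: The new `logging_log_filetrans(sensord_t, sensord_log_t, file)` labels every file sensord_t creates directly under /var/log as sensord_log_t, while the sensord.fc change in this commit only names `/var/log/sensord\.rrd`; a name-qualified transition keeps the two in step and avoids mislabelling unrelated files the daemon might drop there: `logging_log_filetrans(sensord_t, sensord_log_t, file, "sensord.rrd")`. The preceding `manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t)` grants create, unlink and rename on top of read/write; that is the expected set if the rrd file is rewritten in place, but a short comment such as `# sensord rewrites its rrd database, so full manage rather than append` would record why the log type gets more than the usual append access. The "Local policy" block continues beyond the hunk.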
@@ -86570,7 +87015,7 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index 703efa3..bdd8566 100644
+index 703efa3..2c05493 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -86732,13 +87177,17 @@ index 703efa3..bdd8566 100644
')
optional_policy(`
-@@ -135,9 +193,21 @@ optional_policy(`
+@@ -135,9 +193,25 @@ optional_policy(`
')
optional_policy(`
- rpm_exec(sosreport_t)
- rpm_dontaudit_manage_db(sosreport_t)
- rpm_read_db(sosreport_t)
++ rhsmcertd_manage_lib_files(sosreport_t)
++')
++
++optional_policy(`
+ rpm_dontaudit_manage_db(sosreport_t)
+ rpm_manage_cache(sosreport_t)
+ rpm_manage_log(sosreport_t)
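Review bot: `rhsmcertd_manage_lib_files(sosreport_t)` attaches write, create and delete access on rhsmcertd's lib files to the whole sosreport_t domain, so every process that ends up under that label gains it, not only the subscription-manager run the changelog mentions. If only subscription-manager needs it, a dedicated domain for that tool, or a read-only interface for sosreport_t, would be the tighter shape; at minimum a comment above the new optional_policy block, e.g. `# subscription-manager runs as sosreport_t and updates rhsmcertd state`, would tell the next maintainer why a diagnostics domain manages another daemon's state. The surrounding optional_policy blocks are fully visible in the hunk.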
@@ -96532,10 +96981,10 @@ index 9dec06c..43128c6 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..15485c6 100644
+index 1f22fba..156d389 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,147 +1,173 @@
+@@ -1,147 +1,194 @@
-policy_module(virt, 1.6.10)
+policy_module(virt, 1.5.0)
@@ -96675,9 +97124,6 @@ index 1f22fba..15485c6 100644
-attribute virt_tmpfs_type;
-
-attribute svirt_lxc_domain;
--
--attribute_role virt_domain_roles;
--roleattribute system_r virt_domain_roles;
+## <desc>
+## <p>
+## Allow confined virtual guests to use usb devices
@@ -96685,22 +97131,44 @@ index 1f22fba..15485c6 100644
+## </desc>
+gen_tunable(virt_use_usb, true)
+-attribute_role virt_domain_roles;
+-roleattribute system_r virt_domain_roles;
++## <desc>
++## <p>
++## Allow sandbox containers to send audit messages
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_audit, false)
+
-attribute_role virt_bridgehelper_roles;
-roleattribute system_r virt_bridgehelper_roles;
-+virt_domain_template(svirt)
-+role system_r types svirt_t;
-+typealias svirt_t alias qemu_t;
++## <desc>
++## <p>
++## Allow sandbox containers to use netlink system calls
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_netlink, false)
-attribute_role svirt_lxc_domain_roles;
-roleattribute system_r svirt_lxc_domain_roles;
-+virt_domain_template(svirt_tcg)
-+role system_r types svirt_tcg_t;
++## <desc>
++## <p>
++## Allow sandbox containers to use sys_admin system calls, for example mount
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_sys_admin, false)
--virt_domain_template(svirt)
+ virt_domain_template(svirt)
-virt_domain_template(svirt_prot_exec)
-+type qemu_exec_t, virt_file_type;
++role system_r types svirt_t;
++typealias svirt_t alias qemu_t;
++
++virt_domain_template(svirt_tcg)
++role system_r types svirt_tcg_t;
-type virt_cache_t alias svirt_cache_t;
++type qemu_exec_t, virt_file_type;
++
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
@@ -96782,7 +97250,7 @@ index 1f22fba..15485c6 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -150,295 +176,142 @@ ifdef(`enable_mls',`
+@@ -150,295 +197,142 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -97164,7 +97632,7 @@ index 1f22fba..15485c6 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +321,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +342,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -97211,7 +97679,7 @@ index 1f22fba..15485c6 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +356,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +377,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -97221,19 +97689,19 @@ index 1f22fba..15485c6 100644
-
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-can_exec(virtd_t, virt_tmp_t)
+-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +369,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +390,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -97241,7 +97709,7 @@ index 1f22fba..15485c6 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +377,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +398,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -97269,7 +97737,7 @@ index 1f22fba..15485c6 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +397,27 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +418,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -97302,7 +97770,7 @@ index 1f22fba..15485c6 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +448,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +469,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -97322,7 +97790,7 @@ index 1f22fba..15485c6 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +470,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +491,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -97359,7 +97827,7 @@ index 1f22fba..15485c6 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +498,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +519,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -97368,7 +97836,7 @@ index 1f22fba..15485c6 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,20 +523,12 @@ optional_policy(`
+@@ -658,20 +544,12 @@ optional_policy(`
')
optional_policy(`
@@ -97389,7 +97857,7 @@ index 1f22fba..15485c6 100644
')
optional_policy(`
-@@ -684,14 +541,20 @@ optional_policy(`
+@@ -684,14 +562,20 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -97412,7 +97880,7 @@ index 1f22fba..15485c6 100644
iptables_manage_config(virtd_t)
')
-@@ -704,11 +567,13 @@ optional_policy(`
+@@ -704,11 +588,13 @@ optional_policy(`
')
optional_policy(`
@@ -97426,7 +97894,7 @@ index 1f22fba..15485c6 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -719,10 +584,18 @@ optional_policy(`
+@@ -719,10 +605,18 @@ optional_policy(`
')
optional_policy(`
@@ -97445,7 +97913,7 @@ index 1f22fba..15485c6 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +610,264 @@ optional_policy(`
+@@ -737,44 +631,264 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -97473,28 +97941,22 @@ index 1f22fba..15485c6 100644
-allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
--
++list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
++read_files_pattern(virt_domain, virt_content_t, virt_content_t)
++dontaudit virt_domain virt_content_t:file write_file_perms;
++dontaudit virt_domain virt_content_t:dir write;
+
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
--
++kernel_read_net_sysctls(virt_domain)
+
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
-+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
-+dontaudit virt_domain virt_content_t:file write_file_perms;
-+dontaudit virt_domain virt_content_t:dir write;
-
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-+kernel_read_net_sysctls(virt_domain)
-
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
@@ -97504,13 +97966,14 @@ index 1f22fba..15485c6 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-
--allow virsh_t svirt_lxc_domain:process transition;
++
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
--can_exec(virsh_t, virsh_exec_t)
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -97541,11 +98004,14 @@ index 1f22fba..15485c6 100644
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-+
+
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+dontaudit virt_domain virt_tmpfs_type:file { read write };
-+
+
+-allow virsh_t svirt_lxc_domain:process transition;
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-+
+
+-can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
@@ -97559,7 +98025,7 @@ index 1f22fba..15485c6 100644
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_rw_inherited_tun_tap_dev(virt_domain)
-
++
+dev_list_sysfs(virt_domain)
+dev_getattr_fs(virt_domain)
+dev_dontaudit_getattr_all(virt_domain)
@@ -97696,7 +98162,7 @@ index 1f22fba..15485c6 100644
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
-+
+
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
+
+can_exec(virsh_t, virsh_exec_t)
@@ -97734,7 +98200,7 @@ index 1f22fba..15485c6 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +878,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +899,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -97761,7 +98227,7 @@ index 1f22fba..15485c6 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,23 +898,23 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,23 +919,23 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -97794,7 +98260,7 @@ index 1f22fba..15485c6 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -847,14 +933,20 @@ optional_policy(`
+@@ -847,14 +954,20 @@ optional_policy(`
')
optional_policy(`
@@ -97816,7 +98282,7 @@ index 1f22fba..15485c6 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +971,65 @@ optional_policy(`
+@@ -879,49 +992,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -97856,7 +98322,7 @@ index 1f22fba..15485c6 100644
manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
-+allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill };
++allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms };
+
allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
-manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
@@ -97900,7 +98366,7 @@ index 1f22fba..15485c6 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1041,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1062,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -97920,7 +98386,7 @@ index 1f22fba..15485c6 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1062,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1083,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -97944,7 +98410,7 @@ index 1f22fba..15485c6 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1087,246 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1108,271 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -97971,11 +98437,15 @@ index 1f22fba..15485c6 100644
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
+optional_policy(`
-+ gnome_read_generic_cache_files(virtd_lxc_t)
++ docker_exec_lib(virtd_lxc_t)
+')
-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
++ gnome_read_generic_cache_files(virtd_lxc_t)
++')
++
++optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
+
@@ -98160,17 +98630,22 @@ index 1f22fba..15485c6 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++ docker_read_lib_files(svirt_sandbox_domain)
++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ ssh_use_ptys(svirt_sandbox_domain)
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
+
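Review bot: `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` is missing the space after the first comma that every other interface call in this file uses; `docker_lib_filetrans(svirt_sandbox_domain, svirt_sandbox_file_t, sock_file)`. The `docker_read_lib_files(svirt_sandbox_domain)` on the line above gives every domain carrying the svirt_sandbox_domain attribute read access to docker's lib content, which presumably includes other containers' layers unless they are separated by MCS; if the sandbox only needs the socket that the filetrans creates, an interface scoped to that directory would limit cross-container exposure. A comment naming which docker paths a sandbox actually opens would make the scope of this rule reviewable.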
@@ -98187,7 +98662,7 @@ index 1f22fba..15485c6 100644
+typeattribute svirt_lxc_net_t sandbox_net_domain;
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap };
dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-allow svirt_lxc_net_t self:process setrlimit;
-allow svirt_lxc_net_t self:tcp_socket { accept listen };
@@ -98195,15 +98670,18 @@ index 1f22fba..15485c6 100644
-allow svirt_lxc_net_t self:packet_socket create_socket_perms;
-allow svirt_lxc_net_t self:socket create_socket_perms;
-allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-+allow svirt_lxc_net_t self:process { execstack execmem };
- allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
- allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-
+-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+-
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
--
++allow svirt_lxc_net_t self:process { execstack execmem };
++
++tunable_policy(`virt_sandbox_use_sys_admin',`
++ allow svirt_lxc_net_t self:capability sys_admin;
++')
+
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
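Review bot: The rewritten `allow svirt_lxc_net_t self:capability { ... }` line still grants `sys_boot`, `sys_ptrace` and `dac_override` unconditionally after `sys_admin` is moved behind `virt_sandbox_use_sys_admin`; `sys_boot` in particular appears to have no use for a sandbox container and could be dropped or gated alongside `sys_admin`. The new tunable block is in the expected shape. A comment above it, such as `# sys_admin (mount etc.) is off by default for sandboxes; enable via virt_sandbox_use_sys_admin`, would record the intent in the policy itself rather than only in the changelog.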
@@ -98214,13 +98692,20 @@ index 1f22fba..15485c6 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
++tunable_policy(`virt_sandbox_use_netlink',`
++ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
++ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++ allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++', `
++ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
++')
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
--
++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_lxc_net_t)
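Review bot: The else branch of the new `virt_sandbox_use_netlink` tunable calls `logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)`, so the audit-message denials are silenced based on the netlink tunable rather than on `virt_sandbox_use_audit`, which is the tunable that gates `logging_send_audit_msgs(svirt_lxc_net_t)` in the next hunk. With netlink enabled and audit disabled the denials become visible again, and with netlink disabled but audit enabled the dontaudit is dead because the allow wins. Unless the coupling is intentional, moving `logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)` into an else branch of the `virt_sandbox_use_audit` block would match the stated intent; the same pairing would then apply to the svirt_qemu_net_t and svirt_kvm_net_t blocks later in this file.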
@@ -98238,22 +98723,25 @@ index 1f22fba..15485c6 100644
fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
+fs_manage_cgroup_files(svirt_lxc_net_t)
-+
+
+-auth_use_nsswitch(svirt_lxc_net_t)
+term_pty(svirt_sandbox_file_t)
- auth_use_nsswitch(svirt_lxc_net_t)
+-logging_send_audit_msgs(svirt_lxc_net_t)
++auth_use_nsswitch(svirt_lxc_net_t)
+-userdom_use_user_ptys(svirt_lxc_net_t)
+rpm_read_db(svirt_lxc_net_t)
-+
- logging_send_audit_msgs(svirt_lxc_net_t)
-
- userdom_use_user_ptys(svirt_lxc_net_t)
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
--')
--
++tunable_policy(`virt_sandbox_use_audit',`
++ logging_send_audit_msgs(svirt_lxc_net_t)
+ ')
+
-#######################################
++userdom_use_user_ptys(svirt_lxc_net_t)
++
+########################################
#
-# Prot exec local policy
@@ -98265,9 +98753,12 @@ index 1f22fba..15485c6 100644
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
+allow svirt_qemu_net_t self:process { execstack execmem };
-+allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
-+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++tunable_policy(`virt_sandbox_use_netlink',`
++ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
+
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
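Review bot: `allow svirt_qemu_net_t self:capability { ... sys_admin ... }` at the top of this hunk still grants `sys_admin` unconditionally, while the same commit moves it behind `virt_sandbox_use_sys_admin` for svirt_lxc_net_t; the svirt_kvm_net_t capability line in the later hunk of this file has the same shape. If the changelog entry "Remove ability to do mount/sys_admin by default in virt_sandbox domains" is meant to cover all sandbox net domains, both lines should drop `sys_admin` and gain a matching tunable block. Otherwise a comment stating why the qemu and kvm sandboxes keep it, e.g. `# sys_admin retained: qemu sandboxes need it for <reason>`, would stop the next reader from treating it as an oversight.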
@@ -98287,10 +98778,10 @@ index 1f22fba..15485c6 100644
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
-+
-+kernel_read_irq_sysctls(svirt_qemu_net_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
++kernel_read_irq_sysctls(svirt_qemu_net_t)
++
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
@@ -98309,7 +98800,9 @@ index 1f22fba..15485c6 100644
+
+rpm_read_db(svirt_qemu_net_t)
+
-+logging_send_audit_msgs(svirt_qemu_net_t)
++tunable_policy(`virt_sandbox_use_audit',`
++ logging_send_audit_msgs(svirt_qemu_net_t)
++')
+
+userdom_use_user_ptys(svirt_qemu_net_t)
@@ -98327,7 +98820,7 @@ index 1f22fba..15485c6 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1339,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1385,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -98342,7 +98835,7 @@ index 1f22fba..15485c6 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1357,8 @@ optional_policy(`
+@@ -1183,9 +1403,8 @@ optional_policy(`
########################################
#
@@ -98353,7 +98846,7 @@ index 1f22fba..15485c6 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1371,193 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1417,198 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -98490,9 +98983,12 @@ index 1f22fba..15485c6 100644
+
+allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_kvm_net_t self:capability2 block_suspend;
-+allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
-+allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++tunable_policy(`virt_sandbox_use_netlink',`
++ allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
++ allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++ allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
+
+term_use_generic_ptys(svirt_kvm_net_t)
+term_use_ptmx(svirt_kvm_net_t)
@@ -98527,7 +99023,9 @@ index 1f22fba..15485c6 100644
+
+rpm_read_db(svirt_kvm_net_t)
+
-+logging_send_audit_msgs(svirt_kvm_net_t)
++tunable_policy(`virt_sandbox_use_audit',`
++ logging_send_audit_msgs(svirt_kvm_net_t)
++')
+
+userdom_use_user_ptys(svirt_kvm_net_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 054a5ee..0bda977 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -576,6 +576,27 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Dec 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-111
+- Add labeling for /var/lib/servicelog/servicelog.db-journal
+- Add support for freeipmi port
+- Add sysadm_u_default_contexts
+- Make new type to texlive files in homedir
+- Allow subscription-manager running as sosreport_t to manage rhsmcertd
+- Additional fixes for docker.te
+- Remove ability to do mount/sys_admin by default in virt_sandbox domains
+- New rules required to run docker images within libivrt
+- Add label for ~/.cvsignore
+- Change mirrormanager to be run by cron
+- Add mirrormanager policy
+- Fixed bumblebee_admin() and mip6d_admin()
+- Add log support for sensord
+- Fix typo in docker.te
+- Allow amanda to do backups over UDP
+- Allow bumblebee to read /etc/group and clean up bumblebee.te
+- type transitions with a filename not allowed inside conditionals
+- Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7
+- Make new type to texlive files in homedir
+
* Thu Dec 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-110
- Allow freeipmi_ipmidetectd_t to use freeipmi port
- Update freeipmi_domain_template()