[selinux-policy] - Add gluster fixes - Remove ability to transition to unconfined_t from confined domains - Additiona

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jan 9 14:11:18 UTC 2014


commit 9b85087129d0153e982438e651c8577e1f0622d0
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Jan 9 15:11:05 2014 +0100

    - Add gluster fixes
    - Remove ability to transition to unconfined_t from confined domains
    - Additional allow rules to get libvirt-lxc containers working with docker

 policy-rawhide-base.patch    |  105 ++++---
 policy-rawhide-contrib.patch |  713 +++++++++++++++++++++++++++---------------
 selinux-policy.spec          |    7 +-
 3 files changed, 524 insertions(+), 301 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index fa3531e..d8abe18 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5400,7 +5400,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..4dec289 100644
+index b191055..fd1a0d0 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5598,7 +5598,7 @@ index b191055..4dec289 100644
  network_port(matahari, tcp,49000,s0, udp,49000,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
 -network_port(milter) # no defined portcon
-+network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon
++network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 +network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
  network_port(monopd, tcp,1234,s0)
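Review bot: The trailing `# no defined portcon` comment on the rewritten milter line is now stale, because the line itself defines portcons for tcp 8890, 8891 and 8893; drop it or replace it with a comment saying why these three ports are grouped under one label. The spacing `tcp, 8890,s0` also differs from the neighbouring entries (`tcp,11211,s0`), so `network_port(milter, tcp,8890,s0, tcp,8891,s0, tcp,8893,s0)` would match the file's style. Adding 8890 to the milter label also extends every domain that already holds the milter port interfaces to that port, which the commit message does not mention and is worth a line there.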
@@ -12850,7 +12850,7 @@ index f962f76..35cd90c 100644
 +	allow $1 etc_t:service status;
  ')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1a03abd..92d1a8f 100644
+index 1a03abd..0335af9 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
 @@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
@@ -13030,9 +13030,12 @@ index 1a03abd..92d1a8f 100644
  
  ########################################
  #
-@@ -226,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -224,12 +261,13 @@ fs_associate_tmpfs(tmpfsfile)
+ #
+ 
  # Create/access any file in a labeled filesystem;
- allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+-allow files_unconfined_type file_type:{ file chr_file } ~execmod;
++allow files_unconfined_type file_type:{ file chr_file } ~{ execmod entrypoint };
  allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
 +allow files_unconfined_type file_type:service *;
  
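Review bot: The new exclusion `~{ execmod entrypoint }` on the files_unconfined_type rule carries no comment recording why entrypoint is withheld, even though this is the rule that implements the commit's "remove ability to transition to unconfined_t" change; a reader of files.te alone cannot tell the omission is deliberate. I would add above the rule `# entrypoint is deliberately excluded: unconfined domains must not be enterable through arbitrary file_type files`. Any unconfined domain that still needs to be entered through a specific executable type now needs an explicit entrypoint grant, which is worth stating in the commit message as well.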
@@ -17998,7 +18001,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..de53b7b 100644
+index 2522ca6..9da6c17 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,85 @@ policy_module(sysadm, 2.6.1)
@@ -18409,7 +18412,7 @@ index 2522ca6..de53b7b 100644
  ')
  
  optional_policy(`
-@@ -356,19 +478,15 @@ optional_policy(`
+@@ -356,19 +478,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18422,16 +18425,15 @@ index 2522ca6..de53b7b 100644
  
  optional_policy(`
 -	uml_role(sysadm_r, sysadm_t)
-+	unconfined_domtrans(sysadm_t)
- ')
- 
- optional_policy(`
+-')
+-
+-optional_policy(`
 -	unconfined_domtrans(sysadm_t)
 +	udev_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
-@@ -380,10 +498,6 @@ optional_policy(`
+@@ -380,10 +494,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18442,7 +18444,7 @@ index 2522ca6..de53b7b 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +505,9 @@ optional_policy(`
+@@ -391,6 +501,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -18452,7 +18454,7 @@ index 2522ca6..de53b7b 100644
  ')
  
  optional_policy(`
-@@ -398,31 +515,34 @@ optional_policy(`
+@@ -398,31 +511,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18493,7 +18495,7 @@ index 2522ca6..de53b7b 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -435,10 +555,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +551,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -18504,7 +18506,7 @@ index 2522ca6..de53b7b 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -459,15 +575,75 @@ ifndef(`distro_redhat',`
+@@ -459,15 +571,75 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19263,7 +19265,7 @@ index 0000000..cf6582f
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..539c163
+index 0000000..993b768
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,328 @@
@@ -19306,7 +19308,7 @@ index 0000000..539c163
 +userdom_unpriv_type(unconfined_t)
 +
 +type unconfined_exec_t;
-+init_system_domain(unconfined_t, unconfined_exec_t)
++application_domain(unconfined_t, unconfined_exec_t)
 +role unconfined_r types unconfined_t;
 +role_transition system_r unconfined_exec_t unconfined_r;
 +allow system_r unconfined_r;
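Review bot: Replacing `init_system_domain(unconfined_t, unconfined_exec_t)` with `application_domain(unconfined_t, unconfined_exec_t)` changes more than the domain's classification: as far as I recall the refpolicy interface, init_system_domain additionally declares `role system_r types` for the domain and lets init_t transition into it through the entry file, and application_domain does neither. The `role_transition system_r unconfined_exec_t unconfined_r;` kept two lines below only matters if some other rule still lets init enter unconfined_t via unconfined_exec_t; that rule is not in this hunk, so please confirm it exists or that the role_transition is now dead. A one-line comment above the call stating which transition path into unconfined_t is intended to remain would help the next reader. The unconfineduser.te body continues outside this hunk.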
@@ -21883,7 +21885,7 @@ index 8274418..830bb6f 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..5a7e2a4 100644
+index 6bf0ecc..115c533 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,37 @@
@@ -22618,10 +22620,30 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1230,84 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
++##	Manage X keyboard extension libraries.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_manage_xkb_libs',`
++	gen_require(`
++		type xkb_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 xkb_var_lib_t:dir list_dir_perms;
++	manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
++')
++
++########################################
++## <summary>
 +##	dontaudit access checks X keyboard extension libraries.
 +## </summary>
 +## <param name="domain">
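Review bot: The new `xserver_manage_xkb_libs` interface grants the caller write access to `xkb_var_lib_t` files, and this same patch shows xserver_t executing that type (`can_exec(xserver_t, xkb_var_lib_t)` in the xserver.te section), so a caller can place content that the X server will later execute; the interface's `<summary>` should say so. I would extend it to `##	Manage X keyboard extension libraries. Callers can modify files that xserver_t executes, so grant only to domains that legitimately compile keymaps.` The only caller in this commit is bumblebee_t, via `xserver_manage_xkb_libs(bumblebee_t)` in bumblebee.te. Separately, the `allow $1 xkb_var_lib_t:dir list_dir_perms;` line appears to be subsumed by the directory permissions `manage_files_pattern` already grants, if I recall that macro correctly, and could be dropped.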
@@ -22683,7 +22705,7 @@ index 6bf0ecc..5a7e2a4 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1321,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -22692,7 +22714,7 @@ index 6bf0ecc..5a7e2a4 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1383,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -22735,7 +22757,7 @@ index 6bf0ecc..5a7e2a4 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1433,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -22744,7 +22766,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1451,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -22756,7 +22778,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1552,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
  
  ########################################
  ## <summary>
@@ -22782,7 +22804,7 @@ index 6bf0ecc..5a7e2a4 100644
  ##	Connect to the X server over a unix domain
  ##	stream socket.
  ## </summary>
-@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1587,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -22809,7 +22831,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1632,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -22818,7 +22840,7 @@ index 6bf0ecc..5a7e2a4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1261,13 +1622,27 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1642,27 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -22847,7 +22869,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1284,10 +1659,624 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1679,624 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -23475,7 +23497,7 @@ index 6bf0ecc..5a7e2a4 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..4a84226 100644
+index 8b40377..326b206 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -24615,7 +24637,7 @@ index 8b40377..4a84226 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,16 +1264,44 @@ optional_policy(`
+@@ -785,17 +1264,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24657,11 +24679,12 @@ index 8b40377..4a84226 100644
  
  optional_policy(`
 -	unconfined_domain_noaudit(xserver_t)
+-	unconfined_domtrans(xserver_t)
 +	unconfined_domain(xserver_t)
- 	unconfined_domtrans(xserver_t)
  ')
  
-@@ -803,6 +1310,10 @@ optional_policy(`
+ optional_policy(`
+@@ -803,6 +1309,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24672,7 +24695,7 @@ index 8b40377..4a84226 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -24686,7 +24709,7 @@ index 8b40377..4a84226 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -24695,7 +24718,7 @@ index 8b40377..4a84226 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1353,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1352,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -24730,7 +24753,7 @@ index 8b40377..4a84226 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24739,7 +24762,7 @@ index 8b40377..4a84226 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -24771,7 +24794,7 @@ index 8b40377..4a84226 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -31944,7 +31967,7 @@ index 4e94884..ae63d78 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..b4f9029 100644
+index 59b04c1..7b0ef85 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -31965,7 +31988,7 @@ index 59b04c1..b4f9029 100644
 +## Allow syslogd the ability to read/write terminals
 +## </p>
 +## </desc>
-+gen_tunable(logging_syslogd_use_tty, false)
++gen_tunable(logging_syslogd_use_tty, true)
  
  attribute logfile;
  
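Review bot: The default of `logging_syslogd_use_tty` flips from false to true in this hunk, which widens the shipped policy (syslogd gains terminal read/write without an administrator toggling the boolean), yet neither the `<desc>` block above nor the commit message mentions the change. Please add the rationale to the commit message and consider stating the default in the description, e.g. `## Allow syslogd the ability to read/write terminals (enabled by default).` If only specific setups need it, keeping the default false and documenting `setsebool logging_syslogd_use_tty on` for them would be the smaller change.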
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 6e8596f..b2be497 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4756,7 +4756,7 @@ index f6eb485..51b128e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..e3e190e 100644
+index 6649962..dd376b5 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
@@ -5415,7 +5415,7 @@ index 6649962..e3e190e 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,6 +499,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,14 +499,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -5424,8 +5424,10 @@ index 6649962..e3e190e 100644
  allow httpd_t httpd_rotatelogs_t:process signal_perms;
  
  manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -420,6 +509,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
  
++allow httpd_t httpd_suexec_exec_t:process { signal signull };
  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
  
 +allow httpd_t httpd_sys_content_t:dir list_dir_perms;
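Review bot: The added `allow httpd_t httpd_suexec_exec_t:process { signal signull };` targets `httpd_suexec_exec_t`, which the very next context line treats as a file type (`:file read_file_perms`), so a `:process` rule against it never matches a running suexec process and grants nothing useful; the intended target is almost certainly the domain, `allow httpd_t httpd_suexec_t:process { signal signull };`. If the rule was written from a denial, the AVC's target context should confirm which type was meant. The enclosing apache.te block continues outside this hunk.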
@@ -5435,7 +5437,7 @@ index 6649962..e3e190e 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +543,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +544,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5668,7 +5670,7 @@ index 6649962..e3e190e 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +714,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +715,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5728,7 +5730,7 @@ index 6649962..e3e190e 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +766,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +767,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5819,7 +5821,7 @@ index 6649962..e3e190e 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -695,66 +813,56 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,66 +814,56 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5917,7 +5919,7 @@ index 6649962..e3e190e 100644
  ')
  
  optional_policy(`
-@@ -770,6 +878,23 @@ optional_policy(`
+@@ -770,6 +879,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5941,7 +5943,7 @@ index 6649962..e3e190e 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -786,35 +911,53 @@ optional_policy(`
+@@ -786,35 +912,53 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6008,7 +6010,7 @@ index 6649962..e3e190e 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +965,18 @@ optional_policy(`
+@@ -822,8 +966,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6027,7 +6029,7 @@ index 6649962..e3e190e 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -832,6 +985,7 @@ optional_policy(`
+@@ -832,6 +986,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6035,7 +6037,7 @@ index 6649962..e3e190e 100644
  ')
  
  optional_policy(`
-@@ -842,20 +996,39 @@ optional_policy(`
+@@ -842,20 +997,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6081,7 +6083,7 @@ index 6649962..e3e190e 100644
  ')
  
  optional_policy(`
-@@ -863,19 +1036,35 @@ optional_policy(`
+@@ -863,19 +1037,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6117,7 +6119,7 @@ index 6649962..e3e190e 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -883,65 +1072,173 @@ optional_policy(`
+@@ -883,65 +1073,173 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6313,7 +6315,7 @@ index 6649962..e3e190e 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1247,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1248,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6468,7 +6470,7 @@ index 6649962..e3e190e 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1331,106 @@ optional_policy(`
+@@ -1083,172 +1332,106 @@ optional_policy(`
  	')
  ')
  
@@ -6705,7 +6707,7 @@ index 6649962..e3e190e 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1439,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6802,7 +6804,7 @@ index 6649962..e3e190e 100644
  
  ########################################
  #
-@@ -1321,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1514,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6819,7 +6821,7 @@ index 6649962..e3e190e 100644
  ')
  
  ########################################
-@@ -1330,49 +1529,38 @@ optional_policy(`
+@@ -1330,49 +1530,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6884,7 +6886,7 @@ index 6649962..e3e190e 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1570,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1571,100 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -7006,10 +7008,12 @@ index 6649962..e3e190e 100644
 +    corenet_tcp_connect_osapi_compute_port(httpd_t)
  ')
 diff --git a/apcupsd.fc b/apcupsd.fc
-index 5ec0e13..274704f 100644
+index 5ec0e13..97c204f 100644
 --- a/apcupsd.fc
 +++ b/apcupsd.fc
-@@ -1,18 +1,21 @@
+@@ -1,18 +1,23 @@
++/etc/apcupsd/powerfail	--	gen_context(system_u:object_r:apcupsd_power_t,s0)
++
  /etc/rc\.d/init\.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
  
 +/usr/lib/systemd/system/apcupsd.*  -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
@@ -7037,7 +7041,7 @@ index 5ec0e13..274704f 100644
 +/var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
 +/var/www/cgi-bin/apcgui(/.*)?	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
 diff --git a/apcupsd.if b/apcupsd.if
-index f3c0aba..9c06313 100644
+index f3c0aba..2b3352b 100644
 --- a/apcupsd.if
 +++ b/apcupsd.if
 @@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
@@ -7113,11 +7117,12 @@ index f3c0aba..9c06313 100644
  ##	All of the rules required to
  ##	administrate an apcupsd environment.
  ## </summary>
-@@ -144,11 +187,16 @@ interface(`apcupsd_admin',`
+@@ -144,11 +187,17 @@ interface(`apcupsd_admin',`
  	gen_require(`
  		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
  		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
 +		type apcupsd_unit_file_t;
++		type apcupsd_power_t;
  	')
  
 -	allow $1 apcupsd_t:process { ptrace signal_perms };
@@ -7131,7 +7136,7 @@ index f3c0aba..9c06313 100644
  	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 apcupsd_initrc_exec_t system_r;
-@@ -165,4 +213,8 @@ interface(`apcupsd_admin',`
+@@ -165,4 +214,11 @@ interface(`apcupsd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, apcupsd_var_run_t)
@@ -7139,33 +7144,42 @@ index f3c0aba..9c06313 100644
 +	apcupsd_systemctl($1)
 +	admin_pattern($1, apcupsd_unit_file_t)
 +	allow $1 apcupsd_unit_file_t:service all_service_perms;
++
++	manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
++	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
  ')
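Review bot: Inside `apcupsd_admin`, the added `files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")` names `apcupsd_t` as the subject instead of the interface's `$1`, so it grants nothing to the admin domain and merely duplicates the rule this same commit adds to apcupsd.te. It should read `files_etc_filetrans($1, apcupsd_power_t, file, "powerfail")`, or, following the pattern of the surrounding lines, `admin_pattern($1, apcupsd_power_t)` in place of the `manage_files_pattern` call. The rest of the interface is outside this hunk.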
 diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4d..4b86e25 100644
+index 080bc4d..c85265d 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
-@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
+@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
  type apcupsd_var_run_t;
  files_pid_file(apcupsd_var_run_t)
  
++type apcupsd_power_t;
++files_type(apcupsd_power_t)
++
 +type apcupsd_unit_file_t;
 +systemd_unit_file(apcupsd_unit_file_t)
 +
  ########################################
  #
  # Local policy
-@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
  allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
  files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
  
 -append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
 -create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
 -setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
++manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
++files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
++
 +manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
  logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
  
  manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
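Review bot: The new `files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")` keys the transition on files named `powerfail` created in any `etc_t` directory, while the matching apcupsd.fc entry in this commit labels only `/etc/apcupsd/powerfail`; the two agree only if `/etc/apcupsd` itself carries `etc_t`, which this patch does not show. If that directory has a different label, the file is created with the directory's type and the .fc entry only takes effect on a relabel, so please confirm the directory's label. A one-line comment above the rule naming the file it creates, e.g. `# /etc/apcupsd/powerfail`, would also tie the rule to the .fc entry.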
-@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t)
+@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t)
  corecmd_exec_bin(apcupsd_t)
  corecmd_exec_shell(apcupsd_t)
  
@@ -7173,7 +7187,7 @@ index 080bc4d..4b86e25 100644
  corenet_all_recvfrom_netlabel(apcupsd_t)
  corenet_tcp_sendrecv_generic_if(apcupsd_t)
  corenet_tcp_sendrecv_generic_node(apcupsd_t)
-@@ -67,6 +67,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
+@@ -67,6 +73,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
  corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
  corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
  corenet_tcp_connect_apcupsd_port(apcupsd_t)
@@ -7182,7 +7196,7 @@ index 080bc4d..4b86e25 100644
  
  corenet_udp_bind_snmp_port(apcupsd_t)
  corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +76,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +82,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
  
  dev_rw_generic_usb_dev(apcupsd_t)
  
@@ -7210,7 +7224,7 @@ index 080bc4d..4b86e25 100644
  
  optional_policy(`
  	hostname_exec(apcupsd_t)
-@@ -101,6 +107,11 @@ optional_policy(`
+@@ -101,6 +113,11 @@ optional_policy(`
  	shutdown_domtrans(apcupsd_t)
  ')
  
@@ -7222,7 +7236,7 @@ index 080bc4d..4b86e25 100644
  ########################################
  #
  # CGI local policy
-@@ -108,20 +119,20 @@ optional_policy(`
+@@ -108,20 +125,20 @@ optional_policy(`
  
  optional_policy(`
  	apache_content_template(apcupsd_cgi)
@@ -9999,10 +10013,10 @@ index 0000000..de66654
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..8c82398
+index 0000000..b3aa772
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,54 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@@ -10039,6 +10053,8 @@ index 0000000..8c82398
 +kernel_read_system_state(bumblebee_t)
 +kernel_dontaudit_access_check_proc(bumblebee_t)
 +
++corecmd_exec_shell(bumblebee_t)
++
 +dev_read_sysfs(bumblebee_t)
 +
 +auth_read_passwd(bumblebee_t)
@@ -10047,6 +10063,14 @@ index 0000000..8c82398
 +
 +modutils_domtrans_insmod(bumblebee_t)
 +
++sysnet_dns_name_resolve(bumblebee_t)
++
++xserver_domtrans(bumblebee_t)
++xserver_manage_xkb_libs(bumblebee_t)
++
++optional_policy(`
++    apm_stream_connect(bumblebee_t)
++')
 diff --git a/cachefilesd.fc b/cachefilesd.fc
 index 648c790..aa03fc8 100644
 --- a/cachefilesd.fc
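Review bot: The new `optional_policy` block in bumblebee.te indents `apm_stream_connect(bumblebee_t)` with four spaces, whereas policy blocks elsewhere in this patch use a tab (compare the `allow $1 etc_t:service status;` context earlier in the base patch and the apcupsd.if hunks); `+	apm_stream_connect(bumblebee_t)` with a tab keeps the file consistent. The `xserver_domtrans` and `xserver_manage_xkb_libs` calls are added unconditionally, which appears fine only because xserver.te sits in the base patch here; if that ever changes they would need an `optional_policy` wrapper as well.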
@@ -10612,7 +10636,7 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..7124d87 100644
+index 550b287..8dd67f1 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10649,7 +10673,7 @@ index 550b287..7124d87 100644
  
  corenet_all_recvfrom_unlabeled(certmonger_t)
  corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,16 +55,23 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
  
  corenet_sendrecv_certmaster_client_packets(certmonger_t)
  corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -10657,6 +10681,8 @@ index 550b287..7124d87 100644
 +corenet_tcp_connect_http_port(certmonger_t)
 +corenet_tcp_connect_http_cache_port(certmonger_t)
 +
++corenet_tcp_connect_ldap_port(certmonger_t)
++
 +corenet_tcp_connect_pki_ca_port(certmonger_t)
  corenet_tcp_sendrecv_certmaster_port(certmonger_t)
  
@@ -10672,7 +10698,7 @@ index 550b287..7124d87 100644
  files_list_tmp(certmonger_t)
  
  fs_search_cgroup_dirs(certmonger_t)
-@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t)
+@@ -70,16 +83,17 @@ init_getattr_all_script_files(certmonger_t)
  
  logging_send_syslog_msg(certmonger_t)
  
@@ -10693,7 +10719,7 @@ index 550b287..7124d87 100644
  ')
  
  optional_policy(`
-@@ -92,11 +104,47 @@ optional_policy(`
+@@ -92,11 +106,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17916,7 +17942,7 @@ index 3023be7..20e370b 100644
 +	corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
  ')
 diff --git a/cups.te b/cups.te
-index c91813c..f31fa44 100644
+index c91813c..ac57f95 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.16.2)
@@ -18179,12 +18205,13 @@ index c91813c..f31fa44 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -244,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,21 +278,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
 -libs_read_lib_files(cupsd_t)
  libs_exec_lib_files(cupsd_t)
++libs_exec_ldconfig(cupsd_t)
  
  logging_send_audit_msgs(cupsd_t)
  logging_send_syslog_msg(cupsd_t)
@@ -18205,7 +18232,7 @@ index c91813c..f31fa44 100644
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
  optional_policy(`
-@@ -272,6 +305,8 @@ optional_policy(`
+@@ -272,6 +306,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -18214,7 +18241,7 @@ index c91813c..f31fa44 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -282,8 +317,10 @@ optional_policy(`
+@@ -282,8 +318,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -18225,7 +18252,7 @@ index c91813c..f31fa44 100644
  	')
  ')
  
-@@ -296,8 +333,8 @@ optional_policy(`
+@@ -296,8 +334,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18235,7 +18262,7 @@ index c91813c..f31fa44 100644
  ')
  
  optional_policy(`
-@@ -306,7 +343,6 @@ optional_policy(`
+@@ -306,7 +344,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -18243,7 +18270,7 @@ index c91813c..f31fa44 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -334,7 +370,11 @@ optional_policy(`
+@@ -334,7 +371,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18256,7 +18283,7 @@ index c91813c..f31fa44 100644
  ')
  
  ########################################
-@@ -342,12 +382,11 @@ optional_policy(`
+@@ -342,12 +383,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -18272,7 +18299,7 @@ index c91813c..f31fa44 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -372,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -372,18 +412,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -18293,7 +18320,7 @@ index c91813c..f31fa44 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +430,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -18314,7 +18341,7 @@ index c91813c..f31fa44 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +447,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -18326,7 +18353,7 @@ index c91813c..f31fa44 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +473,12 @@ optional_policy(`
+@@ -449,9 +474,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18340,7 +18367,7 @@ index c91813c..f31fa44 100644
  ')
  
  optional_policy(`
-@@ -487,10 +514,6 @@ optional_policy(`
+@@ -487,10 +515,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -18351,7 +18378,7 @@ index c91813c..f31fa44 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +531,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +532,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -18369,7 +18396,7 @@ index c91813c..f31fa44 100644
  corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
  
  corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +560,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +561,6 @@ auth_use_nsswitch(cupsd_lpd_t)
  
  logging_send_syslog_msg(cupsd_lpd_t)
  
@@ -18379,7 +18406,7 @@ index c91813c..f31fa44 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -550,7 +570,6 @@ optional_policy(`
+@@ -550,7 +571,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -18387,7 +18414,7 @@ index c91813c..f31fa44 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +585,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +586,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -18539,7 +18566,7 @@ index c91813c..f31fa44 100644
  
  ########################################
  #
-@@ -735,7 +629,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +630,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -18547,7 +18574,7 @@ index c91813c..f31fa44 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +638,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +639,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -18561,7 +18588,7 @@ index c91813c..f31fa44 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -759,8 +650,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +651,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -18570,7 +18597,7 @@ index c91813c..f31fa44 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +662,4 @@ optional_policy(`
+@@ -773,3 +663,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -21081,12 +21108,13 @@ index 77a5003..2728ee6 100644
 +')
 +
 diff --git a/dhcp.fc b/dhcp.fc
-index 8182c48..74d8d39 100644
+index 8182c48..31364a5 100644
 --- a/dhcp.fc
 +++ b/dhcp.fc
-@@ -1,4 +1,5 @@
+@@ -1,4 +1,6 @@
  /etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 +/usr/lib/systemd/system/dhcpcd.*	--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
++/usr/lib/systemd/system/dhcpd.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
  
  /usr/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
  
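Review bot: The new `/usr/lib/systemd/system/dhcpd.*` file-context line separates the path from `--` with a tab followed by four spaces, while the `dhcpcd.*` line directly above uses a single tab; the mixed whitespace should be collapsed to one tab so the two entries align like the rest of dhcp.fc. The label itself (`dhcpd_unit_file_t`) matches the neighbouring entry and looks correct.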
@@ -22973,10 +23001,10 @@ index 0000000..543baf1
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..f156949
+index 0000000..5c6eaab
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,157 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -23008,7 +23036,7 @@ index 0000000..f156949
 +# docker local policy
 +#
 +allow docker_t self:capability { chown fowner fsetid mknod net_admin };
-+allow docker_t self:process signal_perms;
++allow docker_t self:process { getattr signal_perms };
 +allow docker_t self:fifo_file rw_fifo_file_perms;
 +allow docker_t self:unix_stream_socket create_stream_socket_perms;
 +allow docker_t self:capability2 block_suspend;
@@ -23046,13 +23074,19 @@ index 0000000..f156949
 +corecmd_exec_shell(docker_t)
 +
 +corenet_tcp_bind_generic_node(docker_t)
++corenet_tcp_connect_http_port(docker_t)
 +
 +files_read_etc_files(docker_t)
 +
 +fs_read_cgroup_files(docker_t)
 +
++storage_raw_rw_fixed_disk(docker_t)
++
 +auth_use_nsswitch(docker_t)
 +
++logging_send_audit_msgs(docker_t)
++logging_send_syslog_msg(docker_t)
++
 +miscfiles_read_localization(docker_t)
 +
 +mount_domtrans(docker_t)
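Review bot: `storage_raw_rw_fixed_disk(docker_t)` grants read/write on raw fixed-disk device nodes, which amounts to host-wide block-device access for the daemon, and it is added without a comment saying which docker operation needs it; given the neighbouring lvm-control rules it is presumably the devicemapper storage backend, so a line such as `# devicemapper graph driver writes to its backing block devices` would let later reviewers judge whether a narrower interface suffices. `logging_send_audit_msgs(docker_t)` is likewise a privileged audit-write grant; both would read better grouped with the `sys_admin`/`dac_override` rules in the privileged docker_t section later in the file rather than among the unprivileged file and network rules here.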
@@ -23073,7 +23107,7 @@ index 0000000..f156949
 +#
 +
 +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
-+allow docker_t self:process { setpgid setsched signal_perms };
++allow docker_t self:process { getcap setcap setpgid setsched signal_perms };
 +allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
 +allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
 +allow docker_t self:unix_dgram_socket create_socket_perms;
@@ -23085,12 +23119,14 @@ index 0000000..f156949
 +
 +kernel_setsched(docker_t)
 +kernel_get_sysvipc_info(docker_t)
++kernel_request_load_module(docker_t)
 +
 +dev_getattr_all_blk_files(docker_t)
 +dev_getattr_sysfs_fs(docker_t)
 +dev_read_urand(docker_t)
 +dev_read_lvm_control(docker_t)
 +dev_read_sysfs(docker_t)
++dev_rw_loop_control(docker_t)
 +dev_rw_lvm_control(docker_t)
 +
 +files_manage_isid_type_dirs(docker_t)
@@ -23106,6 +23142,7 @@ index 0000000..f156949
 +fs_remount_all_fs(docker_t)
 +fs_manage_cgroup_dirs(docker_t)
 +fs_manage_cgroup_files(docker_t)
++fs_relabelfrom_xattr_fs(docker_t)
 +
 +term_use_generic_ptys(docker_t)
 +term_use_ptmx(docker_t)
@@ -23120,8 +23157,11 @@ index 0000000..f156949
 +optional_policy(`
 +	virt_read_config(docker_t)
 +	virt_exec(docker_t)
++	virt_stream_connect(docker_t)
++	virt_stream_connect_sandbox(docker_t)
++	virt_manage_sandbox_files(docker_t)
++	virt_relabel_sandbox_filesystem(docker_t)
 +')
-+
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
 --- a/dovecot.fc
@@ -25646,7 +25686,7 @@ index 280f875..f3a67c9 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/firstboot.te b/firstboot.te
-index 5010f04..928215f 100644
+index 5010f04..3b73741 100644
 --- a/firstboot.te
 +++ b/firstboot.te
 @@ -1,7 +1,7 @@
@@ -25756,7 +25796,7 @@ index 5010f04..928215f 100644
  
  optional_policy(`
  	dbus_system_bus_client(firstboot_t)
-@@ -102,20 +105,18 @@ optional_policy(`
+@@ -102,20 +105,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25768,7 +25808,7 @@ index 5010f04..928215f 100644
  ')
  
  optional_policy(`
- 	unconfined_domtrans(firstboot_t)
+-	unconfined_domtrans(firstboot_t)
 -	unconfined_domain(firstboot_t)
 +	# The big hammer
 +	unconfined_domain_noaudit(firstboot_t)
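Review bot: Removing `unconfined_domtrans(firstboot_t)` does not confine firstboot_t, because the retained `unconfined_domain_noaudit(firstboot_t)` on the next line keeps the domain itself unconfined; the domtrans was simply redundant. Since this series is described as removing transitions to unconfined_t from confined domains, the `# The big hammer` comment could say explicitly that firstboot_t remains unconfined, so the deletion is not mistaken for a hardening. The `optional_policy` block closes outside the hunk.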
@@ -27257,10 +27297,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..4b88195
+index 0000000..3ec9c95
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,200 @@
+@@ -0,0 +1,201 @@
 +policy_module(glusterfs, 1.1.2)
 +
 +## <desc>
@@ -27459,7 +27499,8 @@ index 0000000..4b88195
 +')
 +
 +optional_policy(`
-+	ssh_exec(glusterd_t)
++    ssh_basic_client_template(glusterd, glusterd_t, system_r)
++#	ssh_exec(glusterd_t)
 +')
 diff --git a/glusterfs.fc b/glusterfs.fc
 deleted file mode 100644
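Review bot: The new `ssh_basic_client_template(glusterd, glusterd_t, system_r)` line is indented with four spaces, while every other statement inside an `optional_policy` block in this patch is indented with a tab (compare `udev_read_db(ptal_t)` and `virt_read_config(docker_t)` earlier); the same space indentation recurs in the `sssd_stream_connect(kadmind_t)`, `iodined_domtrans(NetworkManager_t)`, `dnsmasq_domtrans(neutron_t)` and `iptables_domtrans(neutron_t)` additions later in this diff. The commented-out `#\tssh_exec(glusterd_t)` should be deleted rather than left as dead policy, since the template replaces it; if the derived ssh client domain the template presumably creates is the intended replacement, a one-line comment naming why glusterd needs its own ssh domain would help. The `optional_policy` block closes at the `')` inside the hunk.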
@@ -31642,10 +31683,10 @@ index 6517fad..17c3627 100644
 +	allow $1 hypervkvp_unit_file_t:service all_service_perms;
  ')
 diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..ddc67b0 100644
+index 4eb7041..88bd0b2 100644
 --- a/hypervkvp.te
 +++ b/hypervkvp.te
-@@ -5,24 +5,57 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,59 @@ policy_module(hypervkvp, 1.0.0)
  # Declarations
  #
  
@@ -31680,7 +31721,7 @@ index 4eb7041..ddc67b0 100644
  #
 -# Local policy
 +# hyperv domain local policy
- #
++#
 +
 +allow hyperv_domain self:capability net_admin;
 +allow hyperv_domain self:netlink_socket create_socket_perms;
@@ -31693,25 +31734,27 @@ index 4eb7041..ddc67b0 100644
 +########################################
  #
 +# hypervkvp local policy
-+#
-+
-+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
-+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
-+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
+ #
  
 -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
 -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
++
 +logging_send_syslog_msg(hypervkvp_t)
  
 -logging_send_syslog_msg(hypervkvpd_t)
 +sysnet_dns_name_resolve(hypervkvp_t)
- 
--miscfiles_read_localization(hypervkvpd_t)
++
 +########################################
 +#
 +# hypervvssd local policy
 +#
  
+-miscfiles_read_localization(hypervkvpd_t)
++allow hypervvssd_t self:capability sys_admin;
+ 
 -sysnet_dns_name_resolve(hypervkvpd_t)
 +logging_send_syslog_msg(hypervvssd_t)
 diff --git a/i18n_input.te b/i18n_input.te
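Review bot: `allow hypervvssd_t self:capability sys_admin;` grants the broadest capability to the VSS daemon with no comment on why; if it is needed for the filesystem freeze/thaw ioctls a volume-snapshot daemon issues (those require CAP_SYS_ADMIN), say so, e.g. `# FIFREEZE/FITHAW ioctls used to quiesce filesystems for snapshots need CAP_SYS_ADMIN`. The remainder of the hunk only reorders the hypervkvp rules after the `#` header and is fine. The hypervvssd section continues past the end of the hunk.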
@@ -31872,7 +31915,7 @@ index fbb54e7..05c3777 100644
  
  ########################################
 diff --git a/inetd.te b/inetd.te
-index c6450df..ea5acd7 100644
+index c6450df..a2a7a78 100644
 --- a/inetd.te
 +++ b/inetd.te
 @@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
@@ -31916,7 +31959,7 @@ index c6450df..ea5acd7 100644
  mls_fd_share_all_levels(inetd_t)
  mls_socket_read_to_clearance(inetd_t)
  mls_socket_write_to_clearance(inetd_t)
-@@ -188,7 +192,7 @@ optional_policy(`
+@@ -188,17 +192,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31925,7 +31968,17 @@ index c6450df..ea5acd7 100644
  ')
  
  optional_policy(`
-@@ -220,6 +224,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
+ 	udev_read_db(inetd_t)
+ ')
+ 
+-optional_policy(`
+-	unconfined_domtrans(inetd_t)
+-')
+-
+ ########################################
+ #
+ # Child local policy
+@@ -220,6 +220,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
  kernel_read_network_state(inetd_child_t)
  kernel_read_system_state(inetd_child_t)
  
@@ -31940,7 +31993,7 @@ index c6450df..ea5acd7 100644
  dev_read_urand(inetd_child_t)
  
  fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +242,11 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +238,11 @@ auth_use_nsswitch(inetd_child_t)
  
  logging_send_syslog_msg(inetd_child_t)
  
@@ -32083,13 +32136,32 @@ index ca07a87..6ea129c 100644
 +
  /usr/sbin/iodined	--	gen_context(system_u:object_r:iodined_exec_t,s0)
 diff --git a/iodine.if b/iodine.if
-index a0bfbd0..47f7c75 100644
+index a0bfbd0..a3b02e6 100644
 --- a/iodine.if
 +++ b/iodine.if
-@@ -2,6 +2,30 @@
+@@ -2,6 +2,49 @@
  
  ########################################
  ## <summary>
++##	Execute NetworkManager with a domain transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`iodined_domtrans',`
++	gen_require(`
++		type iodined_t, iodined_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, iodined_exec_t, iodined_t)
++')
++
++########################################
++## <summary>
 +##  Execute iodined server in the iodined domain.
 +## </summary>
 +## <param name="domain">
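Review bot: The summary of the new `iodined_domtrans` interface reads `Execute NetworkManager with a domain transition.`, which is a copy-paste leftover from the caller; it should describe this interface, e.g. `##\tExecute iodined in the iodined domain.`. The body (`corecmd_search_bin($1)` plus `domtrans_pattern($1, iodined_exec_t, iodined_t)`) matches the usual domtrans shape, so only the documentation needs fixing. The existing interface that follows, whose summary is `Execute iodined server in the iodined domain.`, has its name outside the hunk; if it also performs a domain transition, the two summaries should be distinguished.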
@@ -32118,7 +32190,7 @@ index a0bfbd0..47f7c75 100644
  ##	administrate an iodined environment
  ## </summary>
 diff --git a/iodine.te b/iodine.te
-index d443fee..475b7f4 100644
+index d443fee..6cbbf7d 100644
 --- a/iodine.te
 +++ b/iodine.te
 @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
@@ -32131,11 +32203,12 @@ index d443fee..475b7f4 100644
  ########################################
  #
  # Local policy
-@@ -43,7 +46,6 @@ corenet_udp_sendrecv_dns_port(iodined_t)
+@@ -43,7 +46,7 @@ corenet_udp_sendrecv_dns_port(iodined_t)
  
  corecmd_exec_shell(iodined_t)
  
 -files_read_etc_files(iodined_t)
++auth_use_nsswitch(iodined_t)
  
  logging_send_syslog_msg(iodined_t)
  
@@ -35235,7 +35308,7 @@ index f6c00d8..c0946cf 100644
 +	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
  ')
 diff --git a/kerberos.te b/kerberos.te
-index 8833d59..2242f4d 100644
+index 8833d59..3ca9e12 100644
 --- a/kerberos.te
 +++ b/kerberos.te
 @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@@ -35390,7 +35463,7 @@ index 8833d59..2242f4d 100644
  sysnet_use_ldap(kadmind_t)
  
  userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-@@ -154,6 +173,10 @@ optional_policy(`
+@@ -154,11 +173,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35401,7 +35474,13 @@ index 8833d59..2242f4d 100644
  	nis_use_ypbind(kadmind_t)
  ')
  
-@@ -174,24 +197,27 @@ optional_policy(`
+ optional_policy(`
+ 	sssd_read_public_files(kadmind_t)
++    sssd_stream_connect(kadmind_t)
+ ')
+ 
+ optional_policy(`
+@@ -174,24 +198,27 @@ optional_policy(`
  # Krb5kdc local policy
  #
  
@@ -35433,7 +35512,7 @@ index 8833d59..2242f4d 100644
  logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
  
  allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+@@ -203,54 +230,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
  manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
  files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
  
@@ -35499,7 +35578,7 @@ index 8833d59..2242f4d 100644
  sysnet_use_ldap(krb5kdc_t)
  
  userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +286,11 @@ optional_policy(`
+@@ -261,11 +287,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35513,7 +35592,7 @@ index 8833d59..2242f4d 100644
  ')
  
  optional_policy(`
-@@ -273,6 +298,10 @@ optional_policy(`
+@@ -273,6 +299,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35524,7 +35603,7 @@ index 8833d59..2242f4d 100644
  	udev_read_db(krb5kdc_t)
  ')
  
-@@ -281,10 +310,12 @@ optional_policy(`
+@@ -281,10 +311,12 @@ optional_policy(`
  # kpropd local policy
  #
  
@@ -35540,7 +35619,7 @@ index 8833d59..2242f4d 100644
  
  allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
  
-@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,26 +335,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
  
  corecmd_exec_bin(kpropd_t)
  
@@ -36322,7 +36401,7 @@ index 5297064..6ba8108 100644
  	domain_system_change_exemption($1)
  	role_transition $2 kudzu_initrc_exec_t system_r;
 diff --git a/kudzu.te b/kudzu.te
-index 1664036..214a4fb 100644
+index 1664036..d10ed5a 100644
 --- a/kudzu.te
 +++ b/kudzu.te
 @@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
@@ -36346,7 +36425,7 @@ index 1664036..214a4fb 100644
  userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
  userdom_search_user_home_dirs(kudzu_t)
  
-@@ -122,10 +120,6 @@ optional_policy(`
+@@ -122,17 +120,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36357,6 +36436,13 @@ index 1664036..214a4fb 100644
  	seutil_sigchld_newrole(kudzu_t)
  ')
  
+ optional_policy(`
+ 	udev_read_db(kudzu_t)
+ ')
+-
+-optional_policy(`
+-	unconfined_domtrans(kudzu_t)
+-')
 diff --git a/l2tp.fc b/l2tp.fc
 index d5d1572..82267a7 100644
 --- a/l2tp.fc
@@ -41205,10 +41291,10 @@ index 0000000..6568bfe
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..7245033
+index 0000000..92c3b35
 --- /dev/null
 +++ b/mock.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,275 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -41479,6 +41565,8 @@ index 0000000..7245033
 +
 +libs_exec_ldconfig(mock_build_t)
 +
++userdom_use_inherited_user_ptys(mock_build_t)
++
 +tunable_policy(`mock_enable_homedirs',`
 +	userdom_read_user_home_content_files(mock_build_t)
 +')
@@ -42924,7 +43012,7 @@ index 6194b80..b8952a1 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..058f834 100644
+index 11ac8e4..ea784b3 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@@ -43766,7 +43854,7 @@ index 11ac8e4..058f834 100644
  ')
  
  optional_policy(`
-@@ -568,108 +578,130 @@ optional_policy(`
+@@ -568,108 +578,131 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43947,6 +44035,7 @@ index 11ac8e4..058f834 100644
 -	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
 +tunable_policy(`mozilla_plugin_use_spice',`
 +	dev_rw_generic_usb_dev(mozilla_plugin_t)
++	dev_setattr_generic_usb_dev(mozilla_plugin_t)
 +	corenet_tcp_bind_vnc_port(mozilla_plugin_t)
  ')
  
@@ -45471,7 +45560,7 @@ index ed81cac..26c97cd 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index ff1d68c..2305a28 100644
+index ff1d68c..d5c4ceb 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -45684,14 +45773,20 @@ index ff1d68c..2305a28 100644
  	courier_stream_connect_authdaemon(system_mail_t)
  ')
  
-@@ -246,6 +269,7 @@ optional_policy(`
+@@ -244,9 +267,10 @@ optional_policy(`
+ ')
+ 
  optional_policy(`
- 	fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
- 	fail2ban_append_log(system_mail_t)
-+	fail2ban_dontaudit_leaks(system_mail_t)
- 	fail2ban_rw_inherited_tmp_files(system_mail_t)
+-	fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
+-	fail2ban_append_log(system_mail_t)
+-	fail2ban_rw_inherited_tmp_files(system_mail_t)
++	fail2ban_append_log(user_mail_domain)
++	fail2ban_dontaudit_leaks(user_mail_domain)
++	fail2ban_rw_inherited_tmp_files(mta_user_agent)
++	fail2ban_rw_inherited_tmp_files(user_mail_domain)
  ')
  
+ optional_policy(`
 @@ -258,10 +282,15 @@ optional_policy(`
  ')
  
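Review bot: The fail2ban rules are widened from the single `system_mail_t` domain to the `user_mail_domain` attribute (and `mta_user_agent` for the inherited tmp files), so every user mail domain may now append to fail2ban's log and use its leaked descriptors; since `fail2ban_append_log(user_mail_domain)` is a permanent write grant rather than a dontaudit, a comment naming the scenario that needs user mail agents to write fail2ban's log would justify the broadening. `fail2ban_rw_inherited_tmp_files` is granted to both `mta_user_agent` and `user_mail_domain` back-to-back; if the former's members are all also in the latter the first call is redundant — worth confirming against the attribute assignments in mta.te.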
@@ -48960,7 +49055,7 @@ index 86dc29d..5b73942 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..076a73e 100644
+index 55f2009..51ec888 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -49112,7 +49207,7 @@ index 55f2009..076a73e 100644
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
  fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +152,17 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +152,31 @@ mls_file_read_all_levels(NetworkManager_t)
  
  selinux_dontaudit_search_fs(NetworkManager_t)
  
@@ -49130,7 +49225,9 @@ index 55f2009..076a73e 100644
  storage_getattr_fixed_disk_dev(NetworkManager_t)
  
  init_read_utmp(NetworkManager_t)
-@@ -148,10 +171,11 @@ init_domtrans_script(NetworkManager_t)
+ init_dontaudit_write_utmp(NetworkManager_t)
+ init_domtrans_script(NetworkManager_t)
++init_signull_script(NetworkManager_t)
  
  auth_use_nsswitch(NetworkManager_t)
  
@@ -49143,7 +49240,7 @@ index 55f2009..076a73e 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +190,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +191,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -49180,7 +49277,7 @@ index 55f2009..076a73e 100644
  ')
  
  optional_policy(`
-@@ -196,10 +231,6 @@ optional_policy(`
+@@ -196,10 +232,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49191,7 +49288,7 @@ index 55f2009..076a73e 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,16 +241,11 @@ optional_policy(`
+@@ -210,16 +242,11 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -49210,7 +49307,7 @@ index 55f2009..076a73e 100644
  	')
  ')
  
-@@ -231,18 +257,19 @@ optional_policy(`
+@@ -231,18 +258,23 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -49230,10 +49327,14 @@ index 55f2009..076a73e 100644
  optional_policy(`
 -	howl_signal(NetworkManager_t)
 +	gnome_dontaudit_search_config(NetworkManager_t)
++')
++
++optional_policy(`
++    iodined_domtrans(NetworkManager_t)
  ')
  
  optional_policy(`
-@@ -250,6 +277,10 @@ optional_policy(`
+@@ -250,6 +282,10 @@ optional_policy(`
  	ipsec_kill_mgmt(NetworkManager_t)
  	ipsec_signal_mgmt(NetworkManager_t)
  	ipsec_signull_mgmt(NetworkManager_t)
@@ -49244,7 +49345,7 @@ index 55f2009..076a73e 100644
  ')
  
  optional_policy(`
-@@ -257,11 +288,10 @@ optional_policy(`
+@@ -257,11 +293,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49260,7 +49361,7 @@ index 55f2009..076a73e 100644
  ')
  
  optional_policy(`
-@@ -274,10 +304,17 @@ optional_policy(`
+@@ -274,10 +309,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -49278,7 +49379,7 @@ index 55f2009..076a73e 100644
  ')
  
  optional_policy(`
-@@ -289,6 +326,7 @@ optional_policy(`
+@@ -289,6 +331,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49286,7 +49387,7 @@ index 55f2009..076a73e 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +334,7 @@ optional_policy(`
+@@ -296,7 +339,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49295,7 +49396,7 @@ index 55f2009..076a73e 100644
  ')
  
  optional_policy(`
-@@ -307,6 +345,7 @@ optional_policy(`
+@@ -307,6 +350,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -49303,7 +49404,7 @@ index 55f2009..076a73e 100644
  ')
  
  optional_policy(`
-@@ -320,14 +359,20 @@ optional_policy(`
+@@ -320,14 +364,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49329,7 +49430,7 @@ index 55f2009..076a73e 100644
  ')
  
  optional_policy(`
-@@ -357,6 +402,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +407,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -53631,7 +53732,7 @@ index c87bd2a..7de054a 100644
 +	')
  ')
 diff --git a/oddjob.te b/oddjob.te
-index e403097..868981b 100644
+index e403097..6f7b99d 100644
 --- a/oddjob.te
 +++ b/oddjob.te
 @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
@@ -53688,8 +53789,14 @@ index e403097..868981b 100644
  
  locallogin_dontaudit_use_fds(oddjob_t)
  
-@@ -71,13 +71,13 @@ optional_policy(`
+@@ -65,19 +65,15 @@ optional_policy(`
+ 	dbus_connect_system_bus(oddjob_t)
+ ')
  
+-optional_policy(`
+-	unconfined_domtrans(oddjob_t)
+-')
+-
  ########################################
  #
 -# Mkhomedir local policy
@@ -53704,7 +53811,7 @@ index e403097..868981b 100644
  
  kernel_read_system_state(oddjob_mkhomedir_t)
  
-@@ -85,7 +85,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t)
+@@ -85,7 +81,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t)
  
  logging_send_syslog_msg(oddjob_mkhomedir_t)
  
@@ -53712,7 +53819,7 @@ index e403097..868981b 100644
  
  selinux_get_fs_mount(oddjob_mkhomedir_t)
  selinux_validate_context(oddjob_mkhomedir_t)
-@@ -98,8 +97,11 @@ seutil_read_config(oddjob_mkhomedir_t)
+@@ -98,8 +93,11 @@ seutil_read_config(oddjob_mkhomedir_t)
  seutil_read_file_contexts(oddjob_mkhomedir_t)
  seutil_read_default_contexts(oddjob_mkhomedir_t)
  
@@ -57249,12 +57356,15 @@ index 43d50f9..7f77d32 100644
  
  ########################################
 diff --git a/pcscd.te b/pcscd.te
-index 1fb1964..f92c71a 100644
+index 1fb1964..c5ec0c4 100644
 --- a/pcscd.te
 +++ b/pcscd.te
-@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+ #
+ 
  allow pcscd_t self:capability { dac_override dac_read_search fsetid };
- allow pcscd_t self:process signal;
+-allow pcscd_t self:process signal;
++allow pcscd_t self:process { signal signull };
  allow pcscd_t self:fifo_file rw_fifo_file_perms;
 -allow pcscd_t self:unix_stream_socket { accept listen };
 -allow pcscd_t self:tcp_socket { accept listen };
@@ -57298,10 +57408,10 @@ index 1fb1964..f92c71a 100644
 +	virt_rw_svirt_dev(pcscd_t)
 +')
 diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..4694942 100644
+index dfd46e4..fabf59e 100644
 --- a/pegasus.fc
 +++ b/pegasus.fc
-@@ -1,15 +1,29 @@
+@@ -1,15 +1,30 @@
 -/etc/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_conf_t,s0)
 +
 +/etc/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_conf_t,s0)
@@ -57339,6 +57449,7 @@ index dfd46e4..4694942 100644
 +/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt    --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
 +
 +/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt   --  gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt    --  gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
 diff --git a/pegasus.if b/pegasus.if
 index d2fc677..ded726f 100644
 --- a/pegasus.if
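Review bot: The new `cmpiLMI_Hardware-cimprovagt` entry is labelled `pegasus_openlmi_storage_exec_t`, so the hardware provider will run in the storage provider's domain with whatever rights that domain carries; the line looks copied from the `pycmpiLMI_Storage-cimprovagt` entry directly above. If sharing the storage domain is deliberate, add a comment saying so, e.g. `# Hardware provider shares the storage provider domain`; otherwise it wants its own `pegasus_openlmi_hardware_*` types or one of the existing provider types whose rights actually match what the hardware provider needs.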
@@ -57440,7 +57551,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454..938df5d 100644
+index 608f454..b4c36a9 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -57459,7 +57570,7 @@ index 608f454..938df5d 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,288 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,290 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
@@ -57615,6 +57726,8 @@ index 608f454..938df5d 100644
 +dev_rw_sysfs(pegasus_openlmi_system_t)
 +dev_read_urand(pegasus_openlmi_system_t)
 +
++systemd_config_power_services(pegasus_openlmi_system_t)
++
 +optional_policy(`
 +    dbus_system_bus_client(pegasus_openlmi_system_t)
 +')
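Review bot: `systemd_config_power_services(pegasus_openlmi_system_t)` lets the CIM system provider configure the power-management units (the interface name suggests reboot/poweroff/suspend targets), which, since the CIM server is network-facing, is a path to host power state that deserves a one-line comment on which OpenLMI operation requires it, e.g. `# OpenLMI power management: provider starts/stops systemd power targets`. The rule is dropped between the `dev_*` lines and the dbus `optional_policy` block; placing it next to any other `systemd_*`/`init_*` rules for this domain, if the file has them, would match the section ordering used elsewhere in pegasus.te. The pegasus_openlmi_system_t section continues outside the hunk.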
@@ -57753,7 +57866,7 @@ index 608f454..938df5d 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +321,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +323,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -57784,7 +57897,7 @@ index 608f454..938df5d 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +347,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +349,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -57817,7 +57930,7 @@ index 608f454..938df5d 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,9 +375,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +377,11 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -57829,7 +57942,7 @@ index 608f454..938df5d 100644
  
  files_list_var_lib(pegasus_t)
  files_read_var_lib_files(pegasus_t)
-@@ -128,18 +391,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +393,29 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -57865,7 +57978,7 @@ index 608f454..938df5d 100644
  ')
  
  optional_policy(`
-@@ -151,16 +425,24 @@ optional_policy(`
+@@ -151,16 +427,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57894,7 +58007,7 @@ index 608f454..938df5d 100644
  ')
  
  optional_policy(`
-@@ -168,7 +450,7 @@ optional_policy(`
+@@ -168,7 +452,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59653,7 +59766,7 @@ index 30e751f..78fb7c6 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/plymouthd.te b/plymouthd.te
-index 3078ce9..c1a1267 100644
+index 3078ce9..d0cdb5d 100644
 --- a/plymouthd.te
 +++ b/plymouthd.te
 @@ -15,7 +15,7 @@ type plymouthd_exec_t;
@@ -59665,7 +59778,7 @@ index 3078ce9..c1a1267 100644
  
  type plymouthd_var_lib_t;
  files_type(plymouthd_var_lib_t)
-@@ -28,12 +28,12 @@ files_pid_file(plymouthd_var_run_t)
+@@ -28,13 +28,14 @@ files_pid_file(plymouthd_var_run_t)
  
  ########################################
  #
@@ -59678,9 +59791,11 @@ index 3078ce9..c1a1267 100644
  allow plymouthd_t self:capability2 block_suspend;
 +dontaudit plymouthd_t self:capability dac_override;
  allow plymouthd_t self:process { signal getsched };
++allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow plymouthd_t self:fifo_file rw_fifo_file_perms;
  allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -48,9 +48,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ 
+@@ -48,9 +49,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
  files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
  
  manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
@@ -59691,7 +59806,7 @@ index 3078ce9..c1a1267 100644
  logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
  
  manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-@@ -70,19 +68,27 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t)
  
  fs_getattr_all_fs(plymouthd_t)
  
@@ -59723,7 +59838,7 @@ index 3078ce9..c1a1267 100644
  ')
  
  optional_policy(`
-@@ -90,35 +96,33 @@ optional_policy(`
+@@ -90,35 +97,33 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69691,10 +69806,10 @@ index afc0068..3105104 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..b744b5d 100644
+index 8644d8b..9a3a093 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -5,92 +5,105 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,119 @@ policy_module(quantum, 1.1.0)
  # Declarations
  #
  
@@ -69739,55 +69854,49 @@ index 8644d8b..b744b5d 100644
 -allow quantum_t self:key manage_key_perms;
 -allow quantum_t self:tcp_socket { accept listen };
 -allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { setgid setuid sys_resource };
++allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin };
 +allow neutron_t self:process { setsched setrlimit };
 +allow neutron_t self:fifo_file rw_fifo_file_perms;
 +allow neutron_t self:key manage_key_perms;
 +allow neutron_t self:tcp_socket { accept listen };
 +allow neutron_t self:unix_stream_socket { accept listen };
- 
--manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
--append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--logging_log_filetrans(quantum_t, quantum_log_t, dir)
++
 +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +logging_log_filetrans(neutron_t, neutron_log_t, dir)
- 
--manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
--files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++
 +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
  
--manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-logging_log_filetrans(quantum_t, quantum_log_t, dir)
 +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
  
--can_exec(quantum_t, quantum_tmp_t)
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
 +can_exec(neutron_t, neutron_tmp_t)
  
--kernel_read_kernel_sysctls(quantum_t)
--kernel_read_system_state(quantum_t)
+-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
 +kernel_read_kernel_sysctls(neutron_t)
 +kernel_read_system_state(neutron_t)
++kernel_read_network_state(neutron_t)
++kernel_request_load_module(neutron_t)
  
--corecmd_exec_shell(quantum_t)
--corecmd_exec_bin(quantum_t)
+-can_exec(quantum_t, quantum_tmp_t)
 +corecmd_exec_shell(neutron_t)
 +corecmd_exec_bin(neutron_t)
  
--corenet_all_recvfrom_unlabeled(quantum_t)
--corenet_all_recvfrom_netlabel(quantum_t)
--corenet_tcp_sendrecv_generic_if(quantum_t)
--corenet_tcp_sendrecv_generic_node(quantum_t)
--corenet_tcp_sendrecv_all_ports(quantum_t)
--corenet_tcp_bind_generic_node(quantum_t)
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
 +corenet_all_recvfrom_unlabeled(neutron_t)
 +corenet_all_recvfrom_netlabel(neutron_t)
 +corenet_tcp_sendrecv_generic_if(neutron_t)
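Review bot: `allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin };` adds `sys_admin` alongside `net_admin` with no comment; `net_admin` is expected for a network agent, but `sys_admin` is the catch-all capability and should name the operation that needs it, presumably network-namespace handling by `ip netns` (setns plus a sysfs mount), which would also explain the `dev_mount_sysfs_fs(neutron_t)` rule later in the file. `kernel_request_load_module(neutron_t)` similarly deserves a comment on which module neutron triggers. The rest of the hunk is the quantum → neutron rename and carries no new rights.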
@@ -69795,65 +69904,85 @@ index 8644d8b..b744b5d 100644
 +corenet_tcp_sendrecv_all_ports(neutron_t)
 +corenet_tcp_bind_generic_node(neutron_t)
  
--dev_list_sysfs(quantum_t)
--dev_read_urand(quantum_t)
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
 +corenet_tcp_bind_neutron_port(neutron_t)
 +corenet_tcp_connect_keystone_port(neutron_t)
 +corenet_tcp_connect_amqp_port(neutron_t)
 +corenet_tcp_connect_mysqld_port(neutron_t)
  
--files_read_usr_files(quantum_t)
-+dev_list_sysfs(neutron_t)
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
++domain_named_filetrans(neutron_t)
+ 
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
++dev_read_sysfs(neutron_t)
 +dev_read_urand(neutron_t)
++dev_mounton_sysfs(neutron_t)
++dev_mount_sysfs_fs(neutron_t)
  
--auth_use_nsswitch(quantum_t)
+-files_read_usr_files(quantum_t)
 +auth_use_nsswitch(neutron_t)
  
--libs_exec_ldconfig(quantum_t)
+-auth_use_nsswitch(quantum_t)
 +libs_exec_ldconfig(neutron_t)
  
--logging_send_audit_msgs(quantum_t)
--logging_send_syslog_msg(quantum_t)
+-libs_exec_ldconfig(quantum_t)
 +logging_send_audit_msgs(neutron_t)
 +logging_send_syslog_msg(neutron_t)
  
--miscfiles_read_localization(quantum_t)
+-logging_send_audit_msgs(quantum_t)
+-logging_send_syslog_msg(quantum_t)
 +sysnet_exec_ifconfig(neutron_t)
  
--sysnet_domtrans_ifconfig(quantum_t)
+-miscfiles_read_localization(quantum_t)
 +optional_policy(`
 +	brctl_domtrans(neutron_t)
 +')
  
+-sysnet_domtrans_ifconfig(quantum_t)
++optional_policy(`
++    dnsmasq_domtrans(neutron_t)
++')
+ 
  optional_policy(`
 -	brctl_domtrans(quantum_t)
-+	mysql_stream_connect(neutron_t)
-+	mysql_read_config(neutron_t)
-+
-+	mysql_tcp_connect(neutron_t)
++    iptables_domtrans(neutron_t)
  ')
  
  optional_policy(`
 -	mysql_stream_connect(quantum_t)
 -	mysql_read_config(quantum_t)
-+	postgresql_stream_connect(neutron_t)
-+	postgresql_unpriv_client(neutron_t)
++	mysql_stream_connect(neutron_t)
++	mysql_read_config(neutron_t)
  
 -	mysql_tcp_connect(quantum_t)
-+	postgresql_tcp_connect(neutron_t)
++	mysql_tcp_connect(neutron_t)
  ')
  
  optional_policy(`
 -	postgresql_stream_connect(quantum_t)
 -	postgresql_unpriv_client(quantum_t)
-+    openvswitch_domtrans(neutron_t)
-+    openvswitch_stream_connect(neutron_t)
++	postgresql_stream_connect(neutron_t)
++	postgresql_unpriv_client(neutron_t)
++
++	postgresql_tcp_connect(neutron_t)
 +')
  
 -	postgresql_tcp_connect(quantum_t)
 +optional_policy(`
-+	sudo_exec(neutron_t)
++    openvswitch_domtrans(neutron_t)
++    openvswitch_stream_connect(neutron_t)
  ')
++
++optional_policy(`
++	sudo_exec(neutron_t)
++')  
 diff --git a/quota.fc b/quota.fc
 index cadabe3..54ba01d 100644
 --- a/quota.fc
@@ -73248,10 +73377,10 @@ index c8a1e16..2d409bf 100644
  	xen_domtrans_xm(rgmanager_t)
  ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..98a4280 100644
+index 47de2d6..a7e8263 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,85 @@
+@@ -1,31 +1,86 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -73333,6 +73462,7 @@ index 47de2d6..98a4280 100644
 +/usr/sbin/ldirectord        --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/rgmanager         --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/pacemakerd    	--  gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/pacemaker_remoted --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
 +/usr/lib/pcsd/pcsd          --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
@@ -76540,7 +76670,7 @@ index 0bf13c2..d59aef7 100644
  		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
  		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..b96da60 100644
+index 2da9fca..11e7bfe 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@@ -76807,6 +76937,15 @@ index 2da9fca..b96da60 100644
  ')
  
  ########################################
+@@ -270,7 +287,7 @@ optional_policy(`
+ # GSSD local policy
+ #
+ 
+-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
++allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
+ allow gssd_t self:process { getsched setsched };
+ allow gssd_t self:fifo_file rw_fifo_file_perms;
+ 
 @@ -280,6 +297,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -76815,7 +76954,7 @@ index 2da9fca..b96da60 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -288,25 +306,29 @@ kernel_signal(gssd_t)
+@@ -288,25 +306,30 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -76837,6 +76976,7 @@ index 2da9fca..b96da60 100644
  miscfiles_read_generic_certs(gssd_t)
  
  userdom_signal_all_users(gssd_t)
++userdom_read_all_users_keys(gssd_t)
  
 -tunable_policy(`allow_gssd_read_tmp',`
 +tunable_policy(`gssd_read_tmp',`
@@ -76848,7 +76988,7 @@ index 2da9fca..b96da60 100644
  ')
  
  optional_policy(`
-@@ -314,9 +336,12 @@ optional_policy(`
+@@ -314,9 +337,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77757,7 +77897,7 @@ index ef3b225..064712b 100644
  	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..dfa0f04 100644
+index 6fc360e..955caa1 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -78137,11 +78277,11 @@ index 6fc360e..dfa0f04 100644
  logging_send_syslog_msg(rpm_script_t)
  
 -miscfiles_read_localization(rpm_script_t)
--
--modutils_run_depmod(rpm_script_t, rpm_roles)
--modutils_run_insmod(rpm_script_t, rpm_roles)
 +miscfiles_filetrans_named_content(rpm_script_t)
  
+-modutils_run_depmod(rpm_script_t, rpm_roles)
+-modutils_run_insmod(rpm_script_t, rpm_roles)
+-
 -seutil_run_loadpolicy(rpm_script_t, rpm_roles)
 -seutil_run_setfiles(rpm_script_t, rpm_roles)
 -seutil_run_semanage(rpm_script_t, rpm_roles)
@@ -78155,7 +78295,7 @@ index 6fc360e..dfa0f04 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,41 +379,61 @@ ifdef(`distro_redhat',`
+@@ -363,41 +379,59 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -78220,14 +78360,13 @@ index 6fc360e..dfa0f04 100644
  ')
  
  optional_policy(`
+-	unconfined_domtrans(rpm_script_t)
 +	unconfined_domain_noaudit(rpm_script_t)
- 	unconfined_domtrans(rpm_script_t)
 +	domain_named_filetrans(rpm_script_t)
-+
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +445,6 @@ optional_policy(`
+@@ -409,6 +443,6 @@ optional_policy(`
  ')
  
  optional_policy(`
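Review bot: Dropping `unconfined_domtrans(rpm_script_t)` while leaving `unconfined_domain_noaudit(rpm_script_t)` in the same optional block removes the transition to unconfined_t but, as the interface name suggests, rpm scripts still run with unconfined permissions in their own domain, so the gain from this hunk is the loss of the domain transition rather than of the access itself. Since the changelog presents this as "Remove ability to transition to unconfined_t from confined domains", a comment stating that intent would stop a future maintainer from re-adding the transition to fix an unrelated denial, e.g. `# rpm_script_t is already unconfined; do not reintroduce a domtrans to unconfined_t`. The optional_policy block this hunk patches continues past the hunk (the nested java_domtrans_unconfined block is cut off).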
@@ -81486,10 +81625,10 @@ index 0000000..b7db254
 +# Empty
 diff --git a/sandbox.if b/sandbox.if
 new file mode 100644
-index 0000000..577dfa7
+index 0000000..8a6ad19
 --- /dev/null
 +++ b/sandbox.if
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,56 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -81520,6 +81659,7 @@ index 0000000..577dfa7
 +	allow sandbox_domain $1:process { sigchld signull };
 +	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
 +	dontaudit sandbox_domain $1:process signal;
++	dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
 +')
 +
 +########################################
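Review bot: The added `dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;` suppresses denials rather than deciding whether the access is legitimate, and `rw_socket_perms` is much wider than the neighbouring `dontaudit sandbox_domain $1:process signal;`, so a sandboxed process that fails to write to a socket inherited from the caller will no longer show up in the audit log. If the purpose is only to quiet noise from inherited descriptors, say so in a comment, e.g. `# quiet read/write attempts on sockets leaked from the caller; not required for operation`; if the sandbox genuinely needs the socket, this should be an allow limited to the specific permissions instead of a dontaudit. The interface this hunk patches starts outside the hunk.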
@@ -82022,10 +82162,10 @@ index 0000000..e45c73a
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..9ba5803
+index 0000000..4566e9b
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,488 @@
+@@ -0,0 +1,498 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@@ -82260,6 +82400,8 @@ index 0000000..9ba5803
 +
 +optional_policy(`
 +	gnome_read_gconf_config(sandbox_x_domain)
++	gnome_dontaudit_rw_inherited_config(sandbox_x_domain)
++	gnome_dontaudit_rw_inherited_config(sandbox_xserver_t)
 +')
 +
 +optional_policy(`
@@ -82328,6 +82470,10 @@ index 0000000..9ba5803
 +logging_send_syslog_msg(sandbox_x_client_t)
 +
 +optional_policy(`
++	avahi_dbus_chat(sandbox_x_client_t)
++')
++
++optional_policy(`
 +	colord_dbus_chat(sandbox_x_client_t)
 +')
 +
@@ -82439,6 +82585,10 @@ index 0000000..9ba5803
 +')
 +
 +optional_policy(`
++	avahi_dbus_chat(sandbox_web_type)
++')
++
++optional_policy(`
 +	bluetooth_dontaudit_dbus_chat(sandbox_web_type)
 +')
 +
@@ -86503,7 +86653,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index f2f507d..10b5705 100644
+index f2f507d..065cb98 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -86588,7 +86738,7 @@ index f2f507d..10b5705 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -92,25 +113,34 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -92,25 +113,35 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -86615,6 +86765,7 @@ index f2f507d..10b5705 100644
 +init_stream_connect(sosreport_t)
  
  libs_domtrans_ldconfig(sosreport_t)
++libs_use_ld_so(sosreport_t)
  
  logging_read_all_logs(sosreport_t)
  logging_send_syslog_msg(sosreport_t)
@@ -86626,7 +86777,7 @@ index f2f507d..10b5705 100644
  
  optional_policy(`
  	abrt_manage_pid_files(sosreport_t)
-@@ -119,6 +149,10 @@ optional_policy(`
+@@ -119,6 +150,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86637,7 +86788,7 @@ index f2f507d..10b5705 100644
  	cups_stream_connect(sosreport_t)
  ')
  
-@@ -127,6 +161,15 @@ optional_policy(`
+@@ -127,6 +162,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86653,7 +86804,7 @@ index f2f507d..10b5705 100644
  	fstools_domtrans(sosreport_t)
  ')
  
-@@ -136,6 +179,10 @@ optional_policy(`
+@@ -136,6 +180,10 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(sosreport_t)
  	')
@@ -86664,7 +86815,7 @@ index f2f507d..10b5705 100644
  ')
  
  optional_policy(`
-@@ -151,9 +198,25 @@ optional_policy(`
+@@ -151,9 +199,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89489,7 +89640,7 @@ index 2ac91b6..dd2ac36 100644
  ')
 +
 diff --git a/svnserve.te b/svnserve.te
-index 49d688d..f1c6367 100644
+index 49d688d..f07cc80 100644
 --- a/svnserve.te
 +++ b/svnserve.te
 @@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
@@ -89533,12 +89684,16 @@ index 49d688d..f1c6367 100644
  corenet_all_recvfrom_unlabeled(svnserve_t)
  corenet_all_recvfrom_netlabel(svnserve_t)
  corenet_tcp_sendrecv_generic_if(svnserve_t)
-@@ -54,6 +62,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t)
+@@ -52,8 +60,8 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
+ corenet_udp_bind_svn_port(svnserve_t)
+ corenet_udp_sendrecv_svn_port(svnserve_t)
  
- logging_send_syslog_msg(svnserve_t)
+-logging_send_syslog_msg(svnserve_t)
++dev_read_urand(svnserve_t)
  
 -miscfiles_read_localization(svnserve_t)
--
++logging_send_syslog_msg(svnserve_t)
+ 
  sysnet_dns_name_resolve(svnserve_t)
 diff --git a/swift.fc b/swift.fc
 new file mode 100644
@@ -93210,7 +93365,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 393a330..3e41bff 100644
+index 393a330..44b286b 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -93223,7 +93378,7 @@ index 393a330..3e41bff 100644
  type tuned_var_run_t;
  files_pid_file(tuned_var_run_t)
  
-@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t)
+@@ -29,10 +32,14 @@ files_pid_file(tuned_var_run_t)
  # Local policy
  #
  
@@ -93236,10 +93391,11 @@ index 393a330..3e41bff 100644
 +allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow tuned_t self:netlink_socket create_socket_perms;
 +allow tuned_t self:udp_socket create_socket_perms;
++allow tuned_t self:socket create_socket_perms;
  
  read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
  exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
+@@ -41,14 +48,19 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
  files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
  
  manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
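Review bot: `allow tuned_t self:socket create_socket_perms;` uses the generic `socket` class, which is normally reached only by an address family that has no dedicated class, so the rule gives no hint of what tuned actually opens and will silently keep covering whatever family maps there in future kernels. Add a comment naming the family observed in the denial that motivated it, e.g. `# generic socket class: <family seen in AVC> -- confirm`, and check whether a dedicated class (the file already has netlink_kobject_uevent_socket, netlink_socket and udp_socket rules) would fit instead. The tuned_t local-policy block this hunk patches begins before the hunk.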
@@ -93258,11 +93414,12 @@ index 393a330..3e41bff 100644
  manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
  manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
  files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
++allow tuned_t tuned_var_run_t:file  relabel_file_perms;
 +can_exec(tuned_t, tuned_var_run_t)
  
  kernel_read_system_state(tuned_t)
  kernel_read_network_state(tuned_t)
-@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t)
+@@ -57,6 +69,8 @@ kernel_request_load_module(tuned_t)
  kernel_rw_kernel_sysctl(tuned_t)
  kernel_rw_hotplug_sysctls(tuned_t)
  kernel_rw_vm_sysctls(tuned_t)
@@ -93271,7 +93428,7 @@ index 393a330..3e41bff 100644
  
  corecmd_exec_bin(tuned_t)
  corecmd_exec_shell(tuned_t)
-@@ -64,31 +76,57 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +78,57 @@ corecmd_exec_shell(tuned_t)
  dev_getattr_all_blk_files(tuned_t)
  dev_getattr_all_chr_files(tuned_t)
  dev_read_urand(tuned_t)
@@ -94979,7 +95136,7 @@ index a4f20bc..9bad8b9 100644
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..43128c6 100644
+index facdee8..3ad56e3 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -95994,7 +96151,7 @@ index facdee8..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +658,189 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +658,227 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -96068,12 +96225,10 @@ index facdee8..43128c6 100644
 +##	Execute virt server in the virt domain.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	The type of the object to be created.
++##	<summary>
 +##	Domain allowed to transition.
- ##	</summary>
- ## </param>
--## <param name="object">
++##	</summary>
++## </param>
 +#
 +interface(`virt_systemctl',`
 +	gen_require(`
@@ -96094,11 +96249,11 @@ index facdee8..43128c6 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	The object class of the object being created.
+-##	The type of the object to be created.
 +##	Domain allowed to transition.
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
+-## <param name="object">
 +#
 +interface(`virt_ptrace',`
 +	gen_require(`
@@ -96110,7 +96265,29 @@ index facdee8..43128c6 100644
 +
 +#######################################
 +## <summary>
-+##	Connect to virt over a unix domain stream socket.
++##	Manage Sandbox Files
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The object class of the object being created.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
++#
++interface(`virt_manage_sandbox_files',`
++	gen_require(`
++		type svirt_sandbox_file_t;
++	')
++
++	manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++')
++
++#######################################
++## <summary>
++##	Relabel Sandbox File systems
 +## </summary>
 +## <param name="domain">
  ##	<summary>
@@ -96121,9 +96298,27 @@ index facdee8..43128c6 100644
 -## <infoflow type="write" weight="10"/>
  #
 -interface(`virt_pid_filetrans',`
-+interface(`virt_stream_connect_sandbox',`
++interface(`virt_relabel_sandbox_filesystem',`
  	gen_require(`
 -		type virt_var_run_t;
++		type svirt_sandbox_file_t;
++	')
++
++	allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto };
++')
++
++#######################################
++## <summary>
++##	Connect to virt over a unix domain stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_stream_connect_sandbox',`
++	gen_require(`
 +		attribute svirt_sandbox_domain;
 +		type svirt_sandbox_file_t;
  	')
@@ -96179,11 +96374,10 @@ index facdee8..43128c6 100644
 +	optional_policy(`
 +		ptchown_run(virt_domain, $2)
 +	')
- ')
- 
- ########################################
- ## <summary>
--##	Append virt log files.
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to write virt daemon unnamed pipes.
 +## </summary>
 +## <param name="domain">
@@ -96199,15 +96393,16 @@ index facdee8..43128c6 100644
 +
 +	dontaudit $1 virtd_t:fd use;
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append virt log files.
 +##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,19 +848,17 @@ interface(`virt_read_log',`
+@@ -935,19 +886,17 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
@@ -96231,7 +96426,7 @@ index facdee8..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +866,17 @@ interface(`virt_append_log',`
+@@ -955,20 +904,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
@@ -96256,7 +96451,7 @@ index facdee8..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +884,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +922,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
@@ -96279,7 +96474,7 @@ index facdee8..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +902,57 @@ interface(`virt_search_images',`
+@@ -995,36 +940,57 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
@@ -96356,7 +96551,7 @@ index facdee8..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +960,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +998,28 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -96392,7 +96587,7 @@ index facdee8..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,37 +989,129 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1027,129 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -96536,7 +96731,7 @@ index facdee8..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1119,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1157,54 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -96610,7 +96805,7 @@ index facdee8..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1182,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1220,36 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -96658,11 +96853,11 @@ index facdee8..43128c6 100644
 -
 -	logging_search_logs($1)
 -	admin_pattern($1, virt_log_t)
-+	allow $1 virt_domain:process signal_perms;
- 
+-
 -	files_search_pids($1)
 -	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
--
++	allow $1 virt_domain:process signal_perms;
+ 
 -	files_search_var($1)
 -	admin_pattern($1, svirt_cache_t)
 -
@@ -96683,7 +96878,7 @@ index facdee8..43128c6 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..eeb0c89 100644
+index f03dcf5..11a3c6f 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,197 @@
@@ -98380,7 +98575,7 @@ index f03dcf5..eeb0c89 100644
 +typeattribute svirt_lxc_net_t sandbox_net_domain;
  
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_lxc_net_t self:capability { kill setuid setgid setfcap sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap };
  dontaudit svirt_lxc_net_t self:capability2 block_suspend;
 -allow svirt_lxc_net_t self:process setrlimit;
 -allow svirt_lxc_net_t self:tcp_socket { accept listen };
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cc10110..bc8d8e5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -576,6 +576,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jan 9 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-12
+- Add gluster fixes
+- Remove ability to transition to unconfined_t from confined domains
+- Additional allow rules to get libvirt-lxc containers working with docker
+
 * Mon Jan 6 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-11
 - passwd to create gnome-keyring passwd socket
 - systemd_systemctl needs sys_admin capability

