[selinux-policy/f20] - Add cron unconfined role support for uncofined SELinux user - Call kernel_rw_usermodehelper_state(

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jan 20 21:37:55 UTC 2014


commit 4e78831f23280183cabda881ae79dd90a35ac3a8
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Jan 20 22:37:54 2014 +0100

    - Add cron unconfined role support for unconfined SELinux user
    - Call kernel_rw_usermodehelper_state() in init.te
    - Call corenet_udp_bind_all_ports() in milter.te
    - Allow fence_virtd to connect to zented port
    - Fix header for mirrormanager_admin()
    - Allow dkim-milter to bind udp ports
    - Allow milter domains to send signull to itself
    - Allow block_suspend for yum running as mock_t
    - Allow beam.smp to manage couchdb files
    - Add couchdb_manage_files()
    - Add labeling for /var/log/php_errors.log
    - Allow bumblebee to stream connect to xserver
    - Allow bumblebee to send a signal to xserver
    - Allow gnome-thumbnail to stream connect to bumblebee
    - Fix calling usermodehelper to use _state in interface name
    - Allow xkbcomp running as bumblebee_t to execute bin_t
    - Allow logrotate to read squid.conf
    - Additional rules to get docker and lxc to play well with SELinux
    - Call kernel_read_usermodhelper/kernel_rw_usermodhelper
    - Allow bumblebee to connect to xserver port
    - Allow pegasus_openlmi_storage_t to read hwdata

 policy-f20-base.patch    |  122 +++++++++----
 policy-f20-contrib.patch |  436 +++++++++++++++++++++++++++++-----------------
 selinux-policy.spec      |   25 +++-
 3 files changed, 381 insertions(+), 202 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 8ba89c5..4a3079c 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -26925,7 +26925,7 @@ index 9a4d3a7..9d960bb 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..76da5dd 100644
+index 24e7804..197d939 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -27563,69 +27563,113 @@ index 24e7804..76da5dd 100644
  ')
  
  ########################################
-@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',`
+@@ -1314,7 +1593,7 @@ interface(`init_signal_script',`
+ 
  ########################################
  ## <summary>
- ##	Send and receive messages from
--##	init scripts over dbus.
-+##	init over dbus.
+-##	Send null signals to init scripts.
++##	Send kill signals to init scripts.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',`
+@@ -1322,17 +1601,17 @@ interface(`init_signal_script',`
  ##	</summary>
  ## </param>
  #
--interface(`init_dbus_chat_script',`
-+interface(`init_dbus_chat',`
+-interface(`init_signull_script',`
++interface(`init_sigkill_script',`
  	gen_require(`
--		type initrc_t;
-+		type init_t;
- 		class dbus send_msg;
+ 		type initrc_t;
  	')
  
--	allow $1 initrc_t:dbus send_msg;
--	allow initrc_t $1:dbus send_msg;
-+	allow $1 init_t:dbus send_msg;
-+	allow init_t $1:dbus send_msg;
+-	allow $1 initrc_t:process signull;
++	allow $1 initrc_t:process sigkill;
  ')
  
  ########################################
  ## <summary>
--##	Read and write the init script pty.
-+##	Send and receive messages from
-+##	init scripts over dbus.
+-##	Read and write init script unnamed pipes.
++##	Send null signals to init scripts.
  ## </summary>
--## <desc>
--##	<p>
--##	Read and write the init script pty.  This
+ ## <param name="domain">
+ ##	<summary>
+@@ -1340,17 +1619,17 @@ interface(`init_signull_script',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_rw_script_pipes',`
++interface(`init_signull_script',`
+ 	gen_require(`
+ 		type initrc_t;
+ 	')
+ 
+-	allow $1 initrc_t:fifo_file { read write };
++	allow $1 initrc_t:process signull;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Send UDP network traffic to init scripts.  (Deprecated)
++##	Read and write init script unnamed pipes.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1358,7 +1637,25 @@ interface(`init_rw_script_pipes',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_udp_send_script',`
++interface(`init_rw_script_pipes',`
++	gen_require(`
++		type initrc_t;
++	')
++
++	allow $1 initrc_t:fifo_file { read write };
++')
++
++########################################
++## <summary>
++##	Send UDP network traffic to init scripts.  (Deprecated)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_udp_send_script',`
+ 	refpolicywarn(`$0($*) has been deprecated.')
+ ')
+ 
+@@ -1440,6 +1737,27 @@ interface(`init_dbus_send_script',`
+ ########################################
+ ## <summary>
+ ##	Send and receive messages from
++##	init over dbus.
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`init_dbus_chat_script',`
++interface(`init_dbus_chat',`
 +	gen_require(`
-+		type initrc_t;
++		type init_t;
 +		class dbus send_msg;
 +	')
 +
-+	allow $1 initrc_t:dbus send_msg;
-+	allow initrc_t $1:dbus send_msg;
++	allow $1 init_t:dbus send_msg;
++	allow init_t $1:dbus send_msg;
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write the init script pty.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Read and write the init script pty.  This
- ##	pty is generally opened by the open_init_pty
- ##	portion of the run_init program so that the
- ##	daemon does not require direct access to
-@@ -1526,6 +1826,25 @@ interface(`init_getattr_script_status_files',`
++##	Send and receive messages from
+ ##	init scripts over dbus.
+ ## </summary>
+ ## <param name="domain">
+@@ -1526,6 +1844,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
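Review bot: `init_sigkill_script` (the new `allow $1 initrc_t:process sigkill;` rule in the middle of this hunk) is a new interface that lets the caller SIGKILL any init script, but the changelog in the commit message lists neither the interface nor its consumer; a line such as `- Add init_sigkill_script() interface (used by NetworkManager)` would make the audit trail match the policy. The rest of the hunk is the renumbering a nested diff produces when init_sigkill_script is inserted ahead of init_signull_script, init_rw_script_pipes and init_udp_send_script; the moved init_rw_script_pipes and init_dbus_chat bodies read as unchanged. The nested diff of init.if continues past the end of this hunk.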
@@ -27651,7 +27695,7 @@ index 24e7804..76da5dd 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1584,6 +1903,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,6 +1921,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -27676,7 +27720,7 @@ index 24e7804..76da5dd 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1656,6 +1993,43 @@ interface(`init_read_utmp',`
+@@ -1656,6 +2011,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -27720,7 +27764,7 @@ index 24e7804..76da5dd 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1744,7 +2118,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1744,7 +2136,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -27729,7 +27773,7 @@ index 24e7804..76da5dd 100644
  ')
  
  ########################################
-@@ -1785,6 +2159,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,6 +2177,133 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -27863,7 +27907,7 @@ index 24e7804..76da5dd 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2320,360 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2338,360 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index f02fdf7..497806f 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -3067,10 +3067,10 @@ index 0000000..8ba9c95
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 550a69e..ecca81c 100644
+index 550a69e..fc53125 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,161 +1,205 @@
+@@ -1,161 +1,206 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3321,6 +3321,7 @@ index 550a69e..ecca81c 100644
  /var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 -/var/log/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/log/php_errors\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/z-push(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +ifdef(`distro_debian', `
 +/var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
@@ -8415,13 +8416,14 @@ index 536ec3c..271b976 100644
 -
 -miscfiles_read_localization(bcfg2_t)
 diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..1742ebf 100644
+index 2b9a3a1..ab80059 100644
 --- a/bind.fc
 +++ b/bind.fc
-@@ -1,54 +1,71 @@
+@@ -1,54 +1,74 @@
 -/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/named-sdb --     gen_context(system_u:object_r:named_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/unbound --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
  
 -/etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
@@ -8444,12 +8446,14 @@ index 2b9a3a1..1742ebf 100644
 +
 +/usr/lib/systemd/system/unbound.* --  gen_context(system_u:object_r:named_unit_file_t,s0)
 +/usr/lib/systemd/system/named.*	--	gen_context(system_u:object_r:named_unit_file_t,s0)
++/usr/lib/systemd/system/named-sdb.* --	gen_context(system_u:object_r:named_unit_file_t,s0)
  
  /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
 -/usr/sbin/named	--	gen_context(system_u:object_r:named_exec_t,s0)
 -/usr/sbin/named-checkconf	--	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 -/usr/sbin/r?ndc	--	gen_context(system_u:object_r:ndc_exec_t,s0)
 +/usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/named-sdb	--	gen_context(system_u:object_r:named_exec_t,s0)
 +/usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 +/usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
  /usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
@@ -9992,10 +9996,10 @@ index 0000000..de66654
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..b3aa772
+index 0000000..00e1ff2
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,54 @@
+@@ -0,0 +1,58 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@@ -10033,6 +10037,7 @@ index 0000000..b3aa772
 +kernel_dontaudit_access_check_proc(bumblebee_t)
 +
 +corecmd_exec_shell(bumblebee_t)
++corecmd_exec_bin(bumblebee_t)
 +
 +dev_read_sysfs(bumblebee_t)
 +
@@ -10045,7 +10050,10 @@ index 0000000..b3aa772
 +sysnet_dns_name_resolve(bumblebee_t)
 +
 +xserver_domtrans(bumblebee_t)
++xserver_signal(bumblebee_t)
++xserver_stream_connect(bumblebee_t)
 +xserver_manage_xkb_libs(bumblebee_t)
++corenet_tcp_connect_xserver_port(bumblebee_t)
 +
 +optional_policy(`
 +    apm_stream_connect(bumblebee_t)
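Review bot: `corenet_tcp_connect_xserver_port(bumblebee_t)` is added without the `corenet_sendrecv_xserver_client_packets(bumblebee_t)` line that conventionally accompanies every `corenet_tcp_connect_*_port` call, and it is placed in the `xserver_*` group rather than with the other `corenet_*` rules earlier in bumblebee.te. Either add the packet rule next to it or, if bumblebee only reaches the X server over its unix socket (which the new `xserver_stream_connect(bumblebee_t)` already covers), drop the TCP rule so the policy stays as narrow as the path actually used. The optional_policy block that starts on the last line continues outside the hunk.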
@@ -14623,7 +14631,7 @@ index c086302..4f33119 100644
  
  /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 diff --git a/couchdb.if b/couchdb.if
-index 83d6744..afa2f78 100644
+index 83d6744..36d5a7d 100644
 --- a/couchdb.if
 +++ b/couchdb.if
 @@ -2,6 +2,44 @@
@@ -14671,7 +14679,7 @@ index 83d6744..afa2f78 100644
  ##	All of the rules required to
  ##	administrate an couchdb environment.
  ## </summary>
-@@ -10,6 +48,127 @@
+@@ -10,6 +48,149 @@
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -14761,6 +14769,28 @@ index 83d6744..afa2f78 100644
 +        allow $1 couchdb_var_run_t:dir search_dir_perms;
 +')
 +
++#######################################
++## <summary>
++##  Allow domain to manage couchdb content.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`couchdb_manage_files',`
++        gen_require(`
++                type couchdb_var_run_t;
++                type couchdb_log_t;
++                type couchdb_var_lib_t;
++        ')
++
++    manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
++    manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++    manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
++')
++
 +########################################
 +## <summary>
 +##	Execute couchdb server in the couchdb domain.
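Review bot: `couchdb_manage_files` is indented with eight and four spaces while the rest of couchdb.if uses tabs (compare the `gen_require` of `couchdb_admin` later in this file section), and its summary `Allow domain to manage couchdb content.` promises more than the three `manage_files_pattern` calls deliver, which grant file management, not directory management, on couchdb_log_t, couchdb_var_lib_t and couchdb_var_run_t. Re-indent with tabs and narrow the summary to `##	Manage couchdb log, lib and pid files.`. A caller also needs search access on /var/log, /var/lib and /var/run to reach those files; if that is left to the caller, say so in the summary, otherwise add `logging_search_logs($1)`, `files_search_var_lib($1)` and `files_search_pids($1)` inside the interface.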
@@ -14799,7 +14829,7 @@ index 83d6744..afa2f78 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -19,14 +178,19 @@
+@@ -19,14 +200,19 @@
  #
  interface(`couchdb_admin',`
  	gen_require(`
@@ -14820,7 +14850,7 @@ index 83d6744..afa2f78 100644
  	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -46,4 +210,13 @@ interface(`couchdb_admin',`
+@@ -46,4 +232,13 @@ interface(`couchdb_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, couchdb_var_run_t)
@@ -22631,10 +22661,10 @@ index ef36d73..fddd51f 100644
  sysnet_etc_filetrans_config(dnssec_triggerd_t)
 diff --git a/docker.fc b/docker.fc
 new file mode 100644
-index 0000000..484dd44
+index 0000000..b24266e
 --- /dev/null
 +++ b/docker.fc
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,14 @@
 +/usr/bin/docker			--	gen_context(system_u:object_r:docker_exec_t,s0)
 +
 +/usr/lib/systemd/system/docker.service		--	gen_context(system_u:object_r:docker_unit_file_t,s0)
@@ -22644,16 +22674,17 @@ index 0000000..484dd44
 +/var/run/docker\.pid		--	gen_context(system_u:object_r:docker_var_run_t,s0)
 +/var/run/docker\.sock		-s	gen_context(system_u:object_r:docker_var_run_t,s0)
 +
++/var/lock/lxc(/.*)?		gen_context(system_u:object_r:docker_lock_t,s0)
++
 +/var/log/lxc(/.*)?		gen_context(system_u:object_r:docker_log_t,s0)
 +
-+/usr/lib/lxc/rootfs		gen_context(system_u:object_r:mnt_t,s0)
-\ No newline at end of file
++
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..543baf1
+index 0000000..c77a25f
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,250 @@
+@@ -0,0 +1,257 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
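Review bot: the last added line of docker.fc in this hunk is an empty entry (a `+` with nothing after it), so the file now ends in a blank line where the `/usr/lib/lxc/rootfs … mnt_t` entry used to be; drop the blank line rather than leaving it as a placeholder. Removing the mnt_t labeling of /usr/lib/lxc/rootfs is not mentioned in the changelog even though it changes what a relabel puts on that directory (presumably the generic /usr label); a changelog line or a short comment in docker.fc saying what labels it now would help. The new `/var/lock/lxc(/.*)?` → docker_lock_t entry is consistent with the docker_lock_t type and the `files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")` rule added in docker.te.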
@@ -22849,6 +22880,23 @@ index 0000000..543baf1
 +	ps_process_pattern($1, docker_t)
 +')
 +
++########################################
++## <summary>
++##	Read and write docker shared memory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`docker_rw_sem',`
++	gen_require(`
++		type docker_t;
++	')
++
++	allow $1 docker_t:sem rw_sem_perms;
++')
 +
 +########################################
 +## <summary>
@@ -22865,7 +22913,9 @@ index 0000000..543baf1
 +	gen_require(`
 +		type docker_t;
 +		type docker_var_lib_t, docker_var_run_t;
-+	    type docker_unit_file_t;
++		type docker_unit_file_t;
++		type docker_lock_t;
++		type docker_log_t;
 +	')
 +
 +	allow $1 docker_t:process { ptrace signal_perms };
@@ -22877,6 +22927,12 @@ index 0000000..543baf1
 +	files_search_pids($1)
 +	admin_pattern($1, docker_var_run_t)
 +
++	files_search_locks($1)
++	admin_pattern($1, docker_lock_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, docker_log_t)
++
 +	docker_systemctl($1)
 +	admin_pattern($1, docker_unit_file_t)
 +	allow $1 docker_unit_file_t:service all_service_perms;
@@ -22886,30 +22942,12 @@ index 0000000..543baf1
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
 +')
-+
-+########################################
-+## <summary>
-+##	Read and write docker shared memory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`docker_rw_sem',`
-+	gen_require(`
-+		type docker_t;
-+	')
-+
-+	allow $1 docker_t:sem rw_sem_perms;
-+')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..5c6eaab
+index 0000000..4bfbc19
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,176 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -22924,6 +22962,9 @@ index 0000000..5c6eaab
 +type docker_var_lib_t;
 +files_type(docker_var_lib_t)
 +
++type docker_lock_t;
++files_lock_file(docker_lock_t)
++
 +type docker_log_t;
 +logging_log_file(docker_log_t)
 +
@@ -22946,6 +22987,10 @@ index 0000000..5c6eaab
 +allow docker_t self:unix_stream_socket create_stream_socket_perms;
 +allow docker_t self:capability2 block_suspend;
 +
++manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
++manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
++files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
++
 +manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
 +manage_files_pattern(docker_t, docker_log_t, docker_log_t)
 +manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
@@ -22989,6 +23034,8 @@ index 0000000..5c6eaab
 +
 +auth_use_nsswitch(docker_t)
 +
++init_read_state(docker_t)
++
 +logging_send_audit_msgs(docker_t)
 +logging_send_syslog_msg(docker_t)
 +
@@ -23012,7 +23059,8 @@ index 0000000..5c6eaab
 +#
 +
 +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
-+allow docker_t self:process { getcap setcap setpgid setsched signal_perms };
++allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
++
 +allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
 +allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
 +allow docker_t self:unix_dgram_socket create_socket_perms;
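Review bot: `setexec` is added to docker_t's self:process permissions without a comment, and because setexec lets the domain choose the context applied at its next exec it deserves one, e.g. `# setexec: docker sets the label of the container process it launches -- TODO confirm`. The context line `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;` carries a doubled semicolon that predates this change; since the hunk already touches the line above it, cleaning it up here is cheap.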
@@ -23048,10 +23096,12 @@ index 0000000..5c6eaab
 +fs_manage_cgroup_dirs(docker_t)
 +fs_manage_cgroup_files(docker_t)
 +fs_relabelfrom_xattr_fs(docker_t)
++fs_relabelfrom_tmpfs(docker_t)
 +
 +term_use_generic_ptys(docker_t)
 +term_use_ptmx(docker_t)
 +term_getattr_pty_fs(docker_t)
++term_relabel_pty_fs(docker_t)
 +
 +modutils_domtrans_insmod(docker_t)
 +
@@ -23066,6 +23116,13 @@ index 0000000..5c6eaab
 +	virt_stream_connect_sandbox(docker_t)
 +	virt_manage_sandbox_files(docker_t)
 +	virt_relabel_sandbox_filesystem(docker_t)
++	# for lxc
++	virt_transition_svirt_sandbox(docker_t, system_r)
++	virt_mounton_sandbox_file(docker_t)
++')
++
++optional_policy(`
++    unconfined_domain(docker_t)
 +')
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
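Review bot: `unconfined_domain(docker_t)` in the new optional_policy block makes docker_t unconfined whenever the unconfined module is loaded, which is the common configuration, so every targeted allow rule in docker.te above it becomes documentation rather than enforcement. If this is a deliberate stopgap while the lxc/docker rules mature it needs a comment saying so, e.g. `# TODO: drop once docker/lxc are fully confined; with the unconfined module loaded docker_t is unconfined`, and a changelog line that states docker is unconfined rather than the generic "play well with SELinux". The block is also indented with four spaces where the `virt_*` calls just above it use a tab.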
@@ -31626,10 +31683,10 @@ index 0000000..b7ca833
 +')
 diff --git a/hypervkvp.te b/hypervkvp.te
 new file mode 100644
-index 0000000..b2d134d
+index 0000000..97144bc
 --- /dev/null
 +++ b/hypervkvp.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,79 @@
 +policy_module(hypervkvp, 1.0.0)
 +
 +########################################
@@ -31684,8 +31741,13 @@ index 0000000..b2d134d
 +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
 +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
 +
++kernel_read_system_state(hypervkvp_t)
++kernel_read_network_state(hypervkvp_t)
++
 +files_dontaudit_search_home(hypervkvp_t)
 +
++auth_read_passwd(hypervkvp_t)
++
 +logging_send_syslog_msg(hypervkvp_t)
 +
 +sysnet_dns_name_resolve(hypervkvp_t)
@@ -37683,7 +37745,7 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..efdfd9d 100644
+index 7bab8e5..5773c24 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -1,20 +1,18 @@
@@ -37938,7 +38000,7 @@ index 7bab8e5..efdfd9d 100644
  ')
  
  optional_policy(`
-@@ -228,10 +257,20 @@ optional_policy(`
+@@ -228,10 +257,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37952,6 +38014,7 @@ index 7bab8e5..efdfd9d 100644
 +
 +optional_policy(`
  	squid_domtrans(logrotate_t)
++    squid_read_config(logrotate_t)
  ')
  
  optional_policy(`
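Review bot: `squid_read_config(logrotate_t)` is indented with four spaces while `squid_domtrans(logrotate_t)` on the line above uses a tab; write it as `	squid_read_config(logrotate_t)` so the optional_policy block stays consistent with the rest of logrotate.te. Reading squid.conf is narrower than the domain transition already granted on the line above, so no further justification is needed beyond the indentation fix.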
@@ -37959,7 +38022,7 @@ index 7bab8e5..efdfd9d 100644
  	su_exec(logrotate_t)
  ')
  
-@@ -241,13 +280,11 @@ optional_policy(`
+@@ -241,13 +281,11 @@ optional_policy(`
  
  #######################################
  #
@@ -40308,10 +40371,10 @@ index cba62db..562833a 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 92508b2..2213a03 100644
+index 92508b2..9c51c34 100644
 --- a/milter.te
 +++ b/milter.te
-@@ -1,77 +1,117 @@
+@@ -1,77 +1,121 @@
 -policy_module(milter, 1.4.2)
 +policy_module(milter, 1.4.0)
  
@@ -40358,6 +40421,8 @@ index 92508b2..2213a03 100644
  allow milter_domains self:fifo_file rw_fifo_file_perms;
 -allow milter_domains self:tcp_socket { accept listen };
 +
++allow milter_domains self:process signull;
++
 +# Allow communication with MTA over a TCP socket
 +allow milter_domains self:tcp_socket create_stream_socket_perms;
  
@@ -40399,6 +40464,8 @@ index 92508b2..2213a03 100644
 +
 +kernel_read_kernel_sysctls(dkim_milter_t)
 +
++corenet_udp_bind_all_ports(dkim_milter_t)
++
 +auth_use_nsswitch(dkim_milter_t)
 +
 +sysnet_dns_name_resolve(dkim_milter_t)
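Review bot: `corenet_udp_bind_all_ports(dkim_milter_t)` lets dkim-milter bind any UDP port, including reserved and well-known ones, which is far broader than the changelog entry "Allow dkim-milter to bind udp ports" suggests. If the need is only an unprivileged source port for its DNS lookups, `corenet_udp_bind_all_unreserved_ports(dkim_milter_t)` covers that without letting the milter sit on service ports; whichever is kept also needs `corenet_udp_bind_generic_node(dkim_milter_t)` unless that is already granted outside this hunk. A one-line comment naming why the bind is needed would help the next reviewer judge the scope.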
@@ -40457,7 +40524,7 @@ index 92508b2..2213a03 100644
  
  optional_policy(`
  	mysql_stream_connect(greylist_milter_t)
-@@ -79,30 +119,45 @@ optional_policy(`
+@@ -79,30 +123,45 @@ optional_policy(`
  
  ########################################
  #
@@ -40655,10 +40722,10 @@ index 0000000..c713b27
 +/var/run/mirrormanager(/.*)?		gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
 diff --git a/mirrormanager.if b/mirrormanager.if
 new file mode 100644
-index 0000000..adf2319
+index 0000000..fbb831d
 --- /dev/null
 +++ b/mirrormanager.if
-@@ -0,0 +1,243 @@
+@@ -0,0 +1,237 @@
 +
 +## <summary>policy for mirrormanager</summary>
 +
@@ -40866,12 +40933,6 @@ index 0000000..adf2319
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`mirrormanager_admin',`
 +	gen_require(`
@@ -41280,10 +41341,10 @@ index 0000000..6568bfe
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..92c3b35
+index 0000000..fc64201
 --- /dev/null
 +++ b/mock.te
-@@ -0,0 +1,275 @@
+@@ -0,0 +1,276 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -41331,6 +41392,7 @@ index 0000000..92c3b35
 +#
 +
 +allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_t self:capability2 block_suspend;
 +allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
 +# Needed because mock can run java and mono withing build environment
 +allow mock_t self:process { execmem execstack };
@@ -44098,10 +44160,24 @@ index 5fa77c7..2e01c7d 100644
  	domain_system_change_exemption($1)
  	role_transition $2 mpd_initrc_exec_t system_r;
 diff --git a/mpd.te b/mpd.te
-index 7c8afcc..33b18c8 100644
+index 7c8afcc..b8c9bf1 100644
 --- a/mpd.te
 +++ b/mpd.te
-@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
+@@ -7,6 +7,13 @@ policy_module(mpd, 1.0.4)
+ 
+ ## <desc>
+ ##	<p>
++##	Allow mpd execmem/execstack.
++##	</p>
++## </desc>
++gen_tunable(mpd_execmem, false)
++
++## <desc>
++##	<p>
+ ##	Determine whether mpd can traverse
+ ##	user home directories.
+ ##	</p>
+@@ -62,18 +69,25 @@ files_type(mpd_var_lib_t)
  type mpd_user_data_t;
  userdom_user_home_content(mpd_user_data_t) # customizable
  
@@ -44128,7 +44204,7 @@ index 7c8afcc..33b18c8 100644
  
  allow mpd_t mpd_data_t:dir manage_dir_perms;
  allow mpd_t mpd_data_t:file manage_file_perms;
-@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+@@ -104,13 +118,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
  manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
  files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
  
@@ -44152,7 +44228,7 @@ index 7c8afcc..33b18c8 100644
  corenet_all_recvfrom_netlabel(mpd_t)
  corenet_tcp_sendrecv_generic_if(mpd_t)
  corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -139,9 +155,9 @@ dev_read_sound(mpd_t)
+@@ -139,9 +162,9 @@ dev_read_sound(mpd_t)
  dev_write_sound(mpd_t)
  dev_read_sysfs(mpd_t)
  
@@ -44163,12 +44239,16 @@ index 7c8afcc..33b18c8 100644
  fs_list_inotifyfs(mpd_t)
  fs_rw_anon_inodefs_files(mpd_t)
  fs_search_auto_mountpoints(mpd_t)
-@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t)
+@@ -150,15 +173,30 @@ auth_use_nsswitch(mpd_t)
  
  logging_send_syslog_msg(mpd_t)
  
 -miscfiles_read_localization(mpd_t)
 +userdom_home_reader(mpd_t)
++
++tunable_policy(`mpd_execmem',`
++    allow mpd_t self:process { execstack execmem };
++')
  
  tunable_policy(`mpd_enable_homedirs',`
 -	userdom_search_user_home_dirs(mpd_t)
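Review bot: the body of the new `tunable_policy(`mpd_execmem',`` block is indented with four spaces while the `mpd_enable_homedirs` block right below uses a tab; write it as `	allow mpd_t self:process { execstack execmem };`. Putting execmem and execstack behind a boolean that defaults to false (`gen_tunable(mpd_execmem, false)` earlier in this file section) is the right shape, since it keeps the W+X relaxation opt-in per host. The file section continues past the end of this hunk.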
@@ -44192,7 +44272,7 @@ index 7c8afcc..33b18c8 100644
  ')
  
  tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',`
-@@ -191,7 +218,7 @@ optional_policy(`
+@@ -191,7 +229,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44201,7 +44281,7 @@ index 7c8afcc..33b18c8 100644
  ')
  
  optional_policy(`
-@@ -199,6 +226,16 @@ optional_policy(`
+@@ -199,6 +237,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49265,7 +49345,7 @@ index 0e8508c..ee2e3de 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..34207b9 100644
+index 0b48a30..5863fc0 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -49420,7 +49500,7 @@ index 0b48a30..34207b9 100644
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
  fs_list_inotifyfs(NetworkManager_t)
-@@ -140,18 +149,31 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +149,33 @@ mls_file_read_all_levels(NetworkManager_t)
  
  selinux_dontaudit_search_fs(NetworkManager_t)
  
@@ -49441,6 +49521,8 @@ index 0b48a30..34207b9 100644
  init_dontaudit_write_utmp(NetworkManager_t)
  init_domtrans_script(NetworkManager_t)
 +init_signull_script(NetworkManager_t)
++init_signal_script(NetworkManager_t)
++init_sigkill_script(NetworkManager_t)
  
  auth_use_nsswitch(NetworkManager_t)
  
@@ -49453,7 +49535,7 @@ index 0b48a30..34207b9 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +188,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +190,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -49490,7 +49572,7 @@ index 0b48a30..34207b9 100644
  ')
  
  optional_policy(`
-@@ -196,10 +229,6 @@ optional_policy(`
+@@ -196,10 +231,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49501,7 +49583,7 @@ index 0b48a30..34207b9 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,16 +239,11 @@ optional_policy(`
+@@ -210,16 +241,11 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -49520,7 +49602,7 @@ index 0b48a30..34207b9 100644
  	')
  ')
  
-@@ -231,18 +255,23 @@ optional_policy(`
+@@ -231,18 +257,23 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -49547,7 +49629,7 @@ index 0b48a30..34207b9 100644
  ')
  
  optional_policy(`
-@@ -250,6 +279,10 @@ optional_policy(`
+@@ -250,6 +281,10 @@ optional_policy(`
  	ipsec_kill_mgmt(NetworkManager_t)
  	ipsec_signal_mgmt(NetworkManager_t)
  	ipsec_signull_mgmt(NetworkManager_t)
@@ -49558,7 +49640,7 @@ index 0b48a30..34207b9 100644
  ')
  
  optional_policy(`
-@@ -257,11 +290,14 @@ optional_policy(`
+@@ -257,11 +292,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49575,7 +49657,7 @@ index 0b48a30..34207b9 100644
  ')
  
  optional_policy(`
-@@ -274,10 +310,17 @@ optional_policy(`
+@@ -274,10 +312,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -49593,7 +49675,7 @@ index 0b48a30..34207b9 100644
  ')
  
  optional_policy(`
-@@ -289,6 +332,7 @@ optional_policy(`
+@@ -289,6 +334,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49601,7 +49683,7 @@ index 0b48a30..34207b9 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +340,7 @@ optional_policy(`
+@@ -296,7 +342,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49610,7 +49692,7 @@ index 0b48a30..34207b9 100644
  ')
  
  optional_policy(`
-@@ -307,6 +351,7 @@ optional_policy(`
+@@ -307,6 +353,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -49618,7 +49700,7 @@ index 0b48a30..34207b9 100644
  ')
  
  optional_policy(`
-@@ -320,13 +365,19 @@ optional_policy(`
+@@ -320,13 +367,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49642,7 +49724,7 @@ index 0b48a30..34207b9 100644
  ')
  
  optional_policy(`
-@@ -356,6 +407,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +409,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -71115,7 +71197,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..136b017 100644
+index 3698b51..a422fca 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -71176,7 +71258,7 @@ index 3698b51..136b017 100644
  
  corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
  corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +81,49 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
  
@@ -71212,10 +71294,9 @@ index 3698b51..136b017 100644
 +logging_send_syslog_msg(rabbitmq_beam_t)
 +
 +optional_policy(`
++    couchdb_manage_files(rabbitmq_beam_t)
 +    couchdb_manage_lib_files(rabbitmq_beam_t)
 +    couchdb_read_conf_files(rabbitmq_beam_t)
-+    couchdb_read_log_files(rabbitmq_beam_t)
-+    couchdb_search_pid_dirs(rabbitmq_beam_t)
 +')
 +
 +optional_policy(`
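Review bot: after this change the optional_policy block calls both `couchdb_manage_files(rabbitmq_beam_t)` and `couchdb_manage_lib_files(rabbitmq_beam_t)`, and since the new interface already runs `manage_files_pattern` on couchdb_var_lib_t the second call looks redundant; drop it, or if couchdb_manage_lib_files covers something the new interface does not, keep it and say so in a comment. Replacing `couchdb_read_log_files` and `couchdb_search_pid_dirs` with full file management over couchdb log, lib and pid files is a real widening for beam.smp, so a comment naming which couchdb files it actually writes would justify the change.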
@@ -71231,7 +71312,7 @@ index 3698b51..136b017 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -75020,7 +75101,7 @@ index 56bc01f..1337d42 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..9b2ddd8 100644
+index 2c2de9a..8ea949c 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -75396,15 +75477,16 @@ index 2c2de9a..9b2ddd8 100644
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -140,6 +425,7 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +425,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
  
  corenet_sendrecv_zented_server_packets(fenced_t)
  corenet_tcp_bind_zented_port(fenced_t)
 +corenet_udp_bind_zented_port(fenced_t)
++corenet_tcp_connect_zented_port(fenced_t)
  corenet_tcp_sendrecv_zented_port(fenced_t)
  
  corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +434,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +435,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
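Review bot: `corenet_tcp_connect_zented_port(fenced_t)` is added without the matching `corenet_sendrecv_zented_client_packets(fenced_t)`, although the block already pairs its bind rule with `corenet_sendrecv_zented_server_packets`; add the client packet rule next to the connect rule so labeled-networking configurations are covered too. The changelog attributes the connect to fence_virtd, which is not visible from this hunk since the rule is on fenced_t; a comment such as `# fence_virtd connects to the zented port` would tie the rule to its reason.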
@@ -75415,7 +75497,7 @@ index 2c2de9a..9b2ddd8 100644
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +444,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +445,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -75424,7 +75506,7 @@ index 2c2de9a..9b2ddd8 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +466,8 @@ optional_policy(`
+@@ -182,7 +467,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75434,7 +75516,7 @@ index 2c2de9a..9b2ddd8 100644
  ')
  
  optional_policy(`
-@@ -190,12 +475,12 @@ optional_policy(`
+@@ -190,12 +476,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75450,7 +75532,7 @@ index 2c2de9a..9b2ddd8 100644
  ')
  
  optional_policy(`
-@@ -203,6 +488,13 @@ optional_policy(`
+@@ -203,6 +489,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -75464,7 +75546,7 @@ index 2c2de9a..9b2ddd8 100644
  #######################################
  #
  # foghorn local policy
-@@ -221,16 +513,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +514,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
  corenet_tcp_connect_agentx_port(foghorn_t)
  corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
@@ -75485,7 +75567,7 @@ index 2c2de9a..9b2ddd8 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -257,6 +551,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +552,8 @@ storage_getattr_removable_dev(gfs_controld_t)
  
  init_rw_script_tmp_files(gfs_controld_t)
  
@@ -75494,7 +75576,7 @@ index 2c2de9a..9b2ddd8 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +571,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +572,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -75536,7 +75618,7 @@ index 2c2de9a..9b2ddd8 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +646,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +647,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -78809,7 +78891,7 @@ index 0628d50..e9dbd7e 100644
 +	allow rpm_script_t $1:process sigchld;
  ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..ab091de 100644
+index 5cbe81c..e1d9ae1 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -79150,7 +79232,7 @@ index 5cbe81c..ab091de 100644
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
  
-@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +329,51 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -79177,6 +79259,9 @@ index 5cbe81c..ab091de 100644
 +files_exec_usr_files(rpm_script_t)
 +files_relabel_all_files(rpm_script_t)
 +
++init_disable_services(rpm_script_t)
++init_enable_services(rpm_script_t)
++init_reload_services(rpm_script_t)
  init_domtrans_script(rpm_script_t)
  init_telinit(rpm_script_t)
  
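Review bot: The three new grants `init_disable_services`, `init_enable_services` and `init_reload_services` for rpm_script_t are not mentioned in the commit message or the changelog entry, and neither is `bind_systemctl(rpm_script_t)` added a few hunks later; a package-scriptlet domain gaining the ability to enable, disable and reload systemd services is a noticeable widening and deserves a changelog line. These rules appear to sit at top level rather than inside an `optional_policy` block, so they apply to every rpm scriptlet unconditionally.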
@@ -79208,7 +79293,7 @@ index 5cbe81c..ab091de 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,41 +379,65 @@ ifdef(`distro_redhat',`
+@@ -363,41 +382,69 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -79223,6 +79308,10 @@ index 5cbe81c..ab091de 100644
 +')
 +
 +optional_policy(`
++    bind_systemctl(rpm_script_t)
++')
++
++optional_policy(`
 +	certmonger_dbus_chat(rpm_script_t)
 +')
 +
@@ -79284,7 +79373,7 @@ index 5cbe81c..ab091de 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +449,6 @@ optional_policy(`
+@@ -409,6 +456,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93323,10 +93412,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..2ddef5c
+index 0000000..ed78f6f
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,154 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -93442,6 +93531,10 @@ index 0000000..2ddef5c
 +xserver_use_user_fonts(thumb_t)
 +
 +optional_policy(`
++    bumblebee_stream_connect(thumb_t)
++')
++
++optional_policy(`
 +	dbus_dontaudit_stream_connect_session_bus(thumb_t)
 +	dbus_dontaudit_chat_session_bus(thumb_t)
 +')
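Review bot: `bumblebee_stream_connect(thumb_t)` gives the thumbnailer domain, which parses untrusted user files, a socket channel to the bumblebee daemon; if bumblebeed runs privileged, this is a new path from a compromised thumbnailer to a root-level service and merits a one-line comment recording which thumbnailer needs it, e.g. `# TODO(review): record which thumbnailer requires the bumblebeed socket`. Dontaudit rules are used for the dbus case just below, so it is also worth checking whether a full allow is really required here.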
@@ -96171,7 +96264,7 @@ index c30da4c..6351bcb 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..3ad56e3 100644
+index 9dec06c..09db35b 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -97186,44 +97279,40 @@ index 9dec06c..3ad56e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +658,227 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +658,245 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_lib_files',`
 +interface(`virt_manage_cache',`
- 	gen_require(`
--		type virt_var_lib_t;
++	gen_require(`
 +		type virt_cache_t;
- 	')
- 
--	files_search_var_lib($1)
--	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++	')
++
 +	files_search_var($1)
 +	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
 +	manage_files_pattern($1, virt_cache_t, virt_cache_t)
 +	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create objects in virt pid
--##	directories with a private type.
++')
++
++########################################
++## <summary>
 +##	Allow domain to manage virt image files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="private type">
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +interface(`virt_manage_images',`
-+	gen_require(`
-+		type virt_var_lib_t;
+ 	gen_require(`
+ 		type virt_var_lib_t;
 +		attribute virt_image_type;
-+	')
-+
+ 	')
+ 
+-	files_search_var_lib($1)
+-	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 +	virt_search_lib($1)
 +	allow $1 virt_image_type:dir list_dir_perms;
 +	manage_dirs_pattern($1, virt_image_type, virt_image_type)
@@ -97253,10 +97342,12 @@ index 9dec06c..3ad56e3 100644
 +    manage_dirs_pattern($1, virt_image_t, virt_image_t)
 +    manage_files_pattern($1, virt_image_t, virt_image_t)
 +    read_lnk_files_pattern($1, virt_image_t, virt_image_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in virt pid
+-##	directories with a private type.
 +##	Execute virt server in the virt domain.
 +## </summary>
 +## <param name="domain">
@@ -97283,12 +97374,10 @@ index 9dec06c..3ad56e3 100644
 +##	Ptrace the svirt domain
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	The type of the object to be created.
++##	<summary>
 +##	Domain allowed to transition.
- ##	</summary>
- ## </param>
--## <param name="object">
++##	</summary>
++## </param>
 +#
 +interface(`virt_ptrace',`
 +	gen_require(`
@@ -97301,14 +97390,13 @@ index 9dec06c..3ad56e3 100644
 +#######################################
 +## <summary>
 +##	Manage Sandbox Files
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
  ##	<summary>
--##	The object class of the object being created.
-+##	Domain allowed access.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
+-## <param name="private type">
 +#
 +interface(`virt_manage_sandbox_files',`
 +	gen_require(`
@@ -97326,16 +97414,14 @@ index 9dec06c..3ad56e3 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	The name of the object being created.
+-##	The type of the object to be created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <infoflow type="write" weight="10"/>
- #
--interface(`virt_pid_filetrans',`
+-## <param name="object">
++#
 +interface(`virt_relabel_sandbox_filesystem',`
- 	gen_require(`
--		type virt_var_run_t;
++	gen_require(`
 +		type svirt_sandbox_file_t;
 +	')
 +
@@ -97344,16 +97430,40 @@ index 9dec06c..3ad56e3 100644
 +
 +#######################################
 +## <summary>
-+##	Connect to virt over a unix domain stream socket.
++##	Mounton Sandbox Files
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The object class of the object being created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +#
-+interface(`virt_stream_connect_sandbox',`
++interface(`virt_mounton_sandbox_file',`
 +	gen_require(`
++		type svirt_sandbox_file_t;
++	')
++
++	allow $1 svirt_sandbox_file_t:dir_file_class_set mounton;
++')
++
++#######################################
++## <summary>
++##	Connect to virt over a unix domain stream socket.
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The name of the object being created.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`virt_pid_filetrans',`
++interface(`virt_stream_connect_sandbox',`
+ 	gen_require(`
+-		type virt_var_run_t;
 +		attribute svirt_sandbox_domain;
 +		type svirt_sandbox_file_t;
  	')
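Review bot: The new `virt_mounton_sandbox_file` interface grants `mounton` over the whole `dir_file_class_set` on svirt_sandbox_file_t, which in refpolicy covers symlinks, sockets, fifos and device nodes as well as directories and regular files; if callers only bind-mount directories and files into sandboxes, narrowing the class set keeps the grant minimal. The name is singular while the sibling interfaces in this file use the plural (`virt_manage_sandbox_files`), and the summary `Mounton Sandbox Files` would read better as `Mount on sandbox files`.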
@@ -97437,7 +97547,7 @@ index 9dec06c..3ad56e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,19 +886,17 @@ interface(`virt_read_log',`
+@@ -935,19 +904,17 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
@@ -97461,7 +97571,7 @@ index 9dec06c..3ad56e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +904,17 @@ interface(`virt_append_log',`
+@@ -955,20 +922,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
@@ -97486,7 +97596,7 @@ index 9dec06c..3ad56e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +922,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +940,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
@@ -97509,7 +97619,7 @@ index 9dec06c..3ad56e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +940,57 @@ interface(`virt_search_images',`
+@@ -995,36 +958,57 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
@@ -97586,7 +97696,7 @@ index 9dec06c..3ad56e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +998,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +1016,28 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -97622,7 +97732,7 @@ index 9dec06c..3ad56e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,37 +1027,129 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1045,131 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -97646,7 +97756,7 @@ index 9dec06c..3ad56e3 100644
  ## </summary>
 -## <param name="domain">
 +## <param name="prefix">
- ##	<summary>
++##	<summary>
 +##	Prefix for the domain.
 +##	</summary>
 +## </param>
@@ -97671,7 +97781,7 @@ index 9dec06c..3ad56e3 100644
 +##	Make the specified type usable as a lxc domain
 +## </summary>
 +## <param name="type">
-+##	<summary>
+ ##	<summary>
 +##	Type to be used as a lxc domain
 +##	</summary>
 +## </param>
@@ -97757,7 +97867,9 @@ index 9dec06c..3ad56e3 100644
 +	role $2 types svirt_sandbox_domain;
 +	allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
 +
++	allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
 +	allow svirt_sandbox_domain $1:process sigchld;
++	ps_process_pattern($1, svirt_sandbox_domain)
 +')
 +
 +########################################
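Review bot: The added `allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;` lets every sandbox domain open, read and write any pipe labelled with the caller's type, not only the descriptors it inherited for stdio; if this tree provides the `rw_inherited_fifo_file_perms` set, that is the narrower choice. Either way the interface header, which lies outside this hunk, should document this sandbox-to-caller channel and the new `ps_process_pattern($1, svirt_sandbox_domain)` visibility so that callers such as container managers understand what they are granting. The enclosing interface starts before the hunk.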
@@ -97766,7 +97878,7 @@ index 9dec06c..3ad56e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1157,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1177,54 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -97840,7 +97952,7 @@ index 9dec06c..3ad56e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1220,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1240,36 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -97882,7 +97994,8 @@ index 9dec06c..3ad56e3 100644
 -
 -	files_search_tmp($1)
 -	admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
++	allow $1 virt_domain:process signal_perms;
+ 
 -	files_search_etc($1)
 -	admin_pattern($1, { virt_etc_t virt_etc_rw_t })
 -
@@ -97891,8 +98004,7 @@ index 9dec06c..3ad56e3 100644
 -
 -	files_search_pids($1)
 -	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
-+	allow $1 virt_domain:process signal_perms;
- 
+-
 -	files_search_var($1)
 -	admin_pattern($1, svirt_cache_t)
 -
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7f72cb9..b842728 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 118%{?dist}
+Release: 119%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,29 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jan 20 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-118
+- Add cron unconfined role support for uncofined SELinux user
+- Call kernel_rw_usermodehelper_state() in init.te
+- Call corenet_udp_bind_all_ports() in milter.te
+- Allow fence_virtd to connect to zented port
+- Fix header for mirrormanager_admin()
+- Allow dkim-milter to bind udp ports
+- Allow milter domains to send signull itself
+- Allow block_suspend for yum running as mock_t
+- Allow beam.smp to manage couchdb files
+- Add couchdb_manage_files()
+- Add labeling for /var/log/php_errors.log
+- Allow bumblebee to stream connect to xserver
+- Allow bumblebee to send a signal to xserver
+- gnome-thumbnail to stream connect to bumblebee
+- Fix calling usermodehelper to use _state in interface name
+- Allow xkbcomp running as bumblebee_t to execute  bin_t
+- Allow logrotate to read squid.conf
+- Additional rules to get docker and lxc to play well with SELinux
+- Call kernel_read_usermodhelper/kernel_rw_usermodhelper
+- Allow bumbleed to connect to xserver port
+- Allow pegasus_openlmi_storage_t to read hwdata
+
 * Thu Jan 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-118
 - Allow init_t to work on transitient and snapshot unit files
 - Add logging_manage_syslog_config()

