[selinux-policy] - New access needed to allow docker + lxc +SELinux to work together - Allow apache to write to the o

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jan 22 12:00:14 UTC 2014


commit d7f0c3cf5434a1f5e7bf023122ba26de9e098057
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Jan 22 13:00:17 2014 +0100

    - New access needed to allow docker + lxc +SELinux to work together
    - Allow apache to write to the owncloud data directory in /var/www/html...
    - Cleanup sandbox X AVC's
    - Allow consolekit to create log dir
    - Add support for icinga CGI scripts
    - Add support for icinga
    - Allow kdumpctl_t to create kdump lock file
    - Allow kdump to create lnk lock file
    - Allow ABRT write core_pattern
    - Allow ABRT to read core_pattern
    - Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
    - Allow nscd_t block_suspend capability
    - Allow unconfined domain types to manage own transient unit file
    - Allow systemd domains to handle transient init unit files
    - No longer need the rpm_script_roles line since rpm_transition_script now does this for us
    - Add/fix interfaces for usermodehelper_t
    - Add interfaces to handle transient
    - Fixes for new usermodehelper and proc_security_t types

 policy-rawhide-base.patch    |  192 ++++++++++---
 policy-rawhide-contrib.patch |  640 +++++++++++++++++++++++++++++++++---------
 selinux-policy.spec          |   22 ++-
 3 files changed, 674 insertions(+), 180 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0a4d2b3..928ee6c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8705,7 +8705,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..4182845 100644
+index cf04cb5..dfb34a3 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8822,7 +8822,7 @@ index cf04cb5..4182845 100644
  ')
  
  ########################################
-@@ -147,12 +206,18 @@ optional_policy(`
+@@ -147,12 +206,21 @@ optional_policy(`
  # Use/sendto/connectto sockets created by any domain.
  allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
  
@@ -8833,6 +8833,9 @@ index cf04cb5..4182845 100644
  
 +allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
 +
++# Allow manage transient unit files
++allow unconfined_domain_type self:service manage_service_perms;
++
  # Act upon any other process.
 -allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
 +allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
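Review bot: The comment `# Allow manage transient unit files` above the new `allow unconfined_domain_type self:service manage_service_perms;` is ungrammatical; `# Allow unconfined domains to manage their own transient units` states the rule's intent as the commit message gives it. A short why-note on the `self` target (why a transient unit is checked against the requesting domain's own label rather than a unit-file type) would help the next reader, but that reasoning is not established on this page, so I have not proposed wording for it.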
@@ -8842,7 +8845,7 @@ index cf04cb5..4182845 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,318 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +234,318 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -14897,7 +14900,7 @@ index 7be4ddf..d5ef507 100644
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..3910ec4 100644
+index e100d88..6f745f0 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -15312,7 +15315,7 @@ index e100d88..3910ec4 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3151,525 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3151,565 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -15660,12 +15663,8 @@ index e100d88..3910ec4 100644
 +## </summary>
 +## <desc>
 +##	<p>
-+##	Allow the specified domain to read the securitying
-+##	state information. This includes several pieces
-+##	of securitying information, such as security interface
-+##	names, securityfilter (iptables) statistics, protocol
-+##	information, routes, and remote procedure call (RPC)
-+##	information.
++##	Allow the specified domain to read the security
++##	state information. 
 +##	</p>
 +## </desc>
 +## <param name="domain">
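Review bot: The rewritten description line `##	state information. ` carries trailing whitespace, and the same text with the same trailing space recurs in the next hunk's new `kernel_write_security_state` description; trim both to `##	state information.`. Dropping the copy-pasted network-state wording from the `kernel_read_security_state` description is otherwise the right fix.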
@@ -15689,22 +15688,28 @@ index e100d88..3910ec4 100644
 +
 +########################################
 +## <summary>
-+##	Allow caller to read the security state symbolic links.
++##	Write the security state information.
 +## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to write the security
++##	state information. 
++##	</p>
++## </desc>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <infoflow type="write" weight="10"/>
++## <rolecap/>
 +#
-+interface(`kernel_read_security_state_symlinks',`
++interface(`kernel_write_security_state',`
 +	gen_require(`
 +		type proc_t, proc_security_t;
 +	')
 +
-+	read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
-+
-+	list_dirs_pattern($1, proc_t, proc_security_t)
++	write_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
 +')
 +
 +########################################
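Review bot: `kernel_write_security_state` grants `write_files_pattern($1, { proc_t proc_security_t }, proc_security_t)` but, unlike the sibling `kernel_rw_security_state` that follows in the next hunk, no `list_dirs_pattern($1, proc_t, proc_security_t)`, so a caller can write the files but not enumerate the directory; add the list rule if that asymmetry is unintended. The `<infoflow type="write" weight="10"/>` tag marks this as a high-weight write, and the description should name what kind of files `proc_security_t` labels (its file contexts are not shown on this page) so that a reviewer of any caller, such as the `systemd_sysctl_t` grant later in this commit, can judge whether write rather than read access is needed.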
@@ -15717,35 +15722,34 @@ index e100d88..3910ec4 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`kernel_rw_security_state',`
++interface(`kernel_read_security_state_symlinks',`
 +	gen_require(`
 +		type proc_t, proc_security_t;
 +	')
 +
-+	rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
++	read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
 +
 +	list_dirs_pattern($1, proc_t, proc_security_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write usermodehelper state
++##	Allow caller to read the security state symbolic links.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`kernel_rw_usermodehelper_state',`
++interface(`kernel_rw_security_state',`
 +	gen_require(`
-+		type proc_t, usermodehelper_t;
++		type proc_t, proc_security_t;
 +	')
 +
-+	dev_search_sysfs($1)
-+	rw_files_pattern($1, proc_t, usermodehelper_t)
-+	list_dirs_pattern($1, proc_t, usermodehelper_t)
++	rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
++
++	list_dirs_pattern($1, proc_t, proc_security_t)
 +')
 +
 +########################################
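Review bot: The summary `##	Allow caller to read the security state symbolic links.` now sits directly above `interface(`kernel_rw_security_state',`, whose body is `rw_files_pattern` plus `list_dirs_pattern`, so the XML documentation no longer matches the interface; it looks like the summaries stayed in place while the interface bodies were rotated. Replace it with `##	Read and write the security state.`, and check the summary immediately preceding this hunk, which now heads `kernel_read_security_state_symlinks` (that summary text lies outside the hunk, so I cannot confirm it) — the symlink wording belongs there.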
@@ -15838,6 +15842,45 @@ index e100d88..3910ec4 100644
 +	read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
 +
 +	list_dirs_pattern($1, proc_t, usermodehelper_t)
++')
++
++########################################
++## <summary>
++##	Read and write usermodehelper state
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`kernel_rw_usermodehelper_state',`
++	gen_require(`
++		type proc_t, usermodehelper_t;
++	')
++
++	dev_search_sysfs($1)
++	rw_files_pattern($1, proc_t, usermodehelper_t)
++	list_dirs_pattern($1, proc_t, usermodehelper_t)
++')
++
++########################################
++## <summary>
++##      Relabel to usermodehelper context .
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`kernel_relabelto_usermodehelper',`
++	gen_require(`
++		type usermodehelper_t;
++	')
++
++	allow $1 usermodehelper_t:file relabelto;
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
 index 8dbab4c..4b6c9ad 100644
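Review bot: The new `kernel_relabelto_usermodehelper` documentation block is indented with spaces where every neighbouring interface uses tabs, and its summary `##      Relabel to usermodehelper context .` has a stray space before the period; use `##	Relabel to usermodehelper context.` with tab indentation. Since `usermodehelper_t` labels `/sys/kernel/uevent_helper` (visible earlier in this patch), the ability to relabel files into that type is security relevant, and a sentence in the `<desc>` saying so would help keep the callers of this interface to the few that need it. The permission is granted on `file` only, which matches the `systemd_tmpfiles_t` use added in this commit.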
@@ -19854,10 +19897,10 @@ index 0000000..cf6582f
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..ca62aef
+index 0000000..dbb8afa
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,339 @@
+@@ -0,0 +1,332 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -20153,7 +20196,6 @@ index 0000000..ca62aef
 +')
 +
 +optional_policy(`
-+#	rpm_run(unconfined_t, unconfined_r)
 +	# Allow SELinux aware applications to request rpm_script execution
 +	rpm_transition_script(unconfined_t, unconfined_r)
 +	rpm_dbus_chat(unconfined_t)
@@ -20186,15 +20228,9 @@ index 0000000..ca62aef
 +optional_policy(`
 +	xserver_run(unconfined_t, unconfined_r)
 +	xserver_manage_home_fonts(unconfined_t)
++	xserver_xsession_entry_type(unconfined_t)
 +')
 +
-+
-+gen_require(`
-+    attribute_role  rpm_script_roles;
-+')
-+
-+roleattribute unconfined_r rpm_script_roles;
-+
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
@@ -27754,7 +27790,7 @@ index bc0ffc8..8de430d 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..e1589ac 100644
+index 79a45f6..9a14d49 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -28736,7 +28772,7 @@ index 79a45f6..e1589ac 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2359,360 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2359,432 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -29078,6 +29114,78 @@ index 79a45f6..e1589ac 100644
 +
 +########################################
 +## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_start_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service start;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_stop_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service stop;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_reload_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service reload;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_status_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service status;
++')
++
++########################################
++## <summary>
 +##	Transition to init named content
 +## </summary>
 +## <param name="domain">
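Review bot: All four new interfaces `init_start_transient_unit`, `init_stop_transient_unit`, `init_reload_transient_unit` and `init_status_transient_unit` reuse the summary `##	Tell init to do an unknown access.`, which describes none of them; each body grants one specific `init_t:service` permission and the summary should say which. Suggested wording: `##	Start a transient systemd unit.`, `##	Stop a transient systemd unit.`, `##	Reload a transient systemd unit.` and `##	Get the status of a transient systemd unit.`. The interface that begins at the end of this hunk (`Transition to init named content`) continues outside it and was not checked.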
@@ -38962,10 +39070,10 @@ index 0000000..1d9bdfd
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..2109915
+index 0000000..e9b0d55
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,653 @@
+@@ -0,0 +1,659 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -39234,6 +39342,7 @@ index 0000000..2109915
 +
 +kernel_read_network_state(systemd_tmpfiles_t)
 +kernel_request_load_module(systemd_tmpfiles_t)
++kernel_relabelto_usermodehelper(systemd_tmpfiles_t)
 +
 +dev_write_kmsg(systemd_tmpfiles_t)
 +dev_rw_sysfs(systemd_tmpfiles_t)
@@ -39583,6 +39692,7 @@ index 0000000..2109915
 +
 +kernel_dgram_send(systemd_sysctl_t)
 +kernel_rw_all_sysctls(systemd_sysctl_t)
++kernel_write_security_state(systemd_sysctl_t)
 +
 +files_read_system_conf_files(systemd_sysctl_t)
 +
@@ -39607,6 +39717,10 @@ index 0000000..2109915
 +files_read_usr_files(systemd_domain)
 +
 +init_search_pid_dirs(systemd_domain)
++init_start_transient_unit(systemd_domain)
++init_stop_transient_unit(systemd_domain)
++init_status_transient_unit(systemd_domain)
++init_reload_transient_unit(systemd_domain)
 +
 +logging_stream_connect_syslog(systemd_domain)
 +
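Review bot: The four `init_*_transient_unit(systemd_domain)` calls grant start, stop, status and reload on `init_t:service` to every domain carrying the `systemd_domain` attribute, not only to the helper that actually drives transient units; which member motivated the change is not visible here. Unless each member needs all four, granting them to the specific domain, as this file does with `kernel_write_security_state(systemd_sysctl_t)`, keeps the attribute's privilege set minimal. If the attribute-wide grant is intended, a one-line comment above the block such as `# all systemd helpers may manage transient units` would save the next reviewer the question.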
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 4487f6f..2af1904 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -531,7 +531,7 @@ index 058d908..70eb89d 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..84c5ad6 100644
+index eb50f07..517116e 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -672,7 +672,7 @@ index eb50f07..84c5ad6 100644
  manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
  logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  
-@@ -125,23 +132,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,41 +132,47 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -702,9 +702,12 @@ index eb50f07..84c5ad6 100644
 -kernel_read_system_state(abrt_t)
 +kernel_read_network_state(abrt_t)
  kernel_request_load_module(abrt_t)
++kernel_rw_usermodehelper_state(abrt_t)
  kernel_rw_kernel_sysctl(abrt_t)
++kernel_rw_usermodehelper_state(abrt_t)
  
-@@ -150,16 +163,14 @@ corecmd_exec_shell(abrt_t)
+ corecmd_exec_bin(abrt_t)
+ corecmd_exec_shell(abrt_t)
  corecmd_read_all_executables(abrt_t)
  
  corenet_all_recvfrom_netlabel(abrt_t)
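Review bot: `kernel_rw_usermodehelper_state(abrt_t)` is added twice in this hunk, once before and once after `kernel_rw_kernel_sysctl(abrt_t)`; the duplicate is harmless to the compiled policy but is noise, so drop one. The commit message says ABRT needs to read and write core_pattern; whether that file is labelled `usermodehelper_t` is not shown on this page, so a comment such as `# abrt rewrites the kernel core_pattern` on the remaining line would document why read-write rather than read-only access to usermodehelper state is required.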
@@ -723,7 +726,7 @@ index eb50f07..84c5ad6 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -176,29 +187,40 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +189,40 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -767,7 +770,7 @@ index eb50f07..84c5ad6 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +228,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +230,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -784,7 +787,7 @@ index eb50f07..84c5ad6 100644
  ')
  
  optional_policy(`
-@@ -222,6 +240,20 @@ optional_policy(`
+@@ -222,6 +242,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -805,7 +808,7 @@ index eb50f07..84c5ad6 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -233,6 +265,7 @@ optional_policy(`
+@@ -233,6 +267,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -813,7 +816,7 @@ index eb50f07..84c5ad6 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -243,6 +276,7 @@ optional_policy(`
+@@ -243,6 +278,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -821,7 +824,7 @@ index eb50f07..84c5ad6 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -253,9 +287,17 @@ optional_policy(`
+@@ -253,9 +289,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -840,7 +843,7 @@ index eb50f07..84c5ad6 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +308,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +310,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -855,7 +858,7 @@ index eb50f07..84c5ad6 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +327,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +329,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -863,7 +866,7 @@ index eb50f07..84c5ad6 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +336,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +338,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -884,7 +887,7 @@ index eb50f07..84c5ad6 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +357,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +359,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -911,7 +914,7 @@ index eb50f07..84c5ad6 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +393,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +395,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -925,7 +928,7 @@ index eb50f07..84c5ad6 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +411,11 @@ optional_policy(`
+@@ -343,10 +413,11 @@ optional_policy(`
  
  #######################################
  #
@@ -939,7 +942,7 @@ index eb50f07..84c5ad6 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +434,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +436,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -991,7 +994,7 @@ index eb50f07..84c5ad6 100644
  
  #######################################
  #
-@@ -404,7 +483,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +485,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1000,7 +1003,7 @@ index eb50f07..84c5ad6 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -413,16 +492,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +494,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1044,7 +1047,7 @@ index eb50f07..84c5ad6 100644
  ')
  
  #######################################
-@@ -430,10 +535,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +537,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -2984,10 +2987,10 @@ index 0000000..8ba9c95
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..3d2065e 100644
+index 7caefc3..536a4bd 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,196 @@
+@@ -1,162 +1,197 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3302,6 +3305,7 @@ index 7caefc3..3d2065e 100644
 +/var/www/html/configuration\.php 	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/html(/.*)?/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/html(/.*)?/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html/owncloud/data(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/var/www/miq/vmdb/log(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
@@ -14364,7 +14368,7 @@ index 5b830ec..0647a3b 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/consolekit.te b/consolekit.te
-index bd18063..926e314 100644
+index bd18063..0957efc 100644
 --- a/consolekit.te
 +++ b/consolekit.te
 @@ -19,12 +19,16 @@ type consolekit_var_run_t;
@@ -14384,6 +14388,15 @@ index bd18063..926e314 100644
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket { accept listen };
+@@ -33,7 +37,7 @@ create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
++logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
+ 
+ manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+ manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 @@ -54,38 +58,37 @@ dev_read_sysfs(consolekit_t)
  
  domain_read_all_domains_state(consolekit_t)
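Review bot: `logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })` adds a directory type transition, but a `type_transition` only labels the new object; the `create` permission on `dir` for `consolekit_log_t` must be granted separately, and the visible rules for that type (`create_files_pattern`, `append_files_pattern`, `read_files_pattern`, `setattr_files_pattern`) cover files only. Unless a `create_dirs_pattern` or `manage_dirs_pattern` for `consolekit_log_t` exists outside this hunk, the log-directory creation the commit message describes will still be denied; if not, add `create_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` next to the file rules.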
@@ -22827,10 +22840,10 @@ index c7bb4e7..e6fe2f40 100644
  sysnet_etc_filetrans_config(dnssec_triggerd_t)
 diff --git a/docker.fc b/docker.fc
 new file mode 100644
-index 0000000..b24266e
+index 0000000..1c4ac02
 --- /dev/null
 +++ b/docker.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,17 @@
 +/usr/bin/docker			--	gen_context(system_u:object_r:docker_exec_t,s0)
 +
 +/usr/lib/systemd/system/docker.service		--	gen_context(system_u:object_r:docker_unit_file_t,s0)
@@ -22844,13 +22857,16 @@ index 0000000..b24266e
 +
 +/var/log/lxc(/.*)?		gen_context(system_u:object_r:docker_log_t,s0)
 +
-+
++/var/lib/docker/init(/.*)?		gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..c77a25f
+index 0000000..3061ae5
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,257 @@
+@@ -0,0 +1,323 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@@ -22932,6 +22948,25 @@ index 0000000..c77a25f
 +
 +########################################
 +## <summary>
++##	Read docker share files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`docker_read_share_files',`
++	gen_require(`
++		type docker_share_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, docker_share_t, docker_share_t)
++')
++
++########################################
++## <summary>
 +##	Manage docker lib files.
 +## </summary>
 +## <param name="domain">
@@ -23064,6 +23099,53 @@ index 0000000..c77a25f
 +	allow $1 docker_t:sem rw_sem_perms;
 +')
 +
++#######################################
++## <summary>
++##  Read and write the docker pty type.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`docker_use_ptys',`
++    gen_require(`
++        type docker_devpts_t;
++    ')
++
++    allow $1 docker_devpts_t:chr_file	rw_inherited_term_perms;
++')
++
++#######################################
++## <summary>
++##      Allow domain to create docker content
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`docker_filetrans_named_content',`
++
++    gen_require(`
++        type docker_var_lib_t;
++        type docker_share_t;
++	type docker_log_t;
++	type docker_var_run_t;
++    ')
++
++    files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
++    files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
++    logging_log_filetrans($1, docker_log_t, dir, "lxc")
++    files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
++    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
++    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
++    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
++    filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
@@ -23110,10 +23192,10 @@ index 0000000..c77a25f
 +')
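Review bot: `docker_filetrans_named_content` mixes four-space and tab indentation inside its `gen_require` block (`type docker_share_t;` vs `type docker_log_t;`), and both it and `docker_use_ptys` are indented with spaces while the other interfaces in this file use tabs; normalise to tabs. The `docker_use_ptys` summary `##  Read and write the docker pty type.` likewise uses two-space indentation unlike the tab-indented XML elsewhere in the file. The blank line between `interface(`docker_filetrans_named_content',`` and its `gen_require` is also absent from every sibling interface and can go.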
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..68c225c
+index 0000000..fa972c0
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,188 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -23143,6 +23225,12 @@ index 0000000..68c225c
 +type docker_unit_file_t;
 +systemd_unit_file(docker_unit_file_t)
 +
++type docker_devpts_t;
++term_pty(docker_devpts_t)
++
++type docker_share_t;
++files_type(docker_share_t)
++
 +########################################
 +#
 +# docker local policy
@@ -23167,6 +23255,12 @@ index 0000000..68c225c
 +manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
 +files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
 +
++manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
++manage_files_pattern(docker_t, docker_share_t, docker_share_t)
++manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
++can_exec(docker_t, docker_share_t)
++docker_filetrans_named_content(docker_t)
++
 +manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 +manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 +manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
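Review bot: `can_exec(docker_t, docker_share_t)` makes the same type that labels the `hosts`, `hostname` and `config.env` files (per the `docker.fc` entries in this commit) executable for `docker_t`, which in the line above also gets `manage_files_pattern` on it, so one type is both writable per-container configuration and executable content. If `/var/lib/docker/init` holds binaries (not shown here), a separate exec type with `can_exec` on that type alone would keep the data files non-executable; if the shared type is deliberate, a comment such as `# docker_share_t covers both the init directory and per-container config files` would record the trade-off.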
@@ -23180,6 +23274,9 @@ index 0000000..68c225c
 +manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
 +files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
 +
++allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
++term_create_pty(docker_t, docker_devpts_t)
++
 +kernel_read_system_state(docker_t)
 +kernel_read_network_state(docker_t)
 +kernel_read_all_sysctls(docker_t)
@@ -23280,6 +23377,7 @@ index 0000000..68c225c
 +	virt_exec(docker_t)
 +	virt_stream_connect(docker_t)
 +	virt_stream_connect_sandbox(docker_t)
++	virt_exec_sandbox_files(docker_t)
 +	virt_manage_sandbox_files(docker_t)
 +	virt_relabel_sandbox_filesystem(docker_t)
 +	# for lxc
@@ -26769,6 +26867,224 @@ index 2820368..88c98f4 100644
  sysnet_read_config(gatekeeper_t)
  
  userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+diff --git a/geoclue.fc b/geoclue.fc
+new file mode 100644
+index 0000000..a97f14f
+--- /dev/null
++++ b/geoclue.fc
+@@ -0,0 +1,4 @@
++
++/usr/libexec/geoclue		--	gen_context(system_u:object_r:geoclue_exec_t,s0)
++
++/var/lib/geoclue(/.*)?		gen_context(system_u:object_r:geoclue_var_lib_t,s0)
+diff --git a/geoclue.if b/geoclue.if
+new file mode 100644
+index 0000000..9e17d3e
+--- /dev/null
++++ b/geoclue.if
+@@ -0,0 +1,158 @@
++
++## <summary>Geoclue is a D-Bus service that provides location information</summary>
++
++########################################
++## <summary>
++##	Execute geoclue in the geoclue domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`geoclue_domtrans',`
++	gen_require(`
++		type geoclue_t, geoclue_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, geoclue_exec_t, geoclue_t)
++')
++
++########################################
++## <summary>
++##	Search geoclue lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`geoclue_search_lib',`
++	gen_require(`
++		type geoclue_var_lib_t;
++	')
++
++	allow $1 geoclue_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read geoclue lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`geoclue_read_lib_files',`
++	gen_require(`
++		type geoclue_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage geoclue lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`geoclue_manage_lib_files',`
++	gen_require(`
++		type geoclue_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage geoclue lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`geoclue_manage_lib_dirs',`
++	gen_require(`
++		type geoclue_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
++')
++
++########################################
++## <summary>
++##  Send and receive messages from
++##  geoclue over dbus.
++## </summary>
++## <param name="domain">
++##  <summary>
++##      Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`geoclue_dbus_chat',`
++        gen_require(`
++                type geoclue_t;
++                class dbus send_msg;
++        ')
++
++        allow $1 geoclue_t:dbus send_msg;
++        allow geoclue_t $1:dbus send_msg;
++	    ps_process_pattern(geoclue_t, $1)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an geoclue environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`geoclue_admin',`
++	gen_require(`
++		type geoclue_t;
++		type geoclue_var_lib_t;
++	')
++
++	allow $1 geoclue_t:process { signal_perms };
++	ps_process_pattern($1, geoclue_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 geoclue_t:process ptrace;
++    ')
++
++	files_search_var_lib($1)
++	admin_pattern($1, geoclue_var_lib_t)
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/geoclue.te b/geoclue.te
+new file mode 100644
+index 0000000..64faa9e
+--- /dev/null
++++ b/geoclue.te
+@@ -0,0 +1,38 @@
++policy_module(geoclue, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type geoclue_t;
++type geoclue_exec_t;
++application_domain(geoclue_t, geoclue_exec_t)
++role system_r types geoclue_t;
++
++type geoclue_var_lib_t;
++files_type(geoclue_var_lib_t)
++
++########################################
++#
++# geoclue local policy
++#
++
++manage_dirs_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
++manage_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
++manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
++files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })
++
++corenet_tcp_connect_http_port(geoclue_t)
++
++corecmd_exec_bin(geoclue_t)
++
++dev_read_urand(geoclue_t)
++
++miscfiles_read_certs(geoclue_t)
++
++sysnet_dns_name_resolve(geoclue_t)
++
++optional_policy(`
++	dbus_system_domain(geoclue_t, geoclue_exec_t)
++')
 diff --git a/gift.te b/gift.te
 index 8a820fa..996b30c 100644
 --- a/gift.te
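Review bot: `geoclue.if` has `##	Execute geoclue in the geoclue domin.` (should be `domain`), and `geoclue_dbus_chat` plus the `tunable_policy(`deny_ptrace'` block in `geoclue_admin` are indented with spaces and a tab-plus-spaces mix (`+	    ps_process_pattern(geoclue_t, $1)`) while the rest of the new file uses tabs. The `ps_process_pattern(geoclue_t, $1)` rule inside `geoclue_dbus_chat` lets geoclue read the caller's process state, which goes beyond the summary "Send and receive messages from geoclue over dbus"; either mention it in the summary or move it to its own interface so callers that only need D-Bus chat do not expose their process state. In `geoclue.te`, `role system_r types geoclue_t;` next to `application_domain` is unusual enough to deserve a one-line comment on how the domain is entered.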
@@ -34481,10 +34797,10 @@ index 3a00b3a..21efcc4 100644
 +	allow $1 kdump_unit_file_t:service all_service_perms;
  ')
 diff --git a/kdump.te b/kdump.te
-index 715fc21..f6a381c 100644
+index 715fc21..1cbf3be 100644
 --- a/kdump.te
 +++ b/kdump.te
-@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t)
+@@ -12,35 +12,56 @@ init_system_domain(kdump_t, kdump_exec_t)
  type kdump_etc_t;
  files_config_file(kdump_etc_t)
  
@@ -34522,13 +34838,14 @@ index 715fc21..f6a381c 100644
 +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
 +manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
 +files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
-+
-+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
  
 -allow kdump_t kdump_etc_t:file read_file_perms;
++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
++
 +manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
 +manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
-+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file })
++manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
++files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file })
  
 -files_read_etc_files(kdump_t)
  files_read_etc_runtime_files(kdump_t)
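Review bot: The new `files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file })` is an unnamed transition, so every symlink kdump_t creates under the lock directory is labelled kdump_lock_t, while the companion kdumpctl_t hunk in this same patch pins its file with the name "kdump". If the symlink kdump creates has a fixed name, passing it as the fourth argument keeps the transition as narrow as the kdumpctl one; if the name varies, a comment such as `# kdump creates a symlink to its lock file, name not fixed` above the line would record why the wildcard is intentional. The kdump_t block continues outside the hunk.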
@@ -34545,7 +34862,7 @@ index 715fc21..f6a381c 100644
  dev_read_framebuffer(kdump_t)
  dev_read_sysfs(kdump_t)
  
-@@ -48,22 +68,32 @@ term_use_console(kdump_t)
+@@ -48,22 +69,35 @@ term_use_console(kdump_t)
  
  #######################################
  #
@@ -34559,12 +34876,14 @@ index 715fc21..f6a381c 100644
 +
  allow kdumpctl_t self:capability { dac_override sys_chroot };
  allow kdumpctl_t self:process setfscreate;
--allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
++
+ allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
 -allow kdumpctl_t self:unix_stream_socket { accept listen };
++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
  
 -allow kdumpctl_t kdump_etc_t:file read_file_perms;
-+allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
-+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
++manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t)
++files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump")
  
  manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
 +manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
@@ -34583,7 +34902,7 @@ index 715fc21..f6a381c 100644
  
  kernel_read_system_state(kdumpctl_t)
  
-@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t)
+@@ -71,46 +105,56 @@ corecmd_exec_bin(kdumpctl_t)
  corecmd_exec_shell(kdumpctl_t)
  
  dev_read_sysfs(kdumpctl_t)
@@ -47924,41 +48243,51 @@ index 0000000..0e585e3
 +	mysql_tcp_connect(mythtv_script_t)
 +')
 diff --git a/nagios.fc b/nagios.fc
-index d78dfc3..24a2dec 100644
+index d78dfc3..02f18ac 100644
 --- a/nagios.fc
 +++ b/nagios.fc
-@@ -1,88 +1,97 @@
+@@ -1,88 +1,109 @@
 -/etc/nagios(/.*)?	gen_context(system_u:object_r:nagios_etc_t,s0)
 -/etc/nagios/nrpe\.cfg	--	gen_context(system_u:object_r:nrpe_etc_t,s0)
 +/etc/nagios(/.*)?					gen_context(system_u:object_r:nagios_etc_t,s0)
++/etc/icinga(/.*)?					gen_context(system_u:object_r:nagios_etc_t,s0)
 +/etc/nagios/nrpe\.cfg				--	gen_context(system_u:object_r:nrpe_etc_t,s0)
 +/etc/rc\.d/init\.d/nagios			--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/nrpe				--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
  
 -/etc/rc\.d/init\.d/nagios	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/nrpe	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-+/usr/s?bin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
-+/usr/s?bin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/bin/nagios	--	gen_context(system_u:object_r:nagios_exec_t,s0)
 -/usr/bin/nrpe	--	gen_context(system_u:object_r:nrpe_exec_t,s0)
-+/usr/lib/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:nagios_script_exec_t,s0)
-+/usr/lib/nagios/cgi(/.*)?				gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/bin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/bin/icinga		        --	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/bin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/sbin/nagios	--	gen_context(system_u:object_r:nagios_exec_t,s0)
 -/usr/sbin/nrpe	--	gen_context(system_u:object_r:nrpe_exec_t,s0)
-+/var/log/nagios(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
-+/var/log/netsaint(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
++/usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/sbin/icinga		        --	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/sbin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/lib/cgi-bin/nagios(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 -/usr/lib/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/var/run/nagios.*					gen_context(system_u:object_r:nagios_var_run_t,s0)
++/usr/lib/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi(/.*)?				gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/lib/icinga/cgi(/.*)?				gen_context(system_u:object_r:nagios_script_exec_t,s0)
  
 -/usr/lib/nagios/cgi(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 -/usr/lib/nagios/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/var/spool/nagios(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
++/var/log/nagios(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
++/var/log/icinga(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
++/var/log/netsaint(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
  
 -/usr/lib/nagios/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
++/var/run/nagios.*					gen_context(system_u:object_r:nagios_var_run_t,s0)
++
++/var/spool/nagios(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
++/var/spool/icinga(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
++
 +ifdef(`distro_debian',`
 +/usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
 +')
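Review bot: The two icinga executable entries (`/usr/bin/icinga` and `/usr/sbin/icinga`) align their `--` column with a run of spaces after the tabs, whereas every other line in this hunk uses tabs only; the `.fc` file is whitespace-separated so it still parses, but the mixed indentation will not line up in other editors and is the only style inconsistency in the new lines. Replacing the spaces with tabs, e.g. `/usr/bin/icinga				--	gen_context(system_u:object_r:nagios_exec_t,s0)`, matches the nagios line directly above it. The icinga paths otherwise reuse the existing nagios types, which is consistent with the "Add support for icinga" changelog entry.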
@@ -47978,9 +48307,9 @@ index d78dfc3..24a2dec 100644
 -/usr/lib/nagios/plugins/check_mailq		--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
 +# mail plugins
 +/usr/lib/nagios/plugins/check_mailq	--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
-+
-+/usr/lib/pnp4nagios(/.*)?			gen_context(system_u:object_r:nagios_var_lib_t,s0)
  
++/usr/lib/pnp4nagios(/.*)?			gen_context(system_u:object_r:nagios_var_lib_t,s0)
++
 +# system plugins
  /usr/lib/nagios/plugins/check_breeze	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
  /usr/lib/nagios/plugins/check_dummy	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
@@ -48071,10 +48400,11 @@ index d78dfc3..24a2dec 100644
  
 -/var/run/nagios.*	--	gen_context(system_u:object_r:nagios_var_run_t,s0)
 -/var/run/nrpe.*	--	gen_context(system_u:object_r:nrpe_var_run_t,s0)
--
--/var/spool/nagios(/.*)?	gen_context(system_u:object_r:nagios_spool_t,s0)
 +# eventhandlers
 +/usr/lib/nagios/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
++/usr/lib/icinga/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+ 
+-/var/spool/nagios(/.*)?	gen_context(system_u:object_r:nagios_spool_t,s0)
 diff --git a/nagios.if b/nagios.if
 index 0641e97..d7d9a79 100644
 --- a/nagios.if
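Review bot: The new `/usr/lib/icinga/plugins/eventhandlers(/.*)` pattern has no `?` after the group, so the eventhandlers directory itself is not matched and keeps whatever label its parent gives it; only entries below it get nagios_eventhandler_plugin_exec_t. This mirrors the nagios line directly above it, so it may be deliberate, but the other icinga entries added in this commit all use `(/.*)?`. If the directory is meant to carry the type too, `/usr/lib/icinga/plugins/eventhandlers(/.*)?` would do it; otherwise a short comment noting that only the contents are labelled would stop the next reader from "fixing" it.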
@@ -51219,7 +51549,7 @@ index 8f2ab09..6ab4ea1 100644
 +	allow $1 nscd_unit_file_t:service all_service_perms;
  ')
 diff --git a/nscd.te b/nscd.te
-index bcd7d0a..3878d3c 100644
+index bcd7d0a..8cc5de9 100644
 --- a/nscd.te
 +++ b/nscd.te
 @@ -4,33 +4,34 @@ gen_require(`
@@ -51267,7 +51597,11 @@ index bcd7d0a..3878d3c 100644
  type nscd_log_t;
  logging_log_file(nscd_log_t)
  
-@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid };
+@@ -40,56 +41,58 @@ logging_log_file(nscd_log_t)
+ #
+ 
+ allow nscd_t self:capability { kill setgid setuid };
++allow nscd_t self:capability2 block_suspend;
  dontaudit nscd_t self:capability sys_tty_config;
  allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
  allow nscd_t self:fifo_file read_fifo_file_perms;
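Review bot: The added `allow nscd_t self:capability2 block_suspend;` has no comment recording which nscd operation triggers the denial, and capability grants are the lines a policy auditor reads first. A one-liner above it, e.g. `# block_suspend: needed for <operation observed in the AVC that motivated this>` with the real operation filled in, would make the grant reviewable later without digging through the changelog ("Allow nscd_t block_suspen capability", which also has a typo). The rest of the nscd_t self rules continue outside the hunk.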
@@ -51340,7 +51674,7 @@ index bcd7d0a..3878d3c 100644
  corenet_rw_tun_tap_dev(nscd_t)
  
  selinux_get_fs_mount(nscd_t)
-@@ -98,16 +100,23 @@ selinux_compute_access_vector(nscd_t)
+@@ -98,16 +101,23 @@ selinux_compute_access_vector(nscd_t)
  selinux_compute_create_context(nscd_t)
  selinux_compute_relabel_context(nscd_t)
  selinux_compute_user_contexts(nscd_t)
@@ -51365,7 +51699,7 @@ index bcd7d0a..3878d3c 100644
  userdom_dontaudit_use_user_terminals(nscd_t)
  userdom_dontaudit_use_unpriv_user_fds(nscd_t)
  userdom_dontaudit_search_user_home_dirs(nscd_t)
-@@ -121,20 +130,31 @@ optional_policy(`
+@@ -121,20 +131,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78480,7 +78814,7 @@ index ef3b225..d248cd3 100644
  	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..8c53520 100644
+index 6fc360e..13ae4ca 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -78820,7 +79154,7 @@ index 6fc360e..8c53520 100644
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
  
-@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +329,51 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -78847,6 +79181,9 @@ index 6fc360e..8c53520 100644
 +files_exec_usr_files(rpm_script_t)
 +files_relabel_all_files(rpm_script_t)
 +
++init_disable_services(rpm_script_t)
++init_enable_services(rpm_script_t)
++init_reload_services(rpm_script_t)
  init_domtrans_script(rpm_script_t)
  init_telinit(rpm_script_t)
  
@@ -78878,7 +79215,7 @@ index 6fc360e..8c53520 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,41 +379,63 @@ ifdef(`distro_redhat',`
+@@ -363,41 +382,67 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -78893,6 +79230,10 @@ index 6fc360e..8c53520 100644
 +')
 +
 +optional_policy(`
++    bind_systemctl(rpm_script_t)
++')
++
++optional_policy(`
 +	certmonger_dbus_chat(rpm_script_t)
 +')
 +
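Review bot: The new `bind_systemctl(rpm_script_t)` call is indented with four spaces while every neighbouring optional_policy body in this hunk uses a tab; `	bind_systemctl(rpm_script_t)` keeps the file consistent. Separately, the earlier rpm.te hunk in this same commit already gives rpm_script_t init_enable_services/init_disable_services/init_reload_services, so it is worth confirming whether the bind-specific systemctl interface is still required or whether those generic grants cover the scriptlet's need; if it is required, a comment naming the scriptlet would help. The enclosing rpm_script_t optional_policy block continues outside the hunk.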
@@ -78953,7 +79294,7 @@ index 6fc360e..8c53520 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +447,6 @@ optional_policy(`
+@@ -409,6 +454,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82352,7 +82693,7 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..e45c73a
+index 0000000..e30b346
 --- /dev/null
 +++ b/sandboxX.if
 @@ -0,0 +1,393 @@
@@ -82400,7 +82741,7 @@ index 0000000..e45c73a
 +	dontaudit sandbox_x_domain $1:fifo_file { read write };
 +	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
-+	dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
++	dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:process { signal sigkill };
 +	
 +	allow $1 sandbox_tmpfs_type:file manage_file_perms;
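Review bot: Widening the unix_stream_socket dontaudit from `{ read write }` to `rw_socket_perms` silences more than the leaked-descriptor noise the "Cleanup sandbox X AVC's" entry describes: in refpolicy's permission sets rw_socket_perms also covers ioctl, getattr/setattr, bind/connect, getopt/setopt and shutdown. A dontaudit does not grant anything, but it removes the audit trail for those operations, so if only read/write denials were observed the narrower set was more precise. If the broader set is intentional, a comment such as `# sandbox_x_domain inherits the caller's sockets; suppress all rw noise` above the line would document it. The interface body continues outside the hunk.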
@@ -82751,7 +83092,7 @@ index 0000000..e45c73a
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..4566e9b
+index 0000000..0161658
 --- /dev/null
 +++ b/sandboxX.te
 @@ -0,0 +1,498 @@
@@ -83038,6 +83379,10 @@ index 0000000..4566e9b
 +	fs_exec_fusefs_files(sandbox_x_domain)
 +')
 +
++optional_policy(`
++	networkmanager_dontaudit_dbus_chat(sandbox_x_domain)
++')
++
 +files_search_home(sandbox_x_t)
 +userdom_use_user_ptys(sandbox_x_t)
 +
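Review bot: Moving `networkmanager_dontaudit_dbus_chat` from sandbox_web_type (removed in the next sandboxX.te hunk) to sandbox_x_domain extends the dontaudit to every sandbox X domain rather than only the web variants, which changes what denials remain visible for the non-web sandboxes. That may well be the intended cleanup, but nothing in the hunk or the changelog says so; a comment above the optional_policy block, e.g. `# all sandbox X domains probe NetworkManager over D-Bus; silence rather than allow`, would record the reasoning. The surrounding sandbox_x_domain rules continue outside the hunk.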
@@ -83194,10 +83539,6 @@ index 0000000..4566e9b
 +')
 +
 +optional_policy(`
-+	networkmanager_dontaudit_dbus_chat(sandbox_web_type)
-+')
-+
-+optional_policy(`
 +	nsplugin_manage_rw(sandbox_web_type)
 +	nsplugin_read_rw_files(sandbox_web_type)
 +	nsplugin_rw_exec(sandbox_web_type)
@@ -95763,7 +96104,7 @@ index a4f20bc..6351bcb 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..09db35b 100644
+index facdee8..fc7901b 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -96778,7 +97119,7 @@ index facdee8..09db35b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +658,245 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +658,263 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -96841,12 +97182,10 @@ index facdee8..09db35b 100644
 +    manage_dirs_pattern($1, virt_image_t, virt_image_t)
 +    manage_files_pattern($1, virt_image_t, virt_image_t)
 +    read_lnk_files_pattern($1, virt_image_t, virt_image_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create objects in virt pid
--##	directories with a private type.
++')
++
++########################################
++## <summary>
 +##	Execute virt server in the virt domain.
 +## </summary>
 +## <param name="domain">
@@ -96866,10 +97205,12 @@ index facdee8..09db35b 100644
 +	allow $1 virtd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, virtd_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in virt pid
+-##	directories with a private type.
 +##	Ptrace the svirt domain
 +## </summary>
 +## <param name="domain">
@@ -96888,6 +97229,24 @@ index facdee8..09db35b 100644
 +
 +#######################################
 +## <summary>
++##	Execute Sandbox Files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_exec_sandbox_files',`
++	gen_require(`
++		type svirt_sandbox_file_t;
++	')
++
++	can_exec($1, svirt_sandbox_file_t)
++')
++
++#######################################
++## <summary>
 +##	Manage Sandbox Files
  ## </summary>
  ## <param name="domain">
@@ -97046,7 +97405,7 @@ index facdee8..09db35b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,19 +904,17 @@ interface(`virt_read_log',`
+@@ -935,19 +922,17 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
@@ -97070,7 +97429,7 @@ index facdee8..09db35b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +922,17 @@ interface(`virt_append_log',`
+@@ -955,20 +940,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
@@ -97095,7 +97454,7 @@ index facdee8..09db35b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +940,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +958,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
@@ -97118,7 +97477,7 @@ index facdee8..09db35b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +958,57 @@ interface(`virt_search_images',`
+@@ -995,36 +976,57 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
@@ -97195,7 +97554,7 @@ index facdee8..09db35b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +1016,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +1034,28 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -97231,7 +97590,7 @@ index facdee8..09db35b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,37 +1045,131 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1063,131 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -97255,7 +97614,7 @@ index facdee8..09db35b 100644
  ## </summary>
 -## <param name="domain">
 +## <param name="prefix">
-+##	<summary>
+ ##	<summary>
 +##	Prefix for the domain.
 +##	</summary>
 +## </param>
@@ -97280,7 +97639,7 @@ index facdee8..09db35b 100644
 +##	Make the specified type usable as a lxc domain
 +## </summary>
 +## <param name="type">
- ##	<summary>
++##	<summary>
 +##	Type to be used as a lxc domain
 +##	</summary>
 +## </param>
@@ -97377,7 +97736,7 @@ index facdee8..09db35b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1177,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1195,54 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -97451,7 +97810,7 @@ index facdee8..09db35b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1240,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1258,36 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -97524,7 +97883,7 @@ index facdee8..09db35b 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..2249f86 100644
+index f03dcf5..215ace6 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,197 @@
@@ -97539,7 +97898,7 @@ index f03dcf5..2249f86 100644
 +gen_require(`
 +    class passwd rootok;
 +    class passwd passwd;
-+    ')
++')
 +
 +attribute virsh_transition_domain;
 +attribute virt_ptynode;
@@ -97708,10 +98067,10 @@ index f03dcf5..2249f86 100644
 +
 +virt_domain_template(svirt_tcg)
 +role system_r types svirt_tcg_t;
++
++type qemu_exec_t, virt_file_type;
  
 -type virt_cache_t alias svirt_cache_t;
-+type qemu_exec_t, virt_file_type;
-+
 +type virt_cache_t alias svirt_cache_t, virt_file_type;
  files_type(virt_cache_t)
  
@@ -98225,17 +98584,17 @@ index f03dcf5..2249f86 100644
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
--
 -kernel_read_crypto_sysctls(virtd_t)
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
@@ -98497,13 +98856,7 @@ index f03dcf5..2249f86 100644
 -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +kernel_read_net_sysctls(virt_domain)
- 
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++
 +userdom_search_user_home_content(virt_domain)
 +userdom_read_user_home_content_symlinks(virt_domain)
 +userdom_read_all_users_state(virt_domain)
@@ -98513,7 +98866,13 @@ index f03dcf5..2249f86 100644
 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
+ 
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +files_var_filetrans(virt_domain, virt_cache_t, { file dir })
@@ -98640,7 +98999,7 @@ index f03dcf5..2249f86 100644
 +	sssd_dontaudit_read_lib(virt_domain)
 +	sssd_dontaudit_read_public_files(virt_domain)
 +')
-+
+ 
 +optional_policy(`
 +	virt_read_config(virt_domain)
 +	virt_read_lib_files(virt_domain)
@@ -98658,7 +99017,7 @@ index f03dcf5..2249f86 100644
 +	term_use_unallocated_ttys(virt_domain)
 +	dev_rw_printer(virt_domain)
 +')
- 
++
 +tunable_policy(`virt_use_fusefs',`
 +	fs_manage_fusefs_dirs(virt_domain)
 +	fs_manage_fusefs_files(virt_domain)
@@ -98970,7 +99329,7 @@ index f03dcf5..2249f86 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1117,274 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1117,275 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -99003,12 +99362,12 @@ index f03dcf5..2249f86 100644
 +optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
- 
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
-+
+ 
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
@@ -99106,15 +99465,6 @@ index f03dcf5..2249f86 100644
 +	apache_exec_modules(svirt_sandbox_domain)
 +	apache_read_sys_content(svirt_sandbox_domain)
 +')
-+
-+optional_policy(`
-+	docker_read_lib_files(svirt_sandbox_domain)
-+	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+')
-+
-+optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
  
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -99199,17 +99549,27 @@ index f03dcf5..2249f86 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+	ssh_use_ptys(svirt_sandbox_domain)
++	docker_read_share_files(svirt_sandbox_domain)
++	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++	docker_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
  
  optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
-+	udev_read_pid_files(svirt_sandbox_domain)
++	ssh_use_ptys(svirt_sandbox_domain)
  ')
  
  optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
++	udev_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
  ')
  
@@ -99237,6 +99597,10 @@ index f03dcf5..2249f86 100644
 -kernel_read_network_state(svirt_lxc_net_t)
 -kernel_read_irq_sysctls(svirt_lxc_net_t)
 +allow svirt_lxc_net_t self:process { execstack execmem };
++
++tunable_policy(`virt_sandbox_use_sys_admin',`
++	allow svirt_lxc_net_t self:capability sys_admin;
++')
  
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -99248,13 +99612,6 @@ index f03dcf5..2249f86 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+	allow svirt_lxc_net_t self:capability sys_admin;
-+')
- 
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
 +tunable_policy(`virt_sandbox_use_netlink',`
 +	allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 +	allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -99263,13 +99620,16 @@ index f03dcf5..2249f86 100644
 +	logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
 +')
  
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
 +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
 +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
  
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
 +kernel_read_irq_sysctls(svirt_lxc_net_t)
-+
+ 
 +dev_read_sysfs(svirt_lxc_net_t)
  dev_getattr_mtrr_dev(svirt_lxc_net_t)
  dev_read_rand(svirt_lxc_net_t)
@@ -99336,11 +99696,11 @@ index f03dcf5..2249f86 100644
 +dev_rw_kvm(svirt_qemu_net_t)
 +
 +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-+
-+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
  
 -allow svirt_prot_exec_t self:process { execmem execstack };
++list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++
 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 +
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
@@ -99383,7 +99743,7 @@ index f03dcf5..2249f86 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1397,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1398,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -99398,7 +99758,7 @@ index f03dcf5..2249f86 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,9 +1415,8 @@ optional_policy(`
+@@ -1192,9 +1416,8 @@ optional_policy(`
  
  ########################################
  #
@@ -99409,7 +99769,7 @@ index f03dcf5..2249f86 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1429,198 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1430,198 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a4d715c..23f0fd0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,26 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jan 22 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-16
+- New access needed to allow docker + lxc +SELinux to work together
+- Allow apache to write to the owncloud data directory in /var/www/html...
+- Cleanup sandbox X AVC's
+- Allow consolekit to create log dir
+- Add support for icinga CGI scripts
+- Add support for icinga
+- Allow kdumpctl_t to create kdump lock file
+- Allow kdump to create lnk lock file
+- Allow ABRT write core_pattern
+- Allwo ABRT to read core_pattern
+- Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
+- Allow nscd_t block_suspen capability
+- Allow unconfined domain types to manage own transient unit file
+- Allow systemd domains to handle transient init unit files
+- No longer need the rpm_script_roles line since rpm_transition_script now does this for us
+- Add/fix interfaces for usermodehelper_t
+- Add interfaces to handle transient
+- Fixes for new usermodehelper and proc_securit_t types, added to increase security on /proc and /sys file systems
+
 * Mon Jan 20 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-15
 - Add cron unconfined role support for uncofined SELinux user
 - Call kernel_rw_usermodehelper_state() in init.te

