[selinux-policy] - Add additional fixes for systemd_networkd_t - Allow systemd-logind to manage user_tmpfs_t - Allow

Miroslav Grepl mgrepl at fedoraproject.org
Fri Mar 14 10:01:22 UTC 2014


commit 3f9fe171866df791f6a72d08dc9d756971d2ddd0
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Mar 14 11:01:06 2014 +0100

    - Add additional fixes for systemd_networkd_t
    - Allow systemd-logind to manage user_tmpfs_t
    - Allow systemd-logind to mount /run/user/1000 to get gdm working
    - Dontaudit attempts to setsched on the kernel_t threads
    - Allow munin mail plugins to read network sysctl
    - Fix git_system_enable_homedirs boolean
    - Make cimtest script 03_defineVS.py of ComputerSystem group working
    - Make abrt-java-connector working
    - Allow net_admin cap for fence_virtd running as fenced_t
    - Allow vmtools_helper_t to execute bin_t
    - Add support for /usr/share/joomla

 policy-rawhide-base.patch    |  459 +++++++++++++++++++++++-------------------
 policy-rawhide-contrib.patch |  370 ++++++++++++++++++++-------------
 selinux-policy.spec          |   15 ++-
 3 files changed, 490 insertions(+), 354 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index daa1d07..18e996e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -14974,10 +14974,35 @@ index 7be4ddf..d5ef507 100644
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..1c1a61c 100644
+index e100d88..98dc4c1 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
+@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit attempts to set the priority of kernel threads.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_dontaudit_setsched',`
++	gen_require(`
++		type kernel_t;
++	')
++
++	dontaudit $1 kernel_t:process setsched;
++')
++
++########################################
++## <summary>
+ ##	Send a SIGCHLD signal to kernel threads.
+ ## </summary>
+ ## <param name="domain">
+@@ -286,7 +304,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
  		type kernel_t;
  	')
  
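Review bot: The `<param>` summary of the new `kernel_dontaudit_setsched` interface reads `Domain allowed access.`, but the interface only adds a `dontaudit` rule and grants nothing; the wording used elsewhere in this patch for a dontaudit interface (`userdom_dontaudit_append_user_home_content_files`) is `##	Domain to not audit.`, and that line should replace it so the generated interface documentation does not suggest an allow. The summary itself is accurate: the rule silences `setsched` denials on `kernel_t` without permitting the access, so a domain that really needs to change kernel-thread priority still has to call `kernel_setsched`. The surrounding kernel.if context continues outside this hunk.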
@@ -14986,7 +15011,7 @@ index e100d88..1c1a61c 100644
  ')
  
  ########################################
-@@ -762,8 +762,8 @@ interface(`kernel_manage_debugfs',`
+@@ -762,8 +780,8 @@ interface(`kernel_manage_debugfs',`
  	')
  
  	manage_files_pattern($1, debugfs_t, debugfs_t)
@@ -14996,7 +15021,7 @@ index e100d88..1c1a61c 100644
  ')
  
  ########################################
-@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
+@@ -786,6 +804,24 @@ interface(`kernel_mount_kvmfs',`
  
  ########################################
  ## <summary>
@@ -15021,7 +15046,7 @@ index e100d88..1c1a61c 100644
  ##	Unmount the proc filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',`
+@@ -804,6 +840,24 @@ interface(`kernel_unmount_proc',`
  
  ########################################
  ## <summary>
@@ -15046,7 +15071,7 @@ index e100d88..1c1a61c 100644
  ##	Get the attributes of the proc filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',`
+@@ -991,13 +1045,10 @@ interface(`kernel_read_proc_symlinks',`
  #
  interface(`kernel_read_system_state',`
  	gen_require(`
@@ -15062,7 +15087,7 @@ index e100d88..1c1a61c 100644
  ')
  
  ########################################
-@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',`
+@@ -1025,6 +1076,25 @@ interface(`kernel_write_proc_files',`
  
  ########################################
  ## <summary>
@@ -15088,7 +15113,7 @@ index e100d88..1c1a61c 100644
  ##	Do not audit attempts by caller to
  ##	read system state information in proc.
  ## </summary>
-@@ -1208,6 +1260,24 @@ interface(`kernel_read_messages',`
+@@ -1208,6 +1278,24 @@ interface(`kernel_read_messages',`
  
  ########################################
  ## <summary>
@@ -15113,7 +15138,7 @@ index e100d88..1c1a61c 100644
  ##	Allow caller to get the attributes of kernel message
  ##	interface (/proc/kmsg).
  ## </summary>
-@@ -1477,6 +1547,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1565,24 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
@@ -15138,7 +15163,7 @@ index e100d88..1c1a61c 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -1750,16 +1838,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1856,9 @@ interface(`kernel_rw_unix_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15156,7 +15181,7 @@ index e100d88..1c1a61c 100644
  ')
  
  ########################################
-@@ -1771,16 +1852,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1870,9 @@ interface(`kernel_read_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15174,7 +15199,7 @@ index e100d88..1c1a61c 100644
  ')
  
  ########################################
-@@ -1792,16 +1866,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1884,9 @@ interface(`kernel_rw_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15192,7 +15217,7 @@ index e100d88..1c1a61c 100644
  ')
  
  ########################################
-@@ -1813,16 +1880,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1898,9 @@ interface(`kernel_read_modprobe_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15210,7 +15235,7 @@ index e100d88..1c1a61c 100644
  ')
  
  ########################################
-@@ -2085,7 +2145,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2163,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -15219,7 +15244,7 @@ index e100d88..1c1a61c 100644
  ')
  
  ########################################
-@@ -2282,6 +2342,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2360,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -15245,7 +15270,7 @@ index e100d88..1c1a61c 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2385,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2403,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15254,7 +15279,7 @@ index e100d88..1c1a61c 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2567,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2585,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -15279,7 +15304,7 @@ index e100d88..1c1a61c 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2525,6 +2622,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2640,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
  
  ########################################
  ## <summary>
@@ -15304,7 +15329,7 @@ index e100d88..1c1a61c 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2667,6 +2782,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2800,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -15329,7 +15354,7 @@ index e100d88..1c1a61c 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2694,6 +2827,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2845,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -15355,7 +15380,7 @@ index e100d88..1c1a61c 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2803,6 +2955,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +2973,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -15389,7 +15414,7 @@ index e100d88..1c1a61c 100644
  
  ########################################
  ## <summary>
-@@ -2958,6 +3137,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3155,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -15414,7 +15439,7 @@ index e100d88..1c1a61c 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3169,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3187,565 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -39651,10 +39676,10 @@ index 0000000..8bca1d7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..d0651a8
+index 0000000..188a153
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,673 @@
+@@ -0,0 +1,677 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -39796,6 +39821,8 @@ index 0000000..d0651a8
 +fs_manage_cgroup_files(systemd_logind_t)
 +fs_getattr_tmpfs(systemd_logind_t)
 +fs_read_tmpfs_symlinks(systemd_logind_t)
++fs_mount_tmpfs(systemd_logind_t)
++userdom_mounton_tmp_dirs(systemd_logind_t)
 +
 +storage_setattr_removable_dev(systemd_logind_t)
 +storage_setattr_scsi_generic_dev(systemd_logind_t)
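Review bot: `fs_mount_tmpfs(systemd_logind_t)` and `userdom_mounton_tmp_dirs(systemd_logind_t)` are added without a comment, and the second is broader than the `/run/user/1000` case the commit message names: `userdom_mounton_tmp_dirs` grants `mounton` on every `user_tmp_t` directory, which in this patch is also the label of `/var/run/user(/.*)?`, not a single runtime directory. The same lack of rationale applies to `userdom_manage_all_user_tmpfs_content(systemd_logind_t)` in the next hunk, which lets logind manage all user tmpfs content rather than one session's. A one-line why-comment above the two mount rules, e.g. `# logind mounts a tmpfs on /run/user/$UID, which is labeled user_tmp_t`, would record the intent for whoever next audits logind's permissions. The systemd_logind_t block starts and ends outside this hunk.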
@@ -39835,6 +39862,7 @@ index 0000000..d0651a8
 +userdom_read_all_users_state(systemd_logind_t)
 +userdom_use_user_ttys(systemd_logind_t)
 +userdom_manage_all_user_tmp_content(systemd_logind_t)
++userdom_manage_all_user_tmpfs_content(systemd_logind_t)
 +
 +xserver_dbus_chat(systemd_logind_t)
 +
@@ -39879,11 +39907,12 @@ index 0000000..d0651a8
 +# systemd-networkd local policy
 +#
 +
-+allow systemd_networkd_t self:capability { net_admin };
++allow systemd_networkd_t self:capability { net_admin net_raw };
 +
 +allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
 +allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
++allow systemd_networkd_t self:packet_socket create_socket_perms;
 +
 +kernel_dgram_send(systemd_networkd_t)
 +
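Review bot: The new `net_raw` capability and `packet_socket create_socket_perms` rule for `systemd_networkd_t` carry no comment saying which networkd feature needs link-layer sockets; presumably a DHCP or link-local client, but the hunk does not say, and raw packet access is the kind of grant a later reviewer will want justified rather than inferred. A comment next to the `packet_socket` line such as `# AF_PACKET sockets for the DHCP client -- confirm` (or the real reason, if different) would close that gap. Since creating an AF_PACKET socket requires CAP_NET_RAW, the two additions stand or fall together, and placing them adjacent under one comment makes the pairing visible. The systemd_networkd_t block continues past the end of this hunk.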
@@ -41708,7 +41737,7 @@ index db75976..e4eb903 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..3cc8679 100644
+index 9dc60c6..428fe58 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -42022,7 +42051,7 @@ index 9dc60c6..3cc8679 100644
  	')
  ')
  
-@@ -273,6 +315,63 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +315,82 @@ interface(`userdom_manage_home_role',`
  ## <summary>
  ##	Manage user temporary files
  ## </summary>
@@ -42081,12 +42110,31 @@ index 9dc60c6..3cc8679 100644
 +
 +#######################################
 +## <summary>
++##	Manage user temporary directories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolebase/>
++#
++interface(`userdom_mounton_tmp_dirs',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++    allow $1 user_tmp_t:dir mounton;
++')
++
++#######################################
++## <summary>
 +##	Manage user temporary files
 +## </summary>
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,17 +386,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +405,66 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
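Review bot: The summary of the new `userdom_mounton_tmp_dirs` interface says `Manage user temporary directories`, but the body only grants `allow $1 user_tmp_t:dir mounton;`, so the documentation overstates what a caller receives; `##	Mount on user temporary directories.` describes it accurately. The `allow` line is indented with spaces while the neighbouring `gen_require` block and the rest of the file use tabs, and should be normalized to a tab. The `<rolebase/>` tag also looks copied from the adjacent `userdom_manage_tmp_role` interface, whose parameter is a role; this interface takes a domain, so the tag is probably not wanted, which is worth confirming against the file's other domain-parameter interfaces.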
@@ -42117,6 +42165,8 @@ index 9dc60c6..3cc8679 100644
 +	relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
 +')
 +
++
++
 +#######################################
 +## <summary>
 +##	Dontaudit search of user bin dirs.
@@ -42156,7 +42206,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  #######################################
-@@ -317,11 +463,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +484,31 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -42188,7 +42238,7 @@ index 9dc60c6..3cc8679 100644
  ##	Role access for the user tmpfs type
  ##	that the user has full access.
  ## </summary>
-@@ -348,59 +514,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +535,60 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -42240,9 +42290,7 @@ index 9dc60c6..3cc8679 100644
  
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
 -	allow $1_t self:udp_socket create_socket_perms;
-+	allow $1 self:tcp_socket create_stream_socket_perms;
-+	allow $1 self:udp_socket create_socket_perms;
- 
+-
 -	corenet_all_recvfrom_unlabeled($1_t)
 -	corenet_all_recvfrom_netlabel($1_t)
 -	corenet_tcp_sendrecv_generic_if($1_t)
@@ -42253,7 +42301,9 @@ index 9dc60c6..3cc8679 100644
 -	corenet_udp_sendrecv_all_ports($1_t)
 -	corenet_tcp_connect_all_ports($1_t)
 -	corenet_sendrecv_all_client_packets($1_t)
--
++	allow $1 self:tcp_socket create_stream_socket_perms;
++	allow $1 self:udp_socket create_socket_perms;
+ 
 -	corenet_all_recvfrom_labeled($1_t, $1_t)
 +	corenet_tcp_sendrecv_generic_if($1)
 +	corenet_udp_sendrecv_generic_if($1)
@@ -42279,7 +42329,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  #######################################
-@@ -431,6 +598,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +619,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -42287,7 +42337,7 @@ index 9dc60c6..3cc8679 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -463,8 +631,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +652,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -42298,7 +42348,7 @@ index 9dc60c6..3cc8679 100644
  	')
  ')
  
-@@ -491,51 +659,63 @@ template(`userdom_common_user_template',`
+@@ -491,51 +680,63 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -42376,17 +42426,17 @@ index 9dc60c6..3cc8679 100644
 +	fs_read_noxattr_fs_files($1_usertype)
 +	fs_read_noxattr_fs_symlinks($1_usertype)
 +	fs_rw_cgroup_files($1_usertype)
-+
+ 
+-	fs_rw_cgroup_files($1_t)
 +	application_getattr_socket($1_usertype)
 +
 +	logging_send_syslog_msg($1_t)
- 
--	fs_rw_cgroup_files($1_t)
++
 +	selinux_get_enforce_mode($1_t)
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,93 +726,128 @@ template(`userdom_common_user_template',`
+@@ -546,93 +747,128 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -42488,50 +42538,50 @@ index 9dc60c6..3cc8679 100644
 +		optional_policy(`
 +			geoclue_dbus_chat($1_usertype)
 +		')
-+
-+		optional_policy(`
-+			gnome_dbus_chat_gconfdefault($1_usertype)
-+		')
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			hal_dbus_chat($1_usertype)
++			gnome_dbus_chat_gconfdefault($1_usertype)
  		')
  
  		optional_policy(`
 -			consolekit_dbus_chat($1_t)
-+			kde_dbus_chat_backlighthelper($1_usertype)
++			hal_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+			modemmanager_dbus_chat($1_usertype)
++			kde_dbus_chat_backlighthelper($1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			networkmanager_dbus_chat($1_usertype)
-+			networkmanager_read_lib_files($1_usertype)
++			modemmanager_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
-+			policykit_dbus_chat($1_usertype)
++			networkmanager_dbus_chat($1_usertype)
++			networkmanager_read_lib_files($1_usertype)
  		')
  
  		optional_policy(`
 -			policykit_dbus_chat($1_t)
-+			vpn_dbus_chat($1_usertype)
++			policykit_dbus_chat($1_usertype)
  		')
++
++		optional_policy(`
++			vpn_dbus_chat($1_usertype)
++		')
++	')
++
++	optional_policy(`
++		git_role($1_r, $1_t)
  	')
  
  	optional_policy(`
 -		inetd_use_fds($1_t)
 -		inetd_rw_tcp_sockets($1_t)
-+		git_role($1_r, $1_t)
-+	')
-+
-+	optional_policy(`
 +		inetd_use_fds($1_usertype)
 +		inetd_rw_tcp_sockets($1_usertype)
  	')
@@ -42553,7 +42603,7 @@ index 9dc60c6..3cc8679 100644
  	')
  
  	optional_policy(`
-@@ -642,23 +857,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +878,21 @@ template(`userdom_common_user_template',`
  	optional_policy(`
  		mpd_manage_user_data_content($1_t)
  		mpd_relabel_user_data_content($1_t)
@@ -42582,7 +42632,7 @@ index 9dc60c6..3cc8679 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +884,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +905,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -42591,7 +42641,7 @@ index 9dc60c6..3cc8679 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +893,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +914,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -42604,7 +42654,7 @@ index 9dc60c6..3cc8679 100644
  		')
  	')
  
-@@ -693,32 +906,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +927,35 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -42614,27 +42664,31 @@ index 9dc60c6..3cc8679 100644
 +
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
++	')
++
++	optional_policy(`
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		rpcbind_stream_connect($1_usertype)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t, $1_r)
-+		seunshare_role_template($1, $1_r, $1_t)
++		slrnpull_search_spool($1_usertype)
  	')
  
  	optional_policy(`
@@ -42643,15 +42697,11 @@ index 9dc60c6..3cc8679 100644
 -		virt_home_filetrans_virt_content($1_t, dir, "isos")
 -		virt_home_filetrans_svirt_home($1_t, dir, "qemu")
 -		virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")	
-+		slrnpull_search_spool($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		thumb_role($1_r, $1_usertype)
  	')
  ')
  
-@@ -743,17 +959,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +980,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -42689,7 +42739,7 @@ index 9dc60c6..3cc8679 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,83 +993,107 @@ template(`userdom_login_user_template', `
+@@ -761,83 +1014,107 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -42833,7 +42883,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  #######################################
-@@ -868,6 +1124,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1145,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -42846,7 +42896,7 @@ index 9dc60c6..3cc8679 100644
  	##############################
  	#
  	# Local policy
-@@ -907,57 +1169,141 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1190,137 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -42900,8 +42950,11 @@ index 9dc60c6..3cc8679 100644
  	optional_policy(`
 -		alsa_read_rw_config($1_t)
 +		alsa_read_rw_config($1_usertype)
-+	')
-+
+ 	')
+ 
+-	optional_policy(`
+-		dbus_role_template($1, $1_r, $1_t)
+-		dbus_system_bus_client($1_t)
 +	 # cjp: needed by KDE apps
 +	 # bug: #682499
 +	 optional_policy(`
@@ -42912,72 +42965,59 @@ index 9dc60c6..3cc8679 100644
 +
 +	optional_policy(`
 +		obex_role($1_r, $1_t, $1)
- 	')
- 
- 	optional_policy(`
--		dbus_role_template($1, $1_r, $1_t)
--		dbus_system_bus_client($1_t)
++	')
++
++	optional_policy(`
 +		dbus_role_template($1, $1_r, $1_usertype)
 +		dbus_system_bus_client($1_usertype)
 +		allow $1_usertype $1_usertype:dbus send_msg;
- 
- 		optional_policy(`
--			consolekit_dbus_chat($1_t)
++
++		optional_policy(`
 +			abrt_dbus_chat($1_usertype)
 +			abrt_run_helper($1_usertype, $1_r)
- 		')
- 
- 		optional_policy(`
--			cups_dbus_chat($1_t)
++		')
++
++		optional_policy(`
 +			accountsd_dbus_chat($1_usertype)
- 		')
- 
- 		optional_policy(`
--			gnome_role_template($1, $1_r, $1_t)
--			wm_role_template($1, $1_r, $1_t)
++		')
++
++		optional_policy(`
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
- 		')
--	')
- 
--	optional_policy(`
--		java_role($1_r, $1_t)
--	')
++		')
++
 +		optional_policy(`
 +			cups_dbus_chat($1_usertype)
 +			cups_dbus_chat_config($1_usertype)
 +		')
- 
--	optional_policy(`
--		setroubleshoot_dontaudit_stream_connect($1_t)
--	')
--')
++
 +		optional_policy(`
 +			devicekit_dbus_chat($1_usertype)
 +			devicekit_dbus_chat_disk($1_usertype)
 +			devicekit_dbus_chat_power($1_usertype)
 +		')
  
--#######################################
--## <summary>
-+		optional_policy(`
+ 		optional_policy(`
+-			consolekit_dbus_chat($1_t)
 +			fprintd_dbus_chat($1_t)
-+		')
-+
-+		optional_policy(`
+ 		')
+ 
+ 		optional_policy(`
+-			cups_dbus_chat($1_t)
 +			realmd_dbus_chat($1_t)
-+		')
-+
-+		optional_policy(`
-+			gnome_role_template($1, $1_r, $1_t)
+ 		')
+ 
+ 		optional_policy(`
+ 			gnome_role_template($1, $1_r, $1_t)
 +        ')
 +
 +        optional_policy(`
-+			wm_role_template($1, $1_r, $1_t)
-+		')
-+	')
-+
-+	optional_policy(`
+ 			wm_role_template($1, $1_r, $1_t)
+ 		')
+ 	')
+ 
+ 	optional_policy(`
+-		java_role($1_r, $1_t)
 +		policykit_role($1_r, $1_usertype)
 +	')
 +
@@ -42992,11 +43032,11 @@ index 9dc60c6..3cc8679 100644
 +
 +	optional_policy(`
 +		systemd_filetrans_home_content($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		setroubleshoot_dontaudit_stream_connect($1_t)
-+	')
+ 	')
+ 
+ 	optional_policy(`
+ 		setroubleshoot_dontaudit_stream_connect($1_t)
+ 	')
 +
 +	optional_policy(`
 +		udev_read_db($1_usertype)
@@ -43005,14 +43045,10 @@ index 9dc60c6..3cc8679 100644
 +	optional_policy(`
 +		xserver_xdm_ioctl_log($1_t)
 +	')
-+')
-+
-+#######################################
-+## <summary>
- ##	The template for creating a unprivileged user roughly
- ##	equivalent to a regular linux user.
- ## </summary>
-@@ -987,27 +1333,33 @@ template(`userdom_unpriv_user_template', `
+ ')
+ 
+ #######################################
+@@ -987,27 +1354,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -43050,7 +43086,7 @@ index 9dc60c6..3cc8679 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1018,23 +1370,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1391,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -43102,26 +43138,26 @@ index 9dc60c6..3cc8679 100644
 +
 +	optional_policy(`
 +		gpm_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		mount_run_fusermount($1_t, $1_r)
 +		mount_read_pid_files($1_t)
 +	')
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1043,7 +1432,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1453,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -43132,7 +43168,7 @@ index 9dc60c6..3cc8679 100644
  	')
  ')
  
-@@ -1079,7 +1470,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1491,9 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -43143,7 +43179,7 @@ index 9dc60c6..3cc8679 100644
  	')
  
  	##############################
-@@ -1095,6 +1488,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1509,7 @@ template(`userdom_admin_user_template',`
  	role system_r types $1_t;
  
  	typeattribute $1_t admindomain;
@@ -43151,7 +43187,7 @@ index 9dc60c6..3cc8679 100644
  
  	ifdef(`direct_sysadm_daemon',`
  		domain_system_change_exemption($1_t)
-@@ -1105,14 +1499,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1520,8 @@ template(`userdom_admin_user_template',`
  	# $1_t local policy
  	#
  
@@ -43168,7 +43204,7 @@ index 9dc60c6..3cc8679 100644
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1128,6 +1516,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1537,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -43176,7 +43212,7 @@ index 9dc60c6..3cc8679 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1145,10 +1534,14 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1555,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -43191,7 +43227,7 @@ index 9dc60c6..3cc8679 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1159,29 +1552,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1573,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -43234,7 +43270,7 @@ index 9dc60c6..3cc8679 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1593,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1614,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -43243,7 +43279,7 @@ index 9dc60c6..3cc8679 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1602,17 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1623,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -43262,7 +43298,7 @@ index 9dc60c6..3cc8679 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1240,7 +1648,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1669,7 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -43271,7 +43307,7 @@ index 9dc60c6..3cc8679 100644
  	allow $1 self:capability { dac_read_search dac_override };
  
  	corecmd_exec_shell($1)
-@@ -1250,6 +1658,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1679,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -43280,7 +43316,7 @@ index 9dc60c6..3cc8679 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1262,8 +1672,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1693,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -43292,7 +43328,7 @@ index 9dc60c6..3cc8679 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1274,29 +1686,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1707,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -43335,7 +43371,7 @@ index 9dc60c6..3cc8679 100644
  	')
  
  	optional_policy(`
-@@ -1357,14 +1771,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1792,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -43354,7 +43390,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -1405,6 +1822,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1405,6 +1843,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -43406,7 +43442,7 @@ index 9dc60c6..3cc8679 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1509,11 +1971,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1992,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -43438,7 +43474,7 @@ index 9dc60c6..3cc8679 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1555,6 +2037,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2058,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -43453,7 +43489,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -1570,9 +2060,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2081,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -43465,7 +43501,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -1629,6 +2121,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2142,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -43508,7 +43544,7 @@ index 9dc60c6..3cc8679 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1708,6 +2236,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2257,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -43517,7 +43553,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -1741,10 +2271,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2292,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -43532,7 +43568,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -1769,7 +2301,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2322,25 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -43559,7 +43595,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1779,53 +2329,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1779,53 +2350,70 @@ interface(`userdom_manage_user_home_content_dirs',`
  #
  interface(`userdom_delete_all_user_home_content_dirs',`
  	gen_require(`
@@ -43642,7 +43678,7 @@ index 9dc60c6..3cc8679 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1845,6 +2412,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1845,6 +2433,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -43668,7 +43704,7 @@ index 9dc60c6..3cc8679 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1875,15 +2461,18 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1875,15 +2482,18 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -43689,7 +43725,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1891,18 +2480,18 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1891,18 +2501,18 @@ interface(`userdom_read_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -43713,7 +43749,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1910,17 +2499,39 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
+@@ -1910,17 +2520,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -43736,13 +43772,14 @@ index 9dc60c6..3cc8679 100644
  ## <summary>
 -##	Do not audit attempts to write user home files.
 +##	Do not audit attempts to append user home files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1928,7 +2542,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_write_user_home_content_files',`
 +interface(`userdom_dontaudit_append_user_home_content_files',`
 +	gen_require(`
 +		type user_home_t;
@@ -43754,10 +43791,18 @@ index 9dc60c6..3cc8679 100644
 +########################################
 +## <summary>
 +##	Do not audit attempts to write user home files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1938,7 +2549,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_write_user_home_content_files',`
+ 	gen_require(`
+ 		type user_home_t;
+ 	')
+@@ -1938,7 +2570,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -43766,7 +43811,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,10 +2557,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2578,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -43779,7 +43824,7 @@ index 9dc60c6..3cc8679 100644
  	')
  
  	userdom_search_user_home_content($1)
-@@ -1958,7 +2568,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2589,7 @@ interface(`userdom_delete_all_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -43788,7 +43833,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1966,12 +2576,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2597,66 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -43857,7 +43902,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -2007,8 +2671,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2692,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -43867,7 +43912,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -2024,20 +2687,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2708,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -43892,7 +43937,7 @@ index 9dc60c6..3cc8679 100644
  
  ########################################
  ## <summary>
-@@ -2120,7 +2777,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2798,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -43901,7 +43946,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2785,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2806,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -43925,7 +43970,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2803,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2824,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -43941,7 +43986,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -2390,11 +3045,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2390,11 +3066,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -43956,7 +44001,7 @@ index 9dc60c6..3cc8679 100644
  	files_search_tmp($1)
  ')
  
-@@ -2414,7 +3069,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3090,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -43965,7 +44010,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -2661,6 +3316,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3337,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -43991,7 +44036,7 @@ index 9dc60c6..3cc8679 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2677,13 +3351,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2677,13 +3372,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -44007,7 +44052,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2704,7 +3379,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2704,7 +3400,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -44016,7 +44061,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2712,14 +3387,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2712,14 +3408,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -44051,7 +44096,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -2814,6 +3505,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3526,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -44076,7 +44121,7 @@ index 9dc60c6..3cc8679 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3541,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3562,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -44119,7 +44164,7 @@ index 9dc60c6..3cc8679 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3577,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3598,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -44157,7 +44202,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -2882,8 +3622,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3643,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -44187,7 +44232,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -2955,69 +3714,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3735,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -44288,7 +44333,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3025,12 +3783,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3804,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -44303,7 +44348,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -3094,7 +3852,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +3873,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -44312,7 +44357,7 @@ index 9dc60c6..3cc8679 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +3868,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +3889,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -44346,7 +44391,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -3214,31 +3956,49 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,31 +3977,49 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -44403,7 +44448,7 @@ index 9dc60c6..3cc8679 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3269,7 +4029,83 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,7 +4050,83 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -44488,7 +44533,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -3287,7 +4123,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3287,7 +4144,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -44497,7 +44542,7 @@ index 9dc60c6..3cc8679 100644
  ')
  
  ########################################
-@@ -3306,6 +4142,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3306,6 +4163,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -44505,7 +44550,7 @@ index 9dc60c6..3cc8679 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3382,6 +4219,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4240,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -44548,7 +44593,7 @@ index 9dc60c6..3cc8679 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4275,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4296,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -44573,7 +44618,7 @@ index 9dc60c6..3cc8679 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4326,1680 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4347,1680 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index bfcea24..b5ed9ef 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -21386,7 +21386,7 @@ index 8ce99ff..0819898 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/devicekit.te b/devicekit.te
-index 77a5003..73f2867 100644
+index 77a5003..b605240 100644
 --- a/devicekit.te
 +++ b/devicekit.te
 @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@@ -21431,7 +21431,7 @@ index 77a5003..73f2867 100644
  allow devicekit_disk_t self:process { getsched signal_perms };
  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,17 +79,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
  manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
  files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@@ -21444,6 +21444,14 @@ index 77a5003..73f2867 100644
  kernel_read_fs_sysctls(devicekit_disk_t)
  kernel_read_network_state(devicekit_disk_t)
  kernel_read_software_raid_state(devicekit_disk_t)
+ kernel_read_system_state(devicekit_disk_t)
+ kernel_read_vm_sysctls(devicekit_disk_t)
+ kernel_request_load_module(devicekit_disk_t)
+-kernel_setsched(devicekit_disk_t)
++kernel_dontaudit_setsched(devicekit_disk_t)
+ 
+ corecmd_exec_bin(devicekit_disk_t)
+ corecmd_exec_shell(devicekit_disk_t)
 @@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
  
  dev_getattr_all_chr_files(devicekit_disk_t)
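Review bot: Swapping `kernel_setsched(devicekit_disk_t)` for `kernel_dontaudit_setsched(devicekit_disk_t)` withdraws a permission the domain previously held, not just the audit noise: if the daemon running as devicekit_disk_t really does call sched_setscheduler()/setpriority() on a kernel thread, that call now fails with EPERM and no AVC is logged, so the failure stays invisible to `ausearch` until dontaudit rules are rebuilt out with `semodule -DB`. That is the right trade only if the call is best-effort, which the commit message implies but does not state; a one-line comment above the rule, `# setsched on kernel threads is best-effort here; deny silently rather than grant`, would record that reasoning for whoever next chases the silent failure. The same substitution is made for docker_t, hald_t, iscsid_t, NetworkManager_t, mdadm_t, quota_t and nfsd_t elsewhere in this commit and the same caveat applies to each.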
@@ -21537,7 +21545,7 @@ index 77a5003..73f2867 100644
  logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
  
  manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -224,7 +236,7 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
+@@ -224,12 +236,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
  kernel_read_fs_sysctls(devicekit_power_t)
  kernel_read_network_state(devicekit_power_t)
  kernel_read_system_state(devicekit_power_t)
@@ -21546,6 +21554,12 @@ index 77a5003..73f2867 100644
  kernel_rw_kernel_sysctl(devicekit_power_t)
  kernel_rw_vm_sysctls(devicekit_power_t)
  kernel_search_debugfs(devicekit_power_t)
+ kernel_write_proc_files(devicekit_power_t)
+-kernel_setsched(devicekit_power_t)
++kernel_dontaudit_setsched(devicekit_power_t)
+ 
+ corecmd_exec_bin(devicekit_power_t)
+ corecmd_exec_shell(devicekit_power_t)
 @@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t)
  
  files_read_kernel_img(devicekit_power_t)
@@ -23578,7 +23592,7 @@ index 0000000..89401fe
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..5e91008
+index 0000000..ea0f2d3
 --- /dev/null
 +++ b/docker.te
 @@ -0,0 +1,260 @@
@@ -23763,7 +23777,7 @@ index 0000000..5e91008
 +allow docker_t docker_var_lib_t:chr_file mounton;
 +can_exec(docker_t, docker_var_lib_t)
 +
-+kernel_setsched(docker_t)
++kernel_dontaudit_setsched(docker_t)
 +kernel_get_sysvipc_info(docker_t)
 +kernel_request_load_module(docker_t)
 +kernel_mounton_messages(docker_t)
@@ -27743,7 +27757,7 @@ index 1e29af1..6c64f55 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index dc49c71..72aa729 100644
+index dc49c71..3ef1e93 100644
 --- a/git.te
 +++ b/git.te
 @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -27812,17 +27826,18 @@ index dc49c71..72aa729 100644
  corenet_all_recvfrom_unlabeled(git_system_t)
  corenet_all_recvfrom_netlabel(git_system_t)
  corenet_tcp_sendrecv_generic_if(git_system_t)
-@@ -176,6 +172,9 @@ logging_send_syslog_msg(git_system_t)
+@@ -176,6 +172,10 @@ logging_send_syslog_msg(git_system_t)
  
  tunable_policy(`git_system_enable_homedirs',`
  	userdom_search_user_home_dirs(git_system_t)
 +	list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
++	list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
 +	read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
 +
  ')
  
  tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -215,48 +214,48 @@ tunable_policy(`git_system_use_nfs',`
+@@ -215,48 +215,48 @@ tunable_policy(`git_system_use_nfs',`
  # CGI policy
  #
  
@@ -27893,7 +27908,7 @@ index dc49c71..72aa729 100644
  ')
  
  ########################################
-@@ -266,12 +265,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -266,12 +266,9 @@ tunable_policy(`git_cgi_use_nfs',`
  
  allow git_daemon self:fifo_file rw_fifo_file_perms;
  
@@ -32464,7 +32479,7 @@ index e151378..04d173d 100644
  fs_getattr_xattr_fs(zookeeper_server_t)
  
 diff --git a/hal.te b/hal.te
-index bbccc79..6c6524a 100644
+index bbccc79..435ac42 100644
 --- a/hal.te
 +++ b/hal.te
 @@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
@@ -32475,6 +32490,15 @@ index bbccc79..6c6524a 100644
  
  miscfiles_read_localization(hald_domain)
  
+@@ -116,7 +115,7 @@ kernel_rw_irq_sysctls(hald_t)
+ kernel_rw_vm_sysctls(hald_t)
+ kernel_write_proc_files(hald_t)
+ kernel_rw_net_sysctls(hald_t)
+-kernel_setsched(hald_t)
++kernel_dontaudit_setsched(hald_t)
+ kernel_request_load_module(hald_t)
+ 
+ corecmd_exec_all_executables(hald_t)
 @@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
  
  dev_rw_input_dev(hald_keymap_t)
@@ -33790,7 +33814,7 @@ index 1a35420..2ea1241 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index ca020fa..a25fc7f 100644
+index ca020fa..7f7047f 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -9,8 +9,8 @@ type iscsid_t;
@@ -33834,7 +33858,8 @@ index ca020fa..a25fc7f 100644
 +kernel_request_load_module(iscsid_t)
  kernel_read_network_state(iscsid_t)
  kernel_read_system_state(iscsid_t)
- kernel_setsched(iscsid_t)
+-kernel_setsched(iscsid_t)
++kernel_dontaudit_setsched(iscsid_t)
 +kernel_request_load_module(iscsid_t)
  
 -corenet_all_recvfrom_unlabeled(iscsid_t)
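Review bot: `kernel_request_load_module(iscsid_t)` appears twice on the new side of this hunk, once above `kernel_read_network_state(iscsid_t)` and again right after the new `kernel_dontaudit_setsched(iscsid_t)` line. Duplicate allow rules are harmless to the compiled policy, but the second copy is adjacent to this commit's change and is the natural one to drop: delete the trailing `+kernel_request_load_module(iscsid_t)`. Note that the setsched change silences rather than grants the access, so any genuine need iscsid has for it will now fail without an AVC.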
@@ -44365,7 +44390,7 @@ index 6194b80..03c6414 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..dfd8d3a 100644
+index 11ac8e4..ad56dac 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@@ -44768,34 +44793,34 @@ index 11ac8e4..dfd8d3a 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++	java_domtrans(mozilla_t)
  ')
  
  optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	java_domtrans(mozilla_t)
++	lpd_domtrans_lpr(mozilla_t)
  ')
  
  optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	lpd_domtrans_lpr(mozilla_t)
++	mplayer_domtrans(mozilla_t)
++	mplayer_read_user_home_files(mozilla_t)
  ')
  
  optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
++	nscd_socket_use(mozilla_t)
  ')
  
  optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
-+	nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@@ -44803,7 +44828,7 @@ index 11ac8e4..dfd8d3a 100644
  ')
  
  optional_policy(`
-@@ -300,259 +324,243 @@ optional_policy(`
+@@ -300,259 +324,247 @@ optional_policy(`
  
  ########################################
  #
@@ -45066,12 +45091,12 @@ index 11ac8e4..dfd8d3a 100644
  
 -userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
- 
+-
 -userdom_manage_user_home_content_dirs(mozilla_plugin_t)
 -userdom_manage_user_home_content_files(mozilla_plugin_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+ 
 -userdom_write_user_tmp_sockets(mozilla_plugin_t)
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
@@ -45095,26 +45120,28 @@ index 11ac8e4..dfd8d3a 100644
 -ifndef(`enable_mls',`
 -	fs_list_dos(mozilla_plugin_t)
 -	fs_read_dos_files(mozilla_plugin_t)
--
--	fs_search_removable(mozilla_plugin_t)
--	fs_read_removable_files(mozilla_plugin_t)
--	fs_read_removable_symlinks(mozilla_plugin_t)
 +userdom_read_user_home_content_files(mozilla_plugin_t)
 +userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 +userdom_read_home_certs(mozilla_plugin_t)
 +userdom_read_home_audio_files(mozilla_plugin_t)
 +userdom_exec_user_tmp_files(mozilla_plugin_t)
  
--	fs_read_iso9660_files(mozilla_plugin_t)
--')
+-	fs_search_removable(mozilla_plugin_t)
+-	fs_read_removable_files(mozilla_plugin_t)
+-	fs_read_removable_symlinks(mozilla_plugin_t)
 +userdom_home_manager(mozilla_plugin_t)
  
--tunable_policy(`allow_execmem',`
--	allow mozilla_plugin_t self:process execmem;
+-	fs_read_iso9660_files(mozilla_plugin_t)
 +tunable_policy(`mozilla_plugin_can_network_connect',`
 +	corenet_tcp_connect_all_ports(mozilla_plugin_t)
  ')
  
+-tunable_policy(`allow_execmem',`
+-	allow mozilla_plugin_t self:process execmem;
++optional_policy(`
++    abrt_stream_connect(mozilla_plugin_t)
+ ')
+ 
 -tunable_policy(`mozilla_execstack',`
 -	allow mozilla_plugin_t self:process { execmem execstack };
 +optional_policy(`
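Review bot: The new `abrt_stream_connect(mozilla_plugin_t)` line is indented with four spaces while the neighbouring `optional_policy` and `tunable_policy` bodies in this file use a tab (compare `	corenet_tcp_connect_all_ports(mozilla_plugin_t)` a few lines up); change it to `	abrt_stream_connect(mozilla_plugin_t)` so the block matches refpolicy style. A short comment naming the consumer would also help, because a browser plugin domain connecting to the ABRT socket is unusual enough to look like a mistake later; the commit message attributes it to abrt-java-connector, so `# abrt-java-connector reports crashes from the plugin over the abrt socket` would do. The mozilla_plugin_t policy section starts outside this hunk.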
@@ -45196,7 +45223,7 @@ index 11ac8e4..dfd8d3a 100644
  ')
  
  optional_policy(`
-@@ -560,7 +568,11 @@ optional_policy(`
+@@ -560,7 +572,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45209,7 +45236,7 @@ index 11ac8e4..dfd8d3a 100644
  ')
  
  optional_policy(`
-@@ -568,108 +580,131 @@ optional_policy(`
+@@ -568,108 +584,131 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47689,7 +47716,7 @@ index b744fe3..900d083 100644
 +	admin_pattern($1, munin_content_t)
  ')
 diff --git a/munin.te b/munin.te
-index b708708..0deb9fa 100644
+index b708708..7bdfb65 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@@ -47835,7 +47862,7 @@ index b708708..0deb9fa 100644
  ####################################
  #
  # Mail local policy
-@@ -279,27 +273,36 @@ optional_policy(`
+@@ -279,27 +273,38 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -47844,6 +47871,8 @@ index b708708..0deb9fa 100644
 +
  rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
++kernel_read_net_sysctls(mail_munin_plugin_t)
++
  dev_read_urand(mail_munin_plugin_t)
  
  logging_read_generic_logs(mail_munin_plugin_t)
@@ -47876,7 +47905,7 @@ index b708708..0deb9fa 100644
  ')
  
  optional_policy(`
-@@ -339,7 +342,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -339,7 +344,7 @@ dev_read_rand(services_munin_plugin_t)
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
@@ -47885,7 +47914,7 @@ index b708708..0deb9fa 100644
  ')
  
  optional_policy(`
-@@ -361,7 +364,11 @@ optional_policy(`
+@@ -361,7 +366,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47898,7 +47927,7 @@ index b708708..0deb9fa 100644
  ')
  
  optional_policy(`
-@@ -393,6 +400,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +402,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -47906,7 +47935,7 @@ index b708708..0deb9fa 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +429,32 @@ optional_policy(`
+@@ -421,3 +431,32 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -50505,7 +50534,7 @@ index 86dc29d..1cd0d0e 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..5e67bb6 100644
+index 55f2009..bb85ae6 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -50611,7 +50640,7 @@ index 55f2009..5e67bb6 100644
  kernel_request_load_module(NetworkManager_t)
  kernel_read_debugfs(NetworkManager_t)
  kernel_rw_net_sysctls(NetworkManager_t)
-+kernel_setsched(NetworkManager_t)
++kernel_dontaudit_setsched(NetworkManager_t)
  
 -corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
@@ -59727,7 +59756,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454..100a122 100644
+index 608f454..aa814c8 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -60221,6 +60250,14 @@ index 608f454..100a122 100644
  ')
  
  optional_policy(`
+@@ -180,6 +493,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    virt_getattr_images(pegasus_t)
+ 	virt_domtrans(pegasus_t)
+ 	virt_stream_connect(pegasus_t)
+ 	virt_manage_config(pegasus_t)
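Review bot: The new call is `virt_getattr_images(pegasus_t)`, but the interface this commit adds to virt.if is named `virt_getattr_content` and acts on `virt_content_t`, not on image files; unless `virt_getattr_images` already exists in virt.if (it is not visible here), this line will fail at module build time with an undefined-interface error, and if it does exist the two names make it unclear which type pegasus actually needs for the cimtest defineVS case. Confirm the intended type and call the matching interface. The line is also indented with four spaces while the neighbouring `virt_domtrans(pegasus_t)` uses a tab; use `	virt_getattr_images(pegasus_t)` (or the corrected name) for consistency.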
 diff --git a/pesign.fc b/pesign.fc
 new file mode 100644
 index 0000000..7b54c39
@@ -72534,7 +72571,7 @@ index da64218..3fb8575 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
  ')
 diff --git a/quota.te b/quota.te
-index f47c8e8..a0251fe 100644
+index f47c8e8..3710974 100644
 --- a/quota.te
 +++ b/quota.te
 @@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
@@ -72570,7 +72607,7 @@ index f47c8e8..a0251fe 100644
  allow quota_t quota_db_t:file { manage_file_perms quotaon };
  files_root_filetrans(quota_t, quota_db_t, file)
  files_boot_filetrans(quota_t, quota_db_t, file)
-@@ -48,7 +44,6 @@ files_var_filetrans(quota_t, quota_db_t, file)
+@@ -48,24 +44,15 @@ files_var_filetrans(quota_t, quota_db_t, file)
  files_spool_filetrans(quota_t, quota_db_t, file)
  userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
  
@@ -72578,7 +72615,10 @@ index f47c8e8..a0251fe 100644
  kernel_list_proc(quota_t)
  kernel_read_proc_symlinks(quota_t)
  kernel_read_kernel_sysctls(quota_t)
-@@ -58,14 +53,6 @@ dev_read_sysfs(quota_t)
+-kernel_setsched(quota_t)
++kernel_dontaudit_setsched(quota_t)
+ 
+ dev_read_sysfs(quota_t)
  dev_getattr_all_blk_files(quota_t)
  dev_getattr_all_chr_files(quota_t)
  
@@ -73265,7 +73305,7 @@ index 951db7f..c0cabe8 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
  ')
 diff --git a/raid.te b/raid.te
-index c99753f..c5d944b 100644
+index c99753f..2d260c2 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@@ -73319,7 +73359,7 @@ index c99753f..c5d944b 100644
  kernel_read_kernel_sysctls(mdadm_t)
  kernel_request_load_module(mdadm_t)
  kernel_rw_software_raid_state(mdadm_t)
-+kernel_setsched(mdadm_t)
++kernel_dontaudit_setsched(mdadm_t)
  
  corecmd_exec_bin(mdadm_t)
  corecmd_exec_shell(mdadm_t)
@@ -76540,7 +76580,7 @@ index c8bdea2..1337d42 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..e7fe8c7 100644
+index 6cf79c4..8980ac4 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -76899,9 +76939,10 @@ index 6cf79c4..e7fe8c7 100644
  # fenced local policy
  #
  
- allow fenced_t self:capability { sys_rawio sys_resource };
+-allow fenced_t self:capability { sys_rawio sys_resource };
 -allow fenced_t self:process { getsched signal_perms };
 -allow fenced_t self:tcp_socket { accept listen };
++allow fenced_t self:capability { net_admin sys_rawio sys_resource };
 +allow fenced_t self:process { getsched setpgid signal_perms };
 +
 +allow fenced_t self:tcp_socket create_stream_socket_perms;
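Review bot: `net_admin` is added to the self capability set of fenced_t as a whole, and the commit message only says it is for fence_virtd without naming the operation that was denied; CAP_NET_ADMIN is a broad capability (interface and routing configuration, privileged socket options, multicast/IGMP tuning, netfilter), and every fence agent that runs in fenced_t gains it, not just fence_virtd. If fence_virtd is the only consumer, consider whether it warrants its own domain, or at least add a comment above the rule naming the denied operation, e.g. `# fence_virtd needs net_admin for <setsockopt/syscall from the AVC>`, so the grant can be revisited when the agent changes. The fenced_t policy section continues outside this hunk.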
@@ -79132,7 +79173,7 @@ index 0bf13c2..d59aef7 100644
  		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
  		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..2497a03 100644
+index 2da9fca..09e0307 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@@ -79324,7 +79365,8 @@ index 2da9fca..2497a03 100644
 +kernel_read_system_state(nfsd_t)
  kernel_read_network_state(nfsd_t)
  kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
+-kernel_setsched(nfsd_t)
++kernel_dontaudit_setsched(nfsd_t)
  kernel_request_load_module(nfsd_t)
 -# kernel_mounton_proc(nfsd_t)
 +kernel_mounton_proc(nfsd_t)
@@ -85782,7 +85824,7 @@ index 98c9e0a..d4aa009 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..0e798f1 100644
+index 299756b..453eb03 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -85888,7 +85930,7 @@ index 299756b..0e798f1 100644
  ')
  
  optional_policy(`
-@@ -117,6 +133,32 @@ optional_policy(`
+@@ -117,6 +133,33 @@ optional_policy(`
  # Reposd local policy
  #
  
@@ -85916,6 +85958,7 @@ index 299756b..0e798f1 100644
 +auth_use_nsswitch(sblim_sfcbd_t)
 +
 +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
++corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
 +
 +dev_read_rand(sblim_sfcbd_t)
 +dev_read_urand(sblim_sfcbd_t)
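Review bot: `corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)` lets sfcbd open outbound connections to the plaintext CIM port, while the line above only lets it bind the HTTPS port, and the hunk does not say who the peer is. If this is sfcbd reaching itself or the cimtest client over cleartext CIM-XML on the local host, say so with a comment such as `# sfcbd connects to the local CIM HTTP port (needed by cimtest)` so the rule is not later read as a general outbound grant. The sblim_sfcbd_t policy section starts outside this hunk.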
@@ -97799,7 +97842,7 @@ index a4f20bc..6351bcb 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..fddb027 100644
+index facdee8..f2c0191 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -98250,17 +98293,35 @@ index facdee8..fddb027 100644
  	manage_files_pattern($1, virt_etc_t, virt_etc_t)
  	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
  	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -414,8 +251,7 @@ interface(`virt_manage_config',`
+@@ -414,8 +251,25 @@ interface(`virt_manage_config',`
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt image files.
 +##	Allow domain to manage virt image files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_getattr_content',`
++	gen_require(`
++		type virt_content_t;
++	')
++
++    allow $1 virt_content_t:file getattr_file_perms;
++')
++
++########################################
++## <summary>
++##	Allow domain to manage virt image files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -450,8 +286,7 @@ interface(`virt_read_content',`
+@@ -450,8 +304,7 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
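Review bot: The summary for the new `virt_getattr_content` interface reads "Allow domain to manage virt image files", which appears to be copied from the block below it (the original hunk text shows that block's summary as "Create, read, write, and delete virt image files") and describes neither the permission, which is getattr only, nor the type, which is `virt_content_t` rather than images; write it as `##	Get the attributes of virt content files.` so the generated interface documentation is not misleading. The rule grants only `virt_content_t:file getattr_file_perms` with no directory search, which works if callers already hold search on the parent directories, but `getattr_files_pattern($1, virt_content_t, virt_content_t)` is the usual refpolicy form and covers that case. The `allow` line is indented with four spaces where the rest of the file uses tabs.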
@@ -98270,7 +98331,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -459,35 +294,17 @@ interface(`virt_read_content',`
+@@ -459,35 +312,17 @@ interface(`virt_read_content',`
  ##	</summary>
  ## </param>
  #
@@ -98309,7 +98370,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +330,37 @@ interface(`virt_manage_virt_content',`
  ##	</summary>
  ## </param>
  #
@@ -98373,7 +98434,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +368,21 @@ interface(`virt_home_filetrans_virt_content',`
  ##	</summary>
  ## </param>
  #
@@ -98416,7 +98477,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +390,36 @@ interface(`virt_manage_svirt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -98465,7 +98526,7 @@ index facdee8..fddb027 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +428,36 @@ interface(`virt_relabel_svirt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -98529,7 +98590,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +465,38 @@ interface(`virt_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -98596,7 +98657,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +504,58 @@ interface(`virt_manage_generic_virt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -98635,14 +98696,31 @@ index facdee8..fddb027 100644
 -##	</summary>
 -## </param>
 -## <param name="name" optional="true">
--##	<summary>
--##	The name of the object being created.
--##	</summary>
--## </param>
 +## <rolecap/>
++#
++interface(`virt_read_log',`
++	gen_require(`
++		type virt_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, virt_log_t, virt_log_t)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to append
++##	virt log files.
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The name of the object being created.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
  #
 -interface(`virt_home_filetrans_virt_home',`
-+interface(`virt_read_log',`
++interface(`virt_append_log',`
  	gen_require(`
 -		type virt_home_t;
 +		type virt_log_t;
@@ -98650,23 +98728,22 @@ index facdee8..fddb027 100644
  
 -	userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
 +	logging_search_logs($1)
-+	read_files_pattern($1, virt_log_t, virt_log_t)
++	append_files_pattern($1, virt_log_t, virt_log_t)
  ')
  
  ########################################
  ## <summary>
 -##	Read virt pid files.
-+##	Allow the specified domain to append
-+##	virt log files.
++##	Allow domain to manage virt log files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +563,19 @@ interface(`virt_home_filetrans_virt_home',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_pid_files',`
-+interface(`virt_append_log',`
++interface(`virt_manage_log',`
  	gen_require(`
 -		type virt_var_run_t;
 +		type virt_log_t;
@@ -98674,34 +98751,34 @@ index facdee8..fddb027 100644
  
 -	files_search_pids($1)
 -	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+	logging_search_logs($1)
-+	append_files_pattern($1, virt_log_t, virt_log_t)
++	manage_dirs_pattern($1, virt_log_t, virt_log_t)
++	manage_files_pattern($1, virt_log_t, virt_log_t)
++	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt pid files.
-+##	Allow domain to manage virt log files
++##	Allow domain to getattr virt image direcories
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +583,18 @@ interface(`virt_read_pid_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_pid_files',`
-+interface(`virt_manage_log',`
++interface(`virt_getattr_images',`
  	gen_require(`
 -		type virt_var_run_t;
-+		type virt_log_t;
++		attribute virt_image_type;
  	')
  
 -	files_search_pids($1)
 -	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+	manage_dirs_pattern($1, virt_log_t, virt_log_t)
-+	manage_files_pattern($1, virt_log_t, virt_log_t)
-+	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
++	virt_search_lib($1)
++	allow $1 virt_image_type:file getattr_file_perms;
  ')
  
  ########################################
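Review bot: The summary of the new `virt_getattr_images` interface says it allows getattr on virt image directories, but the only rule it grants is `allow $1 virt_image_type:file getattr_file_perms;`, so directories are not covered; the summary also misspells "direcories". Either the summary should read `##	Allow domain to getattr virt image files` or a matching `allow $1 virt_image_type:dir getattr_dir_perms;` should be added beside the file rule, depending on what the caller actually needs. Note also that the rule is granted against the whole `virt_image_type` attribute rather than a single image type, which widens what a calling domain can stat; that may be intended, but the summary should say so.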
@@ -98711,7 +98788,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +602,18 @@ interface(`virt_manage_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -98735,7 +98812,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -839,20 +584,73 @@ interface(`virt_search_lib',`
+@@ -839,20 +621,73 @@ interface(`virt_search_lib',`
  ##	</summary>
  ## </param>
  #
@@ -98814,7 +98891,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +658,265 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -98877,10 +98954,12 @@ index facdee8..fddb027 100644
 +    manage_dirs_pattern($1, virt_image_t, virt_image_t)
 +    manage_files_pattern($1, virt_image_t, virt_image_t)
 +    read_lnk_files_pattern($1, virt_image_t, virt_image_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in virt pid
+-##	directories with a private type.
 +##	Execute virt server in the virt domain.
 +## </summary>
 +## <param name="domain">
@@ -98900,12 +98979,10 @@ index facdee8..fddb027 100644
 +	allow $1 virtd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, virtd_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create objects in virt pid
--##	directories with a private type.
++')
++
++########################################
++## <summary>
 +##	Ptrace the svirt domain
 +## </summary>
 +## <param name="domain">
@@ -98925,12 +99002,13 @@ index facdee8..fddb027 100644
 +#######################################
 +## <summary>
 +##	Execute Sandbox Files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
 +#
 +interface(`virt_exec_sandbox_files',`
 +	gen_require(`
@@ -98943,13 +99021,14 @@ index facdee8..fddb027 100644
 +#######################################
 +## <summary>
 +##	Manage Sandbox Files
- ## </summary>
- ## <param name="domain">
++## </summary>
++## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	The type of the object to be created.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="private type">
+-## <param name="object">
 +#
 +interface(`virt_manage_sandbox_files',`
 +	gen_require(`
@@ -98969,11 +99048,11 @@ index facdee8..fddb027 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	The type of the object to be created.
+-##	The object class of the object being created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="object">
+-## <param name="name" optional="true">
 +#
 +interface(`virt_relabel_sandbox_filesystem',`
 +	gen_require(`
@@ -98989,14 +99068,16 @@ index facdee8..fddb027 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	The object class of the object being created.
+-##	The name of the object being created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
-+#
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`virt_pid_filetrans',`
 +interface(`virt_mounton_sandbox_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_var_run_t;
 +		type svirt_sandbox_file_t;
 +	')
 +
@@ -99008,17 +99089,13 @@ index facdee8..fddb027 100644
 +##	Connect to virt over a unix domain stream socket.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	The name of the object being created.
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <infoflow type="write" weight="10"/>
- #
--interface(`virt_pid_filetrans',`
++##	</summary>
++## </param>
++#
 +interface(`virt_stream_connect_sandbox',`
- 	gen_require(`
--		type virt_var_run_t;
++	gen_require(`
 +		attribute svirt_sandbox_domain;
 +		type svirt_sandbox_file_t;
  	')
@@ -99074,10 +99151,11 @@ index facdee8..fddb027 100644
 +	optional_policy(`
 +		ptchown_run(virt_domain, $2)
 +	')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append virt log files.
 +##	Do not audit attempts to write virt daemon unnamed pipes.
 +## </summary>
 +## <param name="domain">
@@ -99093,16 +99171,15 @@ index facdee8..fddb027 100644
 +
 +	dontaudit $1 virtd_t:fd use;
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Append virt log files.
++')
++
++########################################
++## <summary>
 +##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,19 +924,17 @@ interface(`virt_read_log',`
+@@ -935,19 +961,17 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
@@ -99126,7 +99203,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +942,17 @@ interface(`virt_append_log',`
+@@ -955,20 +979,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
@@ -99151,7 +99228,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +960,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +997,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
@@ -99174,7 +99251,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +978,57 @@ interface(`virt_search_images',`
+@@ -995,36 +1015,57 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
@@ -99251,7 +99328,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +1036,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +1073,28 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -99287,7 +99364,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,37 +1065,131 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1102,131 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -99433,7 +99510,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1197,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1234,54 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -99507,7 +99584,7 @@ index facdee8..fddb027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1260,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1297,36 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -99549,8 +99626,7 @@ index facdee8..fddb027 100644
 -
 -	files_search_tmp($1)
 -	admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+	allow $1 virt_domain:process signal_perms;
- 
+-
 -	files_search_etc($1)
 -	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
 -
@@ -99559,7 +99635,8 @@ index facdee8..fddb027 100644
 -
 -	files_search_pids($1)
 -	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
--
++	allow $1 virt_domain:process signal_perms;
+ 
 -	files_search_var($1)
 -	admin_pattern($1, svirt_cache_t)
 -
@@ -99580,7 +99657,7 @@ index facdee8..fddb027 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..1bbfa18 100644
+index f03dcf5..fb96958 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,197 @@
@@ -100274,7 +100351,7 @@ index f03dcf5..1bbfa18 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,16 +370,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +370,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -100296,10 +100373,11 @@ index f03dcf5..1bbfa18 100644
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -520,6 +383,7 @@ kernel_read_kernel_sysctls(virtd_t)
+ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
- kernel_setsched(virtd_t)
+-kernel_setsched(virtd_t)
++kernel_dontaudit_setsched(virtd_t)
 +kernel_write_proc_files(virtd_t)
  
  corecmd_exec_bin(virtd_t)
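Review bot: Replacing `kernel_setsched(virtd_t)` with `kernel_dontaudit_setsched(virtd_t)` silences the denial instead of granting it, so if libvirtd does need to change the scheduling of a kernel thread that call will now fail with no AVC record, which makes the failure hard to diagnose later. The changelog entry describes this as suppressing setsched attempts on kernel_t threads, so presumably the attempts are harmless; a comment such as `# virtd tries to setsched kernel_t threads; the failure is harmless, so only silence it` above the call would record that reasoning for the next maintainer. The `kernel_dontaudit_setsched` interface is not defined anywhere in this patch file, so the contrib patch now depends on the base patch that introduces it being applied in the same build; verify that ordering is guaranteed.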
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c6ee813..840b31c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 35%{?dist}
+Release: 36%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -580,6 +580,19 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Mar 14 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-36
+- Add additional fixes for systemd_networkd_t
+- Allow systemd-logind to manage user_tmpfs_t
+- Allow systemd-logind to mount /run/user/1000 to get gdm working
+- Dontaudit attempts to setsched on the kernel_t threads
+- Allow munin mail plugins to read network systcl
+- Fix git_system_enable_homedirs boolean
+- Make cimtest script 03_defineVS.py of ComputerSystem group working
+- Make  abrt-java-connector working
+- Allow net_admin cap for fence_virtd running as fenced_t
+- Allow vmtools_helper_t to execute bin_t
+- Add support for /usr/share/joomla
+
 * Thu Mar 13 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-35
 - sshd to read network sysctls
 - Allow vmtools_helper_t to execute bin_t

