[selinux-policy] - Allow init_t to setattr/relabelfrom dhcp state files - Allow dmesg to read hwdata and memory dev -

Miroslav Grepl mgrepl at fedoraproject.org
Fri Apr 18 12:31:34 UTC 2014


commit 7ca2b3072106b420169e64d0a87d2c3178ab82df
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Apr 18 14:31:10 2014 +0200

    - Allow init_t to setattr/relabelfrom dhcp state files
    - Allow dmesg to read hwdata and memory dev
    - Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
    - Dontaudit antivirus domains read access on all security files by default
    - Add missing alias for old amavis_etc_t type
    - Additional fixes for  instack overcloud
    - Allow block_suspend cap for haproxy
    - Allow OpenStack to read mysqld_db links and connect to MySQL
    - Remove dup filename rules in gnome.te
    - Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
    - Add labeling for /lib/systemd/system/thttpd.service
    - Allow iscsid to handle own unit files
    - Add iscsi_systemctl()
    - Allow mongod also create sock_file with correct labeling in /run
    - Allow aiccu stream connect to pcscd
    - Allow rabbitmq_beam to connect to httpd port
    - Allow httpd to send signull to apache script domains and don't audit leaks
    - Fix labeling in drbd.fc
    - Allow sssd to connect to the smbd port for handling logins using active directory, needs back
    - Allow all freeipmi domains to read/write ipmi devices
    - Allow rabbitmq_epmd to manage rabbit_var_log_t files
    - Allow sblim_sfcbd to use also pegasus-https port
    - Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
    - Add httpd_run_preupgrade boolean
    - Add interfaces to access preupgrade_data_t
    - Add preupgrade policy
    - Add labeling for puppet helper scripts

 policy-rawhide-base.patch    |  190 +++++++-----
 policy-rawhide-contrib.patch |  663 +++++++++++++++++++++++++++++-------------
 selinux-policy.spec          |   31 ++-
 3 files changed, 597 insertions(+), 287 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index f459a64..dc9e64c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1601,7 +1601,7 @@ index d6cc2d9..0685b19 100644
 +
 +/usr/bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
 diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..17357e5 100644
+index 72bc6d8..bb4a6f0 100644
 --- a/policy/modules/admin/dmesg.te
 +++ b/policy/modules/admin/dmesg.te
 @@ -9,6 +9,10 @@ type dmesg_t;
@@ -1615,7 +1615,7 @@ index 72bc6d8..17357e5 100644
  ########################################
  #
  # Local policy
-@@ -19,14 +23,17 @@ dontaudit dmesg_t self:capability sys_tty_config;
+@@ -19,14 +23,18 @@ dontaudit dmesg_t self:capability sys_tty_config;
  
  allow dmesg_t self:process signal_perms;
  
@@ -1630,15 +1630,17 @@ index 72bc6d8..17357e5 100644
  
  dev_read_sysfs(dmesg_t)
 +dev_read_kmsg(dmesg_t)
++dev_read_raw_memory(dmesg_t)
  
  fs_search_auto_mountpoints(dmesg_t)
  
-@@ -44,10 +51,12 @@ init_use_script_ptys(dmesg_t)
+@@ -44,10 +52,14 @@ init_use_script_ptys(dmesg_t)
  logging_send_syslog_msg(dmesg_t)
  logging_write_generic_logs(dmesg_t)
  
 -miscfiles_read_localization(dmesg_t)
--
++miscfiles_read_hwdata(dmesg_t)
+ 
  userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
 -userdom_use_user_terminals(dmesg_t)
 +userdom_use_inherited_user_terminals(dmesg_t)
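Review bot: `dev_read_raw_memory(dmesg_t)` grants the dmesg domain read access to the raw memory character devices, which is far broader than the ring-buffer access it already has through `dev_read_kmsg(dmesg_t)` on the line above it. If the denial being closed was only a probe that dmesg does not need to succeed, the dontaudit variant of the interface would be the narrower fix; if the read is genuinely required, a why-comment above the rule, `# TODO(review): record which dmesg code path opens the memory devices`, would stop the next reviewer from dropping it. `miscfiles_read_hwdata(dmesg_t)` is presumably the hardware-id lookup and is the unremarkable half of the change.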
@@ -29655,7 +29657,7 @@ index 79a45f6..89b43aa 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..56e006c 100644
+index 17eda24..e5c555c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -29925,7 +29927,7 @@ index 17eda24..56e006c 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +301,230 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +301,235 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -30123,6 +30125,11 @@ index 17eda24..56e006c 100644
 +    optional_policy(`
 +        rpc_manage_nfs_state_data(init_t)
 +    ')
++
++    optional_policy(`
++        sysnet_relabelfrom_dhcpc_state(init_t)
++        sysnet_setattr_dhcp_state(init_t)
++    ')
 +')
 +
 +optional_policy(`
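Review bot: `sysnet_relabelfrom_dhcpc_state(init_t)` is not defined anywhere in this diff, while its sibling `sysnet_setattr_dhcp_state` is added to sysnetwork.if further down; if the relabelfrom interface is not already present in the base patch, m4 leaves the call unexpanded and the module build fails inside this optional_policy block. The two names also disagree on `dhcpc_state` versus `dhcp_state` for what appears to be the same type, which is worth aligning before both are public interfaces. A comment above the block, `# TODO(review): note which init-time cleanup relabels DHCP state files`, would record the intent, which the hunk itself does not state. The block that encloses this optional_policy opens outside the hunk, so I cannot tell which distro or service section it lands in.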
@@ -30142,10 +30149,9 @@ index 17eda24..56e006c 100644
 +	optional_policy(`
 +		devicekit_dbus_chat_power(init_t)
 +	')
- ')
- 
- optional_policy(`
--	nscd_use(init_t)
++')
++
++optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
@@ -30155,16 +30161,17 @@ index 17eda24..56e006c 100644
 +
 +optional_policy(`
 +		networkmanager_stream_connect(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_use(init_t)
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
 +	plymouthd_filetrans_named_content(init_t)
  ')
  
  optional_policy(`
-@@ -216,7 +532,31 @@ optional_policy(`
+@@ -216,7 +537,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30196,7 +30203,7 @@ index 17eda24..56e006c 100644
  ')
  
  ########################################
-@@ -225,9 +565,9 @@ optional_policy(`
+@@ -225,9 +570,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30208,7 +30215,7 @@ index 17eda24..56e006c 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -30225,7 +30232,7 @@ index 17eda24..56e006c 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -30268,7 +30275,7 @@ index 17eda24..56e006c 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -30280,7 +30287,7 @@ index 17eda24..56e006c 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +672,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +677,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -30291,7 +30298,7 @@ index 17eda24..56e006c 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +683,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +688,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -30301,7 +30308,7 @@ index 17eda24..56e006c 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +692,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +697,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -30309,7 +30316,7 @@ index 17eda24..56e006c 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -30317,7 +30324,7 @@ index 17eda24..56e006c 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +707,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +712,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -30335,7 +30342,7 @@ index 17eda24..56e006c 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +725,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +730,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -30349,7 +30356,7 @@ index 17eda24..56e006c 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +740,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +745,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -30363,7 +30370,7 @@ index 17eda24..56e006c 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +753,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +758,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -30374,7 +30381,7 @@ index 17eda24..56e006c 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +766,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +771,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -30382,7 +30389,7 @@ index 17eda24..56e006c 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +785,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +790,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -30406,7 +30413,7 @@ index 17eda24..56e006c 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +818,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +823,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -30414,7 +30421,7 @@ index 17eda24..56e006c 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +852,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +857,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -30425,7 +30432,7 @@ index 17eda24..56e006c 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +876,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +881,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -30434,7 +30441,7 @@ index 17eda24..56e006c 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +891,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +896,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -30442,7 +30449,7 @@ index 17eda24..56e006c 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +912,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +917,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -30450,7 +30457,7 @@ index 17eda24..56e006c 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +922,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +927,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -30495,7 +30502,7 @@ index 17eda24..56e006c 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +967,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +972,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -30527,7 +30534,7 @@ index 17eda24..56e006c 100644
  	')
  ')
  
-@@ -577,6 +1002,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1007,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -30567,7 +30574,7 @@ index 17eda24..56e006c 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1047,8 @@ optional_policy(`
+@@ -589,6 +1052,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -30576,7 +30583,7 @@ index 17eda24..56e006c 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1070,7 @@ optional_policy(`
+@@ -610,6 +1075,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -30584,7 +30591,7 @@ index 17eda24..56e006c 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1087,17 @@ optional_policy(`
+@@ -626,6 +1092,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30602,7 +30609,7 @@ index 17eda24..56e006c 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1114,13 @@ optional_policy(`
+@@ -642,9 +1119,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -30616,7 +30623,7 @@ index 17eda24..56e006c 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1133,11 @@ optional_policy(`
+@@ -657,15 +1138,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30634,7 +30641,7 @@ index 17eda24..56e006c 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1158,15 @@ optional_policy(`
+@@ -686,6 +1163,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30650,7 +30657,7 @@ index 17eda24..56e006c 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1207,7 @@ optional_policy(`
+@@ -726,6 +1212,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -30658,7 +30665,7 @@ index 17eda24..56e006c 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1225,13 @@ optional_policy(`
+@@ -743,7 +1230,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30673,7 +30680,7 @@ index 17eda24..56e006c 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1254,10 @@ optional_policy(`
+@@ -766,6 +1259,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30684,7 +30691,7 @@ index 17eda24..56e006c 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1267,20 @@ optional_policy(`
+@@ -775,10 +1272,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30705,7 +30712,7 @@ index 17eda24..56e006c 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1289,10 @@ optional_policy(`
+@@ -787,6 +1294,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30716,7 +30723,7 @@ index 17eda24..56e006c 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1314,6 @@ optional_policy(`
+@@ -808,8 +1319,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30725,7 +30732,7 @@ index 17eda24..56e006c 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1322,10 @@ optional_policy(`
+@@ -818,6 +1327,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30736,7 +30743,7 @@ index 17eda24..56e006c 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1335,12 @@ optional_policy(`
+@@ -827,10 +1340,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -30749,7 +30756,7 @@ index 17eda24..56e006c 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1367,60 @@ optional_policy(`
+@@ -857,21 +1372,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30811,7 +30818,7 @@ index 17eda24..56e006c 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1436,10 @@ optional_policy(`
+@@ -887,6 +1441,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30822,7 +30829,7 @@ index 17eda24..56e006c 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1450,218 @@ optional_policy(`
+@@ -897,3 +1455,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -31289,7 +31296,7 @@ index 0d4c8d3..e6ffda3 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..a97e8da 100644
+index 312cd04..d6d434a 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -31302,7 +31309,7 @@ index 312cd04..a97e8da 100644
  type ipsec_mgmt_lock_t;
  files_lock_file(ipsec_mgmt_lock_t)
  
-@@ -72,14 +75,18 @@ role system_r types setkey_t;
+@@ -72,24 +75,32 @@ role system_r types setkey_t;
  # ipsec Local policy
  #
  
@@ -31324,8 +31331,10 @@ index 312cd04..a97e8da 100644
  
  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
  
-@@ -88,8 +95,11 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+ allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
+ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
  read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
++filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")
  
  allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
 -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
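Review bot: `filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")` expands to `allow ipsec_t ipsec_conf_file_t:dir rw_dir_perms` plus the type_transition, so ipsec_t gains write, add_name and remove_name on every ipsec_conf_file_t directory rather than just the ability to create ipsec.secrets, and the `list_dir_perms` granted two lines above becomes a subset of it. If creating that one file is all that is needed, `allow ipsec_t ipsec_conf_file_t:dir add_entry_dir_perms;` followed by a bare `type_transition ipsec_t ipsec_conf_file_t:file ipsec_key_file_t "ipsec.secrets";` is the least-privilege form. The transition also only takes effect if ipsec_t retains create permission on ipsec_key_file_t files, and the `manage_files_pattern` removal on the last line of the hunk means that cannot be confirmed from here. A why-comment such as `# strongswan writes /etc/strongswan/ipsec.secrets; label it as key material, not config` would document the labeling decision.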
@@ -31337,7 +31346,7 @@ index 312cd04..a97e8da 100644
  
  manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
  manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -110,10 +120,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+@@ -110,10 +121,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
  allow ipsec_mgmt_t ipsec_t:fd use;
  allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
  allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
@@ -31350,7 +31359,7 @@ index 312cd04..a97e8da 100644
  kernel_list_proc(ipsec_t)
  kernel_read_proc_symlinks(ipsec_t)
  # allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +138,22 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +139,22 @@ corecmd_exec_shell(ipsec_t)
  corecmd_exec_bin(ipsec_t)
  
  # Pluto needs network access
@@ -31380,7 +31389,7 @@ index 312cd04..a97e8da 100644
  
  dev_read_sysfs(ipsec_t)
  dev_read_rand(ipsec_t)
-@@ -157,24 +169,33 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,24 +170,33 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
@@ -31415,7 +31424,7 @@ index 312cd04..a97e8da 100644
  	seutil_sigchld_newrole(ipsec_t)
  ')
  
-@@ -187,10 +208,10 @@ optional_policy(`
+@@ -187,10 +209,10 @@ optional_policy(`
  # ipsec_mgmt Local policy
  #
  
@@ -31430,7 +31439,7 @@ index 312cd04..a97e8da 100644
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
  allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +230,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
  
  allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -31446,7 +31455,7 @@ index 312cd04..a97e8da 100644
  
  # _realsetup needs to be able to cat /var/run/pluto.pid,
  # run ps on that pid, and delete the file
-@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +270,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -31463,7 +31472,7 @@ index 312cd04..a97e8da 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +289,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -31472,7 +31481,7 @@ index 312cd04..a97e8da 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -278,9 +313,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -31484,7 +31493,7 @@ index 312cd04..a97e8da 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +324,22 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +325,22 @@ init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
  init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
@@ -31512,7 +31521,7 @@ index 312cd04..a97e8da 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +363,10 @@ optional_policy(`
+@@ -322,6 +364,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31523,7 +31532,7 @@ index 312cd04..a97e8da 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +380,7 @@ optional_policy(`
+@@ -335,7 +381,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -31532,7 +31541,7 @@ index 312cd04..a97e8da 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +415,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +416,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -31552,7 +31561,7 @@ index 312cd04..a97e8da 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +445,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +446,10 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -31565,7 +31574,7 @@ index 312cd04..a97e8da 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +482,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +483,8 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -37497,7 +37506,7 @@ index 40edc18..a072ac2 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..77f307f 100644
+index 2cea692..1c0de21 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -37777,7 +37786,34 @@ index 2cea692..77f307f 100644
  ')
  
  ########################################
-@@ -711,8 +897,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -647,6 +833,26 @@ interface(`sysnet_search_dhcp_state',`
+ 	allow $1 dhcp_state_t:dir search_dir_perms;
+ ')
+ 
++#######################################
++## <summary>
++##	Set the attributes of network config files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sysnet_setattr_dhcp_state',`
++	gen_require(`
++		type dhcp_state_t;
++	')
++
++    files_search_var_lib($1)
++	allow $1 dhcp_state_t:file setattr_file_perms;
++')
++
++
+ ########################################
+ ## <summary>
+ ##	Create DHCP state data.
+@@ -711,8 +917,6 @@ interface(`sysnet_dns_name_resolve',`
  	allow $1 self:udp_socket create_socket_perms;
  	allow $1 self:netlink_route_socket r_netlink_socket_perms;
  
@@ -37786,7 +37822,7 @@ index 2cea692..77f307f 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -720,8 +904,11 @@ interface(`sysnet_dns_name_resolve',`
+@@ -720,8 +924,11 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_sendrecv_dns_port($1)
  	corenet_udp_sendrecv_dns_port($1)
  	corenet_tcp_connect_dns_port($1)
@@ -37798,7 +37834,7 @@ index 2cea692..77f307f 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -750,8 +937,6 @@ interface(`sysnet_use_ldap',`
+@@ -750,8 +957,6 @@ interface(`sysnet_use_ldap',`
  
  	allow $1 self:tcp_socket create_socket_perms;
  
@@ -37807,7 +37843,7 @@ index 2cea692..77f307f 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
  	corenet_tcp_sendrecv_ldap_port($1)
-@@ -763,6 +948,9 @@ interface(`sysnet_use_ldap',`
+@@ -763,6 +968,9 @@ interface(`sysnet_use_ldap',`
  	dev_read_urand($1)
  
  	sysnet_read_config($1)
@@ -37817,7 +37853,7 @@ index 2cea692..77f307f 100644
  ')
  
  ########################################
-@@ -784,7 +972,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +992,6 @@ interface(`sysnet_use_portmap',`
  	allow $1 self:udp_socket create_socket_perms;
  
  	corenet_all_recvfrom_unlabeled($1)
@@ -37825,7 +37861,7 @@ index 2cea692..77f307f 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +983,115 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1003,115 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index aab44a5..a3ec877 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1519,7 +1519,7 @@ index 3b5dcb9..fbe187f 100644
  	domain_system_change_exemption($1)
  	role_transition $2 aiccu_initrc_exec_t system_r;
 diff --git a/aiccu.te b/aiccu.te
-index 5d2b90e..f1cf098 100644
+index 5d2b90e..bb8adeb 100644
 --- a/aiccu.te
 +++ b/aiccu.te
 @@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
@@ -1530,7 +1530,7 @@ index 5d2b90e..f1cf098 100644
  corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
  corenet_tcp_connect_sixxsconfig_port(aiccu_t)
  corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
-@@ -60,11 +59,10 @@ domain_use_interactive_fds(aiccu_t)
+@@ -60,17 +59,20 @@ domain_use_interactive_fds(aiccu_t)
  dev_read_rand(aiccu_t)
  dev_read_urand(aiccu_t)
  
@@ -1544,6 +1544,16 @@ index 5d2b90e..f1cf098 100644
  
  optional_policy(`
  	modutils_domtrans_insmod(aiccu_t)
+ ')
+ 
+ optional_policy(`
++    pcscd_stream_connect(aiccu_t)
++')
++
++optional_policy(`
+ 	sysnet_dns_name_resolve(aiccu_t)
+ 	sysnet_domtrans_ifconfig(aiccu_t)
+ ')
 diff --git a/aide.if b/aide.if
 index 01cbb67..94a4a24 100644
 --- a/aide.if
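Review bot: The new `pcscd_stream_connect(aiccu_t)` line is indented with four spaces while the neighbouring optional_policy blocks use a tab, so it should read `	pcscd_stream_connect(aiccu_t)`. A one-line comment saying which aiccu feature talks to the smart-card daemon would help, since nothing on the page explains why a tunnel client needs pcscd; the commit title only states that the access is granted.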
@@ -2313,10 +2323,10 @@ index 16d0d66..60abfd0 100644
  optional_policy(`
  	nscd_dontaudit_search_pid(amtu_t)
 diff --git a/anaconda.fc b/anaconda.fc
-index b098089..258407b 100644
+index b098089..358c9f9 100644
 --- a/anaconda.fc
 +++ b/anaconda.fc
-@@ -1 +1,7 @@
+@@ -1 +1,11 @@
  # No file context specifications.
 +
 +/usr/libexec/anaconda/anaconda-yum  --  gen_context(system_u:object_r:install_exec_t,s0)
@@ -2324,11 +2334,15 @@ index b098089..258407b 100644
 +
 +/usr/bin/ostree         --  gen_context(system_u:object_r:install_exec_t,s0)
 +/usr/bin/rpm-ostree     --  gen_context(system_u:object_r:install_exec_t,s0)
++
++/usr/bin/preupg.*   --  gen_context(system_u:object_r:preupgrade_exec_t,s0)
++/var/lib/preupgrade(/.*)?   gen_context(system_u:object_r:preupgrade_data_t,s0)
++/var/log/preupgrade(/.*)?   gen_context(system_u:object_r:preupgrade_data_t,s0)
 diff --git a/anaconda.if b/anaconda.if
-index 14a61b7..21bbf36 100644
+index 14a61b7..76d9329 100644
 --- a/anaconda.if
 +++ b/anaconda.if
-@@ -1 +1,54 @@
+@@ -1 +1,132 @@
  ## <summary>Anaconda installer.</summary>
 +
 +########################################
@@ -2383,8 +2397,86 @@ index 14a61b7..21bbf36 100644
 +	')
 +')
 +
++########################################
++## <summary>
++##	Execute preupgrade in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`anaconda_exec_preupgrade',`
++	gen_require(`
++		type preupgrade_exec_t;
++	')
++
++	corecmd_search_bin($1)
++    can_exec($1, preupgrade_exec_t)
++')
++
++########################################
++## <summary>
++##	Execute a domain transition to run preupgrade.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`anaconda_domtrans_preupgrade',`
++	gen_require(`
++		type preupgrade_t, preupgrade_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
++')
++
++########################################
++## <summary>
++##	Read preupgrade lib files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`anaconda_read_lib_files_preupgrade',`
++	gen_require(`
++		type preupgrade_data_t;
++	')
++
++	read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++	read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Manage preupgrade lib files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`anaconda_manage_lib_files_preupgrade',`
++	gen_require(`
++		type preupgrade_data_t;
++	')
++
++	manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
++	manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++	manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++	files_search_var_lib($1)
++')
 diff --git a/anaconda.te b/anaconda.te
-index aa44abf..ae0e58f 100644
+index aa44abf..84c95ed 100644
 --- a/anaconda.te
 +++ b/anaconda.te
 @@ -4,6 +4,10 @@ gen_require(`
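Review bot: The summaries `Read preupgrade lib files` and `Manage preupgrade lib files` understate what the interfaces grant: preupgrade_data_t also labels `/var/log/preupgrade` in the anaconda.fc hunk above, so `anaconda_manage_lib_files_preupgrade` lets the caller manage the logs too; `##	Manage preupgrade data files (/var/lib and /var/log/preupgrade).` would be accurate. In `anaconda_exec_preupgrade`, `    can_exec($1, preupgrade_exec_t)` uses four spaces where the rest of the file uses a tab, and its parameter summary says `Domain allowed to transition.` although no transition happens there; `Domain allowed access.` is the wording the read and manage interfaces in the same hunk use.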
@@ -2398,7 +2490,7 @@ index aa44abf..ae0e58f 100644
  ########################################
  #
  # Declarations
-@@ -16,6 +20,14 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
+@@ -16,6 +20,22 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
  domain_obj_id_change_exemption(anaconda_t)
  role system_r types anaconda_t;
  
@@ -2410,10 +2502,18 @@ index aa44abf..ae0e58f 100644
 +application_domain(install_t, install_exec_t)
 +role install_roles types install_t;
 +
++type preupgrade_t;
++type preupgrade_exec_t;
++application_domain(preupgrade_t, preupgrade_exec_t)
++role system_r types preupgrade_t;
++
++type preupgrade_data_t;
++files_type(preupgrade_data_t)
++
  ########################################
  #
  # Local policy
-@@ -34,8 +46,9 @@ modutils_domtrans_insmod(anaconda_t)
+@@ -34,8 +54,9 @@ modutils_domtrans_insmod(anaconda_t)
  modutils_domtrans_depmod(anaconda_t)
  
  seutil_domtrans_semanage(anaconda_t)
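Review bot: `role system_r types preupgrade_t;` restricts the new `application_domain` to system_r, unlike `install_t` a few lines above, which is attached to the `install_roles` attribute; if preupg is started by an administrator through `anaconda_domtrans_preupgrade` from a user role, the transition is refused on the role check rather than the type check, which I infer from the declarations and cannot confirm without the caller. A comment next to the role line stating who is expected to run preupg would make the choice deliberate. If admin roles are intended, a `preupgrade_roles` attribute declared like `install_roles` is the pattern already used in this file.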
@@ -2424,7 +2524,7 @@ index aa44abf..ae0e58f 100644
  
  optional_policy(`
  	rpm_domtrans(anaconda_t)
-@@ -53,3 +66,34 @@ optional_policy(`
+@@ -53,3 +74,46 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain_noaudit(anaconda_t)
  ')
@@ -2459,6 +2559,18 @@ index aa44abf..ae0e58f 100644
 +')
 +
 +
++########################################
++#
++# Local policy
++#
++
++manage_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
++manage_dirs_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
++manage_lnk_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
++
++optional_policy(`
++    unconfined_domain_noaudit(preupgrade_t)
++')
 diff --git a/antivirus.fc b/antivirus.fc
 new file mode 100644
 index 0000000..219f32d
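Review bot: `unconfined_domain_noaudit(preupgrade_t)` makes the new domain unconfined whenever the unconfined module is loaded, so the three manage_*_pattern rules above it add nothing at runtime on a default install and only take effect once that module is removed; a comment such as `# preupgrade is unconfined for now; the rules above are the intended confined policy` would keep the next reader from taking the domain as confined. The section header `# Local policy` repeats the one used for anaconda_t earlier in the same file; `# preupgrade local policy` follows the convention visible in ipsec.te's `# ipsec_mgmt Local policy` in the base patch above.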
@@ -2839,10 +2951,10 @@ index 0000000..df5b3be
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..8ba9c95
+index 0000000..83590aa
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,273 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -2882,7 +2994,7 @@ index 0000000..8ba9c95
 +systemd_unit_file(antivirus_unit_file_t)
 +
 +type antivirus_conf_t;
-+typealias antivirus_conf_t alias { clamd_etc_t };
++typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
 +files_config_file(antivirus_conf_t)
 +
 +type antivirus_var_run_t;
@@ -3011,6 +3123,7 @@ index 0000000..8ba9c95
 +
 +domain_dontaudit_read_all_domains_state(antivirus_domain)
 +
++files_dontaudit_read_security_files(antivirus_domain)
 +files_read_etc_runtime_files(antivirus_domain)
 +files_search_spool(antivirus_domain)
 +
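Review bot: `files_dontaudit_read_security_files(antivirus_domain)` is now unconditional, so read denials on security files by any antivirus domain are silenced even when `antivirus_can_scan_system` is off (the copy inside that tunable is removed in the next hunk). That is a loss of audit visibility rather than an access grant, which is plausibly what a scanner walking the whole tree needs, but the block should record it: `# dontaudit only: scanners stat/open security files while walking the tree; no access is granted`. Since `domain_dontaudit_read_all_domains_state` sits directly above, one comment covering both dontaudit lines keeps the block readable.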
@@ -3035,8 +3148,6 @@ index 0000000..8ba9c95
 +
 +tunable_policy(`antivirus_can_scan_system',`
 +	files_read_non_security_files(antivirus_domain)
-+    #files_dontaudit_read_all_non_security_files(antivirus_domain)
-+    files_dontaudit_read_security_files(antivirus_domain)
 +	files_getattr_all_pipes(antivirus_domain)
 +	files_getattr_all_sockets(antivirus_domain)
 +    dev_getattr_all_blk_files(antivirus_domain)
@@ -3118,10 +3229,10 @@ index 0000000..8ba9c95
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..8434d2f 100644
+index 7caefc3..0d9db0a 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,201 @@
+@@ -1,162 +1,202 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3177,6 +3288,7 @@ index 7caefc3..8434d2f 100644
 +/usr/.*\.cgi			-- 	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/opt/.*\.cgi			-- 	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/usr/lib/systemd/system/httpd.*  --     gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/thttpd.*  --     gen_context(system_u:object_r:httpd_unit_file_t,s0)
 +/usr/lib/systemd/system/jetty.* --      gen_context(system_u:object_r:httpd_unit_file_t,s0)
 +/usr/lib/systemd/system/php-fpm.*	--  gen_context(system_u:object_r:httpd_unit_file_t,s0)
 +/usr/lib/systemd/system/nginx.*     --  gen_context(system_u:object_r:httpd_unit_file_t,s0)
@@ -4921,10 +5033,10 @@ index f6eb485..51b128e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..6ae8921 100644
+index 6649962..a25874f 100644
 --- a/apache.te
 +++ b/apache.te
-@@ -5,280 +5,331 @@ policy_module(apache, 2.7.2)
+@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
  # Declarations
  #
  
@@ -5065,55 +5177,73 @@ index 6649962..6ae8921 100644
 +## <p>
 +## Allow httpd to connect to memcache server
 +## </p>
- ## </desc>
--gen_tunable(httpd_can_network_relay, false)
++## </desc>
 +gen_tunable(httpd_can_network_memcache, false)
++
++## <desc>
++## <p>
++## Allow httpd to act as a relay
++## </p>
+ ## </desc>
+ gen_tunable(httpd_can_network_relay, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd daemon can
 -##	connect to zabbix over the network.
 -##	</p>
-+## <p>
-+## Allow httpd to act as a relay
-+## </p>
++##  <p>
++##  Allow http daemon to connect to zabbix
++##  </p>
  ## </desc>
 -gen_tunable(httpd_can_network_connect_zabbix, false)
-+gen_tunable(httpd_can_network_relay, false)
++gen_tunable(httpd_can_connect_zabbix, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can send mail.
 -##	</p>
 +##  <p>
-+##  Allow http daemon to connect to zabbix
++##  Allow http daemon to connect to mythtv
 +##  </p>
++## </desc>
++gen_tunable(httpd_can_connect_mythtv, false)
++
++## <desc>
++## <p>
++## Allow http daemon to check spam
++## </p>
++## </desc>
++gen_tunable(httpd_can_check_spam, false)
++
++## <desc>
++## <p>
++## Allow http daemon to send mail
++## </p>
  ## </desc>
--gen_tunable(httpd_can_sendmail, false)
-+gen_tunable(httpd_can_connect_zabbix, false)
+ gen_tunable(httpd_can_sendmail, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can communicate
 -##	with avahi service via dbus.
 -##	</p>
-+##  <p>
-+##  Allow http daemon to connect to mythtv
-+##  </p>
++## <p>
++## Allow Apache to communicate with avahi service via dbus
++## </p>
  ## </desc>
--gen_tunable(httpd_dbus_avahi, false)
-+gen_tunable(httpd_can_connect_mythtv, false)
+ gen_tunable(httpd_dbus_avahi, false)
  
  ## <desc>
 -##	<p>
 -##	Determine wether httpd can use support.
 -##	</p>
 +## <p>
-+## Allow http daemon to check spam
++## Allow Apache to communicate with sssd service via dbus
 +## </p>
  ## </desc>
 -gen_tunable(httpd_enable_cgi, false)
-+gen_tunable(httpd_can_check_spam, false)
++gen_tunable(httpd_dbus_sssd, false)
  
  ## <desc>
 -##	<p>
@@ -5121,11 +5251,11 @@ index 6649962..6ae8921 100644
 -##	FTP server by listening on the ftp port.
 -##	</p>
 +## <p>
-+## Allow http daemon to send mail
++## Allow httpd cgi support
 +## </p>
  ## </desc>
 -gen_tunable(httpd_enable_ftp_server, false)
-+gen_tunable(httpd_can_sendmail, false)
++gen_tunable(httpd_enable_cgi, false)
  
  ## <desc>
 -##	<p>
@@ -5133,11 +5263,12 @@ index 6649962..6ae8921 100644
 -##	user home directories.
 -##	</p>
 +## <p>
-+## Allow Apache to communicate with avahi service via dbus
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
 +## </p>
  ## </desc>
 -gen_tunable(httpd_enable_homedirs, false)
-+gen_tunable(httpd_dbus_avahi, false)
++gen_tunable(httpd_enable_ftp_server, false)
  
  ## <desc>
 -##	<p>
@@ -5147,23 +5278,24 @@ index 6649962..6ae8921 100644
 -##	be labeled public_content_rw_t.
 -##	</p>
 +## <p>
-+## Allow Apache to communicate with sssd service via dbus
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
 +## </p>
  ## </desc>
 -gen_tunable(httpd_gpg_anon_write, false)
-+gen_tunable(httpd_dbus_sssd, false)
++gen_tunable(httpd_can_connect_ftp, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can execute
 -##	its temporary content.
 -##	</p>
-+## <p>
-+## Allow httpd cgi support
-+## </p>
++##  <p>
++##  Allow httpd to connect to the ldap port 
++##  </p>
  ## </desc>
 -gen_tunable(httpd_tmp_exec, false)
-+gen_tunable(httpd_enable_cgi, false)
++gen_tunable(httpd_can_connect_ldap, false)
  
  ## <desc>
 -##	<p>
@@ -5171,12 +5303,11 @@ index 6649962..6ae8921 100644
 -##	modules can use execmem and execstack.
 -##	</p>
 +## <p>
-+## Allow httpd to act as a FTP server by
-+## listening on the ftp port.
++## Allow httpd to read home directories
 +## </p>
  ## </desc>
 -gen_tunable(httpd_execmem, false)
-+gen_tunable(httpd_enable_ftp_server, false)
++gen_tunable(httpd_enable_homedirs, false)
  
  ## <desc>
 -##	<p>
@@ -5184,35 +5315,35 @@ index 6649962..6ae8921 100644
 -##	to port 80 for graceful shutdown.
 -##	</p>
 +## <p>
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
++## Allow httpd to read user content 
 +## </p>
  ## </desc>
 -gen_tunable(httpd_graceful_shutdown, false)
-+gen_tunable(httpd_can_connect_ftp, false)
++gen_tunable(httpd_read_user_content, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can
 -##	manage IPA content files.
 -##	</p>
-+##  <p>
-+##  Allow httpd to connect to the ldap port 
-+##  </p>
++## <p>
++## Allow Apache to run in stickshift mode, not transition to passenger
++## </p>
  ## </desc>
 -gen_tunable(httpd_manage_ipa, false)
-+gen_tunable(httpd_can_connect_ldap, false)
++gen_tunable(httpd_run_stickshift, false)
++
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can use mod_auth_ntlm_winbind.
 -##	</p>
 +## <p>
-+## Allow httpd to read home directories
++## Allow Apache to run preupgrade
 +## </p>
  ## </desc>
 -gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+gen_tunable(httpd_enable_homedirs, false)
++gen_tunable(httpd_run_preupgrade, false)
  
  ## <desc>
 -##	<p>
@@ -5220,10 +5351,11 @@ index 6649962..6ae8921 100644
 -##	generic user home content files.
 -##	</p>
 +## <p>
-+## Allow httpd to read user content 
++## Allow Apache to query NS records
 +## </p>
  ## </desc>
- gen_tunable(httpd_read_user_content, false)
+-gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_verify_dns, false)
  
  ## <desc>
 -##	<p>
@@ -5231,20 +5363,6 @@ index 6649962..6ae8921 100644
 -##	its resource limits.
 -##	</p>
 +## <p>
-+## Allow Apache to run in stickshift mode, not transition to passenger
-+## </p>
-+## </desc>
-+gen_tunable(httpd_run_stickshift, false)
-+
-+## <desc>
-+## <p>
-+## Allow Apache to query NS records
-+## </p>
-+## </desc>
-+gen_tunable(httpd_verify_dns, false)
-+
-+## <desc>
-+## <p>
 +## Allow httpd daemon to change its resource limits
 +## </p>
  ## </desc>
@@ -5404,7 +5522,7 @@ index 6649962..6ae8921 100644
  
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
-@@ -286,15 +337,35 @@ init_script_file(httpd_initrc_exec_t)
+@@ -286,15 +345,35 @@ init_script_file(httpd_initrc_exec_t)
  type httpd_keytab_t;
  files_type(httpd_keytab_t)
  
@@ -5440,7 +5558,7 @@ index 6649962..6ae8921 100644
  type httpd_rotatelogs_t;
  type httpd_rotatelogs_exec_t;
  init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -302,10 +373,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -302,10 +381,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
  type httpd_squirrelmail_t;
  files_type(httpd_squirrelmail_t)
  
@@ -5453,7 +5571,7 @@ index 6649962..6ae8921 100644
  type httpd_suexec_exec_t;
  domain_type(httpd_suexec_t)
  domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -314,9 +383,19 @@ role system_r types httpd_suexec_t;
+@@ -314,9 +391,19 @@ role system_r types httpd_suexec_t;
  type httpd_suexec_tmp_t;
  files_tmp_file(httpd_suexec_tmp_t)
  
@@ -5476,7 +5594,7 @@ index 6649962..6ae8921 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -324,14 +403,21 @@ files_tmp_file(httpd_tmp_t)
+@@ -324,14 +411,21 @@ files_tmp_file(httpd_tmp_t)
  type httpd_tmpfs_t;
  files_tmpfs_file(httpd_tmpfs_t)
  
@@ -5499,7 +5617,7 @@ index 6649962..6ae8921 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -346,33 +432,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -346,33 +440,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
  typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
  typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
  
@@ -5544,13 +5662,14 @@ index 6649962..6ae8921 100644
 +# Apache server local policy
  #
  
- allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
 -dontaudit httpd_t self:capability net_admin;
++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
 +dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
  allow httpd_t self:sock_file read_sock_file_perms;
-@@ -381,30 +474,38 @@ allow httpd_t self:shm create_shm_perms;
+@@ -381,30 +482,39 @@ allow httpd_t self:shm create_shm_perms;
  allow httpd_t self:sem create_sem_perms;
  allow httpd_t self:msgq create_msgq_perms;
  allow httpd_t self:msg { send receive };
@@ -5587,6 +5706,7 @@ index 6649962..6ae8921 100644
  create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
  create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 +# cjp: need to refine create interfaces to
@@ -5594,7 +5714,7 @@ index 6649962..6ae8921 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,14 +513,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -5616,7 +5736,7 @@ index 6649962..6ae8921 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +558,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +567,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5854,7 +5974,7 @@ index 6649962..6ae8921 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +734,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +743,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5914,7 +6034,7 @@ index 6649962..6ae8921 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +786,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +795,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -6005,7 +6125,7 @@ index 6649962..6ae8921 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +833,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +842,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6026,17 +6146,17 @@ index 6649962..6ae8921 100644
 -	userdom_use_user_terminals(httpd_t)
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_t)
-+	userdom_use_inherited_user_terminals(httpd_t)
-+	userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
- 
+-')
+-
 -tunable_policy(`httpd_use_cifs',`
 -	fs_list_auto_mountpoints(httpd_t)
 -	fs_manage_cifs_dirs(httpd_t)
 -	fs_manage_cifs_files(httpd_t)
 -	fs_manage_cifs_symlinks(httpd_t)
--')
--
++	userdom_use_inherited_user_terminals(httpd_t)
++	userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+ 
 -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
 -	fs_exec_cifs_files(httpd_t)
 -')
@@ -6086,7 +6206,7 @@ index 6649962..6ae8921 100644
  ')
  
  optional_policy(`
-@@ -749,24 +886,32 @@ optional_policy(`
+@@ -749,24 +895,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6125,7 +6245,7 @@ index 6649962..6ae8921 100644
  ')
  
  optional_policy(`
-@@ -775,6 +920,10 @@ optional_policy(`
+@@ -775,6 +929,10 @@ optional_policy(`
  	tunable_policy(`httpd_dbus_avahi',`
  		avahi_dbus_chat(httpd_t)
  	')
@@ -6136,7 +6256,7 @@ index 6649962..6ae8921 100644
  ')
  
  optional_policy(`
-@@ -786,35 +935,55 @@ optional_policy(`
+@@ -786,35 +944,55 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6205,7 +6325,7 @@ index 6649962..6ae8921 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +991,18 @@ optional_policy(`
+@@ -822,8 +1000,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6224,7 +6344,7 @@ index 6649962..6ae8921 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1011,7 @@ optional_policy(`
+@@ -832,6 +1020,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6232,7 +6352,7 @@ index 6649962..6ae8921 100644
  ')
  
  optional_policy(`
-@@ -842,20 +1022,39 @@ optional_policy(`
+@@ -842,20 +1031,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6278,7 +6398,7 @@ index 6649962..6ae8921 100644
  ')
  
  optional_policy(`
-@@ -863,19 +1062,35 @@ optional_policy(`
+@@ -863,19 +1071,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6314,7 +6434,7 @@ index 6649962..6ae8921 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -883,65 +1098,173 @@ optional_policy(`
+@@ -883,65 +1107,183 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6382,16 +6502,25 @@ index 6649962..6ae8921 100644
 +	')
 +')
 +
++optional_policy(`
++    tunable_policy(`httpd_run_preupgrade', `
++        anaconda_manage_lib_files_preupgrade(httpd_t)
++        anaconda_domtrans_preupgrade(httpd_t)
++    ',`
++        anaconda_read_lib_files_preupgrade(httpd_t)
++        anaconda_exec_preupgrade(httpd_t)
++    ')
++')
++
  tunable_policy(`httpd_tty_comm',`
 -	userdom_use_user_terminals(httpd_helper_t)
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_helper_t)
 +	userdom_use_inherited_user_terminals(httpd_helper_t)
- ')
- 
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
 +# Apache PHP script local policy
 +#
 +
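Review bot: The false branch of the `httpd_run_preupgrade` tunable_policy is not a no-op: with the boolean at its default of false, httpd_t still gets `anaconda_read_lib_files_preupgrade(httpd_t)` and `anaconda_exec_preupgrade(httpd_t)`, which by their names grant read access to the preupgrade data and execution of the preupgrade binary in httpd_t itself (anaconda.if is not in this chunk, so confirm). Elsewhere in this file the off-branch of a tunable is either absent or a dontaudit, and the true branch here transitions into preupgrade_t, which this same patch makes `unconfined_domain_noaudit` in anaconda.te, so "off" should mean no access rather than reduced access — drop the else branch, or use dontaudit interfaces if anaconda.if provides them. The boolean's `<desc>` in the earlier apache.te declarations hunk, `## Allow Apache to run preupgrade`, should also state that enabling it lets httpd transition to an unconfined domain, since that text is what `semanage boolean -l` shows administrators. The new block indents with four spaces where the surrounding optional_policy blocks use tabs.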
@@ -6450,10 +6579,11 @@ index 6649962..6ae8921 100644
 +	tunable_policy(`httpd_can_network_connect_db',`
 +		postgresql_tcp_connect(httpd_php_t)
 +	')
-+')
-+
-+########################################
-+#
+ ')
+ 
+ ########################################
+ #
+-# Suexec local policy
 +# Apache suexec local policy
  #
  
@@ -6510,7 +6640,7 @@ index 6649962..6ae8921 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1273,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1292,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6665,7 +6795,7 @@ index 6649962..6ae8921 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1357,106 @@ optional_policy(`
+@@ -1083,172 +1376,106 @@ optional_policy(`
  	')
  ')
  
@@ -6690,11 +6820,11 @@ index 6649962..6ae8921 100644
 -
 -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
--kernel_dontaudit_search_sysctl(httpd_script_domains)
--kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
 +allow httpd_sys_script_t self:process getsched;
  
+-kernel_dontaudit_search_sysctl(httpd_script_domains)
+-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
+-
 -corenet_all_recvfrom_unlabeled(httpd_script_domains)
 -corenet_all_recvfrom_netlabel(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@@ -6783,6 +6913,15 @@ index 6649962..6ae8921 100644
 -	corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
 -	corenet_tcp_connect_oracledb_port(httpd_script_domains)
 -	corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
+-')
+-
+-optional_policy(`
+-	mysql_read_config(httpd_script_domains)
+-	mysql_stream_connect(httpd_script_domains)
+-
+-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+-		mysql_tcp_connect(httpd_script_domains)
+-	')
 +tunable_policy(`httpd_can_network_connect_db',`
 +	corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
 +	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
@@ -6792,21 +6931,12 @@ index 6649962..6ae8921 100644
  ')
  
 -optional_policy(`
--	mysql_read_config(httpd_script_domains)
--	mysql_stream_connect(httpd_script_domains)
--
--	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
--		mysql_tcp_connect(httpd_script_domains)
--	')
--')
+-	postgresql_stream_connect(httpd_script_domains)
 +fs_cifs_entry_type(httpd_sys_script_t)
 +fs_read_iso9660_files(httpd_sys_script_t)
 +fs_nfs_entry_type(httpd_sys_script_t)
 +fs_rw_anon_inodefs_files(httpd_sys_script_t)
  
--optional_policy(`
--	postgresql_stream_connect(httpd_script_domains)
--
 -	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
 -		postgresql_tcp_connect(httpd_script_domains)
 -	')
@@ -6843,8 +6973,7 @@ index 6649962..6ae8921 100644
 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 -allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
 -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -kernel_read_kernel_sysctls(httpd_sys_script_t)
 -
 -fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -6856,7 +6985,8 @@ index 6649962..6ae8921 100644
 -apache_domtrans_rotatelogs(httpd_sys_script_t)
 -
 -auth_use_nsswitch(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -tunable_policy(`httpd_can_sendmail',`
 -	corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -6902,7 +7032,7 @@ index 6649962..6ae8921 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1464,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1483,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6999,7 +7129,7 @@ index 6649962..6ae8921 100644
  
  ########################################
  #
-@@ -1321,8 +1539,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1558,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7016,7 +7146,7 @@ index 6649962..6ae8921 100644
  ')
  
  ########################################
-@@ -1330,49 +1555,38 @@ optional_policy(`
+@@ -1330,49 +1574,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7081,7 +7211,7 @@ index 6649962..6ae8921 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1596,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1615,101 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -7142,7 +7272,7 @@ index 6649962..6ae8921 100644
 -allow httpd_gpg_t httpd_t:process sigchld;
 +allow httpd_t httpd_script_exec_type:file read_file_perms;
 +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
-+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
++allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
 +allow httpd_t httpd_script_exec_type:dir list_dir_perms;
  
 -dev_read_rand(httpd_gpg_t)
@@ -7158,6 +7288,7 @@ index 6649962..6ae8921 100644
  
 -miscfiles_read_localization(httpd_gpg_t)
 +dontaudit httpd_script_type httpd_t:tcp_socket { read write };
++dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
  
 -tunable_policy(`httpd_gpg_anon_write',`
 -	miscfiles_manage_public_files(httpd_gpg_t)
@@ -8176,7 +8307,7 @@ index f24e369..9bce868 100644
 +	allow $1 automount_unit_file_t:service all_service_perms;
  ')
 diff --git a/automount.te b/automount.te
-index 27d2f40..5eec4ff 100644
+index 27d2f40..daed3ef 100644
 --- a/automount.te
 +++ b/automount.te
 @@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -8207,7 +8338,15 @@ index 27d2f40..5eec4ff 100644
  corenet_all_recvfrom_netlabel(automount_t)
  corenet_tcp_sendrecv_generic_if(automount_t)
  corenet_udp_sendrecv_generic_if(automount_t)
-@@ -101,7 +104,6 @@ files_mount_all_file_type_fs(automount_t)
+@@ -91,6 +94,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
+ 
+ files_dontaudit_write_var_dirs(automount_t)
+ files_getattr_all_dirs(automount_t)
++files_getattr_all_files(automount_t)
+ files_getattr_default_dirs(automount_t)
+ files_getattr_home_dir(automount_t)
+ files_getattr_isid_type_dirs(automount_t)
+@@ -101,7 +105,6 @@ files_mount_all_file_type_fs(automount_t)
  files_mounton_all_mountpoints(automount_t)
  files_mounton_mnt(automount_t)
  files_read_etc_runtime_files(automount_t)
@@ -8215,7 +8354,7 @@ index 27d2f40..5eec4ff 100644
  files_search_boot(automount_t)
  files_search_all(automount_t)
  files_unmount_all_file_type_fs(automount_t)
-@@ -113,6 +115,7 @@ fs_manage_autofs_symlinks(automount_t)
+@@ -113,6 +116,7 @@ fs_manage_autofs_symlinks(automount_t)
  fs_mount_all_fs(automount_t)
  fs_mount_autofs(automount_t)
  fs_read_nfs_files(automount_t)
@@ -8223,7 +8362,7 @@ index 27d2f40..5eec4ff 100644
  fs_search_all(automount_t)
  fs_search_auto_mountpoints(automount_t)
  fs_unmount_all_fs(automount_t)
-@@ -135,15 +138,18 @@ auth_use_nsswitch(automount_t)
+@@ -135,15 +139,18 @@ auth_use_nsswitch(automount_t)
  logging_send_syslog_msg(automount_t)
  logging_search_logs(automount_t)
  
@@ -8246,7 +8385,7 @@ index 27d2f40..5eec4ff 100644
  	fstools_domtrans(automount_t)
  ')
  
-@@ -166,3 +172,8 @@ optional_policy(`
+@@ -166,3 +173,8 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(automount_t)
  ')
@@ -11932,7 +12071,7 @@ index 32e8265..0de4af3 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c..2ec82ae 100644
+index e5b621c..e7c249d 100644
 --- a/chronyd.te
 +++ b/chronyd.te
 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -11963,7 +12102,7 @@ index e5b621c..2ec82ae 100644
  allow chronyd_t chronyd_keys_t:file read_file_perms;
  
  manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,20 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
  corenet_udp_bind_chronyd_port(chronyd_t)
  corenet_udp_sendrecv_chronyd_port(chronyd_t)
  
@@ -11971,6 +12110,7 @@ index e5b621c..2ec82ae 100644
 +
 +dev_read_rand(chronyd_t)
 +dev_read_urand(chronyd_t)
++dev_read_sysfs(chronyd_t)
 +
  dev_rw_realtime_clock(chronyd_t)
  
@@ -24690,6 +24830,19 @@ index 0aabc7e..71459e8 100644
 +	# Handle sieve scripts
  	sendmail_domtrans(dovecot_deliver_t)
  ')
+diff --git a/drbd.fc b/drbd.fc
+index 671a3fb..c781675 100644
+--- a/drbd.fc
++++ b/drbd.fc
+@@ -3,7 +3,7 @@
+ /sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
+ /sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
+ 
+-/usr/lib/ocf/resource.\d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
++/usr/lib/ocf/resource\.d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
+ 
+ /usr/sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
+ /usr/sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 diff --git a/drbd.if b/drbd.if
 index 9a21639..26c5986 100644
 --- a/drbd.if
@@ -26838,10 +26991,10 @@ index 0000000..dc94853
 +
 diff --git a/freeipmi.te b/freeipmi.te
 new file mode 100644
-index 0000000..43a12cb
+index 0000000..431dda0
 --- /dev/null
 +++ b/freeipmi.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,73 @@
 +policy_module(freeipmi, 1.0.0)
 +
 +########################################
@@ -26881,6 +27034,10 @@ index 0000000..43a12cb
 +manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
 +files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
 +
++dev_read_rand(freeipmi_domain)
++dev_read_urand(freeipmi_domain)
++dev_rw_ipmi_dev(freeipmi_domain)
++
 +sysnet_dns_name_resolve(freeipmi_domain)
 +
 +#######################################
@@ -26891,7 +27048,6 @@ index 0000000..43a12cb
 +files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
 +
 +dev_read_raw_memory(freeipmi_bmc_watchdog_t)
-+dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
 +
 +#######################################
 +#
@@ -28531,7 +28687,7 @@ index 9eacb2c..229782f 100644
  	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
  	domain_system_change_exemption($1)
 diff --git a/glance.te b/glance.te
-index 5cd0909..337e872 100644
+index 5cd0909..a304d35 100644
 --- a/glance.te
 +++ b/glance.te
 @@ -7,8 +7,7 @@ policy_module(glance, 1.1.0)
@@ -28565,7 +28721,7 @@ index 5cd0909..337e872 100644
  allow glance_domain self:fifo_file rw_fifo_file_perms;
  allow glance_domain self:unix_stream_socket create_stream_socket_perms;
  allow glance_domain self:tcp_socket { accept listen };
-@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,29 +58,29 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
  manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  
@@ -28596,8 +28752,14 @@ index 5cd0909..337e872 100644
 -
  sysnet_dns_name_resolve(glance_domain)
  
++optional_policy(`
++    mysql_read_db_lnk_files(glance_domain)
++')
++
  ########################################
-@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+ #
+ # Registry local policy
+@@ -88,8 +90,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
  manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
  files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
  
@@ -28612,7 +28774,7 @@ index 5cd0909..337e872 100644
  
  logging_send_syslog_msg(glance_registry_t)
  
-@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +116,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
  files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
  can_exec(glance_api_t, glance_tmp_t)
  
@@ -28631,6 +28793,8 @@ index 5cd0909..337e872 100644
 +corenet_tcp_connect_http_port(glance_api_t)
 +
 +corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
++corenet_tcp_connect_commplex_main_port(glance_api_t)
++corenet_tcp_connect_http_cache_port(glance_api_t)
 +
 +corenet_sendrecv_hplip_server_packets(glance_api_t)
 +corenet_tcp_bind_hplip_port(glance_api_t)
@@ -31330,7 +31494,7 @@ index ab09d61..5f39122 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 63893eb..8720f49 100644
+index 63893eb..d759604 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
@@ -31369,7 +31533,7 @@ index 63893eb..8720f49 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -31,105 +50,226 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  userdom_user_application_domain(gconfd_t, gconfd_exec_t)
  role gconfd_roles types gconfd_t;
  
@@ -31589,7 +31753,6 @@ index 63893eb..8720f49 100644
 +filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
 +filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
 +filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-+filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
  
 -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
 -manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
@@ -34331,7 +34494,7 @@ index 08b7560..417e630 100644
 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 diff --git a/iscsi.if b/iscsi.if
-index 1a35420..2ea1241 100644
+index 1a35420..a7e1562 100644
 --- a/iscsi.if
 +++ b/iscsi.if
 @@ -22,6 +22,27 @@ interface(`iscsid_domtrans',`
@@ -34362,7 +34525,7 @@ index 1a35420..2ea1241 100644
  ##	iscsid sempaphores.
  ## </summary>
  ## <param name="domain">
-@@ -80,17 +101,31 @@ interface(`iscsi_read_lib_files',`
+@@ -80,17 +101,53 @@ interface(`iscsi_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -34386,6 +34549,28 @@ index 1a35420..2ea1241 100644
 +    files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
 +')
 +
++########################################
++## <summary>
++##     Execute iscsi server in the iscsi domain.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed to transition.
++##     </summary>
++## </param>
++#
++interface(`iscsi_systemctl',`
++       gen_require(`
++               type iscsid_t;
++               type iscsi_unit_file_t;
++       ')
++
++       systemd_exec_systemctl($1)
++       allow $1 iscsi_unit_file_t:file read_file_perms;
++       allow $1 iscsi_unit_file_t:service manage_service_perms;
++
++       ps_process_pattern($1, iscsid_t)
++')
 +
 +########################################
 +## <summary>
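Review bot: The documentation on the new `iscsi_systemctl` interface does not describe what it grants: the summary reads "Execute iscsi server in the iscsi domain." and the parameter "Domain allowed to transition.", but the body grants systemctl execution, `read_file_perms` and `manage_service_perms` on `iscsi_unit_file_t` and `ps_process_pattern` on `iscsid_t`, with no domain transition at all. Suggest `##	Execute systemctl to manage the iscsi service.` for the summary and `##	Domain allowed access.` for the parameter, which is how the neighbouring interfaces word it. The body is also indented with spaces while the rest of iscsi.if uses tabs (compare the `gen_require` block of `iscsi_admin` further down); the same space-versus-tab mix appears in the new lines of the iscsi.te, keystone.te, mysql.if, nova.te and quantum.te hunks below.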
@@ -34399,7 +34584,7 @@ index 1a35420..2ea1241 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -99,16 +134,15 @@ interface(`iscsi_admin',`
+@@ -99,16 +156,15 @@ interface(`iscsi_admin',`
  	gen_require(`
  		type iscsid_t, iscsi_lock_t, iscsi_log_t;
  		type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
@@ -34421,7 +34606,7 @@ index 1a35420..2ea1241 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index ca020fa..7f7047f 100644
+index ca020fa..5f1a035 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -9,8 +9,8 @@ type iscsid_t;
@@ -34473,7 +34658,7 @@ index ca020fa..7f7047f 100644
  corenet_all_recvfrom_netlabel(iscsid_t)
  corenet_tcp_sendrecv_generic_if(iscsid_t)
  corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,21 +86,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,21 +86,33 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
  corenet_tcp_sendrecv_isns_port(iscsid_t)
  
@@ -34482,6 +34667,9 @@ index ca020fa..7f7047f 100644
 +corenet_tcp_connect_winshadow_port(iscsid_t)
 +corenet_tcp_sendrecv_winshadow_port(iscsid_t)
 +
++corecmd_exec_bin(iscsid_t)
++corecmd_exec_shell(iscsid_t)
++
 +dev_read_urand(iscsid_t)
  dev_rw_sysfs(iscsid_t)
  dev_rw_userio_dev(iscsid_t)
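Review bot: `corecmd_exec_bin(iscsid_t)` and `corecmd_exec_shell(iscsid_t)` let the daemon execute any generic binary and a shell, which is a sizeable widening for a daemon that also has network access, and neither this hunk nor the changelog says which helper iscsid needs to run. A one-line comment above the pair naming that helper would let a later reviewer decide whether a dedicated domain transition would be narrower, e.g. `# iscsid runs <HELPER_NAME_TBD> from a shell during login`. I am inferring the motivation from the rules alone, so confirm against the denial that prompted them.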
@@ -34500,6 +34688,10 @@ index ca020fa..7f7047f 100644
  
 -miscfiles_read_localization(iscsid_t)
 +modutils_read_module_config(iscsid_t)
++
++optional_policy(`
++    iscsi_systemctl(iscsid_t)
++')
  
  optional_policy(`
  	tgtd_manage_semaphores(iscsid_t)
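Review bot: The `optional_policy(` wrapper around `iscsi_systemctl(iscsid_t)` appears unnecessary, since the interface is defined in this module's own iscsi.if and is therefore always available; the block can probably be reduced to a bare `iscsi_systemctl(iscsid_t)` placed with the other unconditional rules. Note that this call gives iscsid_t `manage_service_perms` on its own unit file, i.e. the ability to stop, start and reload itself via systemctl, which matches the changelog entry but is worth a short why-comment such as `# iscsid restarts its own socket units` so the self-management grant is not mistaken for leftover debugging policy.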
@@ -37891,7 +38083,7 @@ index e88fb16..f20248c 100644
 +	')
  ')
 diff --git a/keystone.te b/keystone.te
-index 9929647..b7873e1 100644
+index 9929647..ff98be8 100644
 --- a/keystone.te
 +++ b/keystone.te
 @@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
@@ -37909,7 +38101,7 @@ index 9929647..b7873e1 100644
  
  allow keystone_t self:fifo_file rw_fifo_file_perms;
  allow keystone_t self:unix_stream_socket { accept listen };
-@@ -57,20 +61,29 @@ corenet_all_recvfrom_netlabel(keystone_t)
+@@ -57,20 +61,30 @@ corenet_all_recvfrom_netlabel(keystone_t)
  corenet_tcp_sendrecv_generic_if(keystone_t)
  corenet_tcp_sendrecv_generic_node(keystone_t)
  corenet_tcp_bind_generic_node(keystone_t)
@@ -37933,7 +38125,8 @@ index 9929647..b7873e1 100644
  optional_policy(`
  	mysql_stream_connect(keystone_t)
  	mysql_tcp_connect(keystone_t)
- ')
++    mysql_read_db_lnk_files(keystone_t)
++')
 +
 +optional_policy(`
 +	postgresql_stream_connect(keystone_t)
@@ -37941,7 +38134,7 @@ index 9929647..b7873e1 100644
 +
 +optional_policy(`
 +    rpm_exec(keystone_t)
-+')
+ ')
 diff --git a/kismet.if b/kismet.if
 index aa2a337..7ff229f 100644
 --- a/kismet.if
@@ -43734,10 +43927,20 @@ index b94102e..25d1d33 100644
 +	')
 +')
 diff --git a/mongodb.te b/mongodb.te
-index 169f236..9faddc2 100644
+index 169f236..a9a3284 100644
 --- a/mongodb.te
 +++ b/mongodb.te
-@@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
+@@ -41,7 +41,8 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+ 
+ manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+ manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+-files_pid_filetrans(mongod_t, mongod_var_run_t, dir)
++manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++files_pid_filetrans(mongod_t, mongod_var_run_t, { dir file sock_file })
+ 
+ kernel_read_system_state(mongod_t)
+ 
+@@ -49,13 +50,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
  corenet_all_recvfrom_netlabel(mongod_t)
  corenet_tcp_sendrecv_generic_if(mongod_t)
  corenet_tcp_sendrecv_generic_node(mongod_t)
@@ -48642,7 +48845,7 @@ index 06f8666..4a315d5 100644
 +/var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
 +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
 diff --git a/mysql.if b/mysql.if
-index 687af38..404ed6d 100644
+index 687af38..a77dc09 100644
 --- a/mysql.if
 +++ b/mysql.if
 @@ -1,23 +1,4 @@
@@ -48846,7 +49049,28 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -224,7 +236,7 @@ interface(`mysql_append_db_files',`
+@@ -221,10 +233,28 @@ interface(`mysql_append_db_files',`
+ 	files_search_var_lib($1)
+ 	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
+ ')
++#######################################
++## <summary>
++##	Read and write to the MySQL database directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mysql_read_db_lnk_files',`
++	gen_require(`
++		type mysqld_db_t;
++	')
++
++	files_search_var_lib($1)
++    read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
++')
  
  #######################################
  ## <summary>
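Review bot: The summary of the new `mysql_read_db_lnk_files` interface says "Read and write to the MySQL database directory." but the body only grants `read_lnk_files_pattern` on `mysqld_db_t`, so the text overstates the access; suggest `##	Read symbolic links in the MySQL database directory.`. There is also no blank line between the closing `')` of `mysql_append_db_files` and the new `#######################################` header, unlike every other interface boundary in this file.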
@@ -48855,7 +49079,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -243,8 +255,7 @@ interface(`mysql_rw_db_files',`
+@@ -243,8 +273,7 @@ interface(`mysql_rw_db_files',`
  
  #######################################
  ## <summary>
@@ -48865,7 +49089,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -263,7 +274,7 @@ interface(`mysql_manage_db_files',`
+@@ -263,7 +292,7 @@ interface(`mysql_manage_db_files',`
  
  ########################################
  ## <summary>
@@ -48874,7 +49098,7 @@ index 687af38..404ed6d 100644
  ##	named socket.
  ## </summary>
  ## <param name="domain">
-@@ -273,13 +284,18 @@ interface(`mysql_manage_db_files',`
+@@ -273,13 +302,18 @@ interface(`mysql_manage_db_files',`
  ## </param>
  #
  interface(`mysql_rw_db_sockets',`
@@ -48896,7 +49120,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -287,86 +303,92 @@ interface(`mysql_rw_db_sockets',`
+@@ -287,86 +321,92 @@ interface(`mysql_rw_db_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -49022,7 +49246,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,18 +396,22 @@ interface(`mysql_write_log',`
+@@ -374,18 +414,22 @@ interface(`mysql_write_log',`
  ##	</summary>
  ## </param>
  #
@@ -49051,7 +49275,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -393,39 +419,37 @@ interface(`mysql_domtrans_mysql_safe',`
+@@ -393,39 +437,37 @@ interface(`mysql_domtrans_mysql_safe',`
  ##	</summary>
  ## </param>
  #
@@ -49103,7 +49327,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -434,41 +458,52 @@ interface(`mysql_search_pid_files',`
+@@ -434,41 +476,52 @@ interface(`mysql_search_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -52388,10 +52612,10 @@ index 0000000..28936b4
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..d5b54e5
+index 0000000..bd2f08f
 --- /dev/null
 +++ b/nova.te
-@@ -0,0 +1,320 @@
+@@ -0,0 +1,318 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@@ -52440,6 +52664,7 @@ index 0000000..d5b54e5
 +# nova general domain local policy
 +#
 +
++allow nova_domain self:process signal_perms;
 +allow nova_domain self:fifo_file rw_fifo_file_perms;
 +allow nova_domain self:tcp_socket create_stream_socket_perms;
 +allow nova_domain self:unix_stream_socket create_stream_socket_perms;
@@ -52470,6 +52695,11 @@ index 0000000..d5b54e5
 +libs_exec_ldconfig(nova_domain)
 +
 +optional_policy(`
++    mysql_stream_connect(nova_domain)
++    mysql_read_db_lnk_files(nova_domain)
++')
++
++optional_policy(`
 +	sysnet_read_config(nova_domain)
 +	sysnet_exec_ifconfig(nova_domain)
 +')
@@ -52536,10 +52766,6 @@ index 0000000..d5b54e5
 +miscfiles_read_certs(nova_cert_t)
 +
 +optional_policy(`
-+	mysql_stream_connect(nova_cert_t)
-+')
-+
-+optional_policy(`
 +	postgresql_stream_connect(nova_cert_t)
 +')
 +
@@ -52570,10 +52796,6 @@ index 0000000..d5b54e5
 +
 +auth_use_nsswitch(nova_console_t)
 +
-+optional_policy(`
-+    mysql_stream_connect(nova_console_t)
-+')
-+
 +#######################################
 +#
 +# nova direct local policy
@@ -57945,7 +58167,7 @@ index 6837e9a..21e6dae 100644
  	domain_system_change_exemption($1)
  	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 63957a3..0e675ab 100644
+index 63957a3..69cc01a 100644
 --- a/openvpn.te
 +++ b/openvpn.te
 @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@@ -57962,6 +58184,15 @@ index 63957a3..0e675ab 100644
  ##	<p>
  ##	Determine whether openvpn can
  ##	read generic user home content files.
+@@ -19,7 +26,7 @@ gen_tunable(openvpn_enable_homedirs, false)
+ ##	connect to the TCP network.
+ ##	</p>
+ ## </desc>
+-gen_tunable(openvpn_can_network_connect, false)
++gen_tunable(openvpn_can_network_connect, true)
+ 
+ attribute_role openvpn_roles;
+ 
 @@ -40,6 +47,9 @@ init_script_file(openvpn_initrc_exec_t)
  type openvpn_status_t;
  logging_log_file(openvpn_status_t)
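Review bot: The default of `openvpn_can_network_connect` flips from `false` to `true` at the `gen_tunable` line, which turns on openvpn's outbound TCP access on every installation unless an administrator disables it again, and neither the tunable's `<desc>` text nor the changelog in this commit mentions the new default. A default that widens the shipped policy deserves its own changelog line and a sentence in the description, e.g. `##	Enabled by default.` after the existing description, so the change is visible to people auditing booleans.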
@@ -72831,10 +73062,10 @@ index afc0068..3105104 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..2ba5770 100644
+index 8644d8b..e95fc34 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -5,92 +5,127 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,129 @@ policy_module(quantum, 1.1.0)
  # Declarations
  #
  
@@ -72880,7 +73111,8 @@ index 8644d8b..2ba5770 100644
 -allow quantum_t self:tcp_socket { accept listen };
 -allow quantum_t self:unix_stream_socket { accept listen };
 +allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin };
-+allow neutron_t self:process { setsched setrlimit };
++allow neutron_t self:capability2 block_suspend;
++allow neutron_t self:process { setsched setrlimit signal_perms };
 +allow neutron_t self:fifo_file rw_fifo_file_perms;
 +allow neutron_t self:key manage_key_perms;
 +allow neutron_t self:tcp_socket { accept listen };
@@ -72913,7 +73145,7 @@ index 8644d8b..2ba5770 100644
 +can_exec(neutron_t, neutron_tmp_t)
  
 -can_exec(quantum_t, quantum_tmp_t)
-+kernel_read_kernel_sysctls(neutron_t)
++kernel_rw_kernel_sysctl(neutron_t)
 +kernel_read_system_state(neutron_t)
 +kernel_read_network_state(neutron_t)
 +kernel_request_load_module(neutron_t)
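Review bot: `kernel_rw_kernel_sysctl(neutron_t)` replaces the previous read-only `kernel_read_kernel_sysctls` and grants write access to the generic kernel sysctl tree, not only the networking sysctls a network service would normally tune. A comment above the line naming the sysctl neutron actually writes would let a reviewer check whether a narrower interface such as `kernel_rw_net_sysctls` would do; I am inferring the need from the interface name, so confirm against the audit denial that motivated it.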
@@ -72942,9 +73174,11 @@ index 8644d8b..2ba5770 100644
 +corenet_tcp_connect_keystone_port(neutron_t)
 +corenet_tcp_connect_amqp_port(neutron_t)
 +corenet_tcp_connect_mysqld_port(neutron_t)
++corenet_tcp_connect_osapi_compute_port(neutron_t)
  
 -dev_list_sysfs(quantum_t)
 -dev_read_urand(quantum_t)
++domain_read_all_domains_state(neutron_t)
 +domain_named_filetrans(neutron_t)
  
 -files_read_usr_files(quantum_t)
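Review bot: `domain_read_all_domains_state(neutron_t)` lets neutron read the /proc state of every domain on the system, which is a broad disclosure grant for a service that already holds `sys_ptrace`. A short why-comment naming the process it inspects, e.g. `# neutron reads /proc/<pid> of the agents it spawns`, would justify it; if the reason is only its own child processes, a narrower rule on those domains would be preferable — I cannot tell from the hunk which it is.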
@@ -72995,18 +73229,17 @@ index 8644d8b..2ba5770 100644
 -	postgresql_stream_connect(quantum_t)
 -	postgresql_unpriv_client(quantum_t)
 +	mysql_stream_connect(neutron_t)
++    mysql_read_db_lnk_files(neutron_t)
 +	mysql_read_config(neutron_t)
++	mysql_tcp_connect(neutron_t)
++')
  
 -	postgresql_tcp_connect(quantum_t)
-+	mysql_tcp_connect(neutron_t)
- ')
-+
 +optional_policy(`
 +	postgresql_stream_connect(neutron_t)
 +	postgresql_unpriv_client(neutron_t)
-+
 +	postgresql_tcp_connect(neutron_t)
-+')
+ ')
 +
 +optional_policy(`
 +    openvswitch_domtrans(neutron_t)
@@ -73461,7 +73694,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..e0806a1 100644
+index dc3b0ed..1bd0827 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -73504,7 +73737,7 @@ index dc3b0ed..e0806a1 100644
  can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
  
  domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -55,51 +64,64 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
+@@ -55,57 +64,73 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
  corecmd_exec_bin(rabbitmq_beam_t)
  corecmd_exec_shell(rabbitmq_beam_t)
  
@@ -73533,6 +73766,7 @@ index dc3b0ed..e0806a1 100644
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
 +corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
++corenet_tcp_connect_http_port(rabbitmq_beam_t)
  
 -corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
 -corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
@@ -73585,16 +73819,16 @@ index dc3b0ed..e0806a1 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -107,6 +129,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
- 
- allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
+ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
  
-+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
++allow rabbitmq_epmd_t rabbitmq_var_log_t:file manage_file_perms;
 +
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+ 
  corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
  corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
- corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-@@ -117,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -117,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
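Review bot: `manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)` is a rule for the beam domain but is placed among the `rabbitmq_epmd_t self` rules, which from the surrounding lines appears to be the epmd local-policy section; moving it next to the other rabbitmq_beam_t log rules keeps the per-domain sections coherent. Separately, changing epmd's access on `rabbitmq_var_log_t` from `append_file_perms` to `manage_file_perms` drops the append-only property of its log file; if the denial that prompted it was only create or rename during rotation, a narrower permission set would keep logs tamper-resistant — confirm against the AVC before widening.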
@@ -77314,7 +77548,7 @@ index c8bdea2..1337d42 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..ec50831 100644
+index 6cf79c4..aa30a92 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -77798,7 +78032,7 @@ index 6cf79c4..ec50831 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +580,53 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +580,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -77817,6 +78051,7 @@ index 6cf79c4..ec50831 100644
 +allow haproxy_t self:capability { dac_override kill };
 +
 +allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
++allow haproxy_t self:capability2 block_suspend;
 +allow haproxy_t self:process { fork setrlimit signal_perms };
 +allow haproxy_t self:fifo_file rw_fifo_file_perms;
 +allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
@@ -77854,7 +78089,7 @@ index 6cf79c4..ec50831 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -86606,7 +86841,7 @@ index 98c9e0a..d4aa009 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..4c33d02 100644
+index 299756b..99eda9b 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -86712,7 +86947,7 @@ index 299756b..4c33d02 100644
  ')
  
  optional_policy(`
-@@ -117,6 +133,33 @@ optional_policy(`
+@@ -117,6 +133,35 @@ optional_policy(`
  # Reposd local policy
  #
  
@@ -86741,6 +86976,8 @@ index 299756b..4c33d02 100644
 +
 +corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)
 +corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
++corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
++corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
 +
 +dev_read_rand(sblim_sfcbd_t)
 +dev_read_urand(sblim_sfcbd_t)
@@ -92527,7 +92764,7 @@ index a240455..16a04bf 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..fb9841f 100644
+index 2d8db1f..8edae62 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -92564,7 +92801,7 @@ index 2d8db1f..fb9841f 100644
  logging_log_filetrans(sssd_t, sssd_var_log_t, file)
  
  manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -62,17 +63,11 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+@@ -62,17 +63,12 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
  
  kernel_read_network_state(sssd_t)
  kernel_read_system_state(sssd_t)
@@ -92581,10 +92818,11 @@ index 2d8db1f..fb9841f 100644
  corenet_udp_bind_generic_port(sssd_t)
  corenet_dontaudit_udp_bind_all_ports(sssd_t)
 +corenet_tcp_connect_kerberos_password_port(sssd_t)
++corenet_tcp_connect_smbd_port(sssd_t)
  
  corecmd_exec_bin(sssd_t)
  
-@@ -83,9 +78,7 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,9 +79,7 @@ domain_read_all_domains_state(sssd_t)
  domain_obj_id_change_exemption(sssd_t)
  
  files_list_tmp(sssd_t)
@@ -92594,7 +92832,7 @@ index 2d8db1f..fb9841f 100644
  files_list_var_lib(sssd_t)
  
  fs_list_inotifyfs(sssd_t)
-@@ -94,14 +87,15 @@ selinux_validate_context(sssd_t)
+@@ -94,14 +88,15 @@ selinux_validate_context(sssd_t)
  
  seutil_read_file_contexts(sssd_t)
  # sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
@@ -92612,7 +92850,7 @@ index 2d8db1f..fb9841f 100644
  auth_domtrans_chk_passwd(sssd_t)
  auth_domtrans_upd_passwd(sssd_t)
  auth_manage_cache(sssd_t)
-@@ -112,18 +106,34 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +107,34 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -93341,10 +93579,10 @@ index 0000000..df82c36
 +')
 diff --git a/swift.te b/swift.te
 new file mode 100644
-index 0000000..7bef550
+index 0000000..3faae22
 --- /dev/null
 +++ b/swift.te
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,87 @@
 +policy_module(swift, 1.0.0)
 +
 +########################################
@@ -93357,7 +93595,10 @@ index 0000000..7bef550
 +init_daemon_domain(swift_t, swift_exec_t)
 +
 +type swift_tmp_t;
-+files_tmpfs_file(swift_tmp_t)
++files_tmp_file(swift_tmp_t)
++
++type swift_tmpfs_t;
++files_tmpfs_file(swift_tmpfs_t)
 +
 +type swift_var_cache_t;
 +files_type(swift_var_cache_t)
@@ -93387,6 +93628,10 @@ index 0000000..7bef550
 +manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
 +files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
 +
++manage_dirs_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
++manage_files_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
++fs_tmpfs_filetrans(swift_t, swift_tmpfs_t, { dir file })
++
 +manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 +manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 +manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0872a60..dfaa269 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 45%{?dist}
+Release: 46%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -588,6 +588,35 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Apr 18 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-46
+- Allow init_t to setattr/relabelfrom dhcp state files
+- Allow dmesg to read hwdata and memory dev
+- Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
+- Dontaudit antivirus domains read access on all security files by default
+- Add missing alias for old amavis_etc_t type
+- Additional fixes for  instack overcloud
+- Allow block_suspend cap for haproxy
+- Allow OpenStack to read mysqld_db links and connect to MySQL
+- Remove dup filename rules in gnome.te
+- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
+- Add labeling for /lib/systemd/system/thttpd.service
+- Allow iscsid to handle own unit files
+- Add iscsi_systemctl()
+- Allow mongod also create sock_file with correct labeling in /run
+- Allow aiccu stream connect to pcscd
+- Allow rabbitmq_beam to connect to httpd port
+- Allow httpd to send signull to apache script domains and don't audit leaks
+- Fix labeling in drbd.fc
+- Allow sssd to connect to the smbd port for handing logins using active directory, needs back port for rhel7
+- Allow all freeipmi domains to read/write ipmi devices
+- Allow rabbitmq_epmd to manage rabbit_var_log_t files
+- Allow sblim_sfcbd to use also pegasus-https port
+- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
+- Add httpd_run_preupgrade boolean
+- Add interfaces to access preupgrade_data_t
+- Add preupgrade policy
+- Add labeling for puppet helper scripts
+
 * Tue Apr 8 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-45
 Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.
 

