[selinux-policy/f20] * Mon May 12 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-162 - More rules needed for openshift/gea
Lukas Vrabec
lvrabec at fedoraproject.org
Mon May 12 15:48:00 UTC 2014
commit 64225d38c2bda9c93eb8ee9c48b805a3a59a1194
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Mon May 12 17:47:10 2014 +0200
* Mon May 12 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-162
- More rules needed for openshift/gear in rhel7
- svirt sandbox domains to read gear content in /run. Allow gear_t to
manage openshift files
- Allow mozilla plugins to use /dev/sr0
- Dontaudit logrotate executing systemctl command attempting to
net_admin
- Allow neutron execute arping in neutron_t
- Allow nova-scheduler to read passwd file
- Fix zabbix_can_network boolean to have this boolean for all zabbix
domains
- Allow openwsman to execute chkpwd and make this domain as unconfined
for F20.
- Add openwsman_tmp_t rules
- Allow ulogd to request the kernel to load a module
- Add support for /usr/local/Brother labeling. We removed
/usr/local equiv.
- Sysctl_net_t can be a lnk_file
- Fix path to mmap_min_addr
- Any app that executes systemctl will attempt a net_admin
policy-f20-base.patch | 419 +++++++++++++++++++++++++++------------------
policy-f20-contrib.patch | 241 +++++++++++++++++----------
selinux-policy.spec | 18 ++-
3 files changed, 424 insertions(+), 254 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index cda5ab2..aea367d 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -8742,7 +8742,7 @@ index 6529bd9..b31a5e8 100644
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..84e8030 100644
+index 6a1e4d1..1b9b0b5 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -8860,6 +8860,24 @@ index 6a1e4d1..84e8030 100644
## Relabel to and from all entry point
## file types.
## </summary>
+@@ -1421,7 +1434,7 @@ interface(`domain_entry_file_spec_domtrans',`
+ ## <summary>
+ ## Ability to mmap a low area of the address
+ ## space conditionally, as configured by
+-## /proc/sys/kernel/mmap_min_addr.
++## /proc/sys/vm/mmap_min_addr.
+ ## Preventing such mappings helps protect against
+ ## exploiting null deref bugs in the kernel.
+ ## </summary>
+@@ -1448,7 +1461,7 @@ interface(`domain_mmap_low',`
+ ## <summary>
+ ## Ability to mmap a low area of the address
+ ## space unconditionally, as configured
+-## by /proc/sys/kernel/mmap_min_addr.
++## by /proc/sys/vm/mmap_min_addr.
+ ## Preventing such mappings helps protect against
+ ## exploiting null deref bugs in the kernel.
+ ## </summary>
@@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',`
########################################
@@ -8950,10 +8968,10 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..e739a3a 100644
+index cf04cb5..974c2ca 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
-@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
+@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
#
# Declarations
#
@@ -8983,7 +9001,12 @@ index cf04cb5..e739a3a 100644
## <desc>
## <p>
-@@ -15,6 +38,7 @@ gen_tunable(mmap_low_allowed, false)
+ ## Control the ability to mmap a low area of the address space,
+-## as configured by /proc/sys/kernel/mmap_min_addr.
++## as configured by /proc/sys/vm/mmap_min_addr.
+ ## </p>
+ ## </desc>
+ gen_tunable(mmap_low_allowed, false)
# Mark process types as domains
attribute domain;
@@ -9682,7 +9705,7 @@ index c2c6e05..7996499 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..8a14ff2 100644
+index 64ff4d7..ac39d88 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10477,7 +10500,7 @@ index 64ff4d7..8a14ff2 100644
')
########################################
-@@ -1928,6 +2425,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2425,42 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@@ -10499,10 +10522,28 @@ index 64ff4d7..8a14ff2 100644
+
+########################################
+## <summary>
++## Mount a filesystem on the root file system
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_mounton_rootfs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:dir mounton;
++')
++
++########################################
++## <summary>
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -2163,6 +2678,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2163,6 +2696,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
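Review bot: The summary of the new `files_dontaudit_mounton_rootfs` interface (the `++## Mount a filesystem on the root file system` line) describes an allow rule, while the body is only `dontaudit $1 root_t:dir mounton;`, so a caller reading the interface documentation will expect access that is not granted. Change the summary to `## Do not audit attempts to mount a filesystem on the root file system.` so it matches the files_dontaudit_* naming used elsewhere in files.if. The distinction matters for operators as well as callers: a dontaudit suppresses the AVC message without granting anything, and a suppressed mounton on root_t from an unexpected domain is exactly the event an administrator would want to see, so a one-line comment naming the caller whose noise prompted this would let future reviewers judge whether the suppression is still warranted.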
@@ -10527,7 +10568,7 @@ index 64ff4d7..8a14ff2 100644
######################################
## <summary>
## Read symbolic links in the /boot directory.
-@@ -2627,6 +3160,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3178,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -10552,7 +10593,7 @@ index 64ff4d7..8a14ff2 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2698,6 +3249,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3267,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10560,7 +10601,7 @@ index 64ff4d7..8a14ff2 100644
')
########################################
-@@ -2706,7 +3258,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3276,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -10569,7 +10610,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## </param>
#
-@@ -2762,6 +3314,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3332,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -10595,7 +10636,7 @@ index 64ff4d7..8a14ff2 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2780,6 +3351,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3369,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -10620,7 +10661,7 @@ index 64ff4d7..8a14ff2 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2945,24 +3534,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,26 +3552,8 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -10642,10 +10683,14 @@ index 64ff4d7..8a14ff2 100644
-
-########################################
-## <summary>
- ## Read files in /etc that are dynamically
- ## created on boot, such as mtab.
+-## Read files in /etc that are dynamically
+-## created on boot, such as mtab.
++## Read files in /etc that are dynamically
++## created on boot, such as mtab.
## </summary>
-@@ -3003,9 +3574,7 @@ interface(`files_read_etc_runtime_files',`
+ ## <desc>
+ ## <p>
+@@ -3003,9 +3592,7 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -10656,7 +10701,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3013,18 +3582,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3600,17 @@ interface(`files_read_etc_runtime_files',`
## </summary>
## </param>
#
@@ -10678,7 +10723,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3042,6 +3610,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3628,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
## <summary>
@@ -10705,7 +10750,7 @@ index 64ff4d7..8a14ff2 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3059,6 +3647,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3665,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10713,7 +10758,7 @@ index 64ff4d7..8a14ff2 100644
')
########################################
-@@ -3080,6 +3669,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3687,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10721,7 +10766,7 @@ index 64ff4d7..8a14ff2 100644
')
########################################
-@@ -3132,6 +3722,44 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3740,44 @@ interface(`files_getattr_isid_type_dirs',`
########################################
## <summary>
@@ -10766,7 +10811,7 @@ index 64ff4d7..8a14ff2 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
-@@ -3205,6 +3833,62 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3205,6 +3851,62 @@ interface(`files_delete_isid_type_dirs',`
delete_dirs_pattern($1, file_t, file_t)
')
@@ -10829,7 +10874,7 @@ index 64ff4d7..8a14ff2 100644
########################################
## <summary>
-@@ -3246,6 +3930,25 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3246,6 +3948,25 @@ interface(`files_mounton_isid_type_dirs',`
########################################
## <summary>
@@ -10855,7 +10900,7 @@ index 64ff4d7..8a14ff2 100644
## Read files on new filesystems
## that have not yet been labeled.
## </summary>
-@@ -3455,6 +4158,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +4176,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
@@ -10881,7 +10926,7 @@ index 64ff4d7..8a14ff2 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3796,20 +4518,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4536,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -10925,7 +10970,7 @@ index 64ff4d7..8a14ff2 100644
')
########################################
-@@ -4199,192 +4939,215 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,192 +4957,215 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -11237,7 +11282,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4392,53 +5155,56 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4392,53 +5173,56 @@ interface(`files_manage_generic_tmp_dirs',`
## </summary>
## </param>
#
@@ -11306,7 +11351,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4446,77 +5212,92 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4446,77 +5230,92 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -11423,7 +11468,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4524,110 +5305,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4524,110 +5323,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
## </summary>
## </param>
#
@@ -11562,7 +11607,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4635,22 +5404,17 @@ interface(`files_tmp_filetrans',`
+@@ -4635,22 +5422,17 @@ interface(`files_tmp_filetrans',`
## </summary>
## </param>
#
@@ -11589,7 +11634,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4658,17 +5422,17 @@ interface(`files_purge_tmp',`
+@@ -4658,17 +5440,17 @@ interface(`files_purge_tmp',`
## </summary>
## </param>
#
@@ -11611,7 +11656,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4676,18 +5440,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -4676,18 +5458,17 @@ interface(`files_setattr_usr_dirs',`
## </summary>
## </param>
#
@@ -11634,7 +11679,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4695,35 +5458,35 @@ interface(`files_search_usr',`
+@@ -4695,35 +5476,35 @@ interface(`files_search_usr',`
## </summary>
## </param>
#
@@ -11679,7 +11724,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4731,36 +5494,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+@@ -4731,36 +5512,35 @@ interface(`files_dontaudit_write_usr_dirs',`
## </summary>
## </param>
#
@@ -11725,7 +11770,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4768,17 +5530,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4768,17 +5548,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
## </summary>
## </param>
#
@@ -11747,7 +11792,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4786,73 +5548,59 @@ interface(`files_delete_usr_dirs',`
+@@ -4786,73 +5566,59 @@ interface(`files_delete_usr_dirs',`
## </summary>
## </param>
#
@@ -11840,7 +11885,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4860,55 +5608,58 @@ interface(`files_read_usr_files',`
+@@ -4860,55 +5626,58 @@ interface(`files_read_usr_files',`
## </summary>
## </param>
#
@@ -11915,7 +11960,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4916,67 +5667,70 @@ interface(`files_manage_usr_files',`
+@@ -4916,67 +5685,70 @@ interface(`files_manage_usr_files',`
## </summary>
## </param>
#
@@ -12004,7 +12049,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -4985,35 +5739,50 @@ interface(`files_read_usr_symlinks',`
+@@ -4985,35 +5757,50 @@ interface(`files_read_usr_symlinks',`
## </summary>
## </param>
#
@@ -12064,7 +12109,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5021,20 +5790,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5021,20 +5808,17 @@ interface(`files_dontaudit_search_src',`
## </summary>
## </param>
#
@@ -12089,7 +12134,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5042,20 +5808,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5042,20 +5826,18 @@ interface(`files_getattr_usr_src_files',`
## </summary>
## </param>
#
@@ -12114,7 +12159,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5063,38 +5827,35 @@ interface(`files_read_usr_src_files',`
+@@ -5063,38 +5845,35 @@ interface(`files_read_usr_src_files',`
## </summary>
## </param>
#
@@ -12162,7 +12207,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5102,37 +5863,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5102,37 +5881,36 @@ interface(`files_create_kernel_symbol_table',`
## </summary>
## </param>
#
@@ -12210,7 +12255,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5140,35 +5900,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5140,35 +5918,35 @@ interface(`files_delete_kernel_symbol_table',`
## </summary>
## </param>
#
@@ -12255,7 +12300,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5176,36 +5936,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5176,36 +5954,55 @@ interface(`files_dontaudit_write_var_dirs',`
## </summary>
## </param>
#
@@ -12321,7 +12366,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5213,36 +5992,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5213,36 +6010,37 @@ interface(`files_dontaudit_search_var',`
## </summary>
## </param>
#
@@ -12369,7 +12414,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5250,17 +6030,17 @@ interface(`files_manage_var_dirs',`
+@@ -5250,17 +6048,17 @@ interface(`files_manage_var_dirs',`
## </summary>
## </param>
#
@@ -12391,7 +12436,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5268,17 +6048,17 @@ interface(`files_read_var_files',`
+@@ -5268,17 +6066,17 @@ interface(`files_read_var_files',`
## </summary>
## </param>
#
@@ -12413,7 +12458,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5286,73 +6066,86 @@ interface(`files_append_var_files',`
+@@ -5286,73 +6084,86 @@ interface(`files_append_var_files',`
## </summary>
## </param>
#
@@ -12520,7 +12565,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5360,50 +6153,41 @@ interface(`files_read_var_symlinks',`
+@@ -5360,50 +6171,41 @@ interface(`files_read_var_symlinks',`
## </summary>
## </param>
#
@@ -12585,7 +12630,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5411,69 +6195,56 @@ interface(`files_var_filetrans',`
+@@ -5411,69 +6213,56 @@ interface(`files_var_filetrans',`
## </summary>
## </param>
#
@@ -12670,7 +12715,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5481,17 +6252,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5481,17 +6270,18 @@ interface(`files_dontaudit_search_var_lib',`
## </summary>
## </param>
#
@@ -12694,7 +12739,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5499,70 +6271,54 @@ interface(`files_list_var_lib',`
+@@ -5499,70 +6289,54 @@ interface(`files_list_var_lib',`
## </summary>
## </param>
#
@@ -12778,7 +12823,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5570,41 +6326,36 @@ interface(`files_read_var_lib_files',`
+@@ -5570,41 +6344,36 @@ interface(`files_read_var_lib_files',`
## </summary>
## </param>
#
@@ -12830,7 +12875,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5612,36 +6363,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5612,36 +6381,36 @@ interface(`files_manage_urandom_seed',`
## </summary>
## </param>
#
@@ -12877,7 +12922,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5649,38 +6400,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5649,38 +6418,35 @@ interface(`files_setattr_lock_dirs',`
## </summary>
## </param>
#
@@ -12925,7 +12970,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5688,19 +6436,17 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,19 +6454,17 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -12949,7 +12994,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5708,60 +6454,54 @@ interface(`files_list_locks',`
+@@ -5708,60 +6472,54 @@ interface(`files_list_locks',`
## </summary>
## </param>
#
@@ -13025,7 +13070,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5769,20 +6509,18 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,20 +6527,18 @@ interface(`files_relabel_all_lock_dirs',`
## </summary>
## </param>
#
@@ -13051,7 +13096,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5790,185 +6528,207 @@ interface(`files_getattr_generic_locks',`
+@@ -5790,185 +6546,207 @@ interface(`files_getattr_generic_locks',`
## </summary>
## </param>
#
@@ -13336,7 +13381,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5976,39 +6736,37 @@ interface(`files_setattr_pid_dirs',`
+@@ -5976,39 +6754,37 @@ interface(`files_setattr_pid_dirs',`
## </summary>
## </param>
#
@@ -13387,7 +13432,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6016,18 +6774,21 @@ interface(`files_dontaudit_search_pids',`
+@@ -6016,18 +6792,21 @@ interface(`files_dontaudit_search_pids',`
## </summary>
## </param>
#
@@ -13414,45 +13459,36 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6035,19 +6796,19 @@ interface(`files_list_pids',`
+@@ -6035,19 +6814,1112 @@ interface(`files_list_pids',`
## </summary>
## </param>
#
-interface(`files_read_generic_pids',`
+interface(`files_manage_urandom_seed',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
++ ')
++
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_lib_t, var_lib_t)
- ')
-
- ########################################
- ## <summary>
--## Write named generic process ID pipes
++')
++
++########################################
++## <summary>
+## Allow domain to manage mount tables
+## necessary for rpcd, nfsd, etc.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6055,58 +6816,1223 @@ interface(`files_read_generic_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_write_generic_pid_pipes',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_manage_mounttab',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
++ ')
++
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_lib_t, var_lib_t)
+')
@@ -13988,38 +14024,12 @@ index 64ff4d7..8a14ff2 100644
+
+ files_search_pids($1)
+ allow $1 var_run_t:fifo_file write;
- ')
-
- ########################################
- ## <summary>
- ## Create an object in the process ID directory, with a private type.
- ## </summary>
--## <desc>
--## <p>
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--## </p>
--## <p>
--## Related interfaces:
--## </p>
--## <ul>
--## <li>files_pid_file()</li>
--## </ul>
--## <p>
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--## </p>
--## <p>
--## type mypidfile_t;
--## files_pid_file(mypidfile_t)
--## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
--## files_pid_filetrans(mydomain_t, mypidfile_t, file)
--## </p>
--## </desc>
++')
++
++########################################
++## <summary>
++## Create an object in the process ID directory, with a private type.
++## </summary>
+## <desc>
+## <p>
+## Create an object in the process ID directory (e.g., /var/run)
@@ -14548,35 +14558,45 @@ index 64ff4d7..8a14ff2 100644
+## <rolecap/>
+#
+interface(`files_relabel_all_spool_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ attribute spoolfile;
+ type var_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
+ relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Write named generic process ID pipes
+## Search the contents of generic spool
+## directories (/var/spool).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6055,58 +7927,130 @@ interface(`files_read_generic_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_write_generic_pid_pipes',`
+interface(`files_search_spool',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create an object in the process ID directory, with a private type.
+## Do not audit attempts to search generic
+## spool directories.
+## </summary>
@@ -14598,7 +14618,33 @@ index 64ff4d7..8a14ff2 100644
+## <summary>
+## List the contents of generic spool
+## (/var/spool) directories.
-+## </summary>
+ ## </summary>
+-## <desc>
+-## <p>
+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
+-## private PID files in /var/run with the private type instead
+-## of the general PID file type. To accomplish this goal,
+-## either the program must be SELinux-aware, or use this interface.
+-## </p>
+-## <p>
+-## Related interfaces:
+-## </p>
+-## <ul>
+-## <li>files_pid_file()</li>
+-## </ul>
+-## <p>
+-## Example usage with a domain that can create and
+-## write its PID file with a private PID file type in the
+-## /var/run directory:
+-## </p>
+-## <p>
+-## type mypidfile_t;
+-## files_pid_file(mypidfile_t)
+-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-## files_pid_filetrans(mydomain_t, mypidfile_t, file)
+-## </p>
+-## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
@@ -14698,7 +14744,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -6114,44 +8040,165 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6114,44 +8058,165 @@ interface(`files_write_generic_pid_pipes',`
## The name of the object being created.
## </summary>
## </param>
@@ -14883,7 +14929,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6159,20 +8206,18 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6159,20 +8224,18 @@ interface(`files_pid_filetrans_lock_dir',`
## </summary>
## </param>
#
@@ -14909,7 +14955,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6180,19 +8225,17 @@ interface(`files_rw_generic_pids',`
+@@ -6180,19 +8243,17 @@ interface(`files_rw_generic_pids',`
## </summary>
## </param>
#
@@ -14933,7 +14979,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6200,18 +8243,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6200,18 +8261,17 @@ interface(`files_dontaudit_getattr_all_pids',`
## </summary>
## </param>
#
@@ -14956,7 +15002,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6219,41 +8261,43 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6219,41 +8279,43 @@ interface(`files_dontaudit_write_all_pids',`
## </summary>
## </param>
#
@@ -15014,7 +15060,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6262,67 +8306,55 @@ interface(`files_read_all_pids',`
+@@ -6262,67 +8324,55 @@ interface(`files_read_all_pids',`
## </param>
## <rolecap/>
#
@@ -15099,7 +15145,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6330,37 +8362,37 @@ interface(`files_manage_all_pids',`
+@@ -6330,37 +8380,37 @@ interface(`files_manage_all_pids',`
## </summary>
## </param>
#
@@ -15148,7 +15194,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6368,132 +8400,206 @@ interface(`files_search_spool',`
+@@ -6368,132 +8418,206 @@ interface(`files_search_spool',`
## </summary>
## </param>
#
@@ -15406,7 +15452,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6501,53 +8607,17 @@ interface(`files_spool_filetrans',`
+@@ -6501,53 +8625,17 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@@ -15464,7 +15510,7 @@ index 64ff4d7..8a14ff2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6555,10 +8625,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6555,10 +8643,10 @@ interface(`files_polyinstantiate_all',`
## </summary>
## </param>
#
@@ -17265,7 +17311,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..3270372 100644
+index 649e458..4a102cb 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -17430,7 +17476,33 @@ index 649e458..3270372 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
-@@ -2085,7 +2174,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -1672,7 +1761,7 @@ interface(`kernel_read_net_sysctls',`
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+-
++ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+@@ -1693,7 +1782,7 @@ interface(`kernel_rw_net_sysctls',`
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+-
++ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+@@ -1715,7 +1804,6 @@ interface(`kernel_read_unix_sysctls',`
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
+-
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+@@ -2085,7 +2173,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
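Review bot: The new `read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)` lines in `kernel_read_net_sysctls` and `kernel_rw_net_sysctls` carry no explanation, and the only hint of why sysctl_net_t can now label a symlink is the `/sys/class/net/ib.*` file context in the preceding hunk, which a reader of kernel.if alone will not see. Add a comment above each new line, e.g. `# sysctl_net_t may label symlinks (presumably under /sys/class/net); allow following them`, adjusted to the actual trigger. Keeping the symlink permission read-only in both the read and rw variants is the right scope and worth stating in that comment. The third inner hunk, in `kernel_read_unix_sysctls`, only removes a blank line and adds no rule; if it is whitespace-only it could be dropped to keep the patch minimal.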
@@ -17439,7 +17511,7 @@ index 649e458..3270372 100644
')
########################################
-@@ -2282,6 +2371,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2370,25 @@ interface(`kernel_list_unlabeled',`
########################################
## <summary>
@@ -17465,7 +17537,7 @@ index 649e458..3270372 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
-@@ -2306,7 +2414,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2413,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@@ -17474,7 +17546,7 @@ index 649e458..3270372 100644
## </summary>
## </param>
#
-@@ -2488,6 +2596,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2595,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@@ -17499,7 +17571,7 @@ index 649e458..3270372 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
-@@ -2525,6 +2651,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2650,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
## <summary>
@@ -17524,7 +17596,7 @@ index 649e458..3270372 100644
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
-@@ -2632,7 +2776,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2775,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -17533,7 +17605,7 @@ index 649e458..3270372 100644
')
########################################
-@@ -2670,6 +2814,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2813,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@@ -17558,7 +17630,7 @@ index 649e458..3270372 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
-@@ -2697,6 +2859,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2858,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@@ -17584,7 +17656,7 @@ index 649e458..3270372 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2806,6 +2987,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +2986,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -17618,7 +17690,7 @@ index 649e458..3270372 100644
########################################
## <summary>
-@@ -2961,6 +3169,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3168,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -17643,7 +17715,7 @@ index 649e458..3270372 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2975,5 +3201,300 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3200,300 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -18642,7 +18714,7 @@ index 81440c5..a02d444 100644
')
+
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index 522ab32..cb9c3a2 100644
+index 522ab32..85f484d 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
@@ -18666,6 +18738,15 @@ index 522ab32..cb9c3a2 100644
########################################
#
+@@ -52,7 +53,7 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
+ allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+
+ # Access the security API.
+-allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
++allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
@@ -60,11 +61,28 @@ ifdef(`distro_rhel4',`
')
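Review bot: Adding `setbool` to `~{ load_policy setenforce setbool }` removes boolean toggling from every selinux_unconfined_type domain, and nothing in the nested hunk says why; a why-comment would keep the next maintainer from "fixing" it back, e.g. `# setbool is excluded alongside load_policy/setenforce: presumably boolean changes are meant to go only through the policy-management domains, not any unconfined type`. The surrounding `allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;` still permits writing the boolean pseudo-files, so whether that write path is also meant to be closed is worth confirming. The rest of the hunk is a line-number shift.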
@@ -40175,10 +40256,10 @@ index 0000000..e9f1096
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..24b2af3
+index 0000000..d2a8fc7
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1458 @@
+@@ -0,0 +1,1460 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@@ -40277,6 +40358,8 @@ index 0000000..24b2af3
+ systemd_login_list_pid_dirs($1)
+ systemd_login_read_pid_files($1)
+ systemd_passwd_agent_exec($1)
++
++ dontaudit $1 self:capability net_admin;
+')
+
+#######################################
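Review bot: The `dontaudit $1 self:capability net_admin;` appended to this interface silences a capability denial for every caller of the interface, with no comment saying why; the same silent dontaudit is added for logrotate_t in the contrib patch (`dontaudit logrotate_t self:capability { sys_resource net_admin };`). A net_admin denial is otherwise a useful signal that a confined domain has started touching network configuration, so the rule deserves a why-comment, e.g. `# systemctl probes net_admin on every invocation; for callers of this interface the denial is harmless noise, not a policy gap`. The interface name and header are outside the hunk, so that this is the systemctl exec interface is inferred from the changelog rather than visible here.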
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 7734ed6..4380e89 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -18291,10 +18291,10 @@ index 6ce66e7..7725178 100644
optional_policy(`
diff --git a/cups.fc b/cups.fc
-index 949011e..afe482b 100644
+index 949011e..9437dbe 100644
--- a/cups.fc
+++ b/cups.fc
-@@ -1,77 +1,87 @@
+@@ -1,77 +1,91 @@
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
@@ -18392,23 +18392,23 @@ index 949011e..afe482b 100644
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-+
-+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
-+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
-+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
++/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
++/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
++
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
@@ -18422,10 +18422,14 @@ index 949011e..afe482b 100644
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
@@ -27863,16 +27867,16 @@ index fc3b036..10a1bbe 100644
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
diff --git a/gear.fc b/gear.fc
new file mode 100644
-index 0000000..5eabf35
+index 0000000..98c012c
--- /dev/null
+++ b/gear.fc
@@ -0,0 +1,7 @@
+/usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
+
-+/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0)
-+
-+/var/lib/containers/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
++/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0)
+
++/var/lib/containers(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
++/var/lib/containers/units(/.*)? gen_context(system_u:object_r:gear_unit_file_t,s0)
+/var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
diff --git a/gear.if b/gear.if
new file mode 100644
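Review bot: Dropping `/var/lib/containers/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)` while adding `/var/lib/containers(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)` means a gear binary under that path now inherits gear_var_lib_t and no longer triggers the transition into gear_t; confirm the binary is shipped only as /usr/bin/gear. The same commit relabels `/var/lib/containers/home(/.*)?` as openshift_var_lib_t in openshift.fc, so two modules now share the /var/lib/containers tree and depend on file_contexts specificity ordering to resolve the overlap. A comment next to the `/var/lib/containers(/.*)?` entry would save the next reader a grep, e.g. `# /var/lib/containers/home is labeled openshift_var_lib_t by openshift.fc; keep the subtree labels consistent between the two modules`.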
@@ -28170,10 +28174,10 @@ index 0000000..04e159f
+')
diff --git a/gear.te b/gear.te
new file mode 100644
-index 0000000..db1c340
+index 0000000..781c76d
--- /dev/null
+++ b/gear.te
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,122 @@
+policy_module(gear, 1.0.0)
+
+########################################
@@ -28259,6 +28263,7 @@ index 0000000..db1c340
+
+init_read_state(gear_t)
+init_dbus_chat(gear_t)
++init_enable_services(gear_t)
+
+iptables_domtrans(gear_t)
+
@@ -28273,16 +28278,27 @@ index 0000000..db1c340
+
+sysnet_dns_name_resolve(gear_t)
+
-+sysnet_domtrans_ifconfig(gear_t)
++sysnet_exec_ifconfig(gear_t)
++sysnet_manage_ifconfig_run(gear_t)
+
+systemd_manage_all_unit_files(gear_t)
+
+optional_policy(`
++ hostname_exec(gear_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(gear_t)
++')
++
++optional_policy(`
+ docker_stream_connect(gear_t)
+')
+
+optional_policy(`
++ openshift_manage_lib_dirs(gear_t)
+ openshift_manage_lib_files(gear_t)
++ openshift_relabelfrom_lib(gear_t)
+')
diff --git a/gift.te b/gift.te
index 395238e..af76abb 100644
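Review bot: Replacing `sysnet_domtrans_ifconfig(gear_t)` with `sysnet_exec_ifconfig(gear_t)` plus `sysnet_manage_ifconfig_run(gear_t)` keeps ip/ifconfig running inside gear_t instead of transitioning to the ifconfig domain, so gear_t's own privileges apply while the tool runs; the identical pattern in quantum.te carries a `# need to stay in neutron` comment, and this hunk has none. A matching comment would record the rationale, e.g. `# ip/ifconfig must run in gear_t (no domain transition) - presumably network-namespace setup for gears; confirm`. The new `openshift_relabelfrom_lib(gear_t)` only grants relabel within openshift_var_lib_t; if gear_t is also expected to move that content to its own gear type, the corresponding relabelto rule is not in this hunk.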
@@ -39834,7 +39850,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain">
## <summary>
diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..f8c5464 100644
+index 7bab8e5..17ea89c 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,20 +1,26 @@
@@ -39885,7 +39901,7 @@ index 7bab8e5..f8c5464 100644
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
-+dontaudit logrotate_t self:capability sys_resource;
++dontaudit logrotate_t self:capability { sys_resource net_admin };
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
@@ -45193,7 +45209,7 @@ index 6194b80..cafb2b0 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..39094ea 100644
+index 6a306ee..a4f86f5 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -45467,12 +45483,12 @@ index 6a306ee..39094ea 100644
-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -45639,7 +45655,7 @@ index 6a306ee..39094ea 100644
')
optional_policy(`
-@@ -300,259 +326,251 @@ optional_policy(`
+@@ -300,259 +326,255 @@ optional_policy(`
########################################
#
@@ -45872,14 +45888,17 @@ index 6a306ee..39094ea 100644
fs_getattr_all_fs(mozilla_plugin_t)
-# fs_read_hugetlbfs_files(mozilla_plugin_t)
-fs_search_auto_mountpoints(mozilla_plugin_t)
--
--term_getattr_all_ttys(mozilla_plugin_t)
--term_getattr_all_ptys(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
+fs_read_hugetlbfs_files(mozilla_plugin_t)
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
+-term_getattr_all_ttys(mozilla_plugin_t)
+-term_getattr_all_ptys(mozilla_plugin_t)
++storage_raw_read_removable_device(mozilla_plugin_t)
++fs_read_removable_files(mozilla_plugin_t)
++fs_read_removable_symlinks(mozilla_plugin_t)
+
application_exec(mozilla_plugin_t)
+application_dontaudit_signull(mozilla_plugin_t)
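Review bot: `storage_raw_read_removable_device(mozilla_plugin_t)` is wider than the changelog's "/dev/sr0": it grants raw block-device read on the removable-device type, so any removable disk, not only an optical drive, becomes readable by plugin code at the device level, bypassing filesystem permissions on its contents. Since the plugin domain exists to hold untrusted code, this looks like a candidate for a `tunable_policy` block behind a default-off boolean (name illustrative, e.g. `mozilla_plugin_use_removable_media`) rather than an unconditional allow; `fs_read_removable_files`/`fs_read_removable_symlinks` can stay unconditional if mounted media is the actual goal. At minimum a comment stating the intended device class would help, e.g. `# raw read of removable block devices (e.g. /dev/sr0) - needed for optical-media plugins; confirm no wider use`.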
@@ -46038,7 +46057,7 @@ index 6a306ee..39094ea 100644
')
optional_policy(`
-@@ -560,7 +578,11 @@ optional_policy(`
+@@ -560,7 +582,11 @@ optional_policy(`
')
optional_policy(`
@@ -46051,7 +46070,7 @@ index 6a306ee..39094ea 100644
')
optional_policy(`
-@@ -568,108 +590,131 @@ optional_policy(`
+@@ -568,108 +594,131 @@ optional_policy(`
')
optional_policy(`
@@ -52822,10 +52841,10 @@ index 0000000..28936b4
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..bd2f08f
+index 0000000..2d9ab86
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,318 @@
+@@ -0,0 +1,320 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -53096,6 +53115,8 @@ index 0000000..bd2f08f
+allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
+allow nova_scheduler_t self:udp_socket create_socket_perms;
+
++auth_read_passwd(nova_scheduler_t)
++
+#optional_policy(`
+# unconfined_domain(nova_scheduler_t)
+#')
@@ -56729,7 +56750,7 @@ index 0000000..a437f80
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
-index 0000000..1d4e039
+index 0000000..95b6381
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,28 @@
@@ -56740,7 +56761,7 @@ index 0000000..1d4e039
+
+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
-+/var/lib/containers(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
++/var/lib/containers/home(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+
@@ -56763,10 +56784,10 @@ index 0000000..1d4e039
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
-index 0000000..9451b83
+index 0000000..a472b52
--- /dev/null
+++ b/openshift.if
-@@ -0,0 +1,702 @@
+@@ -0,0 +1,721 @@
+
+## <summary> policy for openshift </summary>
+
@@ -57131,6 +57152,26 @@ index 0000000..9451b83
+ manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
+')
+
++########################################
++## <summary>
++## Relabel openshift library files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_relabelfrom_lib',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++ relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
+#######################################
+## <summary>
+## Create private objects in the
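Review bot: The new interface is named `openshift_relabelfrom_lib` but its body uses `relabel_dirs_pattern`/`relabel_files_pattern`, which grant both relabelfrom and relabelto on openshift_var_lib_t, and the summary "Relabel openshift library files" does not say which direction. Either narrow the body to `relabelfrom_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)` and `relabelfrom_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)` so the name is accurate, or rename the interface to `openshift_relabel_lib` and state both directions in the summary. As written, someone auditing which domains can place content under openshift_var_lib_t would read the name and wrongly exclude callers of this interface.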
@@ -57185,7 +57226,6 @@ index 0000000..9451b83
+ allow $1 openshift_var_run_t:file read_file_perms;
+')
+
-+
+########################################
+## <summary>
+## All of the rules required to administrate
@@ -57471,10 +57511,10 @@ index 0000000..9451b83
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..ebd0c68
+index 0000000..93fd0ea
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,575 @@
+@@ -0,0 +1,579 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -57798,6 +57838,10 @@ index 0000000..ebd0c68
+')
+
+optional_policy(`
++ gear_search_lib(openshift_domain)
++')
++
++optional_policy(`
+ gpg_entry_type(openshift_domain)
+')
+
@@ -59115,10 +59159,10 @@ index 0000000..42ed4ba
+')
diff --git a/openwsman.te b/openwsman.te
new file mode 100644
-index 0000000..49dc5ef
+index 0000000..79ad541
--- /dev/null
+++ b/openwsman.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,60 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
@@ -59130,6 +59174,9 @@ index 0000000..49dc5ef
+type openwsman_exec_t;
+init_daemon_domain(openwsman_t, openwsman_exec_t)
+
++type openwsman_tmp_t;
++files_tmp_file(openwsman_tmp_t)
++
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
@@ -59143,10 +59190,17 @@ index 0000000..49dc5ef
+#
+# openwsman local policy
+#
++
++allow openwsman_t self:capability setuid;
++
+allow openwsman_t self:process { fork };
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
-+allow openwsman_t self:tcp_socket { create_socket_perms listen };
++allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
++
++manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
++manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
++files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
@@ -59155,12 +59209,19 @@ index 0000000..49dc5ef
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+
+auth_use_nsswitch(openwsman_t)
++auth_domtrans_chkpwd(openwsman_t)
+
++corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
++logging_send_audit_msgs(openwsman_t)
++
++optional_policy(`
++ unconfined_domain(openwsman_t)
++')
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
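Review bot: `unconfined_domain(openwsman_t)` inside `optional_policy` makes every fine-grained rule above it (the setuid capability, the tmp rules, `auth_domtrans_chkpwd`, the pegasus https port) effective only on builds where the unconfined module is not loaded; on F20 the daemon is unconfined in practice while still accepting network connections (`corenet_tcp_bind_vnc_port`, the added `accept`). Mark that explicitly so the rules are not mistaken for the effective confinement, e.g. `# F20: openwsman runs unconfined until its policy is complete; the rules above only take effect when the unconfined module is absent`. The changelog states the intent, but the .te file is what the next reviewer reads.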
@@ -73746,10 +73807,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..375e2e3 100644
+index 769d1fd..1dbc6aa 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -1,96 +1,139 @@
+@@ -1,96 +1,143 @@
-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.0.3)
@@ -73801,7 +73862,7 @@ index 769d1fd..375e2e3 100644
-allow quantum_t self:unix_stream_socket { accept listen };
+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
-+allow neutron_t self:process { setsched setrlimit signal_perms };
++allow neutron_t self:process { setsched setrlimit setcap signal_perms };
+
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
@@ -73809,6 +73870,7 @@ index 769d1fd..375e2e3 100644
+allow neutron_t self:unix_stream_socket { accept listen };
+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:rawip_socket create_socket_perms;
++allow neutron_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
@@ -73897,45 +73959,48 @@ index 769d1fd..375e2e3 100644
+logging_send_syslog_msg(neutron_t)
-sysnet_domtrans_ifconfig(quantum_t)
++netutils_exec(neutron_t)
++
++# need to stay in neutron
+sysnet_exec_ifconfig(neutron_t)
+sysnet_manage_ifconfig_run(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
++
++optional_policy(`
++ brctl_domtrans(neutron_t)
++')
optional_policy(`
- brctl_domtrans(quantum_t)
-+ brctl_domtrans(neutron_t)
++ dnsmasq_domtrans(neutron_t)
++ dnsmasq_signal(neutron_t)
++ dnsmasq_kill(neutron_t)
++ dnsmasq_read_state(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
-+ dnsmasq_domtrans(neutron_t)
-+ dnsmasq_signal(neutron_t)
-+ dnsmasq_kill(neutron_t)
-+ dnsmasq_read_state(neutron_t)
++ iptables_domtrans(neutron_t)
+')
- mysql_tcp_connect(quantum_t)
+optional_policy(`
-+ iptables_domtrans(neutron_t)
- ')
-
- optional_policy(`
-- postgresql_stream_connect(quantum_t)
-- postgresql_unpriv_client(quantum_t)
+ mysql_stream_connect(neutron_t)
+ mysql_read_db_lnk_files(neutron_t)
+ mysql_read_config(neutron_t)
+ mysql_tcp_connect(neutron_t)
-+')
+ ')
-- postgresql_tcp_connect(quantum_t)
-+optional_policy(`
+ optional_policy(`
+- postgresql_stream_connect(quantum_t)
+- postgresql_unpriv_client(quantum_t)
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
+ postgresql_tcp_connect(neutron_t)
+')
-+
+
+- postgresql_tcp_connect(quantum_t)
+optional_policy(`
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
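Review bot: `netutils_exec(neutron_t)` sits above the `# need to stay in neutron` comment, so the comment reads as covering only the ifconfig lines below it, while running arping without a domain transition is exactly what keeps neutron_t's net_raw/net_admin (granted on the self:capability line earlier in the file) in play for the tool. Move the comment above `netutils_exec` or extend it, e.g. `# arping, ip and ifconfig must run in neutron_t (no transition): presumably per-netns setup that needs neutron's net_admin/net_raw; confirm`. The churn in the optional_policy blocks below is a pure reorder and needs no change.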
@@ -98406,7 +98471,7 @@ index 9b95c3e..a892845 100644
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/ulogd.te b/ulogd.te
-index c6acbbe..bd23e7f 100644
+index c6acbbe..022c367 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t)
@@ -98430,8 +98495,9 @@ index c6acbbe..bd23e7f 100644
-files_read_etc_files(ulogd_t)
-files_read_usr_files(ulogd_t)
-
+-
-miscfiles_read_localization(ulogd_t)
++kernel_request_load_module(ulogd_t)
sysnet_dns_name_resolve(ulogd_t)
@@ -101767,7 +101833,7 @@ index 9dec06c..88dcafb 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..0fd2172 100644
+index 1f22fba..1df2084 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,209 @@
@@ -103213,7 +103279,7 @@ index 1f22fba..0fd2172 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1126,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1126,300 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -103450,6 +103516,10 @@ index 1f22fba..0fd2172 100644
+')
+
+optional_policy(`
++ gear_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+
@@ -103501,10 +103571,6 @@ index 1f22fba..0fd2172 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem };
-+
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+ allow svirt_lxc_net_t self:capability sys_admin;
-+')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -103516,6 +103582,13 @@ index 1f22fba..0fd2172 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_sys_admin',`
++ allow svirt_lxc_net_t self:capability sys_admin;
++')
+
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -103524,14 +103597,11 @@ index 1f22fba..0fd2172 100644
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
-
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
++
+kernel_read_irq_sysctls(svirt_lxc_net_t)
+dev_read_sysfs(svirt_lxc_net_t)
@@ -103612,7 +103682,8 @@ index 1f22fba..0fd2172 100644
+dev_read_urand(svirt_qemu_net_t)
+
+files_read_kernel_modules(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+fs_noxattr_type(svirt_sandbox_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
@@ -103621,8 +103692,7 @@ index 1f22fba..0fd2172 100644
+term_pty(svirt_sandbox_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+rpm_read_db(svirt_qemu_net_t)
+
+logging_send_syslog_msg(svirt_qemu_net_t)
@@ -103647,7 +103717,7 @@ index 1f22fba..0fd2172 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1428,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1432,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -103662,7 +103732,7 @@ index 1f22fba..0fd2172 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1446,8 @@ optional_policy(`
+@@ -1183,9 +1450,8 @@ optional_policy(`
########################################
#
@@ -103673,7 +103743,7 @@ index 1f22fba..0fd2172 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1460,218 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1464,216 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -103892,8 +103962,6 @@ index 1f22fba..0fd2172 100644
+optional_policy(`
+ systemd_dbus_chat_logind(sandbox_net_domain)
+')
-+
-+
diff --git a/vlock.te b/vlock.te
index 9ead775..b5285e7 100644
--- a/vlock.te
@@ -107114,7 +107182,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..614e66c 100644
+index 46e4cd3..551c4e9 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3)
@@ -107233,7 +107301,7 @@ index 46e4cd3..614e66c 100644
corenet_sendrecv_ftp_client_packets(zabbix_t)
corenet_tcp_connect_ftp_port(zabbix_t)
-@@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
+@@ -85,37 +112,30 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
corenet_sendrecv_http_client_packets(zabbix_t)
corenet_tcp_connect_http_port(zabbix_t)
corenet_tcp_sendrecv_http_port(zabbix_t)
@@ -107259,9 +107327,12 @@ index 46e4cd3..614e66c 100644
+logging_send_syslog_msg(zabbix_t)
+
tunable_policy(`zabbix_can_network',`
- corenet_sendrecv_all_client_packets(zabbix_t)
- corenet_tcp_connect_all_ports(zabbix_t)
-@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',`
+- corenet_sendrecv_all_client_packets(zabbix_t)
+- corenet_tcp_connect_all_ports(zabbix_t)
+- corenet_tcp_sendrecv_all_ports(zabbix_t)
++ corenet_sendrecv_all_client_packets(zabbix_domain)
++ corenet_tcp_connect_all_ports(zabbix_domain)
++ corenet_tcp_sendrecv_all_ports(zabbix_domain)
')
optional_policy(`
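Review bot: Switching the three rules inside `tunable_policy(`zabbix_can_network',` from zabbix_t to zabbix_domain widens the boolean to every domain carrying the attribute, but the tunable's `gen_tunable` description is outside this hunk and is not touched; if it still describes only the zabbix server, update it so `semanage boolean -l` output matches what the boolean now does. The block's placement in the zabbix_t section is also now misleading; a one-line comment `# applies to all zabbix domains via the attribute, not just zabbix_t` would suffice.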
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5e6222d..4091b31 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 161%{?dist}
+Release: 162%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,22 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon May 12 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-162
+- More rules needed for openshift/gear in rhel7
+- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files
+- Allow mozilla plugins to use /dev/sr0
+- Dontaudit logrotate executing systemctl command attempting to net_admin
+- Allow neutron execute arping in neutron_t
+- Allow nova-scheduler to read passwd file
+- Fix zabbix_can_network boolean to have this boolean for all zabbix domains
+- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
+- Add openwsman_tmp_t rules
+- Allow ulogd to request the kernel to load a module
+- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
+- Systectl_net_t can be a lnk_file
+- Fix path to mmap_min_addr
+- Any app that executes systemctl will attempt a net_admin
+
* Wed May 07 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-161
- Allow keystone to connect to ldap servers
- Add additional caps for neutron_t