[selinux-policy] - Added iotop policy. Thanks William Brown - Allow spamc to read .pyzor located in /var/spool/spampd
Miroslav Grepl
mgrepl at fedoraproject.org
Tue May 13 06:14:05 UTC 2014
commit dbf4ab85b0bb90b8ecb0a452668c38e572d9aee1
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue May 13 08:13:43 2014 +0200
- Added iotop policy. Thanks William Brown
- Allow spamc to read .pyzor located in /var/spool/spampd
- Allow spamc to create home content with correct labeling
- Allow logwatch_mail_t to create dead.letter with correct labeling
- Add labeling for min-cloud-agent
- Allow geoclue to read unix in proc.
- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
- add support for min-cloud-agent
- Allow ulogd to request the kernel to load a module
- remove unconfined_domain for openwsman_t
- Add openwsman_tmp_t rules
- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
- Allow nova-scheduler to read passwd file
- Allow neutron execute arping in neutron_t
- Dontaudit logrotate executing systemctl command attempting to net_admin
- Allow mozilla plugins to use /dev/sr0
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift file
- Any app that executes systemctl will attempt a net_admin
- Fix path to mmap_min_addr
policy-rawhide-base.patch | 354 +++++++++++++++++++++++------------------
policy-rawhide-contrib.patch | 364 +++++++++++++++++++++++++++++-------------
selinux-policy.spec | 19 +++
3 files changed, 470 insertions(+), 267 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 04c0ead..b42061d 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8587,7 +8587,7 @@ index 0b1a871..2844021 100644
+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..84e8030 100644
+index 6a1e4d1..1b9b0b5 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -8705,6 +8705,24 @@ index 6a1e4d1..84e8030 100644
## Relabel to and from all entry point
## file types.
## </summary>
+@@ -1421,7 +1434,7 @@ interface(`domain_entry_file_spec_domtrans',`
+ ## <summary>
+ ## Ability to mmap a low area of the address
+ ## space conditionally, as configured by
+-## /proc/sys/kernel/mmap_min_addr.
++## /proc/sys/vm/mmap_min_addr.
+ ## Preventing such mappings helps protect against
+ ## exploiting null deref bugs in the kernel.
+ ## </summary>
+@@ -1448,7 +1461,7 @@ interface(`domain_mmap_low',`
+ ## <summary>
+ ## Ability to mmap a low area of the address
+ ## space unconditionally, as configured
+-## by /proc/sys/kernel/mmap_min_addr.
++## by /proc/sys/vm/mmap_min_addr.
+ ## Preventing such mappings helps protect against
+ ## exploiting null deref bugs in the kernel.
+ ## </summary>
@@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',`
########################################
@@ -8795,10 +8813,10 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..71f4c33 100644
+index cf04cb5..b9da2b3 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
-@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
+@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
#
# Declarations
#
@@ -8828,7 +8846,12 @@ index cf04cb5..71f4c33 100644
## <desc>
## <p>
-@@ -15,6 +38,7 @@ gen_tunable(mmap_low_allowed, false)
+ ## Control the ability to mmap a low area of the address space,
+-## as configured by /proc/sys/kernel/mmap_min_addr.
++## as configured by /proc/sys/vm/mmap_min_addr.
+ ## </p>
+ ## </desc>
+ gen_tunable(mmap_low_allowed, false)
# Mark process types as domains
attribute domain;
@@ -9534,7 +9557,7 @@ index b876c48..bbd0e79 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..ec9e64a 100644
+index f962f76..002283d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10304,7 +10327,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -1946,6 +2425,24 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2425,42 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@@ -10326,10 +10349,28 @@ index f962f76..ec9e64a 100644
+
+########################################
+## <summary>
++## Mount a filesystem on the root file system
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_mounton_rootfs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:dir mounton;
++')
++
++########################################
++## <summary>
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -2181,6 +2678,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2696,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
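Review bot: The new `files_dontaudit_mounton_rootfs` interface is documented as if it granted access: its `<summary>` reads `Mount a filesystem on the root file system` and the parameter is described as `Domain allowed access.`, while the body only emits `dontaudit $1 root_t:dir mounton;`, which silences the denial and grants nothing. A policy author picking this interface from the generated reference would expect it to authorize the mount and be surprised when the mount still fails. Change the header to `## Do not audit attempts to mount a filesystem on the root directory.` and the parameter doc to `## Domain to not audit.`, matching the wording used elsewhere in this patch for dontaudit interfaces such as `files_dontaudit_read_etc_runtime_files`.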
@@ -10354,7 +10395,7 @@ index f962f76..ec9e64a 100644
######################################
## <summary>
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3160,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3178,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -10379,7 +10420,7 @@ index f962f76..ec9e64a 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2716,6 +3249,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3267,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10387,7 +10428,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -2724,7 +3258,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3276,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -10396,7 +10437,7 @@ index f962f76..ec9e64a 100644
## </summary>
## </param>
#
-@@ -2780,6 +3314,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3332,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -10422,7 +10463,7 @@ index f962f76..ec9e64a 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2798,6 +3351,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3369,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -10447,7 +10488,7 @@ index f962f76..ec9e64a 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2963,24 +3534,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3552,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -10472,7 +10513,7 @@ index f962f76..ec9e64a 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3021,9 +3574,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3592,7 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -10483,7 +10524,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3031,18 +3582,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3600,17 @@ interface(`files_read_etc_runtime_files',`
## </summary>
## </param>
#
@@ -10505,24 +10546,20 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3060,23 +3610,44 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3628,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
## <summary>
--## Read and write files in /etc that are dynamically
+## Do not audit attempts to read files
+## in /etc that are dynamically
- ## created on boot, such as mtab.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## created on boot, such as mtab.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_rw_etc_runtime_files',`
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_read_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
@@ -10533,20 +10570,10 @@ index f962f76..ec9e64a 100644
+
+########################################
+## <summary>
-+## Read and write files in /etc that are dynamically
-+## created on boot, such as mtab.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_rw_etc_runtime_files',`
- gen_require(`
- type etc_t, etc_runtime_t;
- ')
+ ## Read and write files in /etc that are dynamically
+ ## created on boot, such as mtab.
+ ## </summary>
+@@ -3077,6 +3665,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10554,7 +10581,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3098,6 +3669,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3687,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10562,7 +10589,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3142,10 +3714,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3732,48 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
@@ -10613,7 +10640,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3161,10 +3771,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3789,10 @@ interface(`files_getattr_isid_type_dirs',`
#
interface(`files_dontaudit_search_isid_type_dirs',`
gen_require(`
@@ -10626,7 +10653,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3180,10 +3790,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3808,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
#
interface(`files_list_isid_type_dirs',`
gen_require(`
@@ -10639,7 +10666,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3199,10 +3809,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3827,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -10652,7 +10679,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3218,10 +3828,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3846,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -10721,7 +10748,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3237,10 +3903,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +3921,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -10734,7 +10761,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3256,10 +3922,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +3940,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -10766,7 +10793,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3275,10 +3960,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +3978,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -10779,7 +10806,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3294,10 +3979,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +3997,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -10792,7 +10819,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3313,10 +3998,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4016,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -10805,7 +10832,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3332,10 +4017,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4035,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -10818,7 +10845,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3351,10 +4036,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4054,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -10831,7 +10858,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3370,10 +4055,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4073,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -10844,7 +10871,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3389,10 +4074,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4092,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -10857,7 +10884,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3408,10 +4093,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4111,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -10870,7 +10897,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3427,10 +4112,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4130,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -10883,7 +10910,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3446,10 +4131,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4149,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -10896,15 +10923,14 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3465,10 +4150,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4168,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
- ')
-
-- allow $1 file_t:blk_file rw_blk_file_perms;
++ ')
++
+ allow $1 unlabeled_t:blk_file rw_blk_file_perms;
+')
+
@@ -10922,13 +10948,14 @@ index f962f76..ec9e64a 100644
+interface(`files_rw_inherited_isid_type_files',`
+ gen_require(`
+ type unlabeled_t;
-+ ')
-+
+ ')
+
+- allow $1 file_t:blk_file rw_blk_file_perms;
+ allow $1 unlabeled_t:file rw_inherited_file_perms;
')
########################################
-@@ -3484,10 +4188,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4206,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -10941,7 +10968,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3503,10 +4207,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4225,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -10954,7 +10981,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -3814,20 +4518,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4536,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -10998,7 +11025,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -4217,6 +4939,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +4957,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -11171,7 +11198,7 @@ index f962f76..ec9e64a 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -4239,6 +5127,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5145,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -11198,7 +11225,7 @@ index f962f76..ec9e64a 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4252,17 +5160,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5178,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -11237,7 +11264,7 @@ index f962f76..ec9e64a 100644
## </summary>
## </param>
#
-@@ -4289,6 +5217,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5235,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -11245,7 +11272,7 @@ index f962f76..ec9e64a 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5254,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5272,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -11253,7 +11280,7 @@ index f962f76..ec9e64a 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5264,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5282,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -11262,19 +11289,15 @@ index f962f76..ec9e64a 100644
## </summary>
## </param>
#
-@@ -4346,13 +5276,32 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5294,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
--########################################
+#######################################
- ## <summary>
--## Remove entries from the tmp directory.
++## <summary>
+## Allow read and write to the tmp directory (/tmp).
- ## </summary>
- ## <param name="domain">
--## <summary>
--## Domain allowed access.
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
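Review bot: The doc header rebuilt in this hunk still pairs the summary `Allow read and write to the tmp directory (/tmp).` with the parameter description `Domain not to audit.`, which is the wording reserved for dontaudit interfaces; the body that begins the next hunk is `allow $1 tmp_t:dir rw_dir_perms;`, so the parameter should read `## Domain allowed access.`. The interface name and its `gen_require` lie between the two hunks and are not visible here. The separator line above the summary also appears to be one `#` shorter than the 40-column banner the neighbouring interfaces use; worth aligning while these lines are being touched.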
@@ -11289,17 +11312,10 @@ index f962f76..ec9e64a 100644
+ allow $1 tmp_t:dir rw_dir_perms;
+')
+
-+########################################
-+## <summary>
-+## Remove entries from the tmp directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
-@@ -4361,6 +5310,7 @@ interface(`files_delete_tmp_dir_entry',`
+ ########################################
+ ## <summary>
+ ## Remove entries from the tmp directory.
+@@ -4361,6 +5328,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -11307,7 +11323,7 @@ index f962f76..ec9e64a 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5352,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5370,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -11340,7 +11356,7 @@ index f962f76..ec9e64a 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4456,6 +5432,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5450,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -11383,7 +11399,7 @@ index f962f76..ec9e64a 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4474,6 +5486,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5504,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
## <summary>
@@ -11444,7 +11460,7 @@ index f962f76..ec9e64a 100644
## List all tmp directories.
## </summary>
## <param name="domain">
-@@ -4519,7 +5585,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5603,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -11453,7 +11469,7 @@ index f962f76..ec9e64a 100644
## </summary>
## </param>
#
-@@ -4579,7 +5645,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5663,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -11462,7 +11478,7 @@ index f962f76..ec9e64a 100644
## </summary>
## </param>
#
-@@ -4611,6 +5677,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5695,44 @@ interface(`files_read_all_tmp_files',`
########################################
## <summary>
@@ -11507,7 +11523,7 @@ index f962f76..ec9e64a 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
## </summary>
-@@ -4664,6 +5768,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5786,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11524,7 +11540,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -5112,6 +6226,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6244,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
## <summary>
@@ -11549,7 +11565,7 @@ index f962f76..ec9e64a 100644
## Read system.map in the /boot directory.
## </summary>
## <param name="domain">
-@@ -5241,6 +6373,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6391,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -11574,7 +11590,7 @@ index f962f76..ec9e64a 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5328,7 +6478,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6496,7 @@ interface(`files_dontaudit_rw_var_files',`
type var_t;
')
@@ -11583,7 +11599,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -5527,6 +6677,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6695,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
## <summary>
@@ -11609,7 +11625,7 @@ index f962f76..ec9e64a 100644
## Create objects in the /var/lib directory
## </summary>
## <param name="domain">
-@@ -5596,6 +6765,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6783,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11635,7 +11651,7 @@ index f962f76..ec9e64a 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6829,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6847,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -11644,7 +11660,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5649,12 +6837,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6855,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -11660,7 +11676,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -5672,6 +6861,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6879,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11668,7 +11684,7 @@ index f962f76..ec9e64a 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6888,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6906,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -11696,7 +11712,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5706,13 +6915,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6933,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -11713,7 +11729,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -5731,7 +6939,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6957,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11722,7 +11738,7 @@ index f962f76..ec9e64a 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +6972,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6990,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -11730,7 +11746,7 @@ index f962f76..ec9e64a 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +6986,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7004,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
## <summary>
@@ -11739,7 +11755,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5787,13 +6994,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7012,33 @@ interface(`files_relabel_all_lock_dirs',`
## </summary>
## </param>
#
@@ -11774,7 +11790,7 @@ index f962f76..ec9e64a 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +7036,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7054,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -11792,7 +11808,7 @@ index f962f76..ec9e64a 100644
')
########################################
-@@ -5834,9 +7060,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7078,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11803,7 +11819,7 @@ index f962f76..ec9e64a 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7102,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7120,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11813,7 +11829,7 @@ index f962f76..ec9e64a 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7124,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7142,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11823,7 +11839,7 @@ index f962f76..ec9e64a 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7161,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7179,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11833,7 +11849,7 @@ index f962f76..ec9e64a 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7200,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7218,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11842,7 +11858,7 @@ index f962f76..ec9e64a 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7220,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7238,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11891,7 +11907,7 @@ index f962f76..ec9e64a 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -6025,6 +7284,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7302,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -11917,7 +11933,7 @@ index f962f76..ec9e64a 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -6039,7 +7317,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7335,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -11926,7 +11942,7 @@ index f962f76..ec9e64a 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6058,7 +7336,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7354,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -11935,7 +11951,7 @@ index f962f76..ec9e64a 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7356,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7374,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11944,7 +11960,7 @@ index f962f76..ec9e64a 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7418,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7436,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11952,7 +11968,7 @@ index f962f76..ec9e64a 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7446,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7464,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
## <summary>
@@ -11977,7 +11993,7 @@ index f962f76..ec9e64a 100644
## Read and write generic process ID files.
## </summary>
## <param name="domain">
-@@ -6182,7 +7477,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7495,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -11986,7 +12002,7 @@ index f962f76..ec9e64a 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7544,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7562,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -12049,7 +12065,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6305,42 +7588,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7606,35 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
@@ -12099,7 +12115,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6348,18 +7624,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7642,18 @@ interface(`files_manage_all_pids',`
## </summary>
## </param>
#
@@ -12123,7 +12139,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6367,37 +7643,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7661,40 @@ interface(`files_mounton_all_poly_members',`
## </summary>
## </param>
#
@@ -12175,7 +12191,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6405,18 +7684,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7702,17 @@ interface(`files_dontaudit_search_spool',`
## </summary>
## </param>
#
@@ -12198,7 +12214,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6424,18 +7702,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7720,18 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
@@ -12222,7 +12238,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6443,19 +7721,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7739,18 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
@@ -12247,7 +12263,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6463,55 +7740,43 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7758,43 @@ interface(`files_read_generic_spool',`
## </summary>
## </param>
#
@@ -12318,7 +12334,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6519,53 +7784,68 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +7802,68 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@@ -12425,7 +12441,7 @@ index f962f76..ec9e64a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6573,10 +7853,784 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7871,784 @@ interface(`files_polyinstantiate_all',`
## </summary>
## </param>
#
@@ -15030,7 +15046,7 @@ index 7be4ddf..d5ef507 100644
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..98dc4c1 100644
+index e100d88..fb8a1f1 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -15219,7 +15235,33 @@ index e100d88..98dc4c1 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
-@@ -1750,16 +1856,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1672,7 +1778,7 @@ interface(`kernel_read_net_sysctls',`
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+-
++ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+@@ -1693,7 +1799,7 @@ interface(`kernel_rw_net_sysctls',`
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+-
++ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+@@ -1715,7 +1821,6 @@ interface(`kernel_read_unix_sysctls',`
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
+-
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+@@ -1750,16 +1855,9 @@ interface(`kernel_rw_unix_sysctls',`
## Domain allowed access.
## </summary>
## </param>
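Review bot: `kernel_read_unix_sysctls` is touched in this hunk (its blank line is dropped) but, unlike `kernel_read_net_sysctls` and `kernel_rw_net_sysctls`, it does not gain a matching `read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)`; if callers resolving symlinks under /proc/sys/net motivated the two new lines, the unix variant presumably needs the same treatment, and if not, a short comment on the two net interfaces stating why symlinks are now readable would help the next reader. The interface headers of all three blocks start outside the hunk.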
@@ -15237,7 +15279,7 @@ index e100d88..98dc4c1 100644
')
########################################
-@@ -1771,16 +1870,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1869,9 @@ interface(`kernel_read_hotplug_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@@ -15255,7 +15297,7 @@ index e100d88..98dc4c1 100644
')
########################################
-@@ -1792,16 +1884,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1883,9 @@ interface(`kernel_rw_hotplug_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@@ -15273,7 +15315,7 @@ index e100d88..98dc4c1 100644
')
########################################
-@@ -1813,16 +1898,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1897,9 @@ interface(`kernel_read_modprobe_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@@ -15291,7 +15333,7 @@ index e100d88..98dc4c1 100644
')
########################################
-@@ -2085,7 +2163,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2162,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -15300,7 +15342,7 @@ index e100d88..98dc4c1 100644
')
########################################
-@@ -2282,6 +2360,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2359,25 @@ interface(`kernel_list_unlabeled',`
########################################
## <summary>
@@ -15326,7 +15368,7 @@ index e100d88..98dc4c1 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
-@@ -2306,7 +2403,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2402,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@@ -15335,7 +15377,7 @@ index e100d88..98dc4c1 100644
## </summary>
## </param>
#
-@@ -2488,6 +2585,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2584,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@@ -15360,7 +15402,7 @@ index e100d88..98dc4c1 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
-@@ -2525,6 +2640,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2639,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
## <summary>
@@ -15385,7 +15427,7 @@ index e100d88..98dc4c1 100644
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
-@@ -2667,6 +2800,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2799,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@@ -15410,7 +15452,7 @@ index e100d88..98dc4c1 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
-@@ -2694,6 +2845,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2844,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@@ -15436,7 +15478,7 @@ index e100d88..98dc4c1 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2803,6 +2973,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +2972,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -15470,7 +15512,7 @@ index e100d88..98dc4c1 100644
########################################
## <summary>
-@@ -2958,6 +3155,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3154,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -15495,7 +15537,7 @@ index e100d88..98dc4c1 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2972,5 +3187,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3186,565 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -38519,10 +38561,10 @@ index 0000000..916c8ed
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..24b2af3
+index 0000000..d2a8fc7
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1458 @@
+@@ -0,0 +1,1460 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@@ -38621,6 +38663,8 @@ index 0000000..24b2af3
+ systemd_login_list_pid_dirs($1)
+ systemd_login_read_pid_files($1)
+ systemd_passwd_agent_exec($1)
++
++ dontaudit $1 self:capability net_admin;
+')
+
+#######################################
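Review bot: The new `dontaudit $1 self:capability net_admin;` lands in a shared interface, so every domain that calls it stops logging `net_admin` denials, and the silenced AVC is the only signal an administrator has when something in that domain genuinely needs the capability. The enclosing interface starts outside the hunk so its name is not visible, but a comment such as `# systemctl probes CAP_NET_ADMIN on every invocation; the probe is harmless, so do not log it` next to the rule would record why the denial is intentionally hidden. The same dontaudit is added per-domain for `logrotate_t` later in this commit, which is redundant if `logrotate_t` already calls this interface.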
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 89479f4..617cd04 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12652,14 +12652,15 @@ index 4a5b3d1..cd146bd 100644
')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
-index 0000000..d0501e3
+index 0000000..53f5265
--- /dev/null
+++ b/cloudform.fc
-@@ -0,0 +1,19 @@
+@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
++/usr/libexec/min-cloud-agent -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
+
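Review bot: `/usr/libexec/min-cloud-agent` is labeled `cloud_init_exec_t`, so the agent runs with the full `cloud_init_t` policy rather than a domain of its own; any grant later added for cloud-init then also applies to this agent and vice versa. If the agent's needs are a small subset, a dedicated domain would keep the two separable; otherwise a comment like `# min-cloud-agent shares the cloud-init domain` above the new line would document the choice. The `/var/lib/min-cloud-agent` entry in the next hunk makes the same sharing decision for `cloud_var_lib_t`.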
@@ -12668,6 +12669,7 @@ index 0000000..d0501e3
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
++/var/lib/min-cloud-agent(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/log/cloud-init\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+
@@ -18437,10 +18439,10 @@ index 001b502..3ceae52 100644
optional_policy(`
diff --git a/cups.fc b/cups.fc
-index 949011e..afe482b 100644
+index 949011e..9437dbe 100644
--- a/cups.fc
+++ b/cups.fc
-@@ -1,77 +1,87 @@
+@@ -1,77 +1,91 @@
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
@@ -18538,23 +18540,23 @@ index 949011e..afe482b 100644
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-+
-+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
-+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
-+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
++/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
++/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
++
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
@@ -18568,10 +18570,14 @@ index 949011e..afe482b 100644
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
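Review bot: The new `/usr/local/Brother` and `/usr/local/Printer` entries label driver trees under /usr/local as `cupsd_rw_etc_t` and `cupsd_log_t`, i.e. writable by the print daemon, and the commit message says the generic `/usr/local` equivalence was removed, so nothing on the page explains why these particular paths must be writable. A one-line comment above the block, `# vendor printer drivers install under /usr/local and presumably write here at runtime` (adjusted to what the denials showed), would tell the next maintainer why the rw label is intentional. The block is also followed by two consecutive `+` blank lines before the `/usr/local/linuxprinter` entry; one of them can be dropped.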
@@ -28271,10 +28277,10 @@ index 0000000..04e159f
+')
diff --git a/gear.te b/gear.te
new file mode 100644
-index 0000000..75d7bc3
+index 0000000..781c76d
--- /dev/null
+++ b/gear.te
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,122 @@
+policy_module(gear, 1.0.0)
+
+########################################
@@ -28393,6 +28399,7 @@ index 0000000..75d7bc3
+')
+
+optional_policy(`
++ openshift_manage_lib_dirs(gear_t)
+ openshift_manage_lib_files(gear_t)
+ openshift_relabelfrom_lib(gear_t)
+')
@@ -28572,10 +28579,10 @@ index 0000000..9e17d3e
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
-index 0000000..7106428
+index 0000000..351f145
--- /dev/null
+++ b/geoclue.te
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,53 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
@@ -28608,6 +28615,8 @@ index 0000000..7106428
+manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
+
++kernel_read_network_state(geoclue_t)
++
+auth_read_passwd(geoclue_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
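Review bot: `kernel_read_network_state(geoclue_t)` covers all of /proc/net, while the commit message only mentions reading the unix socket table; that is the usual interface for this, but a comment `# reads /proc/net/unix` on the line would tie the rule to its motivation. The enclosing policy file starts and ends outside the hunk.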
@@ -34333,6 +34342,108 @@ index d443fee..6cbbf7d 100644
logging_send_syslog_msg(iodined_t)
+diff --git a/iotop.fc b/iotop.fc
+new file mode 100644
+index 0000000..c8d2dea
+--- /dev/null
++++ b/iotop.fc
+@@ -0,0 +1 @@
++/usr/sbin/iotop -- gen_context(system_u:object_r:iotop_exec_t,s0)
+diff --git a/iotop.if b/iotop.if
+new file mode 100644
+index 0000000..7fc3464
+--- /dev/null
++++ b/iotop.if
+@@ -0,0 +1,46 @@
++## <summary>Simple top-like I/O monitor</summary>
++
++########################################
++## <summary>
++## Allow execution of iotop in the iotop domain from the target domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition to iotop.
++## </summary>
++## </param>
++#
++interface(`iotop_domtrans',`
++ gen_require(`
++ type iotop_t, iotop_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, iotop_exec_t, iotop_t)
++')
++
++########################################
++## <summary>
++## Execute iotop in the iotop domain, and
++## allow the specified role to access the iotop domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed into the iotop domain.
++## </summary>
++## </param>
++#
++interface(`iotop_run',`
++ gen_require(`
++ type iotop_t;
++ attribute_role iotop_roles;
++ ')
++
++ iotop_domtrans($1)
++ roleattribute $2 iotop_roles;
++')
+diff --git a/iotop.te b/iotop.te
+new file mode 100644
+index 0000000..51d7e34
+--- /dev/null
++++ b/iotop.te
+@@ -0,0 +1,37 @@
++policy_module(iotop, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++attribute_role iotop_roles;
++roleattribute system_r iotop_roles;
++
++type iotop_t;
++type iotop_exec_t;
++application_domain(iotop_t, iotop_exec_t)
++
++role iotop_roles types iotop_t;
++
++########################################
++#
++# iotop local policy
++#
++
++allow iotop_t self:capability net_admin;
++allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
++
++kernel_read_system_state(iotop_t)
++
++auth_use_nsswitch(iotop_t)
++
++dev_read_urand(iotop_t)
++
++domain_getsched_all_domains(iotop_t)
++domain_read_all_domains_state(iotop_t)
++
++corecmd_exec_bin(iotop_t)
++
++miscfiles_read_localization(iotop_t)
++
++userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 0000000..48d7322
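Review bot: iotop.te grants `iotop_t` a `netlink_route_socket`, but iotop reads per-task I/O counters through the taskstats generic netlink family, which a policy of this vintage would classify as `netlink_socket` rather than `netlink_route_socket`; confirm the rule against the denials that motivated it, since a route-socket grant would leave the actual taskstats request denied. Reading other users' `/proc/<pid>/io` through `domain_read_all_domains_state(iotop_t)` also normally requires `sys_ptrace` next to the `net_admin` capability already granted, so `allow iotop_t self:capability { net_admin sys_ptrace };` is probably what a working run needs — again worth checking against audit output. The new module presumably also has to be registered in the modules configuration the spec file edits, which is outside this view, and in iotop.if the `iotop_run` parameter summary `Domain allowed to transition` lacks the trailing period its sibling summaries have.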
@@ -40137,7 +40248,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain">
## <summary>
diff --git a/logrotate.te b/logrotate.te
-index be0ab84..1859690 100644
+index be0ab84..9321951 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@@ -40183,7 +40294,7 @@ index be0ab84..1859690 100644
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
-+dontaudit logrotate_t self:capability sys_resource;
++dontaudit logrotate_t self:capability { sys_resource net_admin };
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
@@ -40418,7 +40529,7 @@ index be0ab84..1859690 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index ab65034..c76dbda 100644
+index ab65034..28f63b5 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
@@ -40503,11 +40614,13 @@ index ab65034..c76dbda 100644
rpc_search_nfs_state_data(logwatch_t)
')
-@@ -187,6 +192,17 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -187,6 +192,19 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
+mta_read_home(logwatch_mail_t)
++mta_filetrans_home_content(logwatch_mail_t)
++mta_filetrans_admin_home_content(logwatch_mail_t)
+
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
@@ -45601,7 +45714,7 @@ index 6194b80..cafb2b0 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..7bb38c6 100644
+index 11ac8e4..633063d 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@@ -46039,7 +46152,7 @@ index 11ac8e4..7bb38c6 100644
')
optional_policy(`
-@@ -300,259 +324,248 @@ optional_policy(`
+@@ -300,259 +324,252 @@ optional_policy(`
########################################
#
@@ -46272,14 +46385,17 @@ index 11ac8e4..7bb38c6 100644
fs_getattr_all_fs(mozilla_plugin_t)
-# fs_read_hugetlbfs_files(mozilla_plugin_t)
-fs_search_auto_mountpoints(mozilla_plugin_t)
--
--term_getattr_all_ttys(mozilla_plugin_t)
--term_getattr_all_ptys(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
+fs_read_hugetlbfs_files(mozilla_plugin_t)
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
+-term_getattr_all_ttys(mozilla_plugin_t)
+-term_getattr_all_ptys(mozilla_plugin_t)
++storage_raw_read_removable_device(mozilla_plugin_t)
++fs_read_removable_files(mozilla_plugin_t)
++fs_read_removable_symlinks(mozilla_plugin_t)
+
application_exec(mozilla_plugin_t)
+application_dontaudit_signull(mozilla_plugin_t)
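Review bot: `storage_raw_read_removable_device(mozilla_plugin_t)` grants every browser plugin raw read access to all removable block devices, not only the optical drive the commit message names, so a plugin could read a plugged-in USB disk byte for byte; it is an unconditional allow in a domain that by design runs third-party code. Wrapping the three new lines in a boolean that is off by default, e.g. `tunable_policy(`mozilla_plugin_read_removable_media`,` … `')` together with the matching `gen_tunable` declaration (the boolean name is a placeholder), would keep the default exposure unchanged for users who do not play media from a plugin. The enclosing block starts and ends outside this hunk.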
@@ -46435,7 +46551,7 @@ index 11ac8e4..7bb38c6 100644
')
optional_policy(`
-@@ -560,7 +573,11 @@ optional_policy(`
+@@ -560,7 +577,11 @@ optional_policy(`
')
optional_policy(`
@@ -46448,7 +46564,7 @@ index 11ac8e4..7bb38c6 100644
')
optional_policy(`
-@@ -568,108 +585,131 @@ optional_policy(`
+@@ -568,108 +589,131 @@ optional_policy(`
')
optional_policy(`
@@ -53019,10 +53135,10 @@ index 0000000..28936b4
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..f429163
+index 0000000..f691a30
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,311 @@
+@@ -0,0 +1,310 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -53302,7 +53418,6 @@ index 0000000..f429163
+# nova vncproxy local policy
+#
+
-+
+#######################################
+#
+# nova volume local policy
@@ -59264,10 +59379,10 @@ index 0000000..42ed4ba
+')
diff --git a/openwsman.te b/openwsman.te
new file mode 100644
-index 0000000..49dc5ef
+index 0000000..a0161d5
--- /dev/null
+++ b/openwsman.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,56 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
@@ -59279,6 +59394,9 @@ index 0000000..49dc5ef
+type openwsman_exec_t;
+init_daemon_domain(openwsman_t, openwsman_exec_t)
+
++type openwsman_tmp_t;
++files_tmp_file(openwsman_tmp_t)
++
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
@@ -59292,10 +59410,17 @@ index 0000000..49dc5ef
+#
+# openwsman local policy
+#
++
++allow openwsman_t self:capability setuid;
++
+allow openwsman_t self:process { fork };
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
-+allow openwsman_t self:tcp_socket { create_socket_perms listen };
++allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
++
++manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
++manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
++files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
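Review bot: `allow openwsman_t self:capability setuid;` is added without a comment saying which operation in a network-facing daemon needs it; together with the `auth_domtrans_chkpwd(openwsman_t)` in the next hunk it presumably backs PAM authentication of remote clients, and a line like `# setuid + chkpwd: openwsman authenticates remote clients through PAM` above the rule would make that traceable. If openwsman uses PAM modules beyond unix password checking, `auth_use_pam(openwsman_t)` is the interface that usually covers that set, which is worth confirming before adding rules piecemeal. The commit description also says the domain is made unconfined for F20 while this rawhide hunk keeps it confined; a short note in the .te header about the branch difference would avoid confusion.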
@@ -59304,12 +59429,15 @@ index 0000000..49dc5ef
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+
+auth_use_nsswitch(openwsman_t)
++auth_domtrans_chkpwd(openwsman_t)
+
++corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
++logging_send_audit_msgs(openwsman_t)
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
@@ -73504,10 +73632,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 8644d8b..d76fab5 100644
+index 8644d8b..9494e23 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -5,92 +5,132 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,136 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@@ -73554,7 +73682,7 @@ index 8644d8b..d76fab5 100644
-allow quantum_t self:unix_stream_socket { accept listen };
+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
-+allow neutron_t self:process { setsched setrlimit signal_perms };
++allow neutron_t self:process { setsched setrlimit setcap signal_perms };
+
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
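Review bot: `setcap` is added to `neutron_t`'s `self:process` permissions on top of a capability set that already includes `sys_admin`, `net_admin`, `net_raw`, `dac_override` and `sys_ptrace`, and the rule carries no comment explaining which helper needs to adjust its own capabilities; a `# <helper> adjusts its capability set before exec` note with the real helper name would keep this from reading as an accidental widening. The following hunks add `packet_socket` and `netutils_exec` so that arping runs inside `neutron_t`; if `setcap` is also for arping, saying so in one place would tie the three rules together.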
@@ -73562,46 +73690,45 @@ index 8644d8b..d76fab5 100644
+allow neutron_t self:unix_stream_socket { accept listen };
+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:rawip_socket create_socket_perms;
++allow neutron_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
++
++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
++files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
-+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
-
--manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
--files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++can_exec(neutron_t, neutron_tmp_t)
+
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
-+can_exec(neutron_t, neutron_tmp_t)
-
--can_exec(quantum_t, quantum_tmp_t)
+kernel_rw_kernel_sysctl(neutron_t)
+kernel_rw_net_sysctls(neutron_t)
+kernel_read_system_state(neutron_t)
+kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
--kernel_read_kernel_sysctls(quantum_t)
--kernel_read_system_state(quantum_t)
+-can_exec(quantum_t, quantum_tmp_t)
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
--corecmd_exec_shell(quantum_t)
--corecmd_exec_bin(quantum_t)
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
@@ -73609,83 +73736,88 @@ index 8644d8b..d76fab5 100644
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
--corenet_all_recvfrom_unlabeled(quantum_t)
--corenet_all_recvfrom_netlabel(quantum_t)
--corenet_tcp_sendrecv_generic_if(quantum_t)
--corenet_tcp_sendrecv_generic_node(quantum_t)
--corenet_tcp_sendrecv_all_ports(quantum_t)
--corenet_tcp_bind_generic_node(quantum_t)
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
--dev_list_sysfs(quantum_t)
--dev_read_urand(quantum_t)
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
+domain_read_all_domains_state(neutron_t)
+domain_named_filetrans(neutron_t)
--files_read_usr_files(quantum_t)
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
+dev_read_sysfs(neutron_t)
+dev_read_urand(neutron_t)
+dev_mounton_sysfs(neutron_t)
+dev_mount_sysfs_fs(neutron_t)
+dev_unmount_sysfs_fs(neutron_t)
--auth_use_nsswitch(quantum_t)
+-files_read_usr_files(quantum_t)
+files_mounton_non_security(neutron_t)
--libs_exec_ldconfig(quantum_t)
+-auth_use_nsswitch(quantum_t)
+auth_use_nsswitch(neutron_t)
--logging_send_audit_msgs(quantum_t)
--logging_send_syslog_msg(quantum_t)
+-libs_exec_ldconfig(quantum_t)
+libs_exec_ldconfig(neutron_t)
--miscfiles_read_localization(quantum_t)
+-logging_send_audit_msgs(quantum_t)
+-logging_send_syslog_msg(quantum_t)
+logging_send_audit_msgs(neutron_t)
+logging_send_syslog_msg(neutron_t)
+-miscfiles_read_localization(quantum_t)
++netutils_exec(neutron_t)
+
-sysnet_domtrans_ifconfig(quantum_t)
++# need to stay in neutron
+sysnet_exec_ifconfig(neutron_t)
+sysnet_manage_ifconfig_run(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
-+
-+optional_policy(`
-+ brctl_domtrans(neutron_t)
-+')
optional_policy(`
- brctl_domtrans(quantum_t)
-+ dnsmasq_domtrans(neutron_t)
-+ dnsmasq_signal(neutron_t)
-+ dnsmasq_read_state(neutron_t)
++ brctl_domtrans(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
-+ iptables_domtrans(neutron_t)
++ dnsmasq_domtrans(neutron_t)
++ dnsmasq_signal(neutron_t)
++ dnsmasq_read_state(neutron_t)
+')
- mysql_tcp_connect(quantum_t)
+optional_policy(`
-+ mysql_stream_connect(neutron_t)
-+ mysql_read_db_lnk_files(neutron_t)
-+ mysql_read_config(neutron_t)
-+ mysql_tcp_connect(neutron_t)
++ iptables_domtrans(neutron_t)
')
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
++ mysql_stream_connect(neutron_t)
++ mysql_read_db_lnk_files(neutron_t)
++ mysql_read_config(neutron_t)
++ mysql_tcp_connect(neutron_t)
++')
+
+- postgresql_tcp_connect(quantum_t)
++optional_policy(`
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
+ postgresql_tcp_connect(neutron_t)
+')
-
-- postgresql_tcp_connect(quantum_t)
++
+optional_policy(`
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
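Review bot: `netutils_exec(neutron_t)` runs arping in the `neutron_t` domain instead of transitioning through `netutils_domtrans`, which is why the `packet_socket` rule in the previous hunk has to sit on `neutron_t` itself; the existing `# need to stay in neutron` comment covers only the ifconfig lines below it, so adding `# arping (netutils) must run in neutron_t, hence the packet_socket rule above` next to `netutils_exec` would explain both rules. The remainder of the hunk appears to be a reordering of the existing optional_policy blocks with no change to the resulting file.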
@@ -91614,7 +91746,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..4f35a1b 100644
+index cc58e35..de9c4d9 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@@ -91918,7 +92050,7 @@ index cc58e35..4f35a1b 100644
')
########################################
-@@ -167,72 +248,85 @@ optional_policy(`
+@@ -167,72 +248,90 @@ optional_policy(`
# Client local policy
#
@@ -91958,6 +92090,8 @@ index cc58e35..4f35a1b 100644
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+userdom_append_user_home_content_files(spamc_t)
++spamassassin_filetrans_home_content(spamc_t)
++spamassassin_filetrans_admin_home_content(spamc_t)
+# for /root/.pyzor
+allow spamc_t self:capability dac_override;
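Review bot: `spamassassin_filetrans_home_content(spamc_t)` and `spamassassin_filetrans_admin_home_content(spamc_t)` are called here, but no hunk in this commit touches spamassassin.if to add them (the only spamassassin.if hunk visible earlier drops a `spamassassin_role` call); if they do not already exist the contrib module fails to build, so confirm they are defined. The hunk that follows lets `spamc_t` read and list all of `spamd_spool_t`, which is broader than the `.pyzor` file under /var/spool/spampd the commit message names; a full spool read may be acceptable, but a comment `# spamc reads /var/spool/spampd/.pyzor` on the `read_files_pattern` line would record the intent.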
@@ -91965,6 +92099,9 @@ index cc58e35..4f35a1b 100644
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
++read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
++list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
++
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
@@ -92035,7 +92172,7 @@ index cc58e35..4f35a1b 100644
optional_policy(`
abrt_stream_connect(spamc_t)
-@@ -243,6 +337,7 @@ optional_policy(`
+@@ -243,6 +342,7 @@ optional_policy(`
')
optional_policy(`
@@ -92043,7 +92180,7 @@ index cc58e35..4f35a1b 100644
evolution_stream_connect(spamc_t)
')
-@@ -251,10 +346,16 @@ optional_policy(`
+@@ -251,10 +351,16 @@ optional_policy(`
')
optional_policy(`
@@ -92061,7 +92198,7 @@ index cc58e35..4f35a1b 100644
sendmail_stub(spamc_t)
')
-@@ -267,36 +368,38 @@ optional_policy(`
+@@ -267,36 +373,38 @@ optional_policy(`
########################################
#
@@ -92088,17 +92225,17 @@ index cc58e35..4f35a1b 100644
allow spamd_t self:unix_dgram_socket sendto;
-allow spamd_t self:unix_stream_socket { accept connectto listen };
-allow spamd_t self:tcp_socket { accept listen };
-+allow spamd_t self:unix_stream_socket connectto;
-+allow spamd_t self:tcp_socket create_stream_socket_perms;
-+allow spamd_t self:udp_socket create_socket_perms;
-
+-
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
--
++allow spamd_t self:unix_stream_socket connectto;
++allow spamd_t self:tcp_socket create_stream_socket_perms;
++allow spamd_t self:udp_socket create_socket_perms;
+
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@@ -92117,7 +92254,7 @@ index cc58e35..4f35a1b 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +411,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +416,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@@ -92127,7 +92264,7 @@ index cc58e35..4f35a1b 100644
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +421,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +426,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -92143,7 +92280,7 @@ index cc58e35..4f35a1b 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +436,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +441,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -92247,7 +92384,7 @@ index cc58e35..4f35a1b 100644
')
optional_policy(`
-@@ -421,21 +507,13 @@ optional_policy(`
+@@ -421,21 +512,13 @@ optional_policy(`
')
optional_policy(`
@@ -92271,7 +92408,7 @@ index cc58e35..4f35a1b 100644
')
optional_policy(`
-@@ -443,8 +521,8 @@ optional_policy(`
+@@ -443,8 +526,8 @@ optional_policy(`
')
optional_policy(`
@@ -92281,7 +92418,7 @@ index cc58e35..4f35a1b 100644
')
optional_policy(`
-@@ -455,7 +533,17 @@ optional_policy(`
+@@ -455,7 +538,17 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -92300,7 +92437,7 @@ index cc58e35..4f35a1b 100644
')
optional_policy(`
-@@ -463,9 +551,9 @@ optional_policy(`
+@@ -463,9 +556,9 @@ optional_policy(`
')
optional_policy(`
@@ -92311,7 +92448,7 @@ index cc58e35..4f35a1b 100644
')
optional_policy(`
-@@ -474,32 +562,32 @@ optional_policy(`
+@@ -474,32 +567,32 @@ optional_policy(`
########################################
#
@@ -92354,7 +92491,7 @@ index cc58e35..4f35a1b 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +596,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +601,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -97873,7 +98010,7 @@ index 9b95c3e..a892845 100644
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/ulogd.te b/ulogd.te
-index de35e5f..436d24c 100644
+index de35e5f..51f2763 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -29,8 +29,10 @@ logging_log_file(ulogd_var_log_t)
@@ -97894,8 +98031,9 @@ index de35e5f..436d24c 100644
-files_read_etc_files(ulogd_t)
-files_read_usr_files(ulogd_t)
-
+-
-miscfiles_read_localization(ulogd_t)
++kernel_request_load_module(ulogd_t)
sysnet_dns_name_resolve(ulogd_t)
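Review bot: `kernel_request_load_module(ulogd_t)` is added with no comment recording which module autoload it satisfies, so a later audit of ulogd's policy cannot tell whether the grant is still required or which denial motivated it. As far as I recall the interface allows `kernel_t:system module_request`, letting the kernel load modules on ulogd's behalf for any subsystem that asks, which is wider than the single netfilter-logging module ulogd presumably needs; a one-line comment above the rule, e.g. `# ulogd triggers kernel module autoload (MODULE-NAME-FROM-AVC placeholder: fill in from the denial)`, would keep the grant auditable. The exact old/new marker of the neighbouring lines is hard to read here because the context column was stripped, and the ulogd_t block continues outside the hunk.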
@@ -101214,7 +101352,7 @@ index facdee8..88dcafb 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..a26950d 100644
+index f03dcf5..0b4a6fa 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,212 @@
@@ -102678,7 +102816,7 @@ index f03dcf5..a26950d 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1133,299 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1133,303 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -102912,21 +103050,25 @@ index f03dcf5..a26950d 100644
+')
+
+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++ gear_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
-+ ssh_use_ptys(svirt_sandbox_domain)
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
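Review bot: `gear_read_pid_files(svirt_sandbox_domain)` is attached to the whole `svirt_sandbox_domain` attribute, so every sandboxed container domain, not only gear-backed ones, gains read access to gear's state under /run, and the hunk gives no reason for that width. If only openshift gear containers need it, a narrower target would be preferable; failing that, a comment such as `# openshift gear containers read their gear's pid files in /run` would document why the sandbox boundary is opened for all sandboxes. The surrounding moves of `ssh_use_ptys` and `udev_read_pid_files` appear to be alphabetical reordering only, and the enclosing svirt_sandbox_domain section starts and ends outside the hunk.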
@@ -102991,12 +103133,12 @@ index f03dcf5..a26950d 100644
+', `
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
++
++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
-+
+kernel_read_irq_sysctls(svirt_lxc_net_t)
+dev_read_sysfs(svirt_lxc_net_t)
@@ -103073,7 +103215,8 @@ index f03dcf5..a26950d 100644
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
@@ -103085,8 +103228,7 @@ index f03dcf5..a26950d 100644
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+term_pty(svirt_sandbox_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
@@ -103115,7 +103257,7 @@ index f03dcf5..a26950d 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1438,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1442,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -103130,7 +103272,7 @@ index f03dcf5..a26950d 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1456,8 @@ optional_policy(`
+@@ -1192,9 +1460,8 @@ optional_policy(`
########################################
#
@@ -103141,7 +103283,7 @@ index f03dcf5..a26950d 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1470,218 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1474,216 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -103360,8 +103502,6 @@ index f03dcf5..a26950d 100644
+optional_policy(`
+ systemd_dbus_chat_logind(sandbox_net_domain)
+')
-+
-+
diff --git a/vlock.te b/vlock.te
index 6b72968..de409cc 100644
--- a/vlock.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6e5a903..c7e40ed 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -590,6 +590,25 @@ SELinux Reference policy mls base module.
%changelog
* Wed May 7 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-52
- More rules for gears and openshift
+- Added iotop policy. Thanks William Brown
+- Allow spamc to read .pyzor located in /var/spool/spampd
+- Allow spamc to create home content with correct labeling
+- Allow logwatch_mail_t to create dead.letter with correct labelign
+- Add labeling for min-cloud-agent
+- Allow geoclue to read unix in proc.
+- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
+- add support for min-cloud-agent
+- Allow ulogd to request the kernel to load a module
+- remove unconfined_domain for openwsman_t
+- Add openwsman_tmp_t rules
+- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
+- Allow nova-scheduler to read passwd file
+- Allow neutron execute arping in neutron_t
+- Dontaudit logrotate executing systemctl command attempting to net_admin
+- Allow mozilla plugins to use /dev/sr0
+- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files
+- Any app that executes systemctl will attempt a net_admin
+- Fix path to mmap_min_addr
* Wed May 7 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-51
- Add gear fixes from dwalsh