[selinux-policy] - If I can create a socket I need to be able to set the attributes - Add tcp/8775 port as neutron po

Miroslav Grepl mgrepl at fedoraproject.org
Fri Jul 4 16:51:24 UTC 2014


commit 682896c0a1dd2d7ff4d0ba609260aa87a8e1412d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Jul 4 18:51:18 2014 +0200

    - If I can create a socket I need to be able to set the attributes
    - Add tcp/8775 port as neutron port
    - Add additional ports for swift ports
    - Added changes to fedora from bug bz#1082183
    - Add support for tcp/6200 port
    - Allow collectd getattr access to configfs_t dir Fixes Bug 1115040
    - Update neutron_manage_lib_files() interface
    - Allow glustered to connect to ephemeral ports
    - Allow apache to search ipa lib files by default
    - Allow neutron to domtrans to haproxy
    - Add rhcs_domtrans_haproxy()
    - Add support for openstack-glance-* unit files
    - Add initial support for /usr/bin/glance-scrubber
    - Allow swift to connect to keystone and memcache ports.
    - Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup
    - Add policies for openstack-cinder
    - Add support for /usr/bin/nova-conductor
    - Add neutron_can_network boolean
    - Allow neutron to connect to neutron port
    - Allow glance domain to use syslog
    - Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t

 policy-rawhide-base.patch    |  119 ++++----
 policy-rawhide-contrib.patch |  700 ++++++++++++++++++++++++++++++++----------
 selinux-policy.spec          |   25 ++-
 3 files changed, 632 insertions(+), 212 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e55c97c..94e6adf 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5452,7 +5452,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..dab9975 100644
+index b191055..a19d634 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5724,7 +5724,7 @@ index b191055..dab9975 100644
  network_port(puppet, tcp, 8140, s0)
  network_port(pxe, udp,4011,s0)
  network_port(pyzor, udp,24441,s0)
-+network_port(neutron, tcp,9696,s0, tcp,9697,s0)
++network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
  network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
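Review bot: The new `network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)` line mixes two spacing styles inside one call, while the neighbouring declarations write each tuple without inner spaces; `network_port(neutron, tcp,8775,s0, tcp,9696,s0, tcp,9697,s0)` would match them. As far as I know 8775 is the Nova metadata API port rather than a neutron service, so labeling it neutron_port_t means every domain granted neutron_port_t connect access also reaches that service. A one-line comment above the declaration stating why 8775 is grouped under neutron would keep that decision visible to the next person widening the set.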
@@ -5770,7 +5770,7 @@ index b191055..dab9975 100644
  network_port(svn, tcp,3690,s0, udp,3690,s0)
  network_port(svrloc, tcp,427,s0, udp,427,s0)
  network_port(swat, tcp,901,s0)
-+network_port(swift, tcp,6200,s0)
++network_port(swift, tcp,6200-6203,s0)
  network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
 -network_port(syslogd, udp,514,s0)
 +network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
@@ -22165,7 +22165,7 @@ index fe0c682..eb9cefe 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..bdb6d0e 100644
+index cc877c7..b4e231c 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
@@ -22673,7 +22673,7 @@ index cc877c7..bdb6d0e 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +517,140 @@ optional_policy(`
+@@ -341,3 +517,147 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -22728,6 +22728,9 @@ index cc877c7..bdb6d0e 100644
 +
 +corecmd_exec_shell(chroot_user_t)
 +
++domain_subj_id_change_exemption(chroot_user_t)
++domain_role_change_exemption(chroot_user_t)
++
 +term_search_ptys(chroot_user_t)
 +term_use_ptmx(chroot_user_t)
 +
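Review bot: `domain_subj_id_change_exemption(chroot_user_t)` and `domain_role_change_exemption(chroot_user_t)` lift, for the chrooted SSH user domain, the constraints that normally block SELinux user and role changes, and the next hunk in the same file pairs them with an unconditional `unconfined_shell_domtrans(chroot_user_t)`. Together these let a chroot_user_t process reach an unconfined shell domain, which removes most of the confinement chroot_user_t exists to provide, and no bullet in the commit description mentions it. If a specific login flow needs the exemptions, a comment such as `# chroot_user_t changes identity/role during <flow> (bz#<bug id>)` with the real bug number should sit above them, and the unconfined transition should be gated by a tunable rather than granted whenever the unconfined module is present. The enclosing chroot_user_t policy block starts and ends outside the hunk.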
@@ -22777,6 +22780,10 @@ index cc877c7..bdb6d0e 100644
 +    ssh_rw_dgram_sockets(chroot_user_t)
 +')
 +
++optional_policy(`
++    unconfined_shell_domtrans(chroot_user_t)
++')
++
 +######################################
 +#
 +# ssh_agent_type common policy local policy
@@ -29913,7 +29920,7 @@ index 79a45f6..89b43aa 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..7c66e96 100644
+index 17eda24..84a3fcf 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -30034,7 +30041,7 @@ index 17eda24..7c66e96 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -108,14 +157,42 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +157,43 @@ allow init_t self:capability ~sys_module;
  
  allow init_t self:fifo_file rw_fifo_file_perms;
  
@@ -30072,6 +30079,7 @@ index 17eda24..7c66e96 100644
 +manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_fifo_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +files_pid_filetrans(init_t, init_var_run_t, { dir file })
 +allow init_t init_var_run_t:dir mounton;
 +allow init_t init_var_run_t:sock_file relabelto;
@@ -30083,7 +30091,7 @@ index 17eda24..7c66e96 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +202,22 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +203,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -30097,6 +30105,7 @@ index 17eda24..7c66e96 100644
 +corenet_tcp_bind_all_ports(init_t)
 +corenet_udp_bind_all_ports(init_t)
 +
++dev_create_all_chr_files(init_t)
 +dev_rw_sysfs(init_t)
 +dev_read_urand(init_t)
 +dev_read_raw_memory(init_t)
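Review bot: `dev_create_all_chr_files(init_t)` is a broad grant (creating character device nodes of every device type) that no bullet in the commit description accounts for, and the hunk carries no comment. A why-comment above it naming the node init actually has to create, e.g. `# systemd creates <device node> at boot (bz#<bug id>)`, would let a later reviewer narrow it to a specific dev_create_*_dev interface like the dev_create_null_dev/dev_create_zero_dev calls already used for initrc_t. The init_t block continues outside the hunk.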
@@ -30107,7 +30116,7 @@ index 17eda24..7c66e96 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +225,22 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +227,22 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
@@ -30130,7 +30139,7 @@ index 17eda24..7c66e96 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +250,53 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +252,53 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -30187,7 +30196,7 @@ index 17eda24..7c66e96 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +305,237 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +307,237 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -30434,7 +30443,7 @@ index 17eda24..7c66e96 100644
  ')
  
  optional_policy(`
-@@ -216,7 +543,31 @@ optional_policy(`
+@@ -216,7 +545,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30466,7 +30475,7 @@ index 17eda24..7c66e96 100644
  ')
  
  ########################################
-@@ -225,9 +576,9 @@ optional_policy(`
+@@ -225,9 +578,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30478,7 +30487,7 @@ index 17eda24..7c66e96 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +609,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +611,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -30495,7 +30504,7 @@ index 17eda24..7c66e96 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +634,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +636,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -30538,7 +30547,7 @@ index 17eda24..7c66e96 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +671,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +673,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -30550,7 +30559,7 @@ index 17eda24..7c66e96 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +683,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +685,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -30561,7 +30570,7 @@ index 17eda24..7c66e96 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +694,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +696,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -30571,7 +30580,7 @@ index 17eda24..7c66e96 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +703,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +705,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -30579,7 +30588,7 @@ index 17eda24..7c66e96 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +710,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +712,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -30587,7 +30596,7 @@ index 17eda24..7c66e96 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +718,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +720,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -30605,7 +30614,7 @@ index 17eda24..7c66e96 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +736,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +738,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -30619,7 +30628,7 @@ index 17eda24..7c66e96 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +751,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +753,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -30633,7 +30642,7 @@ index 17eda24..7c66e96 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +764,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +766,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -30644,7 +30653,7 @@ index 17eda24..7c66e96 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +777,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +779,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -30652,7 +30661,7 @@ index 17eda24..7c66e96 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +796,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +798,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -30676,7 +30685,7 @@ index 17eda24..7c66e96 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +829,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +831,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -30684,7 +30693,7 @@ index 17eda24..7c66e96 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +863,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +865,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -30695,7 +30704,7 @@ index 17eda24..7c66e96 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +887,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +889,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -30704,7 +30713,7 @@ index 17eda24..7c66e96 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +902,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +904,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -30712,7 +30721,7 @@ index 17eda24..7c66e96 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +923,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +925,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -30720,7 +30729,7 @@ index 17eda24..7c66e96 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +933,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +935,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -30765,7 +30774,7 @@ index 17eda24..7c66e96 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +978,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +980,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -30797,7 +30806,7 @@ index 17eda24..7c66e96 100644
  	')
  ')
  
-@@ -577,6 +1013,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1015,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -30837,7 +30846,7 @@ index 17eda24..7c66e96 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1058,8 @@ optional_policy(`
+@@ -589,6 +1060,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -30846,7 +30855,7 @@ index 17eda24..7c66e96 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1081,7 @@ optional_policy(`
+@@ -610,6 +1083,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -30854,7 +30863,7 @@ index 17eda24..7c66e96 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1098,17 @@ optional_policy(`
+@@ -626,6 +1100,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30872,7 +30881,7 @@ index 17eda24..7c66e96 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1125,13 @@ optional_policy(`
+@@ -642,9 +1127,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -30886,7 +30895,7 @@ index 17eda24..7c66e96 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1144,11 @@ optional_policy(`
+@@ -657,15 +1146,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30904,7 +30913,7 @@ index 17eda24..7c66e96 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1169,15 @@ optional_policy(`
+@@ -686,6 +1171,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30920,7 +30929,7 @@ index 17eda24..7c66e96 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1218,7 @@ optional_policy(`
+@@ -726,6 +1220,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -30928,7 +30937,7 @@ index 17eda24..7c66e96 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1236,13 @@ optional_policy(`
+@@ -743,7 +1238,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30943,7 +30952,7 @@ index 17eda24..7c66e96 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1265,10 @@ optional_policy(`
+@@ -766,6 +1267,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30954,7 +30963,7 @@ index 17eda24..7c66e96 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1278,20 @@ optional_policy(`
+@@ -775,10 +1280,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30975,7 +30984,7 @@ index 17eda24..7c66e96 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1300,10 @@ optional_policy(`
+@@ -787,6 +1302,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30986,7 +30995,7 @@ index 17eda24..7c66e96 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1325,6 @@ optional_policy(`
+@@ -808,8 +1327,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30995,7 +31004,7 @@ index 17eda24..7c66e96 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1333,10 @@ optional_policy(`
+@@ -818,6 +1335,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31006,7 +31015,7 @@ index 17eda24..7c66e96 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1346,12 @@ optional_policy(`
+@@ -827,10 +1348,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -31019,7 +31028,7 @@ index 17eda24..7c66e96 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1378,60 @@ optional_policy(`
+@@ -857,21 +1380,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31081,7 +31090,7 @@ index 17eda24..7c66e96 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1447,10 @@ optional_policy(`
+@@ -887,6 +1449,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31092,7 +31101,7 @@ index 17eda24..7c66e96 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1461,218 @@ optional_policy(`
+@@ -897,3 +1463,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -47757,7 +47766,7 @@ index e79d545..101086d 100644
  ')
  
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..018d0a6 100644
+index 6e91317..8fc985f 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -47819,16 +47828,18 @@ index 6e91317..018d0a6 100644
  define(`create_fifo_file_perms',`{ getattr create open }')
  define(`rename_fifo_file_perms',`{ getattr rename }')
  define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
+@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }')
  define(`setattr_sock_file_perms',`{ setattr }')
  define(`read_sock_file_perms',`{ getattr open read }')
  define(`write_sock_file_perms',`{ getattr write open append }')
 -define(`rw_sock_file_perms',`{ getattr open read write append }')
+-define(`create_sock_file_perms',`{ getattr create open }')
 +define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
 +define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
- define(`create_sock_file_perms',`{ getattr create open }')
++define(`create_sock_file_perms',`{ getattr setattr create open }')
  define(`rename_sock_file_perms',`{ getattr rename }')
  define(`delete_sock_file_perms',`{ getattr unlink }')
+ define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
 @@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
  define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
  define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
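Review bot: Adding `setattr` to `create_sock_file_perms` changes a shared permission set, so every domain that goes through create_sock_files_pattern gains the ability to change mode and ownership of the socket files it creates, not only the domain that motivated the commit. The fifo counterpart `create_fifo_file_perms` (context line `{ getattr create open }`) is left untouched, so the two sets now diverge. If the divergence is intended, a short comment above the new define, e.g. `# setattr: creators adjust mode/owner of sockets they create`, would record the reasoning; if it is not, the alternative is to grant setattr only in the specific domain that needs it rather than in the global set.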
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 78d8b8e..0c4c893 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -5037,7 +5037,7 @@ index f6eb485..61f36b6 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..2a768b5 100644
+index 6649962..df59f52 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@@ -6260,7 +6260,7 @@ index 6649962..2a768b5 100644
  ')
  
  optional_policy(`
-@@ -786,35 +944,55 @@ optional_policy(`
+@@ -786,35 +944,59 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6283,6 +6283,10 @@ index 6649962..2a768b5 100644
 -		ldap_tcp_connect(httpd_t)
 -	')
 +optional_policy(`
++    ipa_search_lib(httpd_t)
++')
++
++optional_policy(`
 +	mirrormanager_manage_pid_files(httpd_t)
 +	mirrormanager_read_lib_files(httpd_t)
 +	mirrormanager_read_log(httpd_t)
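Review bot: The added `ipa_search_lib(httpd_t)` block is indented with four spaces while the surrounding optional_policy bodies in this file use a tab (see the mirrormanager lines directly below); it should be `+	ipa_search_lib(httpd_t)`. It is also granted unconditionally, whereas the existing IPA access for httpd_t sits under `tunable_policy(`httpd_manage_ipa'`; since the commit message says this is intended "by default", a one-line comment stating that search access is deliberately outside the tunable would stop a later cleanup from folding it back in. The enclosing optional_policy chain continues outside the hunk.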
@@ -6329,7 +6333,7 @@ index 6649962..2a768b5 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1000,18 @@ optional_policy(`
+@@ -822,8 +1004,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6348,7 +6352,7 @@ index 6649962..2a768b5 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1020,7 @@ optional_policy(`
+@@ -832,6 +1024,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6356,7 +6360,7 @@ index 6649962..2a768b5 100644
  ')
  
  optional_policy(`
-@@ -842,20 +1031,40 @@ optional_policy(`
+@@ -842,20 +1035,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6391,19 +6395,19 @@ index 6649962..2a768b5 100644
 -	')
 +optional_policy(`
 +	puppet_read_lib(httpd_t)
++')
++
++optional_policy(`
++	pwauth_domtrans(httpd_t)
  ')
  
  optional_policy(`
 -	puppet_read_lib_files(httpd_t)
-+	pwauth_domtrans(httpd_t)
-+')
-+
-+optional_policy(`
 +	rpm_dontaudit_read_db(httpd_t)
  ')
  
  optional_policy(`
-@@ -863,19 +1072,35 @@ optional_policy(`
+@@ -863,19 +1076,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6439,7 +6443,7 @@ index 6649962..2a768b5 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -883,65 +1108,189 @@ optional_policy(`
+@@ -883,65 +1112,189 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6651,7 +6655,7 @@ index 6649962..2a768b5 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1299,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1303,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6806,7 +6810,7 @@ index 6649962..2a768b5 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1383,106 @@ optional_policy(`
+@@ -1083,172 +1387,106 @@ optional_policy(`
  	')
  ')
  
@@ -6826,13 +6830,13 @@ index 6649962..2a768b5 100644
  
 -allow httpd_script_domains self:fifo_file rw_file_perms;
 -allow httpd_script_domains self:unix_stream_socket connectto;
--
++allow httpd_sys_script_t self:process getsched;
+ 
 -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
 -
 -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-+allow httpd_sys_script_t self:process getsched;
- 
+-
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
 -
@@ -6978,10 +6982,10 @@ index 6649962..2a768b5 100644
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
+-
+-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 +corenet_all_recvfrom_netlabel(httpd_sys_script_t)
  
--allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
--
 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 -allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
 -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
@@ -7043,7 +7047,7 @@ index 6649962..2a768b5 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1490,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1494,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7140,7 +7144,7 @@ index 6649962..2a768b5 100644
  
  ########################################
  #
-@@ -1321,8 +1565,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1569,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7157,7 +7161,7 @@ index 6649962..2a768b5 100644
  ')
  
  ########################################
-@@ -1330,49 +1581,38 @@ optional_policy(`
+@@ -1330,49 +1585,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7222,7 +7226,7 @@ index 6649962..2a768b5 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1622,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1626,101 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -12207,6 +12211,264 @@ index e5b621c..e7c249d 100644
 -optional_policy(`
 -	mta_send_mail(chronyd_t)
 -')
+diff --git a/cinder.fc b/cinder.fc
+new file mode 100644
+index 0000000..4b318b7
+--- /dev/null
++++ b/cinder.fc
+@@ -0,0 +1,16 @@
++
++/usr/bin/cinder-api             --  gen_context(system_u:object_r:cinder_api_exec_t,s0)
++/usr/bin/cinder-backup          --  gen_context(system_u:object_r:cinder_backup_exec_t,s0)     
++/usr/bin/cinder-scheduler       --  gen_context(system_u:object_r:cinder_scheduler_exec_t,s0)
++/usr/bin/cinder-volume          --  gen_context(system_u:object_r:cinder_volume_exec_t,s0)
++
++/usr/lib/systemd/system/openstack-cinder-api.*		--	gen_context(system_u:object_r:cinder_api_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-cinder-backup.*	--	gen_context(system_u:object_r:cinder_backup_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-cinder-scheduler.*	--	gen_context(system_u:object_r:cinder_scheduler_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-cinder-volume.*		--	gen_context(system_u:object_r:cinder_volume_unit_file_t,s0)
++
++/var/lib/cinder(/.*)?     gen_context(system_u:object_r:cinder_var_lib_t,s0)
++
++/var/log/cinder(/.*)?     gen_context(system_u:object_r:cinder_log_t,s0)
++
++/var/run/cinder(/.*)?     gen_context(system_u:object_r:cinder_var_run_t,s0)
+diff --git a/cinder.if b/cinder.if
+new file mode 100644
+index 0000000..fc9cae7
+--- /dev/null
++++ b/cinder.if
+@@ -0,0 +1,57 @@
++## <summary>openstack-cinder</summary>
++
++######################################
++## <summary>
++##  Manage cinder lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`cinder_manage_lib_files',`
++    gen_require(`
++                type cinder_var_lib_t;
++                                ')
++
++    files_search_var_lib($1)
++    manage_files_pattern($1, cinder_var_lib_t, cinder_var_lib_t)
++')
++
++#######################################
++## <summary>
++##  Creates types and rules for a basic
++##  openstack-cinder systemd daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`cinder_domain_template',`
++	gen_require(`
++		attribute cinder_domain;
++	')
++
++	type cinder_$1_t, cinder_domain;
++	type cinder_$1_exec_t;
++	init_daemon_domain(cinder_$1_t, cinder_$1_exec_t)
++
++	type cinder_$1_unit_file_t;
++	systemd_unit_file(cinder_$1_unit_file_t)
++
++	type cinder_$1_tmp_t;
++	files_tmp_file(cinder_$1_tmp_t)
++
++	manage_dirs_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
++	manage_files_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
++	files_tmp_filetrans(cinder_$1_t, cinder_$1_tmp_t, { file dir })
++	can_exec(cinder_$1_t, cinder_$1_tmp_t)
++
++	kernel_read_system_state(cinder_$1_t)
++
++    logging_send_syslog_msg(cinder_$1_t)
++
++')
+diff --git a/cinder.te b/cinder.te
+new file mode 100644
+index 0000000..f257547
+--- /dev/null
++++ b/cinder.te
+@@ -0,0 +1,167 @@
++policy_module(cinder, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++#
++# cinder-stack daemons contain security issue with using sudo in the code
++# we make this policy as unconfined until this issue is fixed
++#
++
++attribute cinder_domain;
++
++cinder_domain_template(api)
++cinder_domain_template(backup)
++cinder_domain_template(scheduler)
++cinder_domain_template(volume)
++
++type cinder_log_t;
++logging_log_file(cinder_log_t)
++
++type cinder_var_lib_t;
++files_type(cinder_var_lib_t)
++
++type cinder_var_run_t;
++files_pid_file(cinder_var_run_t)
++
++######################################
++#
++# cinder general domain local policy
++#
++
++allow cinder_domain self:process signal_perms;
++allow cinder_domain self:fifo_file rw_fifo_file_perms;
++allow cinder_domain self:tcp_socket create_stream_socket_perms;
++allow cinder_domain self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(cinder_domain, cinder_log_t, cinder_log_t)
++manage_files_pattern(cinder_domain, cinder_log_t, cinder_log_t)
++
++manage_dirs_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
++manage_files_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
++
++manage_dirs_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
++manage_files_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
++
++corenet_tcp_connect_amqp_port(cinder_domain)
++corenet_tcp_connect_mysqld_port(cinder_domain)
++
++kernel_read_network_state(cinder_domain)
++
++corecmd_exec_bin(cinder_domain)
++corecmd_exec_shell(cinder_domain)
++corenet_tcp_connect_mysqld_port(cinder_domain)
++
++auth_read_passwd(cinder_domain)
++
++dev_read_sysfs(cinder_domain)
++dev_read_urand(cinder_domain)
++
++fs_getattr_xattr_fs(cinder_domain)
++
++init_read_utmp(cinder_domain)
++
++libs_exec_ldconfig(cinder_domain)
++
++optional_policy(`
++    mysql_stream_connect(cinder_domain)
++    mysql_read_db_lnk_files(cinder_domain)
++')
++
++optional_policy(`
++	sysnet_read_config(cinder_domain)
++	sysnet_exec_ifconfig(cinder_domain)
++')
++
++#######################################
++#
++# cinder api local policy
++#
++
++allow cinder_api_t self:process setfscreate;
++allow cinder_api_t self:key write;
++allow cinder_api_t self:netlink_route_socket r_netlink_socket_perms;
++allow cinder_api_t self:udp_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(cinder_api_t)
++
++corenet_tcp_bind_generic_node(cinder_api_t)
++corenet_udp_bind_generic_node(cinder_api_t)
++# should be add to booleans
++corenet_tcp_connect_all_ports(cinder_api_t)
++corenet_tcp_bind_all_unreserved_ports(cinder_api_t)
++
++auth_read_passwd(cinder_api_t)
++
++logging_send_syslog_msg(cinder_api_t)
++
++miscfiles_read_certs(cinder_api_t)
++
++optional_policy(`
++	iptables_domtrans(cinder_api_t)
++')
++
++optional_policy(`
++	ssh_exec_keygen(cinder_api_t)
++')
++
++optional_policy(`
++    gnome_dontaudit_search_config(cinder_api_t)
++')
++
++optional_policy(`
++	unconfined_domain(cinder_api_t)
++')
++
++#######################################
++#
++# cinder backup local policy
++#
++
++allow cinder_backup_t self:udp_socket create_socket_perms;
++
++auth_use_nsswitch(cinder_backup_t)
++
++optional_policy(`
++    unconfined_domain(cinder_backup_t)
++')
++
++#######################################
++#
++# cinder scheduler local policy
++#
++
++allow cinder_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
++allow cinder_scheduler_t self:udp_socket create_socket_perms;
++
++auth_read_passwd(cinder_scheduler_t)
++
++init_read_utmp(cinder_scheduler_t)
++
++optional_policy(`
++    unconfined_domain(cinder_scheduler_t)
++')
++
++#######################################
++#
++# cinder volume local policy
++#
++
++allow cinder_volume_t self:netlink_route_socket r_netlink_socket_perms;
++
++allow cinder_volume_t self:udp_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(cinder_volume_t)
++
++logging_send_syslog_msg(cinder_volume_t)
++
++optional_policy(`
++	lvm_domtrans(cinder_volume_t)
++')
++
++optional_policy(`
++    unconfined_domain(cinder_volume_t)
++')
++
 diff --git a/cipe.te b/cipe.te
 index a0aa693..af571ed 100644
 --- a/cipe.te
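Review bot: In cinder.te `corenet_tcp_connect_mysqld_port(cinder_domain)` is declared twice (after the amqp rule and again after corecmd_exec_shell), and `auth_read_passwd`, `init_read_utmp` and `logging_send_syslog_msg` are repeated for cinder_api_t, cinder_scheduler_t and cinder_volume_t although cinder_domain or cinder_domain_template already grants them; the duplicates should be dropped. Every cinder_*_t also receives `unconfined_domain`, which the header comment explains, so the fine-grained rules have no effect today; a comment near the template such as `# rules below describe the intended confined policy, kept for when unconfined_domain is removed` would make that explicit. The comment `# should be add to booleans` should read `# should be added to booleans`, and the oddly indented gen_require block in cinder_manage_lib_files plus the mix of tab and four-space indentation in both cinder.if and cinder.te should be normalised to the tab style the rest of the file uses.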
@@ -13768,7 +14030,7 @@ index 954309e..f4db2ca 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..36c3464 100644
+index 6471fa8..e6d320a 100644
 --- a/collectd.te
 +++ b/collectd.te
 @@ -26,18 +26,28 @@ files_type(collectd_var_lib_t)
@@ -13801,7 +14063,7 @@ index 6471fa8..36c3464 100644
  
  manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
  manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-@@ -46,23 +56,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+@@ -46,23 +56,29 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
  manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
  files_pid_filetrans(collectd_t, collectd_var_run_t, file)
  
@@ -13831,13 +14093,14 @@ index 6471fa8..36c3464 100644
 -files_read_usr_files(collectd_t)
  
  fs_getattr_all_fs(collectd_t)
++fs_getattr_all_dirs(collectd_t)
  
 -miscfiles_read_localization(collectd_t)
 +init_read_utmp(collectd_t)
  
  logging_send_syslog_msg(collectd_t)
  
-@@ -75,16 +90,31 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +91,31 @@ tunable_policy(`collectd_tcp_network_connect',`
  ')
  
  optional_policy(`
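Review bot: `fs_getattr_all_dirs(collectd_t)` grants more than the changelog item it implements ("getattr access to configfs_t dir"); if that interface resolves to the filesystem_type attribute, as its name suggests, collectd may now stat directories of every filesystem type rather than configfs alone. If only configfs is needed, a rule scoped to configfs_t would keep the grant minimal; otherwise add a why-comment explaining the wider scope, e.g. `# Bug 1115040: getattr on configfs_t (and other fs-type) dirs`. The collectd_t block continues outside the hunk.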
@@ -29074,11 +29337,31 @@ index 582db0a..d77a1a5 100644
  sysnet_read_config(gitosis_t)
  
  tunable_policy(`gitosis_can_sendmail',`
+diff --git a/glance.fc b/glance.fc
+index c21a528..a746a2b 100644
+--- a/glance.fc
++++ b/glance.fc
+@@ -1,8 +1,14 @@
+ /etc/rc\.d/init\.d/openstack-glance-api	--	gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/openstack-glance-registry	--	gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/openstack-glance-scrubber	--	gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0)
+ 
+-/usr/bin/glance-api	--	gen_context(system_u:object_r:glance_api_exec_t,s0)
++/usr/lib/systemd/system/openstack-glance-api.*              --  gen_context(system_u:object_r:glance_api_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-glance-registry.*         --  gen_context(system_u:object_r:glance_registry_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-glance-scrubber.*         --  gen_context(system_u:object_r:glance_scrubber_unit_file_t,s0)
++
++/usr/bin/glance-api	        --	gen_context(system_u:object_r:glance_api_exec_t,s0)
+ /usr/bin/glance-registry	--	gen_context(system_u:object_r:glance_registry_exec_t,s0)
++/usr/bin/glance-scrubber    --  gen_context(system_u:object_r:glance_scrubber_exec_t,s0)
+ 
+ /var/lib/glance(/.*)?	gen_context(system_u:object_r:glance_var_lib_t,s0)
+ 
 diff --git a/glance.if b/glance.if
-index 9eacb2c..229782f 100644
+index 9eacb2c..2f3fa34 100644
 --- a/glance.if
 +++ b/glance.if
-@@ -1,5 +1,30 @@
+@@ -1,5 +1,36 @@
  ## <summary>OpenStack image registry and delivery service.</summary>
  
 +#######################################
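Review bot: The `/usr/bin/glance-api` entry is deleted and re-added with only its column whitespace changed, which turns a labeling-neutral edit into diff noise and hides the real additions (the scrubber and unit-file contexts). Keeping the original line untouched, and aligning the three new `/usr/lib/systemd/system/openstack-glance-*` entries with the tabs the rest of the file uses, would make the hunk show only the new file contexts.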
@@ -29100,16 +29383,22 @@ index 9eacb2c..229782f 100644
 +	type $1_t, glance_domain;
 +	type $1_exec_t;
 +
++    type $1_unit_file_t;
++    systemd_unit_file($1_unit_file_t)
++
 +	kernel_read_system_state($1_t)
 +
 +	corenet_all_recvfrom_unlabeled($1_t)
 +	corenet_all_recvfrom_netlabel($1_t)
++
++    logging_send_syslog_msg($1_t)
++
 +')
 +
  ########################################
  ## <summary>
  ##	Execute a domain transition to
-@@ -26,9 +51,9 @@ interface(`glance_domtrans_registry',`
+@@ -26,9 +57,9 @@ interface(`glance_domtrans_registry',`
  ##	run glance api.
  ## </summary>
  ## <param name="domain">
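Review bot: The lines added to the template (`type $1_unit_file_t;`, `systemd_unit_file($1_unit_file_t)`, `logging_send_syslog_msg($1_t)`) are indented with four spaces while the surrounding template body uses tabs, so the block no longer reads uniformly; the same mixed indentation appears in the ipa_search_lib hunk, the neutron_manage_lib_files hunk, the nova conductor hunk and most optional_policy blocks of the quantum.te hunk. Converting the new lines to tabs keeps each file consistent with its existing style. The template body continues outside the hunk.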
@@ -29121,7 +29410,7 @@ index 9eacb2c..229782f 100644
  ## </param>
  #
  interface(`glance_domtrans_api',`
-@@ -242,8 +267,13 @@ interface(`glance_admin',`
+@@ -242,8 +273,13 @@ interface(`glance_admin',`
  		type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
  	')
  
@@ -29138,7 +29427,7 @@ index 9eacb2c..229782f 100644
  	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
  	domain_system_change_exemption($1)
 diff --git a/glance.te b/glance.te
-index 5cd0909..1464b4d 100644
+index 5cd0909..f07f415 100644
 --- a/glance.te
 +++ b/glance.te
 @@ -5,10 +5,16 @@ policy_module(glance, 1.1.0)
@@ -29160,7 +29449,7 @@ index 5cd0909..1464b4d 100644
  init_daemon_domain(glance_registry_t, glance_registry_exec_t)
  
  type glance_registry_initrc_exec_t;
-@@ -17,8 +23,10 @@ init_script_file(glance_registry_initrc_exec_t)
+@@ -17,13 +23,21 @@ init_script_file(glance_registry_initrc_exec_t)
  type glance_registry_tmp_t;
  files_tmp_file(glance_registry_tmp_t)
  
@@ -29173,7 +29462,18 @@ index 5cd0909..1464b4d 100644
  init_daemon_domain(glance_api_t, glance_api_exec_t)
  
  type glance_api_initrc_exec_t;
-@@ -41,6 +49,7 @@ files_pid_file(glance_var_run_t)
+ init_script_file(glance_api_initrc_exec_t)
+ 
++glance_basic_types_template(glance_scrubber)
++init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t)
++
++type glance_scrubber_initrc_exec_t;
++init_script_file(glance_scrubber_initrc_exec_t)
++
+ type glance_log_t;
+ logging_log_file(glance_log_t)
+ 
+@@ -41,6 +55,7 @@ files_pid_file(glance_var_run_t)
  # Common local policy
  #
  
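Review bot: `glance_scrubber_initrc_exec_t` is declared here, but `glance_admin` — visible as context in the later glance.if hunk — still requires and transitions only `glance_api_initrc_exec_t` and `glance_registry_initrc_exec_t`, so an administrative role cannot manage the new scrubber init script. Extend its gen_require and the `init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })` call with `glance_scrubber_initrc_exec_t`, and consider the same for `glance_scrubber_unit_file_t` if glance_admin handles unit files (the rest of that interface is outside the hunk).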
@@ -29181,7 +29481,7 @@ index 5cd0909..1464b4d 100644
  allow glance_domain self:fifo_file rw_fifo_file_perms;
  allow glance_domain self:unix_stream_socket create_stream_socket_perms;
  allow glance_domain self:tcp_socket { accept listen };
-@@ -56,29 +65,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,29 +71,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
  manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  
@@ -29228,7 +29528,7 @@ index 5cd0909..1464b4d 100644
  ########################################
  #
  # Registry local policy
-@@ -88,8 +106,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -88,8 +112,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
  manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
  files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
  
@@ -29243,7 +29543,7 @@ index 5cd0909..1464b4d 100644
  
  logging_send_syslog_msg(glance_registry_t)
  
-@@ -108,13 +132,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +138,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
  files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
  can_exec(glance_api_t, glance_tmp_t)
  
@@ -29453,10 +29753,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..c63f92f
+index 0000000..fbc6a67
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,200 @@
+@@ -0,0 +1,201 @@
 +policy_module(glusterfs, 1.1.2)
 +
 +## <desc>
@@ -29598,6 +29898,7 @@ index 0000000..c63f92f
 +corenet_sendrecv_all_client_packets(glusterd_t)
 +corenet_tcp_bind_all_unreserved_ports(glusterd_t)
 +corenet_tcp_connect_all_unreserved_ports(glusterd_t)
++corenet_tcp_connect_all_ephemeral_ports(glusterd_t)
 +corenet_tcp_connect_ssh_port(glusterd_t)
 +
 +dev_read_sysfs(glusterd_t)
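Review bot: `corenet_tcp_connect_all_ephemeral_ports(glusterd_t)` is added directly under `corenet_tcp_connect_all_unreserved_ports(glusterd_t)` with no comment, so a reader cannot tell whether the ephemeral range is disjoint from the unreserved port set or this is a redundant grant, nor which peer connection triggered it. Add a why-comment naming the use, e.g. `# glusterd connects back to peers on ephemeral ports (<bug id placeholder>)`. The glusterd_t block continues outside the hunk.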
@@ -34595,10 +34896,10 @@ index 0000000..48d7322
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..a2af18e
+index 0000000..123e906
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,76 @@
+@@ -0,0 +1,94 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@@ -34647,6 +34948,24 @@ index 0000000..a2af18e
 +##	</summary>
 +## </param>
 +#
++interface(`ipa_search_lib',`
++	gen_require(`
++		type ipa_var_lib_t;
++	')
++
++    search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Allow domain to manage ipa lib files/dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`ipa_manage_lib',`
 +	gen_require(`
 +		type ipa_var_lib_t;
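Review bot: The new `ipa_search_lib` interface is inserted between an existing documentation block and the `interface(`ipa_manage_lib',` line, so the pre-existing `<summary>` (its text is outside the hunk) now documents `ipa_search_lib` while a freshly added block documents `ipa_manage_lib`; confirm the inherited summary actually describes search access rather than manage access. `search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)` is also indented with spaces while the `gen_require` above it uses tabs.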
@@ -53359,16 +53678,17 @@ index 3a6b035..b9887c1 100644
  sysnet_read_config(ypxfr_t)
 diff --git a/nova.fc b/nova.fc
 new file mode 100644
-index 0000000..02dc6dc
+index 0000000..d6de5b6
 --- /dev/null
 +++ b/nova.fc
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,33 @@
 +
 +/usr/bin/nova-ajax-console-proxy	--	gen_context(system_u:object_r:nova_ajax_exec_t,s0)
 +/usr/bin/nova-console.*		--	gen_context(system_u:object_r:nova_console_exec_t,s0)
 +/usr/bin/nova-direct-api	--  gen_context(system_u:object_r:nova_direct_exec_t,s0)
 +/usr/bin/nova-api			--  gen_context(system_u:object_r:nova_api_exec_t,s0)
 +/usr/bin/nova-cert           --  gen_context(system_u:object_r:nova_cert_exec_t,s0)
++/usr/bin/nova-conductor     --  gen_context(system_u:object_r:nova_conductor_exec_t,s0)
 +/usr//bin/nova-api-metadata	--	gen_context(system_u:object_r:nova_api_exec_t,s0)
 +/usr/bin/nova-network       --  gen_context(system_u:object_r:nova_network_exec_t,s0)
 +/usr/bin/nova-objectstore       --  gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
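Review bot: The context line `/usr//bin/nova-api-metadata` has a doubled slash, so that file-context regex never matches the real `/usr/bin/nova-api-metadata` path and the binary keeps its default label; since this hunk already edits the adjacent entries, correcting it here to `/usr/bin/nova-api-metadata	--	gen_context(system_u:object_r:nova_api_exec_t,s0)` is cheap. The new nova-conductor entry also uses spaces where its neighbours use tabs.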
@@ -53460,10 +53780,10 @@ index 0000000..28936b4
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..87072c4
+index 0000000..271f4b6
 --- /dev/null
 +++ b/nova.te
-@@ -0,0 +1,318 @@
+@@ -0,0 +1,328 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@@ -53482,6 +53802,7 @@ index 0000000..87072c4
 +nova_domain_template(ajax)
 +nova_domain_template(api)
 +nova_domain_template(cert)
++nova_domain_template(conductor)
 +nova_domain_template(compute)
 +nova_domain_template(console)
 +nova_domain_template(direct)
@@ -53627,6 +53948,15 @@ index 0000000..87072c4
 +
 +#######################################
 +#
++# nova conductor local policy
++#
++
++optional_policy(`
++    unconfined_domain(nova_conductor_t)
++')
++
++#######################################
++#
 +# nova compute local policy
 +#
 +
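Review bot: The conductor section contains nothing but `optional_policy(` unconfined_domain(nova_conductor_t) ')`, so the domain has no rules of its own beyond what `nova_domain_template` provides (its body is outside the hunk): with the unconfined module loaded it is effectively unconfined, and without it the process will likely hit denials. Add a comment marking this as provisional, e.g. `# TODO: confine nova_conductor_t; relies on unconfined_domain() until AVC data is collected`, so the placeholder is not mistaken for finished policy.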
@@ -73678,10 +74008,10 @@ index 70ab68b..2a8e41b 100644
 +/var/log/neutron(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
 +/var/log/quantum(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
 diff --git a/quantum.if b/quantum.if
-index afc0068..3105104 100644
+index afc0068..97bbea4 100644
 --- a/quantum.if
 +++ b/quantum.if
-@@ -2,41 +2,293 @@
+@@ -2,41 +2,294 @@
  
  ########################################
  ## <summary>
@@ -73867,6 +74197,7 @@ index afc0068..3105104 100644
 -	allow $2 system_r;
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
++    manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
 +')
 +
 +########################################
@@ -73993,37 +74324,45 @@ index afc0068..3105104 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..ddc4c31 100644
+index 8644d8b..543bfbc 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -5,92 +5,146 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,165 @@ policy_module(quantum, 1.1.0)
  # Declarations
  #
  
 -type quantum_t;
 -type quantum_exec_t;
 -init_daemon_domain(quantum_t, quantum_exec_t)
-+type neutron_t alias quantum_t;
-+type neutron_exec_t alias quantum_exec_t;
-+init_daemon_domain(neutron_t, neutron_exec_t)
++## <desc>
++##  <p>
++##	Determine whether neutron can
++##	connect to all TCP ports
++##	</p>
++## </desc>
++gen_tunable(neutron_can_network, false)
  
 -type quantum_initrc_exec_t;
 -init_script_file(quantum_initrc_exec_t)
-+type neutron_initrc_exec_t alias quantum_initrc_exec_t;
-+init_script_file(neutron_initrc_exec_t)
++type neutron_t alias quantum_t;
++type neutron_exec_t alias quantum_exec_t;
++init_daemon_domain(neutron_t, neutron_exec_t)
  
 -type quantum_log_t;
 -logging_log_file(quantum_log_t)
-+type neutron_log_t alias quantum_log_t;
-+logging_log_file(neutron_log_t)
++type neutron_initrc_exec_t alias quantum_initrc_exec_t;
++init_script_file(neutron_initrc_exec_t)
  
 -type quantum_tmp_t;
 -files_tmp_file(quantum_tmp_t)
-+type neutron_tmp_t alias quantum_tmp_t;
-+files_tmp_file(neutron_tmp_t)
++type neutron_log_t alias quantum_log_t;
++logging_log_file(neutron_log_t)
  
 -type quantum_var_lib_t;
 -files_type(quantum_var_lib_t)
++type neutron_tmp_t alias quantum_tmp_t;
++files_tmp_file(neutron_tmp_t)
++
 +type neutron_var_lib_t alias quantum_var_lib_t;
 +files_type(neutron_var_lib_t)
 +
@@ -74041,6 +74380,41 @@ index 8644d8b..ddc4c31 100644
 -allow quantum_t self:key manage_key_perms;
 -allow quantum_t self:tcp_socket { accept listen };
 -allow quantum_t self:unix_stream_socket { accept listen };
+-
+-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-logging_log_filetrans(quantum_t, quantum_log_t, dir)
+-
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+-
+-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+-
+-can_exec(quantum_t, quantum_tmp_t)
+-
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
+-
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
+-
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
+-
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
+-
+-files_read_usr_files(quantum_t)
+-
+-auth_use_nsswitch(quantum_t)
 +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
 +allow neutron_t self:capability2 block_suspend;
 +allow neutron_t self:process { setsched setrlimit setcap signal_perms };
@@ -74058,141 +74432,127 @@ index 8644d8b..ddc4c31 100644
 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +logging_log_filetrans(neutron_t, neutron_log_t, dir)
- 
--manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
--append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--logging_log_filetrans(quantum_t, quantum_log_t, dir)
++
 +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
- 
--manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
--files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++
 +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
- 
--manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
++
 +can_exec(neutron_t, neutron_tmp_t)
- 
--can_exec(quantum_t, quantum_tmp_t)
++
 +kernel_rw_kernel_sysctl(neutron_t)
 +kernel_rw_net_sysctls(neutron_t)
 +kernel_read_system_state(neutron_t)
 +kernel_read_network_state(neutron_t)
 +kernel_request_load_module(neutron_t)
- 
--kernel_read_kernel_sysctls(quantum_t)
--kernel_read_system_state(quantum_t)
++
 +corecmd_exec_shell(neutron_t)
 +corecmd_exec_bin(neutron_t)
- 
--corecmd_exec_shell(quantum_t)
--corecmd_exec_bin(quantum_t)
++
 +corenet_all_recvfrom_unlabeled(neutron_t)
 +corenet_all_recvfrom_netlabel(neutron_t)
 +corenet_tcp_sendrecv_generic_if(neutron_t)
 +corenet_tcp_sendrecv_generic_node(neutron_t)
 +corenet_tcp_sendrecv_all_ports(neutron_t)
 +corenet_tcp_bind_generic_node(neutron_t)
- 
--corenet_all_recvfrom_unlabeled(quantum_t)
--corenet_all_recvfrom_netlabel(quantum_t)
--corenet_tcp_sendrecv_generic_if(quantum_t)
--corenet_tcp_sendrecv_generic_node(quantum_t)
--corenet_tcp_sendrecv_all_ports(quantum_t)
--corenet_tcp_bind_generic_node(quantum_t)
++
 +corenet_tcp_bind_neutron_port(neutron_t)
++corenet_tcp_connect_neutron_port(neutron_t)
 +corenet_tcp_connect_keystone_port(neutron_t)
 +corenet_tcp_connect_amqp_port(neutron_t)
 +corenet_tcp_connect_mysqld_port(neutron_t)
 +corenet_tcp_connect_osapi_compute_port(neutron_t)
- 
--dev_list_sysfs(quantum_t)
--dev_read_urand(quantum_t)
++
 +domain_read_all_domains_state(neutron_t)
 +domain_named_filetrans(neutron_t)
- 
--files_read_usr_files(quantum_t)
++
 +dev_read_sysfs(neutron_t)
 +dev_read_urand(neutron_t)
 +dev_mounton_sysfs(neutron_t)
 +dev_mount_sysfs_fs(neutron_t)
 +dev_unmount_sysfs_fs(neutron_t)
- 
--auth_use_nsswitch(quantum_t)
++
 +files_mounton_non_security(neutron_t)
- 
--libs_exec_ldconfig(quantum_t)
++
 +auth_use_nsswitch(neutron_t)
- 
--logging_send_audit_msgs(quantum_t)
--logging_send_syslog_msg(quantum_t)
++
 +libs_exec_ldconfig(neutron_t)
- 
--miscfiles_read_localization(quantum_t)
++
 +logging_send_audit_msgs(neutron_t)
 +logging_send_syslog_msg(neutron_t)
- 
--sysnet_domtrans_ifconfig(quantum_t)
++
 +netutils_exec(neutron_t)
 +
 +# need to stay in neutron
 +sysnet_exec_ifconfig(neutron_t)
 +sysnet_manage_ifconfig_run(neutron_t)
 +sysnet_filetrans_named_content_ifconfig(neutron_t)
++
++tunable_policy(`neutron_can_network',`
++	corenet_sendrecv_all_client_packets(neutron_t)
++	corenet_tcp_connect_all_ports(neutron_t)
++	corenet_tcp_sendrecv_all_ports(neutron_t)
++')
  
- optional_policy(`
--	brctl_domtrans(quantum_t)
+-libs_exec_ldconfig(quantum_t)
++optional_policy(`
 +	brctl_domtrans(neutron_t)
- ')
++')
  
- optional_policy(`
--	mysql_stream_connect(quantum_t)
--	mysql_read_config(quantum_t)
+-logging_send_audit_msgs(quantum_t)
+-logging_send_syslog_msg(quantum_t)
++optional_policy(`
 +    dnsmasq_domtrans(neutron_t)
 +    dnsmasq_signal(neutron_t)
 +    dnsmasq_read_state(neutron_t)
 +')
  
--	mysql_tcp_connect(quantum_t)
+-miscfiles_read_localization(quantum_t)
++optional_policy(`
++    rhcs_domtrans_haproxy(neutron_t)
++')
+ 
+-sysnet_domtrans_ifconfig(quantum_t)
 +optional_policy(`
 +    iptables_domtrans(neutron_t)
- ')
++')
  
  optional_policy(`
--	postgresql_stream_connect(quantum_t)
--	postgresql_unpriv_client(quantum_t)
+-	brctl_domtrans(quantum_t)
 +    modutils_domtrans_insmod(neutron_t)
-+')
+ ')
  
--	postgresql_tcp_connect(quantum_t)
-+optional_policy(`
+ optional_policy(`
+-	mysql_stream_connect(quantum_t)
+-	mysql_read_config(quantum_t)
 +	mysql_stream_connect(neutron_t)
 +    mysql_read_db_lnk_files(neutron_t)
 +	mysql_read_config(neutron_t)
 +	mysql_tcp_connect(neutron_t)
- ')
-+
++')
+ 
+-	mysql_tcp_connect(quantum_t)
 +optional_policy(`
 +	postgresql_stream_connect(neutron_t)
 +	postgresql_unpriv_client(neutron_t)
 +	postgresql_tcp_connect(neutron_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	postgresql_stream_connect(quantum_t)
+-	postgresql_unpriv_client(quantum_t)
 +    openvswitch_domtrans(neutron_t)
 +    openvswitch_stream_connect(neutron_t)
 +')
-+
+ 
+-	postgresql_tcp_connect(quantum_t)
 +optional_policy(`
 +	sudo_exec(neutron_t)
-+')
+ ')
 +
 +optional_policy(`
 +    udev_domtrans(neutron_t)
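Review bot: Inside the new `tunable_policy(`neutron_can_network',` block, `corenet_tcp_sendrecv_all_ports(neutron_t)` duplicates the unconditional grant of the same interface earlier in this hunk, so toggling the boolean does not change that permission; drop the line from the tunable, or remove the unconditional one if the intent is to gate it. The boolean's description in the declarations hunk says only "connect to all TCP ports", while this block additionally grants `corenet_sendrecv_all_client_packets(neutron_t)`, so the desc text should mention client packets as well.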
@@ -74789,18 +75149,20 @@ index dc3b0ed..20f9ced 100644
  
 -miscfiles_read_localization(rabbitmq_epmd_t)
 diff --git a/radius.fc b/radius.fc
-index d447e85..008ee02 100644
+index d447e85..76ed794 100644
 --- a/radius.fc
 +++ b/radius.fc
-@@ -9,6 +9,8 @@
+@@ -9,7 +9,9 @@
  /usr/sbin/radiusd	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
  /usr/sbin/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
  
+-/var/lib/radiousd(/.*)?	gen_context(system_u:object_r:radiusd_var_lib_t,s0)
 +/usr/lib/systemd/system/radiusd.* --  gen_context(system_u:object_r:radiusd_unit_file_t,s0)
 +
- /var/lib/radiousd(/.*)?	gen_context(system_u:object_r:radiusd_var_lib_t,s0)
++/var/lib/radiusd(/.*)?	gen_context(system_u:object_r:radiusd_var_lib_t,s0)
  
  /var/log/freeradius(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
+ /var/log/radacct(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
 diff --git a/radius.if b/radius.if
 index 4460582..60cf556 100644
 --- a/radius.if
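Review bot: The `/var/lib/radiousd` → `/var/lib/radiusd` correction changes which on-disk directory receives `radiusd_var_lib_t` (the old regex could never match the real path), yet neither the commit message nor the spec changelog lists it; add an entry such as `- Fix /var/lib/radiusd labeling in radius.fc` so the relabel is discoverable.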
@@ -77737,7 +78099,7 @@ index 47de2d6..5ad36aa 100644
 +/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/pcsd(/.*)?     gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index c8bdea2..1337d42 100644
+index c8bdea2..abc53b9 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
@@ -77912,8 +78274,29 @@ index c8bdea2..1337d42 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -223,8 +214,7 @@ interface(`rhcs_stream_connect_fenced',`
+@@ -221,10 +212,28 @@ interface(`rhcs_stream_connect_fenced',`
+ 	stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
+ ')
  
++######################################
++## <summary>
++##	Execute a domain transition to run fenced.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`rhcs_domtrans_haproxy',`
++	gen_require(`
++		type haproxy_t, haproxy_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, haproxy_exec_t, haproxy_t)
++')
++
  #####################################
  ## <summary>
 -##	Execute a domain transition
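Review bot: The `<summary>` of the new `rhcs_domtrans_haproxy` interface says "Execute a domain transition to run fenced.", a copy-paste from the fenced interface above; it should read `##	Execute a domain transition to run haproxy.`. The generated interface documentation would otherwise mislabel the haproxy transition.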
@@ -77922,7 +78305,7 @@ index c8bdea2..1337d42 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -243,7 +233,7 @@ interface(`rhcs_domtrans_gfs_controld',`
+@@ -243,7 +252,7 @@ interface(`rhcs_domtrans_gfs_controld',`
  
  ####################################
  ## <summary>
@@ -77931,7 +78314,7 @@ index c8bdea2..1337d42 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -264,7 +254,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
+@@ -264,7 +273,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
  
  ########################################
  ## <summary>
@@ -77940,7 +78323,7 @@ index c8bdea2..1337d42 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -285,8 +275,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+@@ -285,8 +294,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
  
  #####################################
  ## <summary>
@@ -77950,7 +78333,7 @@ index c8bdea2..1337d42 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -324,8 +313,8 @@ interface(`rhcs_domtrans_groupd',`
+@@ -324,8 +332,8 @@ interface(`rhcs_domtrans_groupd',`
  
  #####################################
  ## <summary>
@@ -77961,7 +78344,7 @@ index c8bdea2..1337d42 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -342,10 +331,51 @@ interface(`rhcs_stream_connect_groupd',`
+@@ -342,10 +350,51 @@ interface(`rhcs_stream_connect_groupd',`
  	stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
  ')
  
@@ -78015,7 +78398,7 @@ index c8bdea2..1337d42 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -366,8 +396,7 @@ interface(`rhcs_rw_cluster_shm',`
+@@ -366,8 +415,7 @@ interface(`rhcs_rw_cluster_shm',`
  
  ####################################
  ## <summary>
@@ -78025,7 +78408,7 @@ index c8bdea2..1337d42 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -383,9 +412,10 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -383,9 +431,10 @@ interface(`rhcs_rw_cluster_semaphores',`
  	allow $1 cluster_domain:sem { rw_sem_perms destroy };
  ')
  
@@ -78038,7 +78421,7 @@ index c8bdea2..1337d42 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -393,20 +423,44 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -393,20 +442,44 @@ interface(`rhcs_rw_cluster_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -78089,7 +78472,7 @@ index c8bdea2..1337d42 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -414,15 +468,12 @@ interface(`rhcs_rw_groupd_semaphores',`
+@@ -414,15 +487,12 @@ interface(`rhcs_rw_groupd_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -78108,7 +78491,7 @@ index c8bdea2..1337d42 100644
  ')
  
  ######################################
-@@ -446,52 +497,361 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +516,361 @@ interface(`rhcs_domtrans_qdiskd',`
  
  ########################################
  ## <summary>
@@ -78159,11 +78542,7 @@ index c8bdea2..1337d42 100644
 +	files_search_var_lib($1)
 +	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
- 
--	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
--	domain_system_change_exemption($1)
--	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
--	allow $2 system_r;
++
 +#####################################
 +## <summary>
 +##  Allow domain to manage cluster lib files
@@ -78178,15 +78557,15 @@ index c8bdea2..1337d42 100644
 +    gen_require(`
 +        type cluster_var_lib_t;
 +    ')
- 
--	files_search_pids($1)
--	admin_pattern($1, cluster_pid)
++
 +    files_search_var_lib($1)
 +    manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
  
--	files_search_locks($1)
--	admin_pattern($1, fenced_lock_t)
+-	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+-	domain_system_change_exemption($1)
+-	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+-	allow $2 system_r;
 +####################################
 +## <summary>
 +##  Allow domain to relabel cluster lib files
@@ -78207,8 +78586,8 @@ index c8bdea2..1337d42 100644
 +	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
  
--	files_search_tmp($1)
--	admin_pattern($1, fenced_tmp_t)
+-	files_search_pids($1)
+-	admin_pattern($1, cluster_pid)
 +######################################
 +## <summary>
 +##  Execute a domain transition to run cluster administrative domain.
@@ -78224,14 +78603,14 @@ index c8bdea2..1337d42 100644
 +        type cluster_t, cluster_exec_t;
 +    ')
  
--	files_search_var_lib($1)
--	admin_pattern($1, qdiskd_var_lib_t)
+-	files_search_locks($1)
+-	admin_pattern($1, fenced_lock_t)
 +    corecmd_search_bin($1)
 +    domtrans_pattern($1, cluster_exec_t, cluster_t)
 +')
  
--	fs_search_tmpfs($1)
--	admin_pattern($1, cluster_tmpfs)
+-	files_search_tmp($1)
+-	admin_pattern($1, fenced_tmp_t)
 +#######################################
 +## <summary>
 +##  Execute cluster init scripts in
@@ -78247,10 +78626,14 @@ index c8bdea2..1337d42 100644
 +    gen_require(`
 +        type cluster_initrc_exec_t;
 +    ')
-+
+ 
+-	files_search_var_lib($1)
+-	admin_pattern($1, qdiskd_var_lib_t)
 +    init_labeled_script_domtrans($1, cluster_initrc_exec_t)
 +')
-+
+ 
+-	fs_search_tmpfs($1)
+-	admin_pattern($1, cluster_tmpfs)
 +#####################################
 +## <summary>
 +##  Execute cluster in the caller domain.
@@ -94552,10 +94935,10 @@ index 49d688d..f07cc80 100644
  sysnet_dns_name_resolve(svnserve_t)
 diff --git a/swift.fc b/swift.fc
 new file mode 100644
-index 0000000..b07d112
+index 0000000..7e59e7e
 --- /dev/null
 +++ b/swift.fc
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,33 @@
 +/usr/bin/swift-account-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-reaper		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-replicator	--	gen_context(system_u:object_r:swift_exec_t,s0)
@@ -94569,6 +94952,7 @@ index 0000000..b07d112
 +
 +/usr/bin/swift-object-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-object-info		--	gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-object-expirer   --  gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-object-replicator		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-object-server		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-object-updater		--	gen_context(system_u:object_r:swift_exec_t,s0)
@@ -94751,10 +95135,10 @@ index 0000000..6a1f575
 +')
 diff --git a/swift.te b/swift.te
 new file mode 100644
-index 0000000..3d21c49
+index 0000000..43a0495
 --- /dev/null
 +++ b/swift.te
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,128 @@
 +policy_module(swift, 1.0.0)
 +
 +########################################
@@ -94847,6 +95231,8 @@ index 0000000..3d21c49
 +
 +corenet_tcp_connect_xserver_port(swift_t)
 +corenet_tcp_connect_swift_port(swift_t)
++corenet_tcp_connect_keystone_port(swift_t)
++corenet_tcp_connect_memcache_port(swift_t)
 +
 +corecmd_exec_shell(swift_t)
 +corecmd_exec_bin(swift_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 86a801c..2c877f6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 62%{?dist}
+Release: 63%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -600,6 +600,29 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jul 4 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-63
+- If I can create a socket I need to be able to set the attributes
+- Add tcp/8775 port as neutron port
+- Add additional ports for swift ports
+- Added changes to fedora from bug bz#1082183
+- Add support for tcp/6200 port
+- Allow collectd getattr access to configfs_t dir Fixes Bug 1115040
+- Update neutron_manage_lib_files() interface
+- Allow glustered to connect to ephemeral ports
+- Allow apache to search ipa lib files by default
+- Allow neutron to domtrans to haproxy
+- Add rhcs_domtrans_haproxy()
+- Add support for openstack-glance-* unit files
+- Add initial support for /usr/bin/glance-scrubber
+- Allow swift to connect to keystone and memcache ports.
+- Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup
+- Add policies for openstack-cinder
+- Add support for /usr/bin/nova-conductor
+- Add neutron_can_network boolean
+- Allow neutron to connet to neutron port
+- Allow glance domain to use syslog
+- Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
+
 * Wed Jun 25 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-62
 - Allow swift to use tcp/6200 swift port
 - ALlow swift to search apache configs

