[selinux-policy] - Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unrese

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jul 31 18:55:13 UTC 2014


commit 540429c2f10af846131df9ec9ac0b0403c8fb30f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Jul 31 20:52:26 2014 +0200

    - Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There are a lot of plugins which bind ports without an SELinux port type. We want to allow user
    - Allow smokeping cgi scripts to accept connection on httpd stream socket.
    - docker does a getattr on all file systems
    - Label all abrt-dump programs
    - Allow alsa to create lock file to see if it fixes.
    - Add support for zabbix external scripts for which the zabbix_script_t domain has been created. This domain is unconfined by default and the user needs to run "semodule -d unconfined" to make system running with
    - Add interface for journalctl_exec
    - Add labels also for glusterd sockets.
    - Change virt.te to match default docker capabilities
    - Add additional booleans for turning on mknod or all caps.
    - Also add interface to allow users to write policy that matches docker defaults for capabilities.
    - Label dhcpd6 unit file.
    - Add support also for dhcp IPv6 services.
    - Added support for dhcrelay service
    - Additional access for bluejeans
    - docker needs more access, need back port to RHEL7
    - Allow mdadm to connect to own socket created by mdadm running as kernel_t.
    - Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
    - Allow bacula to manage bacula_log_t dirs
    - Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t
    - Fix mistakes keystone and quantum
    - Label neutron var run dir
    - Label keystone var run dir
    - Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
    - Dontaudit attempts to access check cert dirs/files for sssd.
    - Allow sensord to send a signal.
    - Allow certmonger to stream connect to dirsrv to make ipa-server-install working.
    - Label zabbix_var_lib_t directories
    - Label conmans pid file as conman_var_run_t
    - Label also /var/run/glusterd.socket file as gluster_var_run_t
    - Fix policy for pkcsslotd from opencryptoki
    - Update cockpit policy from cockpit upstream.
    - Allow certmonger to exec ldconfig to make ipa-server-install working.
    - Added support for Naemon policy
    - Allow keepalived to manage snmp files
    - Add setpgid process to mip6d
    - remove duplicate rule
    - Allow postfix_smtpd to stream connect to antivirus
    - Dontaudit list /tmp for icecast
    - Allow zabbix domains to access /proc//net/dev.
    
    Conflicts:
    	selinux-policy.spec

 policy-rawhide-base.patch    |  213 +++++++------
 policy-rawhide-contrib.patch |  748 ++++++++++++++++++++++++++++--------------
 selinux-policy.spec          |   47 +++-
 3 files changed, 657 insertions(+), 351 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e5d0790..53b2a80 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9321,7 +9321,7 @@ index cf04cb5..32d58ca 100644
 +	unconfined_server_stream_connect(domain)
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..0f99fae 100644
+index b876c48..d8cdd96 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9486,7 +9486,7 @@ index b876c48..0f99fae 100644
  /tmp/.*				<<none>>
  /tmp/\.journal			<<none>>
  
-@@ -194,9 +208,10 @@ ifdef(`distro_debian',`
+@@ -194,9 +208,11 @@ ifdef(`distro_debian',`
  #
  # /usr
  #
@@ -9495,10 +9495,11 @@ index b876c48..0f99fae 100644
  /usr/.*				gen_context(system_u:object_r:usr_t,s0)
  /usr/\.journal			<<none>>
 +/export(/.*)?			gen_context(system_u:object_r:usr_t,s0)
++/ostree(/.*)?           gen_context(system_u:object_r:usr_t,s0)
  
  /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -204,15 +219,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +220,9 @@ ifdef(`distro_debian',`
  
  /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
  
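Review bot: the new `/ostree(/.*)?` entry is padded with spaces before `gen_context` where the neighbouring entries (`/export(/.*)?`, `/usr/\.journal`) use tabs; align it with tabs to match the rest of files.fc. The /ostree labelling is also missing from the commit message bullets entirely, so add one, ideally saying why the deployment tree gets the generic `usr_t` type rather than a type of its own, since every domain allowed to manage `usr_t` content can then write under /ostree as well.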
@@ -9515,7 +9516,7 @@ index b876c48..0f99fae 100644
  
  /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -220,8 +229,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +230,6 @@ ifdef(`distro_debian',`
  /usr/tmp/.*			<<none>>
  
  ifndef(`distro_redhat',`
@@ -9524,7 +9525,7 @@ index b876c48..0f99fae 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -229,7 +236,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +237,7 @@ ifndef(`distro_redhat',`
  #
  # /var
  #
@@ -9533,7 +9534,7 @@ index b876c48..0f99fae 100644
  /var/.*				gen_context(system_u:object_r:var_t,s0)
  /var/\.journal			<<none>>
  
-@@ -237,11 +244,25 @@ ifndef(`distro_redhat',`
+@@ -237,11 +245,25 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -9560,7 +9561,7 @@ index b876c48..0f99fae 100644
  
  /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/log/lost\+found/.*		<<none>>
-@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +278,14 @@ ifndef(`distro_redhat',`
  /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
@@ -9575,14 +9576,14 @@ index b876c48..0f99fae 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -271,3 +294,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +295,5 @@ ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..1f7b192 100644
+index f962f76..d12f46e 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -15299,7 +15300,7 @@ index f962f76..1f7b192 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6386,132 +8439,206 @@ interface(`files_search_spool',`
+@@ -6386,132 +8439,207 @@ interface(`files_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -15400,6 +15401,7 @@ index f962f76..1f7b192 100644
 +	files_root_filetrans($1, mnt_t, dir, "net")
 +	files_root_filetrans($1, usr_t, dir, "export")
 +	files_root_filetrans($1, usr_t, dir, "opt")
++	files_root_filetrans($1, usr_t, dir, "ostree")
 +	files_root_filetrans($1, usr_t, dir, "emul")
 +	files_root_filetrans($1, var_t, dir, "srv")
 +	files_root_filetrans($1, var_run_t, dir, "run")
@@ -15557,7 +15559,7 @@ index f962f76..1f7b192 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6519,53 +8646,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8647,17 @@ interface(`files_spool_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -15615,7 +15617,7 @@ index f962f76..1f7b192 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6573,10 +8664,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8665,10 @@ interface(`files_polyinstantiate_all',`
  ##	</summary>
  ## </param>
  #
@@ -20999,10 +21001,10 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..45ee29f 100644
+index 0fef1fc..75442d6 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,71 @@ policy_module(staff, 2.4.0)
+@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
@@ -21035,6 +21037,7 @@ index 0fef1fc..45ee29f 100644
 +dev_read_kmsg(staff_t)
 +
 +domain_read_all_domains_state(staff_t)
++domain_getcap_all_domains(staff_t)
 +domain_getsched_all_domains(staff_t)
 +domain_getattr_all_domains(staff_t)
 +domain_obj_id_change_exemption(staff_t)
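Review bot: `domain_getcap_all_domains(staff_t)` is a new cross-domain grant to a confined user role and is not listed in the commit message; add a bullet naming the tool or denial that motivates it. It sits next to `domain_getsched_all_domains(staff_t)` and `domain_getattr_all_domains(staff_t)`, so the pattern is consistent, but reading the capabilities of every domain from staff_t should be recorded in the changelog rather than arrive only as a renumbered hunk.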
@@ -21074,7 +21077,7 @@ index 0fef1fc..45ee29f 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +82,115 @@ optional_policy(`
+@@ -23,11 +83,115 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21191,7 +21194,7 @@ index 0fef1fc..45ee29f 100644
  ')
  
  optional_policy(`
-@@ -35,15 +198,31 @@ optional_policy(`
+@@ -35,15 +199,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21225,7 +21228,7 @@ index 0fef1fc..45ee29f 100644
  ')
  
  optional_policy(`
-@@ -52,11 +231,60 @@ optional_policy(`
+@@ -52,11 +232,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21287,7 +21290,7 @@ index 0fef1fc..45ee29f 100644
  ')
  
  ifndef(`distro_redhat',`
-@@ -65,10 +293,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +294,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21298,7 +21301,7 @@ index 0fef1fc..45ee29f 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -78,10 +302,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +303,6 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		dbus_role_template(staff, staff_r, staff_t)
@@ -21309,7 +21312,7 @@ index 0fef1fc..45ee29f 100644
  	')
  
  	optional_policy(`
-@@ -101,10 +321,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +322,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21320,7 +21323,7 @@ index 0fef1fc..45ee29f 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +341,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +342,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21331,7 +21334,7 @@ index 0fef1fc..45ee29f 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +353,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +354,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21342,7 +21345,7 @@ index 0fef1fc..45ee29f 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +384,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +385,22 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -21394,7 +21397,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..d58ced2 100644
+index 2522ca6..4786c5e 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,86 @@ policy_module(sysadm, 2.6.1)
@@ -21547,7 +21550,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -122,11 +170,25 @@ optional_policy(`
+@@ -122,11 +170,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21567,6 +21570,8 @@ index 2522ca6..d58ced2 100644
 +optional_policy(`
 +	dbus_role_template(sysadm, sysadm_r, sysadm_t)
 +
++	dontaudit sysadm_dbusd_t self:capability net_admin;
++
 +    optional_policy(`
 +        systemd_dbus_chat_timedated(sysadm_t)
 +        systemd_dbus_chat_hostnamed(sysadm_t)
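Review bot: `dontaudit sysadm_dbusd_t self:capability net_admin;` is indented with a tab while the nested `optional_policy` block directly below it uses four spaces; pick one (the rest of sysadm.te uses tabs). A bare dontaudit also hides its cause: add a one-line comment saying what in the sysadm D-Bus daemon asks for CAP_NET_ADMIN, so a later reader can tell this is a harmless probe and not a missing allow. The change is not in the commit message either.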
@@ -21575,7 +21580,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -140,6 +202,10 @@ optional_policy(`
+@@ -140,6 +204,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21586,7 +21591,7 @@ index 2522ca6..d58ced2 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,6 +222,10 @@ optional_policy(`
+@@ -156,6 +224,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21597,7 +21602,7 @@ index 2522ca6..d58ced2 100644
  	fstools_run(sysadm_t, sysadm_r)
  ')
  
-@@ -175,6 +245,13 @@ optional_policy(`
+@@ -175,6 +247,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -21611,7 +21616,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -182,15 +259,20 @@ optional_policy(`
+@@ -182,15 +261,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21635,7 +21640,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -210,22 +292,20 @@ optional_policy(`
+@@ -210,22 +294,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -21664,7 +21669,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -237,14 +317,27 @@ optional_policy(`
+@@ -237,14 +319,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21692,7 +21697,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -252,10 +345,20 @@ optional_policy(`
+@@ -252,10 +347,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21713,7 +21718,7 @@ index 2522ca6..d58ced2 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +369,41 @@ optional_policy(`
+@@ -266,35 +371,41 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21762,7 +21767,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -308,6 +417,7 @@ optional_policy(`
+@@ -308,6 +419,7 @@ optional_policy(`
  
  optional_policy(`
  	screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -21770,7 +21775,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -315,12 +425,20 @@ optional_policy(`
+@@ -315,12 +427,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21792,7 +21797,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -345,7 +463,18 @@ optional_policy(`
+@@ -345,7 +465,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21812,7 +21817,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -356,19 +485,11 @@ optional_policy(`
+@@ -356,19 +487,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21833,7 +21838,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -380,10 +501,6 @@ optional_policy(`
+@@ -380,10 +503,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21844,7 +21849,7 @@ index 2522ca6..d58ced2 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +508,9 @@ optional_policy(`
+@@ -391,6 +510,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -21854,7 +21859,7 @@ index 2522ca6..d58ced2 100644
  ')
  
  optional_policy(`
-@@ -398,31 +518,34 @@ optional_policy(`
+@@ -398,31 +520,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21895,7 +21900,7 @@ index 2522ca6..d58ced2 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -435,10 +558,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +560,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21906,7 +21911,7 @@ index 2522ca6..d58ced2 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -459,15 +578,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +580,79 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22693,7 +22698,7 @@ index 0000000..b1163a6
 +')
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..13a745c
+index 0000000..45aab67
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,339 @@
@@ -22892,10 +22897,10 @@ index 0000000..13a745c
 +
 +optional_policy(`
 +	dbus_role_template(unconfined, unconfined_r, unconfined_t)
-+    role system_r types unconfined_dbusd_t;
++	role system_r types unconfined_dbusd_t;
 +
 +	optional_policy(`
-+		unconfined_domain(unconfined_dbusd_t)
++		unconfined_domain_noaudit(unconfined_dbusd_t)
 +
 +		optional_policy(`
 +			xserver_rw_shm(unconfined_dbusd_t)
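Review bot: replacing `unconfined_domain(unconfined_dbusd_t)` with `unconfined_domain_noaudit(unconfined_dbusd_t)` is the only semantic change in this hunk and is not mentioned in the commit message. Say which denials it is meant to silence: the `_noaudit` variant, per its name, makes the domain unconfined without auditing what it is denied, so an unexpected access attempt by the user's D-Bus daemon will no longer be visible in the audit log. The tab fix on `role system_r types unconfined_dbusd_t;` is fine.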
@@ -32323,7 +32328,7 @@ index 79a45f6..532ded5 100644
 +	files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..84a3fcf 100644
+index 17eda24..8e4c2d4 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -32599,7 +32604,7 @@ index 17eda24..84a3fcf 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +307,237 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +307,241 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -32634,6 +32639,10 @@ index 17eda24..84a3fcf 100644
 +')
 +
 +optional_policy(`
++	journalctl_exec(init_t)
++')
++
++optional_policy(`
 +	kdump_read_crash(init_t)
 +	kdump_read_config(init_t)
 +')
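Review bot: `journalctl_exec(init_t)` executes journalctl in the init_t domain with no transition, consistent with the other helper interfaces wired into init_t here, but the `journalctl_exec` interface itself is defined in the contrib patch rather than in this hunk; make sure that definition lands in the same build, otherwise this `optional_policy` block is silently disabled because its requirements are unmet and the "Add interface for journalctl_exec" bullet describes nothing that takes effect.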
@@ -32641,14 +32650,15 @@ index 17eda24..84a3fcf 100644
 +optional_policy(`
 +	gnome_filetrans_home_content(init_t)
 +	gnome_manage_data(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	iscsi_read_lib_files(init_t)
 +	iscsi_manage_lock(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	modutils_domtrans_insmod(init_t)
 +	modutils_list_module_config(init_t)
 +')
@@ -32808,14 +32818,13 @@ index 17eda24..84a3fcf 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
- ')
- 
- optional_policy(`
--	auth_rw_login_records(init_t)
++')
++
++optional_policy(`
 +	consolekit_manage_log(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@@ -32846,7 +32855,7 @@ index 17eda24..84a3fcf 100644
  ')
  
  optional_policy(`
-@@ -216,7 +545,31 @@ optional_policy(`
+@@ -216,7 +549,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32878,7 +32887,7 @@ index 17eda24..84a3fcf 100644
  ')
  
  ########################################
-@@ -225,9 +578,9 @@ optional_policy(`
+@@ -225,9 +582,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -32890,7 +32899,7 @@ index 17eda24..84a3fcf 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +611,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +615,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -32907,7 +32916,7 @@ index 17eda24..84a3fcf 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +636,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +640,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -32950,7 +32959,7 @@ index 17eda24..84a3fcf 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +673,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +677,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -32962,7 +32971,7 @@ index 17eda24..84a3fcf 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +685,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +689,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -32973,7 +32982,7 @@ index 17eda24..84a3fcf 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +696,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +700,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -32983,7 +32992,7 @@ index 17eda24..84a3fcf 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +705,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +709,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -32991,7 +33000,7 @@ index 17eda24..84a3fcf 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +712,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +716,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -32999,7 +33008,7 @@ index 17eda24..84a3fcf 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +720,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +724,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -33017,7 +33026,7 @@ index 17eda24..84a3fcf 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +738,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +742,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -33031,7 +33040,7 @@ index 17eda24..84a3fcf 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +753,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +757,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -33045,7 +33054,7 @@ index 17eda24..84a3fcf 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +766,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +770,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -33056,7 +33065,7 @@ index 17eda24..84a3fcf 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +779,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +783,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -33064,7 +33073,7 @@ index 17eda24..84a3fcf 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +798,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +802,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -33088,7 +33097,7 @@ index 17eda24..84a3fcf 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +831,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +835,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -33096,7 +33105,7 @@ index 17eda24..84a3fcf 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +865,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +869,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -33107,7 +33116,7 @@ index 17eda24..84a3fcf 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +889,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +893,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -33116,7 +33125,7 @@ index 17eda24..84a3fcf 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +904,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +908,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -33124,7 +33133,7 @@ index 17eda24..84a3fcf 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +925,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +929,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -33132,7 +33141,7 @@ index 17eda24..84a3fcf 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +935,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +939,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -33177,7 +33186,7 @@ index 17eda24..84a3fcf 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +980,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +984,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -33209,7 +33218,7 @@ index 17eda24..84a3fcf 100644
  	')
  ')
  
-@@ -577,6 +1015,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1019,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -33249,7 +33258,7 @@ index 17eda24..84a3fcf 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1060,8 @@ optional_policy(`
+@@ -589,6 +1064,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -33258,7 +33267,7 @@ index 17eda24..84a3fcf 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1083,7 @@ optional_policy(`
+@@ -610,6 +1087,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -33266,7 +33275,7 @@ index 17eda24..84a3fcf 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1100,17 @@ optional_policy(`
+@@ -626,6 +1104,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33284,7 +33293,7 @@ index 17eda24..84a3fcf 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1127,13 @@ optional_policy(`
+@@ -642,9 +1131,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -33298,7 +33307,7 @@ index 17eda24..84a3fcf 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1146,11 @@ optional_policy(`
+@@ -657,15 +1150,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33316,7 +33325,7 @@ index 17eda24..84a3fcf 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1171,15 @@ optional_policy(`
+@@ -686,6 +1175,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33332,7 +33341,7 @@ index 17eda24..84a3fcf 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1220,7 @@ optional_policy(`
+@@ -726,6 +1224,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -33340,7 +33349,7 @@ index 17eda24..84a3fcf 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1238,13 @@ optional_policy(`
+@@ -743,7 +1242,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33355,7 +33364,7 @@ index 17eda24..84a3fcf 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1267,10 @@ optional_policy(`
+@@ -766,6 +1271,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33366,7 +33375,7 @@ index 17eda24..84a3fcf 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1280,20 @@ optional_policy(`
+@@ -775,10 +1284,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33387,7 +33396,7 @@ index 17eda24..84a3fcf 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1302,10 @@ optional_policy(`
+@@ -787,6 +1306,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33398,7 +33407,7 @@ index 17eda24..84a3fcf 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1327,6 @@ optional_policy(`
+@@ -808,8 +1331,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -33407,7 +33416,7 @@ index 17eda24..84a3fcf 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1335,10 @@ optional_policy(`
+@@ -818,6 +1339,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33418,7 +33427,7 @@ index 17eda24..84a3fcf 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1348,12 @@ optional_policy(`
+@@ -827,10 +1352,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -33431,14 +33440,14 @@ index 17eda24..84a3fcf 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1380,60 @@ optional_policy(`
+@@ -857,21 +1384,60 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	virt_read_config(init_t)
 +	virt_stream_connect(init_t)
-+    virt_noatsecure(init_t)
-+    virt_rlimitinh(init_t)
++	virt_noatsecure(init_t)
++	virt_rlimitinh(init_t)
 +')
 +
 +optional_policy(`
@@ -33493,7 +33502,7 @@ index 17eda24..84a3fcf 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1449,10 @@ optional_policy(`
+@@ -887,6 +1453,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33504,7 +33513,7 @@ index 17eda24..84a3fcf 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1463,218 @@ optional_policy(`
+@@ -897,3 +1467,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ef9b85a..b67a506 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,5 +1,5 @@
 diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..36f5a1f 100644
+index 1a93dc5..dc1d24c 100644
 --- a/abrt.fc
 +++ b/abrt.fc
 @@ -1,31 +1,44 @@
@@ -14,7 +14,7 @@ index 1a93dc5..36f5a1f 100644
 -/usr/bin/retrace-server-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
 +/usr/lib/systemd/system/abrt.*	--	gen_context(system_u:object_r:abrt_unit_file_t,s0)
 +
-+/usr/bin/abrt-dump-oops 	    --	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-dump-.* 	    --	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
 +/usr/bin/abrt-uefioops-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
 +/usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 +/usr/bin/abrt-retrace-worker	--  gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
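Review bot: `/usr/bin/abrt-dump-.*` now labels every present and future `abrt-dump-*` binary as `abrt_dump_oops_exec_t`, which is what the "Label all abrt-dump programs" bullet asks for, so all of them will run in the same dump-oops domain; the entry mixes a tab and spaces before `--` where the neighbouring entries use tabs only. The explicit `abrt-uefioops-oops` line below it stays needed because the new regex does not match it. After the package is built, run `matchpathcon` on each abrt-dump-* binary present on the system to confirm they resolve to the intended type.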
@@ -1850,16 +1850,18 @@ index 0000000..a95a4ad
 +')
 +
 diff --git a/alsa.fc b/alsa.fc
-index 33d9d31..03a150d 100644
+index 33d9d31..58bf182 100644
 --- a/alsa.fc
 +++ b/alsa.fc
-@@ -23,4 +23,8 @@ ifdef(`distro_debian',`
+@@ -23,4 +23,10 @@ ifdef(`distro_debian',`
  /usr/share/alsa/alsa\.conf	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
  /usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
  
 -/var/lib/alsa(/.*)?	gen_context(system_u:object_r:alsa_var_lib_t,s0)
 +/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
 +
++/var/lock/asound\.state\.lock   --  gen_context(system_u:object_r:alsa_lock_t,s0)
++
 +/usr/lib/systemd/system/alsa.*  --              gen_context(system_u:object_r:alsa_unit_file_t,s0)
 +
 +/var/run/alsactl\.pid		--	gen_context(system_u:object_r:alsa_var_run_t,s0)
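Review bot: the new `/var/lock/asound\.state\.lock` entry is padded with spaces where the other entries in alsa.fc use tabs before `gen_context`; align it. The matching commit message bullet, "Allow alsa to create lock file to see if it fixes", does not say what it is supposed to fix; reference the report or describe the denial so the new `alsa_lock_t` type has a recorded reason to exist.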
@@ -1979,10 +1981,20 @@ index ca8d8cf..2cc5ce6 100644
  
  #########################################
 diff --git a/alsa.te b/alsa.te
-index 4b153f1..9b67ee0 100644
+index 4b153f1..a799cd3 100644
 --- a/alsa.te
 +++ b/alsa.te
-@@ -24,16 +24,23 @@ files_tmpfs_file(alsa_tmpfs_t)
+@@ -15,6 +15,9 @@ role alsa_roles types alsa_t;
+ type alsa_etc_rw_t;
+ files_config_file(alsa_etc_rw_t)
+ 
++type alsa_lock_t;
++files_lock_file(alsa_lock_t)
++
+ type alsa_tmp_t;
+ files_tmp_file(alsa_tmp_t)
+ 
+@@ -24,16 +27,23 @@ files_tmpfs_file(alsa_tmpfs_t)
  type alsa_var_lib_t;
  files_type(alsa_var_lib_t)
  
@@ -2008,7 +2020,17 @@ index 4b153f1..9b67ee0 100644
  allow alsa_t self:sem create_sem_perms;
  allow alsa_t self:shm create_shm_perms;
  allow alsa_t self:unix_stream_socket { accept listen };
-@@ -57,7 +64,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
+@@ -46,6 +56,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+ 
+ can_exec(alsa_t, alsa_exec_t)
+ 
++manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t)
++files_lock_filetrans(alsa_t, alsa_lock_t, file)
++
+ manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+ files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+@@ -57,7 +70,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
  manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
  manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
  
@@ -2022,7 +2044,7 @@ index 4b153f1..9b67ee0 100644
  
  corecmd_exec_bin(alsa_t)
  
-@@ -67,7 +80,6 @@ dev_read_sysfs(alsa_t)
+@@ -67,7 +86,6 @@ dev_read_sysfs(alsa_t)
  dev_read_urand(alsa_t)
  dev_write_sound(alsa_t)
  
@@ -2030,7 +2052,7 @@ index 4b153f1..9b67ee0 100644
  files_search_var_lib(alsa_t)
  
  term_dontaudit_use_console(alsa_t)
-@@ -80,8 +92,6 @@ init_use_fds(alsa_t)
+@@ -80,8 +98,6 @@ init_use_fds(alsa_t)
  
  logging_send_syslog_msg(alsa_t)
  
@@ -3578,7 +3600,7 @@ index 7caefc3..7e70f67 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb485..61f36b6 100644
+index f6eb485..9eba5f5 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -1,9 +1,9 @@
@@ -3727,7 +3749,7 @@ index f6eb485..61f36b6 100644
 +	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
 +	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
 +
-+	allow $1_script_t httpd_t:unix_stream_socket { getattr read write };
++	allow $1_script_t httpd_t:unix_stream_socket { accept getattr read write };
 +
 +	# Allow the web server to run scripts and serve pages
  	tunable_policy(`httpd_builtin_scripting',`
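Review bot: adding "accept" to "allow $1_script_t httpd_t:unix_stream_socket { accept getattr read write }" grants it inside the template, so every script domain generated from this template, not only the one CGI that needs it, may accept connections on httpd_t's listening socket. If a single script domain needs this, consider granting it in that module's .te file instead, or add a comment stating why template-wide accept is acceptable.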
@@ -8655,10 +8677,10 @@ index dcd774e..c240ffa 100644
  
  	allow $1 bacula_t:process { ptrace signal_perms };
 diff --git a/bacula.te b/bacula.te
-index f16b000..941d3fd 100644
+index f16b000..373576e 100644
 --- a/bacula.te
 +++ b/bacula.te
-@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
+@@ -43,16 +43,18 @@ role bacula_admin_roles types bacula_admin_t;
  # Local policy
  #
  
@@ -8667,7 +8689,18 @@ index f16b000..941d3fd 100644
  allow bacula_t self:process signal;
  allow bacula_t self:fifo_file rw_fifo_file_perms;
  allow bacula_t self:tcp_socket { accept listen };
-@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t)
+ 
+ read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+ 
++manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)
+ append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+ create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+ setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
++logging_log_filetrans(bacula_t, bacula_log_t, { file dir })
+ 
+ manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+ manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+@@ -88,6 +90,10 @@ corenet_udp_bind_generic_node(bacula_t)
  corenet_sendrecv_generic_server_packets(bacula_t)
  corenet_udp_bind_generic_port(bacula_t)
  
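Review bot: style nit in "manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)": missing space after the first comma, unlike every other pattern call in this hunk. The unnamed "logging_log_filetrans(bacula_t, bacula_log_t, { file dir })" also means any file or directory bacula_t creates directly in /var/log becomes bacula_log_t; if the daemon only creates a known log directory, pass that name as the fourth argument, as "files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")" does later in this patch.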
@@ -8678,7 +8711,7 @@ index f16b000..941d3fd 100644
  corenet_sendrecv_hplip_server_packets(bacula_t)
  corenet_tcp_bind_hplip_port(bacula_t)
  corenet_udp_bind_hplip_port(bacula_t)
-@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t)
+@@ -105,6 +111,7 @@ files_read_all_symlinks(bacula_t)
  fs_getattr_xattr_fs(bacula_t)
  fs_list_all(bacula_t)
  
@@ -8686,7 +8719,7 @@ index f16b000..941d3fd 100644
  auth_read_shadow(bacula_t)
  
  logging_send_syslog_msg(bacula_t)
-@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -148,9 +155,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
  
  domain_use_interactive_fds(bacula_admin_t)
  
@@ -11136,7 +11169,7 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..0b1d596 100644
+index 550b287..3ad65da 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -11225,7 +11258,7 @@ index 550b287..0b1d596 100644
  ')
  
  optional_policy(`
-@@ -92,11 +109,51 @@ optional_policy(`
+@@ -92,11 +109,52 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11233,6 +11266,7 @@ index 550b287..0b1d596 100644
 +	dirsrv_manage_config(certmonger_t)
 +	dirsrv_signal(certmonger_t)
 +	dirsrv_signull(certmonger_t)
++    dirsrv_stream_connect(certmonger_t)
 +')
 +
 +optional_policy(`
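Review bot: "dirsrv_stream_connect(certmonger_t)" is indented with four spaces while the sibling dirsrv_* calls in the same optional_policy block use a tab; keep tabs. Also confirm that dirsrv.if actually defines dirsrv_stream_connect, since no such interface is added anywhere in the visible part of this patch and a call to an undefined interface fails the policy build.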
@@ -11575,15 +11609,16 @@ index 80a88a2..ec869f5 100644
 +logging_send_syslog_msg(cgred_t)
 diff --git a/chrome.fc b/chrome.fc
 new file mode 100644
-index 0000000..d020d89
+index 0000000..5c6bdb6
 --- /dev/null
 +++ b/chrome.fc
-@@ -0,0 +1,10 @@
-+/opt/google/chrome/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+@@ -0,0 +1,11 @@
++/opt/google/chrome[^/]*/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 +
 +/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 +
 +/opt/google/chrome/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
++/opt/google/chrome[^/]*/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
 +/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
 +
 +HOME_DIR/\.cache/google-chrome(/.*)?	gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
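Review bot: inconsistent handling of the two /opt/google/chrome paths: for chrome-sandbox the old exact path is replaced by the "/opt/google/chrome[^/]*/chrome-sandbox" pattern, but for nacl_helper_bootstrap the old "/opt/google/chrome/nacl_helper_bootstrap" line is kept beside the new pattern line, which already matches it because "[^/]*" also matches the empty string. Drop the old nacl_helper_bootstrap line.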
@@ -14998,10 +15033,10 @@ index ce9f040..32ebb0c 100644
 +')
 diff --git a/conman.fc b/conman.fc
 new file mode 100644
-index 0000000..5f97ba9
+index 0000000..d2f5c80
 --- /dev/null
 +++ b/conman.fc
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,8 @@
 +/usr/lib/systemd/system/conman.*		--	gen_context(system_u:object_r:conman_unit_file_t,s0)
 +
 +/usr/sbin/conmand		--	gen_context(system_u:object_r:conman_exec_t,s0)
@@ -15009,6 +15044,7 @@ index 0000000..5f97ba9
 +/var/log/conman(/.*)?			gen_context(system_u:object_r:conman_log_t,s0)
 +/var/log/conman\.old(/.*)?		gen_context(system_u:object_r:conman_log_t,s0)
 +
++/var/run/conmand.*      --      gen_context(system_u:object_r:conman_var_run_t,s0)
 diff --git a/conman.if b/conman.if
 new file mode 100644
 index 0000000..54b4b04
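Review bot: the new "/var/run/conmand.*" entry aligns its fields with runs of spaces while the rest of conman.fc uses tabs. With the dot unescaped, the pattern matches any name starting with /var/run/conmand; if the only file is the pid file, "/var/run/conmand\.pid" is the precise spelling and avoids picking up unrelated entries.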
@@ -15159,10 +15195,10 @@ index 0000000..54b4b04
 +')
 diff --git a/conman.te b/conman.te
 new file mode 100644
-index 0000000..d6b0314
+index 0000000..ccff09f
 --- /dev/null
 +++ b/conman.te
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,55 @@
 +policy_module(conman, 1.0.0)
 +
 +########################################
@@ -15177,6 +15213,9 @@ index 0000000..d6b0314
 +type conman_log_t;
 +logging_log_file(conman_log_t)
 +
++type conman_var_run_t;
++files_pid_file(conman_var_run_t)
++
 +type conman_unit_file_t;
 +systemd_unit_file(conman_unit_file_t)
 +
@@ -15196,13 +15235,16 @@ index 0000000..d6b0314
 +manage_files_pattern(conman_t, conman_log_t, conman_log_t)
 +logging_log_filetrans(conman_t, conman_log_t, { dir })
 +
++manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
++files_pid_filetrans(conman_t, conman_var_run_t, file)
++
++auth_read_passwd(conman_t)
++
 +corenet_tcp_bind_generic_node(conman_t)
 +corenet_tcp_bind_conman_port(conman_t)
 +
 +corecmd_exec_bin(conman_t)
 +
-+auth_read_passwd(conman_t)
-+
 +logging_send_syslog_msg(conman_t)
 +
 +sysnet_dns_name_resolve(conman_t)
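Review bot: besides adding the var_run type, this hunk moves "auth_read_passwd(conman_t)" above the corenet_*/corecmd_* calls. Refpolicy groups interface calls by layer, kernel-layer interfaces (corecmd_, corenet_) before system-layer ones (auth_, logging_, sysnet_), so the original position was the conventional one and the move only adds churn. The "manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)" plus "files_pid_filetrans(conman_t, conman_var_run_t, file)" pair matches the single pid-file entry added in conman.fc.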
@@ -22444,16 +22486,24 @@ index 77a5003..b605240 100644
 +')
 +
 diff --git a/dhcp.fc b/dhcp.fc
-index 8182c48..31364a5 100644
+index 8182c48..0b9bb97 100644
 --- a/dhcp.fc
 +++ b/dhcp.fc
-@@ -1,4 +1,6 @@
+@@ -1,6 +1,13 @@
  /etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/dhcrelay(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+ 
+-/usr/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 +/usr/lib/systemd/system/dhcpcd.*	--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
 +/usr/lib/systemd/system/dhcpd.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
++/usr/lib/systemd/system/dhcpd6.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
++/usr/lib/systemd/system/dhcrelay.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
++
++/usr/sbin/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
++/usr/sbin/dhcrelay(6)?	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
  
- /usr/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
- 
+ /var/lib/dhcpd(/.*)?	gen_context(system_u:object_r:dhcpd_state_t,s0)
+ /var/lib/dhcp(3)?/dhcpd\.leases.*	--	gen_context(system_u:object_r:dhcpd_state_t,s0)
 diff --git a/dhcp.if b/dhcp.if
 index c697edb..31d45bf 100644
 --- a/dhcp.if
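Review bot: "/usr/lib/systemd/system/dhcpd6.*" is redundant: the unchanged "/usr/lib/systemd/system/dhcpd.*" line just above already matches dhcpd6.service, since the unescaped dot matches any character. The dhcrelay.* unit pattern is the genuinely new one. Narrowing "/usr/sbin/dhcpd.*" to "/usr/sbin/dhcpd(6)?" is a tightening; make sure no other /usr/sbin/dhcpd* helper relied on the wildcard before this lands.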
@@ -24485,10 +24535,10 @@ index 0000000..76eb32e
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..47c8698
+index 0000000..96c47ea
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,270 @@
+@@ -0,0 +1,273 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -24605,6 +24655,7 @@ index 0000000..47c8698
 +kernel_read_network_state(docker_t)
 +kernel_read_all_sysctls(docker_t)
 +kernel_rw_net_sysctls(docker_t)
++kernel_setsched(docker_t)
 +
 +domain_use_interactive_fds(docker_t)
 +
@@ -24628,6 +24679,7 @@ index 0000000..47c8698
 +
 +fs_read_cgroup_files(docker_t)
 +fs_read_tmpfs_symlinks(docker_t)
++fs_search_all(docker_t)
 +fs_getattr_all_fs(docker_t)
 +
 +storage_raw_rw_fixed_disk(docker_t)
@@ -24645,6 +24697,7 @@ index 0000000..47c8698
 +mount_domtrans(docker_t)
 +
 +seutil_read_default_contexts(docker_t)
++seutil_read_config(docker_t)
 +
 +sysnet_dns_name_resolve(docker_t)
 +sysnet_exec_ifconfig(docker_t)
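Review bot: "fs_search_all(docker_t)" is broader than a getattr: "fs_getattr_all_fs(docker_t)" is already present as unchanged context right below the addition, so what this hunk really adds is directory search on every filesystem type, and the change description should say so. "kernel_setsched(docker_t)" and "seutil_read_config(docker_t)" are unremarkable for a container manager that reads the SELinux configuration.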
@@ -29608,10 +29661,10 @@ index 5cd0909..e405249 100644
 +')
 diff --git a/glusterd.fc b/glusterd.fc
 new file mode 100644
-index 0000000..9614520
+index 0000000..8431a61
 --- /dev/null
 +++ b/glusterd.fc
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,17 @@
 +/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 +
 +/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
@@ -29627,7 +29680,8 @@ index 0000000..9614520
 +/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
 +
 +/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
-+/var/run/glusterd\.pid	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/glusterd.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 diff --git a/glusterd.if b/glusterd.if
 new file mode 100644
 index 0000000..1ed97fe
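Review bot: "/var/run/glusterd.*" replaces "/var/run/glusterd\.pid" and, with the dot unescaped, matches any entry whose name starts with glusterd; "/var/run/glusterd\..*" keeps the intent of labelling the pid file and the socket. The "-s" line is what the socket labelling needs; the "--" line also re-covers regular files already matched by "/var/run/glusterd(/.*)?" two lines up, which is harmless since both map to glusterd_var_run_t.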
@@ -36622,10 +36676,10 @@ index 0000000..f270652
 +/usr/bin/journalctl		--	gen_context(system_u:object_r:journalctl_exec_t,s0)
 diff --git a/journalctl.if b/journalctl.if
 new file mode 100644
-index 0000000..9d32f23
+index 0000000..17126b6
 --- /dev/null
 +++ b/journalctl.if
-@@ -0,0 +1,76 @@
+@@ -0,0 +1,95 @@
 +
 +## <summary>policy for journalctl</summary>
 +
@@ -36648,6 +36702,25 @@ index 0000000..9d32f23
 +	domtrans_pattern($1, journalctl_exec_t, journalctl_t)
 +')
 +
++######################################
++## <summary>
++##	Execute journalctl in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`journalctl_exec',`
++	gen_require(`
++		type journalctl_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, journalctl_exec_t)
++')
++
 +########################################
 +## <summary>
 +##	Execute journalctl in the journalctl domain, and
@@ -38768,7 +38841,7 @@ index 628b78b..fe65617 100644
 -
 -miscfiles_read_localization(keyboardd_t)
 diff --git a/keystone.fc b/keystone.fc
-index b273d80..186cd86 100644
+index b273d80..6a07210 100644
 --- a/keystone.fc
 +++ b/keystone.fc
 @@ -1,3 +1,5 @@
@@ -38777,6 +38850,12 @@ index b273d80..186cd86 100644
  /etc/rc\.d/init\.d/openstack-keystone	--	gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
  
  /usr/bin/keystone-all	--	gen_context(system_u:object_r:keystone_exec_t,s0)
+@@ -5,3 +7,5 @@
+ /var/lib/keystone(/.*)?	gen_context(system_u:object_r:keystone_var_lib_t,s0)
+ 
+ /var/log/keystone(/.*)?	gen_context(system_u:object_r:keystone_log_t,s0)
++
++/var/run/keystone(/.*)?	gen_context(system_u:object_r:keystone_var_run_t,s0)
 diff --git a/keystone.if b/keystone.if
 index e88fb16..f20248c 100644
 --- a/keystone.if
@@ -39016,10 +39095,16 @@ index e88fb16..f20248c 100644
 +	')
  ')
 diff --git a/keystone.te b/keystone.te
-index 9929647..4b6faae 100644
+index 9929647..eea253d 100644
 --- a/keystone.te
 +++ b/keystone.te
-@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
+@@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
+ type keystone_var_lib_t;
+ files_type(keystone_var_lib_t)
+ 
++type keystone_var_run_t;
++files_pid_file(keystone_var_run_t)
++
  type keystone_tmp_t;
  files_tmp_file(keystone_tmp_t)
  
@@ -39034,7 +39119,18 @@ index 9929647..4b6faae 100644
  
  allow keystone_t self:fifo_file rw_fifo_file_perms;
  allow keystone_t self:unix_stream_socket { accept listen };
-@@ -57,20 +61,36 @@ corenet_all_recvfrom_netlabel(keystone_t)
+@@ -45,6 +52,10 @@ manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
+ manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
+ files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir)
+ 
++manage_dirs_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
++manage_files_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
++files_pid_filetrans(keystone_t, keystone_var_run_t, { dir })
++
+ can_exec(keystone_t, keystone_tmp_t)
+ 
+ kernel_read_system_state(keystone_t)
+@@ -57,20 +68,36 @@ corenet_all_recvfrom_netlabel(keystone_t)
  corenet_tcp_sendrecv_generic_if(keystone_t)
  corenet_tcp_sendrecv_generic_node(keystone_t)
  corenet_tcp_bind_generic_node(keystone_t)
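Review bot: "files_pid_filetrans(keystone_t, keystone_var_run_t, { dir })" wraps a single object class in braces; plain "dir" is the usual form, as in the "files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir)" context line above. Note also that with only dir in the transition, a pid file keystone creates directly in /var/run rather than under /var/run/keystone would be labelled var_run_t; add file if that is the actual layout.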
@@ -46390,10 +46486,10 @@ index 6194b80..7490fe3 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..07b06e1 100644
+index 11ac8e4..372b342 100644
 --- a/mozilla.te
 +++ b/mozilla.te
-@@ -6,17 +6,48 @@ policy_module(mozilla, 2.8.0)
+@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
  #
  
  ## <desc>
@@ -46410,6 +46506,14 @@ index 11ac8e4..07b06e1 100644
 +
 +## <desc>
 +## <p>
++## Allow mozilla plugin domain to bind unreserved tcp/udp ports.
++## </p>
++## </desc>
++
++gen_tunable(mozilla_plugin_bind_unreserved_ports, false)
++
++## <desc>
++## <p>
 +## Allow mozilla plugin to support spice protocols.
 +## </p>
 +## </desc>
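Review bot: the description for "gen_tunable(mozilla_plugin_bind_unreserved_ports, false)" should spell out what enabling it exposes: the plugin domain may then listen on any port that carries no specific SELinux port type, i.e. the same network surface as a generic service, which is why the false default is the right one. Saying that ports with a defined port type remain denied would also save users a support round-trip.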
@@ -46447,7 +46551,7 @@ index 11ac8e4..07b06e1 100644
  type mozilla_t;
  type mozilla_exec_t;
  typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -24,6 +55,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +63,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
  userdom_user_application_domain(mozilla_t, mozilla_exec_t)
  role mozilla_roles types mozilla_t;
  
@@ -46457,7 +46561,7 @@ index 11ac8e4..07b06e1 100644
  type mozilla_home_t;
  typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
  typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,28 +65,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,28 +73,24 @@ userdom_user_home_content(mozilla_home_t)
  
  type mozilla_plugin_t;
  type mozilla_plugin_exec_t;
@@ -46491,7 +46595,7 @@ index 11ac8e4..07b06e1 100644
  role mozilla_plugin_config_roles types mozilla_plugin_config_t;
  
  type mozilla_tmp_t;
-@@ -63,10 +93,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +101,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
  typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
  userdom_user_tmpfs_file(mozilla_tmpfs_t)
  
@@ -46502,7 +46606,7 @@ index 11ac8e4..07b06e1 100644
  ########################################
  #
  # Local policy
-@@ -75,27 +101,30 @@ optional_policy(`
+@@ -75,27 +109,30 @@ optional_policy(`
  allow mozilla_t self:capability { sys_nice setgid setuid };
  allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
  allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -46546,7 +46650,7 @@ index 11ac8e4..07b06e1 100644
  
  manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
  manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +132,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +140,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
  manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
  
@@ -46654,7 +46758,7 @@ index 11ac8e4..07b06e1 100644
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
  
-@@ -181,56 +203,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +211,73 @@ auth_use_nsswitch(mozilla_t)
  logging_send_syslog_msg(mozilla_t)
  
  miscfiles_read_fonts(mozilla_t)
@@ -46662,8 +46766,7 @@ index 11ac8e4..07b06e1 100644
  miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
  
 -userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
- 
+-
 -userdom_manage_user_tmp_dirs(mozilla_t)
 -userdom_manage_user_tmp_files(mozilla_t)
 -
@@ -46672,7 +46775,8 @@ index 11ac8e4..07b06e1 100644
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
 -
 -userdom_write_user_tmp_sockets(mozilla_t)
--
++userdom_use_inherited_user_ptys(mozilla_t)
+ 
 -mozilla_run_plugin(mozilla_t, mozilla_roles)
 -mozilla_run_plugin_config(mozilla_t, mozilla_roles)
 +#mozilla_run_plugin(mozilla_t, mozilla_roles)
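Review bot: this hunk only moves the "++userdom_use_inherited_user_ptys(mozilla_t)" line below the block of removed userdom_* lines; the resulting policy text is identical, so it is regeneration noise rather than a change to review.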
@@ -46765,7 +46869,7 @@ index 11ac8e4..07b06e1 100644
  ')
  
  optional_policy(`
-@@ -244,19 +283,12 @@ optional_policy(`
+@@ -244,19 +291,12 @@ optional_policy(`
  
  optional_policy(`
  	cups_read_rw_config(mozilla_t)
@@ -46787,7 +46891,7 @@ index 11ac8e4..07b06e1 100644
  
  	optional_policy(`
  		networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +297,32 @@ optional_policy(`
+@@ -265,33 +305,32 @@ optional_policy(`
  
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
@@ -46800,34 +46904,34 @@ index 11ac8e4..07b06e1 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++	java_domtrans(mozilla_t)
  ')
  
  optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	java_domtrans(mozilla_t)
++	lpd_domtrans_lpr(mozilla_t)
  ')
  
  optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	lpd_domtrans_lpr(mozilla_t)
++	mplayer_domtrans(mozilla_t)
++	mplayer_read_user_home_files(mozilla_t)
  ')
  
  optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
++	nscd_socket_use(mozilla_t)
  ')
  
  optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
-+	nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@@ -46835,7 +46939,7 @@ index 11ac8e4..07b06e1 100644
  ')
  
  optional_policy(`
-@@ -300,259 +331,249 @@ optional_policy(`
+@@ -300,259 +339,249 @@ optional_policy(`
  
  ########################################
  #
@@ -46917,12 +47021,12 @@ index 11ac8e4..07b06e1 100644
  allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
 +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
  
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
 -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
 +can_exec(mozilla_plugin_t, mozilla_exec_t)
  
@@ -47100,12 +47204,12 @@ index 11ac8e4..07b06e1 100644
  
 -userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
- 
+-
 -userdom_manage_user_home_content_dirs(mozilla_plugin_t)
 -userdom_manage_user_home_content_files(mozilla_plugin_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+ 
 -userdom_write_user_tmp_sockets(mozilla_plugin_t)
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
@@ -47231,7 +47335,7 @@ index 11ac8e4..07b06e1 100644
  ')
  
  optional_policy(`
-@@ -560,7 +581,11 @@ optional_policy(`
+@@ -560,7 +589,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47244,7 +47348,7 @@ index 11ac8e4..07b06e1 100644
  ')
  
  optional_policy(`
-@@ -568,108 +593,137 @@ optional_policy(`
+@@ -568,108 +601,144 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47370,27 +47474,25 @@ index 11ac8e4..07b06e1 100644
 +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
 +userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
 +userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
- 
--userdom_use_user_ptys(mozilla_plugin_config_t)
++
 +domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
- 
--mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
++
 +tunable_policy(`use_ecryptfs_home_dirs',`
 +        fs_read_ecryptfs_files(mozilla_plugin_config_t)
 +')
  
--tunable_policy(`allow_execmem',`
--	allow mozilla_plugin_config_t self:process execmem;
+-userdom_use_user_ptys(mozilla_plugin_config_t)
 +optional_policy(`
 +	gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
 +')
-+
+ 
+-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
 +optional_policy(`
 +	xserver_use_user_fonts(mozilla_plugin_config_t)
- ')
++')
  
--tunable_policy(`mozilla_execstack',`
--	allow mozilla_plugin_config_t self:process { execmem execstack };
+-tunable_policy(`allow_execmem',`
+-	allow mozilla_plugin_config_t self:process execmem;
 +ifdef(`distro_redhat',`
 +	typealias mozilla_plugin_t  alias nsplugin_t;
 +	typealias mozilla_plugin_exec_t  alias nsplugin_exec_t;
@@ -47401,10 +47503,8 @@ index 11ac8e4..07b06e1 100644
 +	typealias mozilla_plugin_config_exec_t  alias nsplugin_config_exec_t;
  ')
  
--tunable_policy(`use_nfs_home_dirs',`
--	fs_manage_nfs_dirs(mozilla_plugin_config_t)
--	fs_manage_nfs_files(mozilla_plugin_config_t)
--	fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`mozilla_execstack',`
+-	allow mozilla_plugin_config_t self:process { execmem execstack };
 +#tunable_policy(`mozilla_plugin_enable_homedirs',`
 +#	userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
 +#', `
@@ -47417,29 +47517,40 @@ index 11ac8e4..07b06e1 100644
 +	userdom_execmod_user_home_files(mozilla_plugin_t)
  ')
  
--tunable_policy(`use_samba_home_dirs',`
--	fs_manage_cifs_dirs(mozilla_plugin_config_t)
--	fs_manage_cifs_files(mozilla_plugin_config_t)
--	fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(mozilla_plugin_config_t)
+-	fs_manage_nfs_files(mozilla_plugin_config_t)
+-	fs_manage_nfs_symlinks(mozilla_plugin_config_t)
 +tunable_policy(`mozilla_plugin_use_spice',`
 +	dev_rw_generic_usb_dev(mozilla_plugin_t)
 +	dev_setattr_generic_usb_dev(mozilla_plugin_t)
 +	corenet_tcp_bind_vnc_port(mozilla_plugin_t)
  ')
  
--optional_policy(`
--	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(mozilla_plugin_config_t)
+-	fs_manage_cifs_files(mozilla_plugin_config_t)
+-	fs_manage_cifs_symlinks(mozilla_plugin_config_t)
 +tunable_policy(`mozilla_plugin_use_gps',`
 +    fs_manage_dos_dirs(mozilla_plugin_t)
 +    fs_manage_dos_files(mozilla_plugin_t)
  ')
  
 -optional_policy(`
--	xserver_use_user_fonts(mozilla_plugin_config_t)
+-	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
 +tunable_policy(`mozilla_plugin_use_bluejeans',`
 +    corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
 +    corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
 +    corenet_tcp_connect_commplex_main_port(mozilla_plugin_t)
++    corenet_dontaudit_udp_bind_all_ports(mozilla_plugin_t)
++    corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
+ ')
+ 
+-optional_policy(`
+-	xserver_use_user_fonts(mozilla_plugin_config_t)
++tunable_policy(`mozilla_plugin_bind_unreserved_ports',`
++    corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
++    corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
  ')
 diff --git a/mpd.fc b/mpd.fc
 index 313ce52..ae93e07 100644
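Review bot: the new "tunable_policy(`mozilla_plugin_bind_unreserved_ports'," block and the two lines added to the mozilla_plugin_use_bluejeans block are indented with four spaces, while the tunable_policy blocks above them (for example mozilla_plugin_use_spice) use tabs. On semantics: with "corenet_udp_bind_all_unreserved_ports" and "corenet_dontaudit_udp_bind_all_ports" added, the bluejeans boolean is now a strict superset of the new one, and because the new boolean carries no dontaudit rules, a plugin that binds a port with a defined port type will still produce AVC denials with the boolean on. That is the correct behaviour for a boolean scoped to unreserved ports, but it is worth noting in the boolean's description.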
@@ -58159,7 +58270,7 @@ index 0000000..a437f80
 +files_read_config_files(openshift_domain)
 diff --git a/openshift.fc b/openshift.fc
 new file mode 100644
-index 0000000..418db16
+index 0000000..ba329e2
 --- /dev/null
 +++ b/openshift.fc
 @@ -0,0 +1,28 @@
@@ -58185,7 +58296,7 @@ index 0000000..418db16
 +/usr/s?bin/(oo|rhc)-cgroup-read        --    gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
 +
 +/usr/s?bin/(oo|rhc)-restorer           --    gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh    --  gen_context(system_u:object_r:openshift_script_exec_t,s0)
++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh    --  gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +/usr/s?bin/oo-admin-ctl-gears	--	gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +/usr/s?bin/mcollectived			--		gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +
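Review bot: relabelling "/usr/s?bin/(oo|rhc)-restorer-wrapper.sh" to openshift_initrc_exec_t makes it consistent with the "(oo|rhc)-restorer" entry above it. While touching this line, the dot in "wrapper.sh" should be escaped as "wrapper\.sh", as the other .fc files in this patch do (for example "alsa\.conf").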
@@ -63601,11 +63712,45 @@ index 0000000..a989aea
 +corecmd_exec_shell(piranha_domain)
 +
 +sysnet_read_config(piranha_domain)
+diff --git a/pkcs.fc b/pkcs.fc
+index 9a72226..0351b1e 100644
+--- a/pkcs.fc
++++ b/pkcs.fc
+@@ -4,4 +4,6 @@
+ 
+ /var/lib/opencryptoki(/.*)?	gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
+ 
++/var/lock/opencryptoki(/.*)?	gen_context(system_u:object_r:pkcs_slotd_lock_t,s0)
++
+ /var/run/pkcsslotd.*	gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
+diff --git a/pkcs.if b/pkcs.if
+index 69be2aa..2d7b3f6 100644
+--- a/pkcs.if
++++ b/pkcs.if
+@@ -19,7 +19,7 @@
+ #
+ interface(`pkcs_admin_slotd',`
+ 	gen_require(`
+-		type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
++		type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t, pkcs_slotd_lock_t;
+ 		type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
+ 	')
+ 
+@@ -34,6 +34,9 @@ interface(`pkcs_admin_slotd',`
+ 	files_search_var_lib($1)
+ 	admin_pattern($1, pkcs_slotd_var_lib_t)
+ 
++	files_search_locks($1)
++	admin_pattern($1, pkcs_slotd_lock_t)
++
+ 	files_search_pids($1)
+ 	admin_pattern($1, pkcs_slotd_var_run_t)
+ 
 diff --git a/pkcs.te b/pkcs.te
-index 8eb3f7b..1ff0fe3 100644
+index 8eb3f7b..b0fc2a7 100644
 --- a/pkcs.te
 +++ b/pkcs.te
-@@ -7,21 +7,27 @@ policy_module(pkcs, 1.0.1)
+@@ -7,21 +7,30 @@ policy_module(pkcs, 1.0.1)
  
  type pkcs_slotd_t;
  type pkcs_slotd_exec_t;
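Review bot: the pkcs.fc entry "/var/lock/opencryptoki(/.*)?" has no file-type field, so it labels the directory and everything inside it pkcs_slotd_lock_t, and pkcs_admin_slotd is updated with "files_search_locks($1)" and "admin_pattern($1, pkcs_slotd_lock_t)" to match, which is correct. Since this whole region is new (every line "+"-prefixed) relative to the previous revision of the patch, double-check that pkcs_slotd_lock_t is declared before the interface is used; the pkcs.te hunk below does so with files_lock_file.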
@@ -63620,6 +63765,9 @@ index 8eb3f7b..1ff0fe3 100644
 +typealias pkcs_slotd_var_lib_t alias pkcsslotd_var_lib_t;
  files_type(pkcs_slotd_var_lib_t)
  
++type pkcs_slotd_lock_t;
++files_lock_file(pkcs_slotd_lock_t)
++
  type pkcs_slotd_var_run_t;
 +typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t;
  files_pid_file(pkcs_slotd_var_run_t)
@@ -63633,12 +63781,27 @@ index 8eb3f7b..1ff0fe3 100644
  files_tmpfs_file(pkcs_slotd_tmpfs_t)
  
  ########################################
-@@ -53,8 +59,6 @@ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+@@ -40,6 +49,8 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+ manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+ files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
+ 
++manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
++
+ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+ manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+@@ -51,10 +62,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
+ 
+ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
  manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
- fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
+-fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
++fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, { file dir })
++
++auth_read_passwd(pkcs_slotd_t)
  
 -files_read_etc_files(pkcs_slotd_t)
--
++files_search_locks(pkcs_slotd_t)
+ 
  logging_send_syslog_msg(pkcs_slotd_t)
  
 -miscfiles_read_localization(pkcs_slotd_t)
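Review bot: "manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)" lets the daemon manage files inside an existing pkcs_slotd_lock_t directory, but with no manage_dirs_pattern and no files_lock_filetrans it cannot create /var/lock/opencryptoki itself, and a directory created there at runtime by something else inherits var_lock_t until a restorecon. That is fine if the package ships the directory; otherwise add "files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir)". "files_search_locks(pkcs_slotd_t)" is needed here because the pattern macro does not grant search on the parent var_lock_t directory. The "fs_tmpfs_filetrans(..., { file dir })" broadening and auth_read_passwd look fine.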
@@ -74463,10 +74626,10 @@ index 83eb09e..b48c931 100644
 +')
 +
 diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..2a8e41b 100644
+index 70ab68b..b985b65 100644
 --- a/quantum.fc
 +++ b/quantum.fc
-@@ -1,10 +1,31 @@
+@@ -1,10 +1,34 @@
 -/etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/neutron.*	--	gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
@@ -74505,6 +74668,9 @@ index 70ab68b..2a8e41b 100644
 +
 +/var/log/neutron(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
 +/var/log/quantum(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
++
++/var/run/neutron(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
++/var/run/quantum(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
 diff --git a/quantum.if b/quantum.if
 index afc0068..97bbea4 100644
 --- a/quantum.if
@@ -74822,10 +74988,10 @@ index afc0068..97bbea4 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..d31e341 100644
+index 8644d8b..e8c81df 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -5,92 +5,166 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,173 @@ policy_module(quantum, 1.1.0)
  # Declarations
  #
  
@@ -74864,6 +75030,9 @@ index 8644d8b..d31e341 100644
 +type neutron_var_lib_t alias quantum_var_lib_t;
 +files_type(neutron_var_lib_t)
 +
++type neutron_var_run_t alias quantum_var_run_t;
++files_pid_file(neutron_var_run_t)
++
 +type neutron_unit_file_t alias quantum_unit_file_t;
 +systemd_unit_file(neutron_unit_file_t)
  
@@ -74935,6 +75104,10 @@ index 8644d8b..d31e341 100644
 +manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
 +
++manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
++manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
++files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir })
++
 +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
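Review bot: "files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir })" with no name argument makes every file or directory neutron_t creates directly in /var/run neutron_var_run_t; if the daemon only creates the neutron and quantum directories matched in quantum.fc, pass those names to keep the transition narrow. Minor: this block lists manage_files_pattern before manage_dirs_pattern, the opposite of the var_lib block right below it.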
@@ -76081,7 +76254,7 @@ index 951db7f..c0cabe8 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
  ')
 diff --git a/raid.te b/raid.te
-index c99753f..2d260c2 100644
+index c99753f..91ab9f7 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@@ -76100,7 +76273,7 @@ index c99753f..2d260c2 100644
  type mdadm_var_run_t alias mdadm_map_t;
  files_pid_file(mdadm_var_run_t)
  dev_associate(mdadm_var_run_t)
-@@ -25,44 +34,64 @@ dev_associate(mdadm_var_run_t)
+@@ -25,44 +34,66 @@ dev_associate(mdadm_var_run_t)
  #
  
  allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -76136,6 +76309,8 @@ index c99753f..2d260c2 100644
  kernel_request_load_module(mdadm_t)
  kernel_rw_software_raid_state(mdadm_t)
 +kernel_dontaudit_setsched(mdadm_t)
++kernel_signal(mdadm_t)
++kernel_stream_connect(mdadm_t)
  
  corecmd_exec_bin(mdadm_t)
  corecmd_exec_shell(mdadm_t)
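Review bot: kernel_stream_connect(mdadm_t) is the narrow grant needed to connect to a socket created by mdadm running as kernel_t, but kernel_signal(mdadm_t) additionally lets mdadm_t send signals to every kernel_t process and the hunk gives no denial motivating it; either cite the AVC that needs it in the changelog or drop it, since signalling kernel_t is a much broader permission than the socket connect.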
@@ -76174,7 +76349,7 @@ index c99753f..2d260c2 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +102,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -76196,7 +76371,7 @@ index c99753f..2d260c2 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +124,38 @@ optional_policy(`
+@@ -90,17 +126,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90005,10 +90180,10 @@ index d204752..31cc6e6 100644
 +	')
  ')
 diff --git a/sensord.te b/sensord.te
-index 5e82fd6..f3e5808 100644
+index 5e82fd6..64e130f 100644
 --- a/sensord.te
 +++ b/sensord.te
-@@ -9,12 +9,18 @@ type sensord_t;
+@@ -9,27 +9,35 @@ type sensord_t;
  type sensord_exec_t;
  init_daemon_domain(sensord_t, sensord_exec_t)
  
@@ -90027,7 +90202,10 @@ index 5e82fd6..f3e5808 100644
  ########################################
  #
  # Local policy
-@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t)
+ #
+ 
++allow sensord_t self:process signal;
++
  allow sensord_t self:fifo_file rw_fifo_file_perms;
  allow sensord_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -94803,7 +94981,7 @@ index a240455..16a04bf 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..83033bf 100644
+index 2d8db1f..1f205fe 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -94894,11 +95072,12 @@ index 2d8db1f..83033bf 100644
  
  init_read_utmp(sssd_t)
  
-@@ -112,18 +109,34 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +109,35 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
 -miscfiles_read_localization(sssd_t)
++miscfiles_dontaudit_access_check_cert(sssd_t)
  
  sysnet_dns_name_resolve(sssd_t)
  sysnet_use_ldap(sssd_t)
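Review bot: miscfiles_dontaudit_access_check_cert() is called here but not defined anywhere in this patch, so confirm the interface exists in this tree's miscfiles.if or the module will fail to build. As a dontaudit it only silences the access(2) probes sssd makes on certificate files and grants nothing, which is the right shape for this fix; keep miscfiles_read_generic_certs(sssd_t) two lines above as the actual read grant rather than widening this one later.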
@@ -101033,7 +101212,7 @@ index a4f20bc..9ccc90c 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..88dcafb 100644
+index facdee8..d179539 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -102342,11 +102521,10 @@ index facdee8..88dcafb 100644
 +	optional_policy(`
 +		ptchown_run(virt_domain, $2)
 +	')
- ')
- 
- ########################################
- ## <summary>
--##	Append virt log files.
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to write virt daemon unnamed pipes.
 +## </summary>
 +## <param name="domain">
@@ -102362,10 +102540,11 @@ index facdee8..88dcafb 100644
 +
 +	dontaudit $1 virtd_t:fd use;
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append virt log files.
 +##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
@@ -102777,7 +102956,7 @@ index facdee8..88dcafb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1299,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1299,53 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -102816,44 +102995,60 @@ index facdee8..88dcafb 100644
  
 -	fs_search_tmpfs($1)
 -	admin_pattern($1, virt_tmpfs_type)
--
++	allow $1 virt_domain:process signal_perms;
+ 
 -	files_search_tmp($1)
 -	admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
++	admin_pattern($1, virt_file_type)
++	admin_pattern($1, svirt_file_type)
+ 
 -	files_search_etc($1)
 -	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
--
++	virt_systemctl($1)
++	allow $1 virtd_unit_file_t:service all_service_perms;
+ 
 -	logging_search_logs($1)
 -	admin_pattern($1, virt_log_t)
 -
 -	files_search_pids($1)
 -	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
-+	allow $1 virt_domain:process signal_perms;
- 
+-
 -	files_search_var($1)
 -	admin_pattern($1, svirt_cache_t)
 -
 -	files_search_var_lib($1)
 -	admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-+	admin_pattern($1, virt_file_type)
-+	admin_pattern($1, svirt_file_type)
- 
+-
 -	files_search_locks($1)
 -	admin_pattern($1, virt_lock_t)
-+	virt_systemctl($1)
-+	allow $1 virtd_unit_file_t:service all_service_perms;
- 
--	dev_list_all_dev_nodes($1)
--	allow $1 virt_ptynode:chr_file rw_term_perms;
 +	virt_stream_connect_sandbox($1)
 +	virt_stream_connect_svirt($1)
 +	virt_stream_connect($1)
++')
++#######################################
++## <summary>
++##  Getattr on virt executable.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`virt_default_capabilities',`
++	gen_require(`
++		attribute sandbox_caps_domain;
++	')
+ 
+-	dev_list_all_dev_nodes($1)
+-	allow $1 virt_ptynode:chr_file rw_term_perms;
++	typeattribute $1 sandbox_caps_domain;
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..67904c0 100644
+index f03dcf5..f5766e6 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -1,150 +1,212 @@
+@@ -1,150 +1,227 @@
 -policy_module(virt, 1.7.4)
 +policy_module(virt, 1.5.0)
  
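Review bot: the doc block on the new virt_default_capabilities() interface is a copy-paste leftover: the summary says "Getattr on virt executable." and the parameter says "Domain allowed to transition.", while the body only does typeattribute $1 sandbox_caps_domain. Replace them with something like "Assign the default sandbox container capability set to a domain." and "Container domain that receives the default capabilities.", use the 40-character # separator the surrounding interfaces use (this one is one short), and add a blank line between the closing ') of virt_admin and the new block. The gen_require on attribute sandbox_caps_domain matches the declaration added to virt.te in this patch, so the build side is fine.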
@@ -102876,6 +103071,7 @@ index f03dcf5..67904c0 100644
 +attribute svirt_file_type;
 +attribute virt_file_type;
 +attribute sandbox_net_domain;
++attribute sandbox_caps_domain;
 +
 +type svirt_tmp_t, svirt_file_type;
 +files_tmp_file(svirt_tmp_t)
@@ -103011,35 +103207,49 @@ index f03dcf5..67904c0 100644
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_samba, false)
++
++## <desc>
++## <p>
++## Allow sandbox containers to send audit messages
++
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_audit, true)
  
 -attribute svirt_lxc_domain;
 +## <desc>
 +## <p>
-+## Allow sandbox containers to send audit messages
++## Allow sandbox containers to use netlink system calls
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_netlink, false)
  
 -attribute_role virt_domain_roles;
 -roleattribute system_r virt_domain_roles;
++## <desc>
++## <p>
++## Allow sandbox containers to use sys_admin system calls, for example mount
 +## </p>
 +## </desc>
-+gen_tunable(virt_sandbox_use_audit, true)
++gen_tunable(virt_sandbox_use_sys_admin, false)
  
 -attribute_role virt_bridgehelper_roles;
 -roleattribute system_r virt_bridgehelper_roles;
 +## <desc>
 +## <p>
-+## Allow sandbox containers to use netlink system calls
++## Allow sandbox containers to use mknod system calls
 +## </p>
 +## </desc>
-+gen_tunable(virt_sandbox_use_netlink, false)
++gen_tunable(virt_sandbox_use_mknod, false)
  
 -attribute_role svirt_lxc_domain_roles;
 -roleattribute system_r svirt_lxc_domain_roles;
 +## <desc>
 +## <p>
-+## Allow sandbox containers to use sys_admin system calls, for example mount
++## Allow sandbox containers to use all capabilities
 +## </p>
 +## </desc>
-+gen_tunable(virt_sandbox_use_sys_admin, false)
++gen_tunable(virt_sandbox_use_all_caps, false)
  
  virt_domain_template(svirt)
 -virt_domain_template(svirt_prot_exec)
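Review bot: the virt_sandbox_use_audit description has a stray empty line between the text and </p> that the other four tunables do not have; drop it so the generated boolean descriptions are consistent. More importantly, the virt_sandbox_use_all_caps text ("Allow sandbox containers to use all capabilities") should state explicitly that enabling it hands svirt_lxc_net_t every capability and capability2 permission, i.e. it removes capability confinement for every container in that domain; that one line is all an administrator sees in semanage boolean -l, so it needs to convey the risk, and the default of false is the right one.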
@@ -103136,7 +103346,7 @@ index f03dcf5..67904c0 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -153,299 +215,132 @@ ifdef(`enable_mls',`
+@@ -153,299 +230,132 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -103399,16 +103609,16 @@ index f03dcf5..67904c0 100644
 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
 -
 -corenet_udp_sendrecv_generic_if(svirt_t)
 -corenet_udp_sendrecv_generic_node(svirt_t)
 -corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_udp_bind_generic_node(svirt_t)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+ 
 -corenet_all_recvfrom_unlabeled(svirt_t)
 -corenet_all_recvfrom_netlabel(svirt_t)
 -corenet_tcp_sendrecv_generic_if(svirt_t)
@@ -103511,7 +103721,7 @@ index f03dcf5..67904c0 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +350,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +365,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -103558,24 +103768,24 @@ index f03dcf5..67904c0 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +385,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +400,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+-
 -kernel_read_crypto_sysctls(virtd_t)
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
@@ -103589,7 +103799,7 @@ index f03dcf5..67904c0 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -527,24 +406,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +421,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -103617,7 +103827,7 @@ index f03dcf5..67904c0 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -555,22 +426,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,22 +441,27 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -103650,7 +103860,7 @@ index f03dcf5..67904c0 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -601,15 +477,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +492,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -103670,7 +103880,7 @@ index f03dcf5..67904c0 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -620,18 +499,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +514,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -103707,7 +103917,7 @@ index f03dcf5..67904c0 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +527,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +542,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -103716,7 +103926,7 @@ index f03dcf5..67904c0 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -665,20 +552,12 @@ optional_policy(`
+@@ -665,20 +567,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -103737,7 +103947,7 @@ index f03dcf5..67904c0 100644
  ')
  
  optional_policy(`
-@@ -691,20 +570,26 @@ optional_policy(`
+@@ -691,20 +585,26 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -103768,7 +103978,7 @@ index f03dcf5..67904c0 100644
  ')
  
  optional_policy(`
-@@ -712,11 +597,18 @@ optional_policy(`
+@@ -712,11 +612,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -103787,7 +103997,7 @@ index f03dcf5..67904c0 100644
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
  	policykit_read_lib(virtd_t)
-@@ -727,10 +619,18 @@ optional_policy(`
+@@ -727,10 +634,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -103806,7 +104016,7 @@ index f03dcf5..67904c0 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -746,44 +646,277 @@ optional_policy(`
+@@ -746,44 +661,277 @@ optional_policy(`
  	udev_read_pid_files(virtd_t)
  ')
  
@@ -103844,7 +104054,13 @@ index f03dcf5..67904c0 100644
 -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +kernel_read_net_sysctls(virt_domain)
 +kernel_read_network_state(virt_domain)
-+
+ 
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +userdom_search_user_home_content(virt_domain)
 +userdom_read_user_home_content_symlinks(virt_domain)
 +userdom_read_all_users_state(virt_domain)
@@ -103854,17 +104070,15 @@ index f03dcf5..67904c0 100644
 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
+ 
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +files_var_filetrans(virt_domain, virt_cache_t, { file dir })
  
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
 +
 +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -103896,18 +104110,14 @@ index f03dcf5..67904c0 100644
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
  
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-allow virsh_t svirt_lxc_domain:process transition;
 +dontaudit virt_domain virt_tmpfs_type:file { read write };
  
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+-can_exec(virsh_t, virsh_exec_t)
 +append_files_pattern(virt_domain, virt_log_t, virt_log_t)
- 
--allow virsh_t svirt_lxc_domain:process transition;
++
 +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
- 
--can_exec(virsh_t, virsh_exec_t)
++
 +corecmd_exec_bin(virt_domain)
 +corecmd_exec_shell(virt_domain)
 +
@@ -104046,7 +104256,7 @@ index f03dcf5..67904c0 100644
 +tunable_policy(`virt_use_rawip',`
 +	allow virt_domain self:rawip_socket create_socket_perms;
 +')
- 
++
 +optional_policy(`
 +	tunable_policy(`virt_use_xserver',`
 +		xserver_stream_connect(virt_domain)
@@ -104070,7 +104280,7 @@ index f03dcf5..67904c0 100644
 +allow virsh_t self:tcp_socket create_stream_socket_perms;
 +
 +ps_process_pattern(virsh_t, svirt_sandbox_domain)
-+
+ 
 +can_exec(virsh_t, virsh_exec_t)
  virt_domtrans(virsh_t)
  virt_manage_images(virsh_t)
@@ -104106,7 +104316,7 @@ index f03dcf5..67904c0 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +927,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +942,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -104133,7 +104343,7 @@ index f03dcf5..67904c0 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +947,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +962,25 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -104167,7 +104377,7 @@ index f03dcf5..67904c0 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +984,20 @@ optional_policy(`
+@@ -856,14 +999,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -104189,7 +104399,7 @@ index f03dcf5..67904c0 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -888,49 +1022,65 @@ optional_policy(`
+@@ -888,49 +1037,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -104273,7 +104483,7 @@ index f03dcf5..67904c0 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1092,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1107,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -104293,7 +104503,7 @@ index f03dcf5..67904c0 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1113,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1128,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -104317,7 +104527,7 @@ index f03dcf5..67904c0 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1138,308 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1153,316 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -104455,28 +104665,6 @@ index f03dcf5..67904c0 100644
 +userdom_use_inherited_user_terminals(svirt_sandbox_domain)
 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
 +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
-+	apache_exec_modules(svirt_sandbox_domain)
-+	apache_read_sys_content(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+	docker_manage_lib_files(svirt_lxc_net_t)
-+	docker_manage_lib_dirs(svirt_lxc_net_t)
-+	docker_read_share_files(svirt_sandbox_domain)
-+	docker_exec_lib(svirt_sandbox_domain)
-+	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+	docker_use_ptys(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+	gear_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
  
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -104561,17 +104749,39 @@ index f03dcf5..67904c0 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+	ssh_use_ptys(svirt_sandbox_domain)
++	apache_exec_modules(svirt_sandbox_domain)
++	apache_read_sys_content(svirt_sandbox_domain)
 +')
  
  optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
-+	udev_read_pid_files(svirt_sandbox_domain)
++	docker_manage_lib_files(svirt_lxc_net_t)
++	docker_manage_lib_dirs(svirt_lxc_net_t)
++	docker_read_share_files(svirt_sandbox_domain)
++	docker_exec_lib(svirt_sandbox_domain)
++	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++	docker_use_ptys(svirt_sandbox_domain)
  ')
  
  optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
++	gear_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++	ssh_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
++	udev_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
 +')
 +
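Review bot: docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) is missing the space after the first comma that every other call in this file uses. The docker optional_policy block also mixes two scopes: docker_manage_lib_files and docker_manage_lib_dirs are granted to svirt_lxc_net_t only, while the remaining four lines apply to all of svirt_sandbox_domain; a one-line comment saying that only the net domain gets write access to docker's lib files would stop the next reader from "fixing" it in either direction.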
@@ -104594,11 +104804,11 @@ index f03dcf5..67904c0 100644
 -# Lxc net local policy
 +# svirt_lxc_net_t local policy
  #
+-
+-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
 +virt_sandbox_domain_template(svirt_lxc_net)
++virt_default_capabilities(svirt_lxc_net_t)
 +typeattribute svirt_lxc_net_t sandbox_net_domain;
- 
--allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { kill setuid setgid ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace };
  dontaudit svirt_lxc_net_t self:capability2 block_suspend;
 -allow svirt_lxc_net_t self:process setrlimit;
 -allow svirt_lxc_net_t self:tcp_socket { accept listen };
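Review bot: swapping the explicit self:capability allow for virt_default_capabilities(svirt_lxc_net_t) changes the capability set, not just where it lives. Against the removed line, ipc_lock, dac_read_search, fsetid, sys_nice and sys_ptrace are dropped, and setpcap, net_bind_service, net_raw, mknod, audit_write and setfcap are added (the set is the allow on sandbox_caps_domain appended at the end of virt.te). The drops are the valuable part for confinement, but they will surface as new AVC denials for containers that relied on them, so list them in the changelog rather than only "match default docker capabilities", and call out sys_ptrace in particular since it was previously granted unconditionally.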
@@ -104613,6 +104823,10 @@ index f03dcf5..67904c0 100644
 -kernel_read_network_state(svirt_lxc_net_t)
 -kernel_read_irq_sysctls(svirt_lxc_net_t)
 +allow svirt_lxc_net_t self:process { execstack execmem };
++
++tunable_policy(`virt_sandbox_use_sys_admin',`
++	allow svirt_lxc_net_t self:capability sys_admin;
++')
  
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -104624,8 +104838,13 @@ index f03dcf5..67904c0 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+	allow svirt_lxc_net_t self:capability sys_admin;
++tunable_policy(`virt_sandbox_use_mknod',`
++	allow svirt_lxc_net_t self:capability mknod;
++')
++
++tunable_policy(`virt_sandbox_use_all_caps',`
++	allow svirt_lxc_net_t self:capability all_capability_perms;
++	allow svirt_lxc_net_t self:capability2 all_capability2_perms;
 +')
  
 -corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
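Review bot: the new virt_sandbox_use_mknod tunable is redundant for svirt_lxc_net_t as written, because mknod is already in the unconditional sandbox_caps_domain set granted through virt_default_capabilities(svirt_lxc_net_t) above; either remove mknod from the default set so the boolean actually controls it, or drop the boolean. For virt_sandbox_use_all_caps, all_capability_perms and all_capability2_perms are not defined in this patch, so confirm both macros exist in this tree's obj_perm_sets.spt before building, and keep the default at false since the boolean grants every capability to the container domain.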
@@ -104638,15 +104857,15 @@ index f03dcf5..67904c0 100644
 +', `
 +	logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
 +')
- 
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++
 +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
 +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
  
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
 +kernel_read_irq_sysctls(svirt_lxc_net_t)
 +kernel_read_messages(svirt_lxc_net_t)
-+
+ 
 +dev_read_sysfs(svirt_lxc_net_t)
  dev_getattr_mtrr_dev(svirt_lxc_net_t)
  dev_read_rand(svirt_lxc_net_t)
@@ -104717,7 +104936,8 @@ index f03dcf5..67904c0 100644
 +
 +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 +
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
@@ -104726,8 +104946,7 @@ index f03dcf5..67904c0 100644
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
 +dev_read_urand(svirt_qemu_net_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
++
 +files_read_kernel_modules(svirt_qemu_net_t)
 +
 +fs_noxattr_type(svirt_sandbox_file_t)
@@ -104763,7 +104982,7 @@ index f03dcf5..67904c0 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1452,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1475,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -104778,7 +104997,7 @@ index f03dcf5..67904c0 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,9 +1470,8 @@ optional_policy(`
+@@ -1192,9 +1493,8 @@ optional_policy(`
  
  ########################################
  #
@@ -104789,7 +105008,7 @@ index f03dcf5..67904c0 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1484,216 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1507,218 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -105008,6 +105227,8 @@ index f03dcf5..67904c0 100644
 +optional_policy(`
 +	systemd_dbus_chat_logind(sandbox_net_domain)
 +')
++
++allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
 diff --git a/vlock.te b/vlock.te
 index 6b72968..de409cc 100644
 --- a/vlock.te
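Review bot: the allow sandbox_caps_domain self:capability { ... } rule is appended after the virt_bridgehelper section with no heading, far from the sandbox_net_domain rules it belongs with and from the virt_sandbox_use_* tunables that extend it; move it under a "# sandbox_caps_domain local policy" comment next to the other attribute-level rules and say in the comment that the set is meant to track docker's default capability set, so the next person editing it knows what it tracks. Since every svirt_lxc_net_t container receives this set regardless of booleans, this is the line to review first when tightening container confinement.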
@@ -108106,10 +108327,10 @@ index 2695db2..123c042 100644
  userdom_search_user_home_dirs(yam_t)
  
 diff --git a/zabbix.fc b/zabbix.fc
-index c3b5a81..6ebb8d6 100644
+index c3b5a81..c384947 100644
 --- a/zabbix.fc
 +++ b/zabbix.fc
-@@ -4,12 +4,17 @@
+@@ -4,12 +4,22 @@
  /usr/bin/zabbix_server	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
  /usr/bin/zabbix_agentd	--	gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
  
@@ -108123,9 +108344,14 @@ index c3b5a81..6ebb8d6 100644
 +/usr/sbin/zabbix_proxy_mysql   --  gen_context(system_u:object_r:zabbix_exec_t,s0)
 +/usr/sbin/zabbix_proxy_pgsql   --  gen_context(system_u:object_r:zabbix_exec_t,s0)
 +/usr/sbin/zabbix_proxy_sqlite3 --  gen_context(system_u:object_r:zabbix_exec_t,s0)
++
++/usr/lib/zabbix/externalscripts(/.*)?    gen_context(system_u:object_r:zabbix_script_exec_t,s0)
++
++/var/lib/zabbixsrv(/.*)?	gen_context(system_u:object_r:zabbix_var_lib_t,s0)
++/var/lib/zabbix(/.*)?    gen_context(system_u:object_r:zabbix_var_lib_t,s0)
++/var/lib/zabbix/externalscripts(/.*)?    gen_context(system_u:object_r:zabbix_script_exec_t,s0)
  
 -/var/log/zabbix(/.*)?	gen_context(system_u:object_r:zabbix_log_t,s0)
-+/var/lib/zabbixsrv(/.*)?	gen_context(system_u:object_r:zabbix_var_lib_t,s0)
 +/var/log/zabbix.*	gen_context(system_u:object_r:zabbix_log_t,s0)
  
  /var/run/zabbix(/.*)?	gen_context(system_u:object_r:zabbix_var_run_t,s0)
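Review bot: spacing is inconsistent in the new zabbix.fc entries: /var/lib/zabbixsrv uses a tab before gen_context while the three lines below it use runs of spaces; match the tab-separated form of the existing entries. The two /var/lib entries also overlap: /var/lib/zabbix(/.*)? gets zabbix_var_lib_t and /var/lib/zabbix/externalscripts(/.*)? gets zabbix_script_exec_t, which works because the longer, more specific pattern wins, but it places an exec type inside the server's state tree. With the zabbix.te hunk giving zabbix_t only search and read on zabbix_script_exec_t directories that is acceptable, and it should stay read-only so the server cannot place new scripts that would then run in zabbix_script_t.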
@@ -108292,7 +108518,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..11bcf63 100644
+index 7f496c6..d594e47 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@@ -108331,7 +108557,7 @@ index 7f496c6..11bcf63 100644
  type zabbix_log_t;
  logging_log_file(zabbix_log_t)
  
-@@ -36,27 +41,54 @@ files_tmp_file(zabbix_tmp_t)
+@@ -36,27 +41,61 @@ files_tmp_file(zabbix_tmp_t)
  type zabbix_tmpfs_t;
  files_tmpfs_file(zabbix_tmpfs_t)
  
@@ -108341,8 +108567,15 @@ index 7f496c6..11bcf63 100644
  type zabbix_var_run_t;
  files_pid_file(zabbix_var_run_t)
  
- ########################################
- #
++type zabbix_script_t;
++type zabbix_script_exec_t;
++domain_type(zabbix_script_t)
++domain_entry_file(zabbix_script_t, zabbix_script_exec_t)
++application_executable_file(zabbix_script_exec_t)
++role system_r types zabbix_script_t;
++
++########################################
++#
 +# zabbix domain local policy
 +#
 +
@@ -108367,8 +108600,8 @@ index 7f496c6..11bcf63 100644
 +dev_read_sysfs(zabbix_domain)
 +dev_read_urand(zabbix_domain)
 +
-+########################################
-+#
+ ########################################
+ #
  # Local policy
  #
  
@@ -108398,7 +108631,7 @@ index 7f496c6..11bcf63 100644
  
  manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
  manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-@@ -70,13 +102,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -70,13 +109,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
  files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
  
  kernel_read_system_state(zabbix_t)
@@ -108412,7 +108645,7 @@ index 7f496c6..11bcf63 100644
  
  corenet_sendrecv_ftp_client_packets(zabbix_t)
  corenet_tcp_connect_ftp_port(zabbix_t)
-@@ -85,24 +113,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
+@@ -85,24 +120,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
  corenet_sendrecv_http_client_packets(zabbix_t)
  corenet_tcp_connect_http_port(zabbix_t)
  corenet_tcp_sendrecv_http_port(zabbix_t)
@@ -108440,7 +108673,7 @@ index 7f496c6..11bcf63 100644
  tunable_policy(`zabbix_can_network',`
  	corenet_sendrecv_all_client_packets(zabbix_t)
  	corenet_tcp_connect_all_ports(zabbix_t)
-@@ -110,12 +132,11 @@ tunable_policy(`zabbix_can_network',`
+@@ -110,12 +139,11 @@ tunable_policy(`zabbix_can_network',`
  ')
  
  optional_policy(`
@@ -108455,7 +108688,7 @@ index 7f496c6..11bcf63 100644
  ')
  
  optional_policy(`
-@@ -125,6 +146,7 @@ optional_policy(`
+@@ -125,6 +153,7 @@ optional_policy(`
  
  optional_policy(`
  	snmp_read_snmp_var_lib_files(zabbix_t)
@@ -108463,7 +108696,7 @@ index 7f496c6..11bcf63 100644
  ')
  
  ########################################
-@@ -132,18 +154,7 @@ optional_policy(`
+@@ -132,18 +161,7 @@ optional_policy(`
  # Agent local policy
  #
  
@@ -108483,7 +108716,7 @@ index 7f496c6..11bcf63 100644
  
  rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
  fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -151,16 +162,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -151,16 +169,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
  manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
  files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
  
@@ -108503,7 +108736,7 @@ index 7f496c6..11bcf63 100644
  
  corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
  corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,21 +185,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +192,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
  dev_getattr_all_blk_files(zabbix_agent_t)
  dev_getattr_all_chr_files(zabbix_agent_t)
  
@@ -108536,6 +108769,27 @@ index 7f496c6..11bcf63 100644
 +optional_policy(`
 +	hostname_exec(zabbix_agent_t)
 +')
++
++########################################
++#
++# zabbix_script_t local policy
++#
++
++domtrans_pattern(zabbix_t, zabbix_script_exec_t, zabbix_script_t)
++
++allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;
++allow zabbix_t zabbix_script_exec_t:dir read_file_perms;
++allow zabbix_t zabbix_script_exec_t:file ioctl;
++
++init_domtrans_script(zabbix_script_t)
++
++optional_policy(`
++    mta_send_mail(zabbix_script_t)
++')
++
++optional_policy(`
++    unconfined_domain(zabbix_script_t)
++')
 diff --git a/zarafa.fc b/zarafa.fc
 index faf99ed..44e94fa 100644
 --- a/zarafa.fc
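Review bot: the `optional_policy(` ... `unconfined_domain(zabbix_script_t)` ... `')` block at the end of this hunk makes the new domain unconfined whenever the unconfined module is loaded, so the hunk also hands the confined zabbix_t daemon a domain transition (via `domtrans_pattern(zabbix_t, zabbix_script_exec_t, zabbix_script_t)`) into an unconfined domain for any executable labelled zabbix_script_exec_t; consider gating that call behind a tunable_policy boolean rather than relying on the administrator to run `semodule -d unconfined`, and at minimum state the escalation path in the block's comment header. Smaller points: `allow zabbix_t zabbix_script_exec_t:dir read_file_perms;` applies a file permission set to the dir class, where the conventional macro is `list_dir_perms` (which already includes search, making the preceding `search_dir_perms` rule redundant); the `file ioctl` allow duplicates what domtrans_pattern already grants through can_exec; and the two new optional_policy bodies are indented with four spaces where the rest of the file uses tabs.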
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9c6e386..f91be52 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 67%{?dist}
+Release: 68%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -600,7 +600,50 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
-* Thu Jul 24 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-67
+* Thu Jul 31 2014 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-68
+- Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There is a lot of plugins which binds ports without SELinux port type. We want to allow users to use these plugins properly using this boolean. (#1109681)
+- Allow smokeping cgi scripts to accept connection on httpd stream socket.
+- docker does a getattr on all file systems
+- Label all abort-dump programs
+- Allow alsa to create lock file to see if it fixes.
+- Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running without unconfined domains. The default location of these scripts is /usr/lib/zabbix/externalscripts. If a user change DATADIR in CONFIG_EXTERNALSCRIPTS then he needs to set labeling for this new location.
+- Add interface for journalctl_exec
+- Add labels also for glusterd sockets.
+- Change virt.te to match default docker capabilies
+- Add additional booleans for turning on mknod or all caps.
+- Also add interface to allow users to write policy that matches docker defaults
+- for capabilies.
+- Label dhcpd6 unit file.
+- Add support also for dhcp IPv6 services.
+- Added support for dhcrelay service
+- Additional access for bluejeans
+- docker needs more access, need back port to RHEL7
+- Allow mdadm to connect to own socket created by mdadm running as kernel_t.
+- Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
+- Allow bacula manage bacula_log_t dirs
+- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t 
+- Fix mistakes keystone and quantum
+- Label neutron var run dir 
+- Label keystone var run dir
+- Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
+- Dontaudit attempts to access check cert dirs/files for sssd.
+- Allow sensord to send a signal.
+- Allow certmonger to stream connect to dirsrv to make  ipa-server-install working.
+- Label zabbix_var_lib_t directories
+- Label conmans pid file as conman_var_run_t
+- Label also /var/run/glusterd.socket file as gluster_var_run_t
+- Fix policy for pkcsslotd from opencryptoki
+- Update cockpik policy from cockpit usptream.
+- Allow certmonger to exec ldconfig to make  ipa-server-install  working. 
+- Added support for Naemon policy 
+- Allow keepalived manage snmp files
+- Add setpgid process to mip6d
+- remove duplicate rule
+- Allow postfix_smtpd to stream connect to antivirus 
+- Dontaudit list /tmp for icecast 
+- Allow zabbix domains to access /proc//net/dev.
+
+* Wed Jul 23 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-67
 - Allow zabbix domains to access /proc//net/dev.
 - Dontaudit list /tmp for icecast (#894387)
 - Allow postfix_smtpd to stream connect to antivirus (#1105889)
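Review bot: this hunk rewrites the header of the already-released 3.13.1-67 entry, changing its date from `Thu Jul 24 2014` to `Wed Jul 23 2014`; an existing changelog entry's date should not move in a later commit unless it was wrong, so either drop that change or say why. The new 3.13.1-68 entry also repeats the last three bullets of the -67 entry verbatim (`Allow zabbix domains to access /proc//net/dev.`, `Dontaudit list /tmp for icecast`, `Allow postfix_smtpd to stream connect to antivirus`), and the bullet `- for capabilies.` is the tail of the preceding `docker defaults` bullet split into its own item. Typos in the added lines: `capabilies` (twice), `cockpik`, `usptream`, and the double slash in `/proc//net/dev`; several lines also carry trailing whitespace.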

