[selinux-policy] * Fri Nov 27 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-97 - Allow reading of symlinks in /etc/pu

Lukas Vrabec lvrabec at fedoraproject.org
Fri Nov 28 14:28:34 UTC 2014


commit e4d7a4020d71a7ac1c719e39c12436aa4da6a6fd
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Fri Nov 28 15:28:22 2014 +0100

    * Fri Nov 27 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-97
    - Allow reading of symlinks in /etc/puppet
    - Added TAGS to gitignore
    - I guess there can be content under /var/lib/lockdown #1167502
    - Allow rhev-agentd to read /dev/.udev/db so that deploying hosted engine via iSCSI works.
    - Allow keystone to send a generic signal to own process.
    - Allow radius to bind tcp/1812 radius port.
    - Dontaudit list user_tmp files for system_mail_t
    - label virt-who as virtd_exec_t
    - Allow rhsmcertd to send a null signal to virt-who running as virtd_t
    - Add virt_signull() interface
    - Add missing alias for _content_rw_t
    - Allow .snapshots to be created in other directories, on all mountpoints
    - Allow spamd to access razor-agent.log
    - Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
    - Allow .snapshots to be created in other directories, on all mountpoints
    - Label tcp port 5280 as ejabberd port. BZ(1059930)
    - Make /usr/bin/vncserver running as unconfined_service_t
    - Label /etc/docker/certs.d as cert_t
    - Allow all systemd domains to search file systems

 policy-rawhide-base.patch    |  120 +++++++----
 policy-rawhide-contrib.patch |  520 ++++++++++++++++++++++++------------------
 selinux-policy.spec          |   23 ++-
 3 files changed, 400 insertions(+), 263 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 38ad120..c0a639e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5481,7 +5481,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..2f2f2b9 100644
+index b191055..87df0ad 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5659,12 +5659,13 @@ index b191055..2f2f2b9 100644
  network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
- network_port(jabber_interserver, tcp,5269,s0)
+-network_port(jabber_interserver, tcp,5269,s0)
 -network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
 -network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 -network_port(kismet, tcp,2501,s0)
++network_port(jabber_interserver, tcp,5269,s0, tcp,5280,s0)
 +network_port(jabber_router, tcp,5347,s0)
 +network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
 +network_port(jboss_debug, tcp,8787,s0, udp,8787,s0)
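Review bot: The added `tcp,5280,s0` on `network_port(jabber_interserver, ...)` files the port under the server-to-server type, but the changelog calls it the ejabberd port, and in a default ejabberd setup 5280 is, as far as I know, the HTTP listener (web admin / BOSH) rather than s2s traffic. Every domain allowed to bind or connect to the jabber_interserver port type now gets 5280 as well, so please confirm that is intended or declare a separate port type for it. At minimum a comment above the line would help, e.g. `# 5280: ejabberd HTTP listener, BZ(1059930)`.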
@@ -8755,7 +8756,7 @@ index 0b1a871..f260e6f 100644
 +allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
 +allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..1b9b0b5 100644
+index 6a1e4d1..7ac2831 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -8830,7 +8831,33 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Send a stop signal to all domains.
  ## </summary>
  ## <param name="domain">
-@@ -631,7 +626,7 @@ interface(`domain_read_all_domains_state',`
+@@ -571,6 +566,25 @@ interface(`domain_kill_all_domains',`
+ 
+ ########################################
+ ## <summary>
++##	Destroy all domains semaphores
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`domain_destroy_all_semaphores',`
++	gen_require(`
++		attribute domain;
++	')
++
++	allow $1 domain:sem destroy;
++')
++
++########################################
++## <summary>
+ ##	Search the process state directory (/proc/pid) of all domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -631,7 +645,7 @@ interface(`domain_read_all_domains_state',`
  
  ########################################
  ## <summary>
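Review bot: `domain_destroy_all_semaphores` grants `destroy` on the `sem` class of every type carrying the `domain` attribute, yet its summary (`Destroy all domains semaphores`) says neither why a caller would need that nor how broad it is. I would reword it to `##	Destroy the System V semaphores of all domains.` and add a `<desc>` block stating the intended use; the only caller visible on this page is `systemd_logind_t` in systemd.te. If the denial comes from logind's IPC cleanup at logout, shared memory and message queues would presumably hit the same check, so confirm whether `shm` and `msgq` need the same treatment or are deliberately left out.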
@@ -8839,7 +8866,7 @@ index 6a1e4d1..1b9b0b5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -655,7 +650,7 @@ interface(`domain_getattr_all_domains',`
+@@ -655,7 +669,7 @@ interface(`domain_getattr_all_domains',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -8848,7 +8875,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	</summary>
  ## </param>
  #
-@@ -1356,6 +1351,24 @@ interface(`domain_manage_all_entry_files',`
+@@ -1356,6 +1370,24 @@ interface(`domain_manage_all_entry_files',`
  
  ########################################
  ## <summary>
@@ -8873,7 +8900,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Relabel to and from all entry point
  ##	file types.
  ## </summary>
-@@ -1421,7 +1434,7 @@ interface(`domain_entry_file_spec_domtrans',`
+@@ -1421,7 +1453,7 @@ interface(`domain_entry_file_spec_domtrans',`
  ## <summary>
  ##	Ability to mmap a low area of the address
  ##	space conditionally, as configured by
@@ -8882,7 +8909,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Preventing such mappings helps protect against
  ##	exploiting null deref bugs in the kernel.
  ## </summary>
-@@ -1448,7 +1461,7 @@ interface(`domain_mmap_low',`
+@@ -1448,7 +1480,7 @@ interface(`domain_mmap_low',`
  ## <summary>
  ##	Ability to mmap a low area of the address
  ##	space unconditionally, as configured
@@ -8891,7 +8918,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Preventing such mappings helps protect against
  ##	exploiting null deref bugs in the kernel.
  ## </summary>
-@@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',`
+@@ -1508,6 +1540,24 @@ interface(`domain_unconfined_signal',`
  
  ########################################
  ## <summary>
@@ -8916,7 +8943,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Unconfined access to domains.
  ## </summary>
  ## <param name="domain">
-@@ -1530,4 +1561,63 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1580,63 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
@@ -8981,7 +9008,7 @@ index 6a1e4d1..1b9b0b5 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..c2776d0 100644
+index cf04cb5..a0d747a 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9130,7 +9157,7 @@ index cf04cb5..c2776d0 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,352 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,356 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -9159,6 +9186,10 @@ index cf04cb5..c2776d0 100644
 +')
 +
 +optional_policy(`
++	snapper_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
 +	seutil_filetrans_named_content(named_filetrans_domain)
 +')
 +
@@ -20428,7 +20459,7 @@ index 0000000..63bc797
 +logging_stream_connect_syslog(sysadm_t)
 diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
 new file mode 100644
-index 0000000..0e8654b
+index 0000000..b680867
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.fc
 @@ -0,0 +1,8 @@
@@ -20436,7 +20467,7 @@ index 0000000..0e8654b
 +# e.g.:
 +# /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-+/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
++#/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 +
 +/usr/sbin/xrdp   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
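Review bot: The `/usr/bin/vncserver` entry is commented out rather than removed, and it now sits directly under the old remark about needing initrc to transition to unconfined_t, which reads as if it still applied to vncserver. Either delete the line or say why it is disabled, e.g. `# vncserver is no longer labeled unconfined_exec_t; per the changelog it should run as unconfined_service_t`. The xrdp entries below keep `unconfined_exec_t`, so it is worth stating whether they are expected to follow.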
@@ -27255,7 +27286,7 @@ index 2479587..890e1e2 100644
  /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
  /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..f645c21 100644
+index 3efd5b6..9e85ea0 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -27317,7 +27348,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -95,69 +117,68 @@ interface(`auth_use_pam',`
+@@ -95,69 +117,67 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
@@ -27375,7 +27406,6 @@ index 3efd5b6..f645c21 100644
  	mls_file_downgrade($1)
  	mls_process_set_level($1)
 +    mls_process_write_to_clearance($1)
-+    mls_process_write_all_levels($1)
  	mls_fd_share_all_levels($1)
  
  	auth_use_pam($1)
@@ -27427,7 +27457,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -231,6 +252,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',`
  
  ########################################
  ## <summary>
@@ -27453,7 +27483,7 @@ index 3efd5b6..f645c21 100644
  ##	Execute a login_program in the target domain,
  ##	with a range transition.
  ## </summary>
-@@ -322,6 +362,24 @@ interface(`auth_rw_cache',`
+@@ -322,6 +361,24 @@ interface(`auth_rw_cache',`
  
  ########################################
  ## <summary>
@@ -27478,7 +27508,7 @@ index 3efd5b6..f645c21 100644
  ##	Manage authentication cache
  ## </summary>
  ## <param name="domain">
-@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',`
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -27487,7 +27517,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',`
+@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',`
  
  ########################################
  ## <summary>
@@ -27512,7 +27542,7 @@ index 3efd5b6..f645c21 100644
  ##	Execute chkpwd programs in the chkpwd domain.
  ## </summary>
  ## <param name="domain">
-@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -27538,7 +27568,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -27546,7 +27576,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -664,6 +760,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -27557,7 +27587,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  #######################################
-@@ -763,7 +863,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -27609,7 +27639,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  #######################################
-@@ -824,9 +967,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',`
  	allow $1 lastlog_t:file { rw_file_perms lock setattr };
  ')
  
@@ -27640,7 +27670,7 @@ index 3efd5b6..f645c21 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -834,12 +997,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',`
  ##	</summary>
  ## </param>
  #
@@ -27671,7 +27701,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -854,15 +1032,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',`
  #
  interface(`auth_signal_pam',`
  	gen_require(`
@@ -27690,7 +27720,7 @@ index 3efd5b6..f645c21 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -875,13 +1053,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',`
  ##	</summary>
  ## </param>
  #
@@ -27728,7 +27758,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -959,9 +1157,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -27762,7 +27792,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1040,6 +1259,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -27773,7 +27803,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1176,6 +1399,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -27781,7 +27811,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  #######################################
-@@ -1576,6 +1800,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -27807,7 +27837,7 @@ index 3efd5b6..f645c21 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1726,24 +1969,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -27833,7 +27863,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1767,11 +1993,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -27850,7 +27880,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1805,3 +2033,280 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -35546,15 +35576,16 @@ index 79048c4..ce6f0ce 100644
  	udev_read_pid_files(lvm_t)
  ')
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..83acb32 100644
+index 9fe8e01..3d71062 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
-@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
+@@ -9,11 +9,14 @@ ifdef(`distro_gentoo',`
  # /etc
  #
  /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 -/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 -/etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
++/etc/docker/certs\.d(/.*)?          gen_context(system_u:object_r:cert_t,s0)
 +/etc/httpd/alias(/.*)?	        gen_context(system_u:object_r:cert_t,s0)
 +/etc/localtime			gen_context(system_u:object_r:locale_t,s0)
 +/etc/locale.conf	--	gen_context(system_u:object_r:locale_t,s0)
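Review bot: The new `/etc/docker/certs\.d(/.*)?` entry labels the whole tree `cert_t`, and that directory can hold client private keys (`client.key`) next to the CA and client certificates. `cert_t` is the generic certificate type that many domains may read through `miscfiles_read_generic_certs` (puppetca_t, puppetmaster_t and radiusd_t call it elsewhere in this patch), so a key placed there becomes readable by all of them as far as SELinux is concerned. Please confirm that exposure is acceptable, or restrict the `cert_t` pattern to the certificate files and give key files a type that only the container daemon can read.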
@@ -35565,7 +35596,7 @@ index 9fe8e01..83acb32 100644
  
  ifdef(`distro_redhat',`
  /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
-@@ -37,24 +39,20 @@ ifdef(`distro_redhat',`
+@@ -37,24 +40,20 @@ ifdef(`distro_redhat',`
  
  /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
  
@@ -35595,7 +35626,7 @@ index 9fe8e01..83acb32 100644
  
  /usr/X11R6/lib/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
  
-@@ -77,7 +75,7 @@ ifdef(`distro_redhat',`
+@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
  
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
@@ -35604,7 +35635,7 @@ index 9fe8e01..83acb32 100644
  
  /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
  
-@@ -90,6 +88,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
  ')
  
  ifdef(`distro_redhat',`
@@ -41338,10 +41369,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a75ffd3
+index 0000000..769e942
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,700 @@
+@@ -0,0 +1,703 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41482,6 +41513,7 @@ index 0000000..a75ffd3
 +domain_signal_all_domains(systemd_logind_t)
 +domain_signull_all_domains(systemd_logind_t)
 +domain_kill_all_domains(systemd_logind_t)
++domain_destroy_all_semaphores(systemd_logind_t)
 +
 +# /etc/udev/udev.conf should probably have a private type if only for confined administration
 +# /etc/nsswitch.conf
@@ -42016,6 +42048,8 @@ index 0000000..a75ffd3
 +
 +dev_read_urand(systemd_domain)
 +
++fs_search_all(systemd_domain)
++
 +files_read_etc_files(systemd_domain)
 +files_read_etc_runtime_files(systemd_domain)
 +files_read_usr_files(systemd_domain)
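Review bot: `fs_search_all(systemd_domain)` is applied to the `systemd_domain` attribute, so per the changelog every systemd helper domain gains search access across file systems, and nothing in the hunk records which domain or denial required it. If only one or two domains hit the AVC, granting the call to those types would keep the rest narrower. If the attribute-wide grant is intended, a short comment naming the triggering denial or bug would help the next reader. The surrounding block starts outside the hunk, so there may be context I cannot see.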
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index a40dcab..d8016be 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,3 +1,10 @@
+diff --git a/.gitignore b/.gitignore
+new file mode 100644
+index 0000000..bea5755
+--- /dev/null
++++ b/.gitignore
+@@ -0,0 +1 @@
++TAGS
 diff --git a/abrt.fc b/abrt.fc
 index 1a93dc5..f2b26f5 100644
 --- a/abrt.fc
@@ -3635,7 +3642,7 @@ index 7caefc3..3009a35 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb485..f6d065e 100644
+index f6eb485..dffbc52 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -1,9 +1,9 @@
@@ -3755,7 +3762,7 @@ index f6eb485..f6d065e 100644
 +
 +	type $1_rw_content_t; # customizable
 +	typeattribute $1_rw_content_t httpd_content_type;
-+	typealias $1_rw_content_t alias { $1_script_rw_t };
++	typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
 +	files_type($1_rw_content_t)
 +
 +	type $1_ra_content_t, httpd_content_type; # customizable
@@ -40175,7 +40182,7 @@ index e88fb16..f20248c 100644
 +	')
  ')
 diff --git a/keystone.te b/keystone.te
-index 9929647..3144a89 100644
+index 9929647..c573d0e 100644
 --- a/keystone.te
 +++ b/keystone.te
 @@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
@@ -40195,7 +40202,7 @@ index 9929647..3144a89 100644
  #
  # Local policy
  #
-+allow keystone_t self:process { getsched setsched };
++allow keystone_t self:process { getsched setsched signal };
  
  allow keystone_t self:fifo_file rw_fifo_file_perms;
  allow keystone_t self:unix_stream_socket { accept listen };
@@ -50907,7 +50914,7 @@ index ed81cac..837a43a 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index ff1d68c..bc8340d 100644
+index ff1d68c..a2854c1 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -51045,11 +51052,10 @@ index ff1d68c..bc8340d 100644
 +dev_read_rand(system_mail_t)
 +dev_read_urand(system_mail_t)
  
--fs_rw_anon_inodefs_files(system_mail_t)
+ fs_rw_anon_inodefs_files(system_mail_t)
  
 -selinux_getattr_fs(system_mail_t)
-+fs_rw_anon_inodefs_files(system_mail_t)
- 
+-
  term_dontaudit_use_unallocated_ttys(system_mail_t)
  
  init_use_script_ptys(system_mail_t)
@@ -51059,6 +51065,7 @@ index ff1d68c..bc8340d 100644
 +userdom_use_inherited_user_terminals(system_mail_t)
 +userdom_dontaudit_list_user_home_dirs(system_mail_t)
 +userdom_dontaudit_list_admin_dir(system_mail_t)
++userdom_dontaudit_list_user_tmp(system_mail_t)
 +
 +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
 +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
@@ -73987,7 +73994,7 @@ index 7cb8b1f..9422c90 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
  ')
 diff --git a/puppet.te b/puppet.te
-index 618dcfe..0903e67 100644
+index 618dcfe..4dd18a3 100644
 --- a/puppet.te
 +++ b/puppet.te
 @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@@ -74049,7 +74056,7 @@ index 618dcfe..0903e67 100644
  
  type puppetmaster_t;
  type puppetmaster_exec_t;
-@@ -56,161 +62,156 @@ files_tmp_file(puppetmaster_tmp_t)
+@@ -56,161 +62,158 @@ files_tmp_file(puppetmaster_tmp_t)
  
  ########################################
  #
@@ -74161,6 +74168,7 @@ index 618dcfe..0903e67 100644
 +allow puppetagent_t self:udp_socket create_socket_perms;
 +
 +read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
++read_lnk_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
 +
 +manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
 +manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
@@ -74319,10 +74327,11 @@ index 618dcfe..0903e67 100644
 -allow puppetca_t puppet_etc_t:file read_file_perms;
 -allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms;
 +read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
++read_lnk_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
  
  allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
  manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +222,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +224,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
  allow puppetca_t puppet_var_run_t:dir search_dir_perms;
  
  kernel_read_system_state(puppetca_t)
@@ -74330,7 +74339,7 @@ index 618dcfe..0903e67 100644
  kernel_read_kernel_sysctls(puppetca_t)
  
  corecmd_exec_bin(puppetca_t)
-@@ -229,15 +231,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +233,12 @@ corecmd_exec_shell(puppetca_t)
  dev_read_urand(puppetca_t)
  dev_search_sysfs(puppetca_t)
  
@@ -74346,7 +74355,7 @@ index 618dcfe..0903e67 100644
  miscfiles_read_generic_certs(puppetca_t)
  
  seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +245,47 @@ optional_policy(`
+@@ -246,38 +247,48 @@ optional_policy(`
  	hostname_exec(puppetca_t)
  ')
  
@@ -74376,6 +74385,7 @@ index 618dcfe..0903e67 100644
 -allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
 +list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 +read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
++read_lnk_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
  
 -allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
 -append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
@@ -74410,7 +74420,7 @@ index 618dcfe..0903e67 100644
  
  kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
  kernel_read_network_state(puppetmaster_t)
-@@ -289,23 +297,24 @@ corecmd_exec_bin(puppetmaster_t)
+@@ -289,23 +300,24 @@ corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
  
  corenet_all_recvfrom_netlabel(puppetmaster_t)
@@ -74441,7 +74451,7 @@ index 618dcfe..0903e67 100644
  
  selinux_validate_context(puppetmaster_t)
  
-@@ -314,26 +323,31 @@ auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +326,31 @@ auth_use_nsswitch(puppetmaster_t)
  logging_send_syslog_msg(puppetmaster_t)
  
  miscfiles_read_generic_certs(puppetmaster_t)
@@ -74478,7 +74488,7 @@ index 618dcfe..0903e67 100644
  ')
  
  optional_policy(`
-@@ -342,3 +356,9 @@ optional_policy(`
+@@ -342,3 +359,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -78035,7 +78045,7 @@ index 4460582..60cf556 100644
 +
  ')
 diff --git a/radius.te b/radius.te
-index 403a4fe..f6923e3 100644
+index 403a4fe..870d7b3 100644
 --- a/radius.te
 +++ b/radius.te
 @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -78072,7 +78082,7 @@ index 403a4fe..f6923e3 100644
  corenet_all_recvfrom_netlabel(radiusd_t)
  corenet_tcp_sendrecv_generic_if(radiusd_t)
  corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -74,6 +75,9 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
+@@ -74,10 +75,14 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
  corenet_udp_sendrecv_all_ports(radiusd_t)
  corenet_udp_bind_generic_node(radiusd_t)
  
@@ -78082,7 +78092,12 @@ index 403a4fe..f6923e3 100644
  corenet_sendrecv_radacct_server_packets(radiusd_t)
  corenet_udp_bind_radacct_port(radiusd_t)
  
-@@ -97,7 +101,6 @@ domain_use_interactive_fds(radiusd_t)
+ corenet_sendrecv_radius_server_packets(radiusd_t)
++corenet_tcp_bind_radius_port(radiusd_t)
+ corenet_udp_bind_radius_port(radiusd_t)
+ 
+ corenet_sendrecv_snmp_client_packets(radiusd_t)
+@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t)
  fs_getattr_all_fs(radiusd_t)
  fs_search_auto_mountpoints(radiusd_t)
  
@@ -78090,7 +78105,7 @@ index 403a4fe..f6923e3 100644
  files_read_etc_runtime_files(radiusd_t)
  files_dontaudit_list_tmp(radiusd_t)
  
-@@ -109,7 +112,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t)
  
  logging_send_syslog_msg(radiusd_t)
  
@@ -78098,7 +78113,7 @@ index 403a4fe..f6923e3 100644
  miscfiles_read_generic_certs(radiusd_t)
  
  sysnet_use_ldap(radiusd_t)
-@@ -122,6 +124,11 @@ optional_policy(`
+@@ -122,6 +125,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78110,7 +78125,7 @@ index 403a4fe..f6923e3 100644
  	logrotate_exec(radiusd_t)
  ')
  
-@@ -140,5 +147,10 @@ optional_policy(`
+@@ -140,5 +148,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82440,10 +82455,10 @@ index 0000000..bf11e25
 +')
 diff --git a/rhev.te b/rhev.te
 new file mode 100644
-index 0000000..eeee78a
+index 0000000..8b7aa12
 --- /dev/null
 +++ b/rhev.te
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,128 @@
 +policy_module(rhev,1.0)
 +
 +########################################
@@ -82539,6 +82554,10 @@ index 0000000..eeee78a
 +')
 +
 +optional_policy(`
++    udev_read_db(rhev_agentd_t)
++')
++
++optional_policy(`
 +   xserver_stream_connect(rhev_agentd_t)
 +')
 +
@@ -83171,7 +83190,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..a76de40 100644
+index d32e1a2..581e801 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -83210,7 +83229,7 @@ index d32e1a2..a76de40 100644
  manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  
-@@ -50,25 +56,65 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,69 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
  files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  
  kernel_read_network_state(rhsmcertd_t)
@@ -83280,6 +83299,10 @@ index d32e1a2..a76de40 100644
 +optional_policy(`
 +	rpm_manage_db(rhsmcertd_t)
 +    rpm_signull(rhsmcertd_t)
++')
++
++optional_policy(`
++    virt_signull(rhsmcertd_t)
  ')
 diff --git a/ricci.if b/ricci.if
 index 2ab3ed1..23d579c 100644
@@ -91477,7 +91500,7 @@ index 98c9e0a..562666e 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..1edabdf 100644
+index 299756b..135baca 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -91583,7 +91606,7 @@ index 299756b..1edabdf 100644
  ')
  
  optional_policy(`
-@@ -117,6 +133,43 @@ optional_policy(`
+@@ -117,6 +133,54 @@ optional_policy(`
  # Reposd local policy
  #
  
@@ -91609,12 +91632,15 @@ index 299756b..1edabdf 100644
 +fs_tmpfs_filetrans(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, { dir file })
 +
 +auth_use_nsswitch(sblim_sfcbd_t)
++auth_domtrans_chkpwd(sblim_sfcbd_t)
 +
 +corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)
 +corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
 +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
 +corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
 +
++corenet_tcp_connect_http_port(sblim_sfcbd_t)
++
 +corecmd_exec_shell(sblim_sfcbd_t)
 +corecmd_exec_bin(sblim_sfcbd_t)
 +
@@ -91624,10 +91650,18 @@ index 299756b..1edabdf 100644
 +domain_read_all_domains_state(sblim_sfcbd_t)
 +domain_use_interactive_fds(sblim_sfcbd_t)
 +
++logging_send_audit_msgs(sblim_sfcbd_t)
++
 +optional_policy(`
 +    rpm_exec(sblim_sfcbd_t)
 +    rpm_dontaudit_manage_db(sblim_sfcbd_t)
 +')
++
++optional_policy(`
++    virt_manage_config(sblim_sfcbd_t)
++    virt_stream_connect(sblim_sfcbd_t)
++    virt_search_images(sblim_sfcbd_t)
++')
 diff --git a/screen.fc b/screen.fc
 index e7c2cf7..435aaa6 100644
 --- a/screen.fc
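Review bot: `virt_manage_config(sblim_sfcbd_t)` together with `virt_stream_connect(sblim_sfcbd_t)` gives the CIM broker manage access to libvirt's configuration and a connection to the libvirt socket, while the same domain binds the pegasus HTTP/HTTPS ports a few lines up, so a compromise of sfcbd would reach the virtualization host's configuration. The changelog ties this to a libvirt-cim TestOnly bug; please confirm that `manage` is really required rather than read access. Consider putting the three virt calls behind a boolean, or at least add a comment naming the bug, e.g. `# libvirt-cim provider, BZ(1152104)`. `auth_domtrans_chkpwd` and `corenet_tcp_connect_http_port`, added in the previous hunk, deserve the same one-line justification.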
@@ -94582,10 +94616,10 @@ index cbfe369..6594af3 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..e43fdd8
+index 0000000..4f4bdb3
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,14 @@
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
 +
 +/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
@@ -94593,13 +94627,19 @@ index 0000000..e43fdd8
 +
 +/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
 +
-+/mnt/(.*/)?.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/mnt/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/usr/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/var/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/etc/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/home/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/home/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
 diff --git a/snapper.if b/snapper.if
 new file mode 100644
-index 0000000..94105ee
+index 0000000..5a3cb30
 --- /dev/null
 +++ b/snapper.if
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,62 @@
 +
 +## <summary>policy for snapperd</summary>
 +
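Review bot: `/home/(.*/)?\.snapshots(/.*)?` matches a `.snapshots` directory at any depth under /home, including one an ordinary user creates inside their own home directory, so a relabel would give user-controlled content the `snapperd_data_t` type that snapperd manages. If only the top of the /home mount point is meant, `/home/\.snapshots(/.*)?` on the line above already covers it and the wildcard form can go; the same question applies to the existing `/mnt/(.*/)?` pattern. The changelog says "all mountpoints" while the file contexts list only /, /usr, /var, /etc, /home and /mnt, so a restorecon on any other mount point would presumably reset the label set by the named file transition.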
@@ -94642,12 +94682,32 @@ index 0000000..94105ee
 +	allow $1 snapperd_t:dbus send_msg;
 +	allow snapperd_t $1:dbus send_msg;
 +')
++
++#######################################
++## <summary>
++##      Allow domain to create .smapshot
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`snapper_filetrans_named_content',`
++
++    gen_require(`
++        type snapperd_data_t;
++    ')
++    
++    files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots")
++')
++
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..1da64f9
+index 0000000..90903a9
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,75 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
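Review bot: The summary of `snapper_filetrans_named_content` has a typo (`.smapshot`) and does not say which label the directory receives or where it applies. I would write `##      Create .snapshots directories on mount points with the snapperd_data_t type.` The blank line between `interface(` and `gen_require(` and the whitespace-only line before `files_mountpoint_filetrans` differ from the interface shown just above in the same file and can be dropped.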
@@ -94686,6 +94746,7 @@ index 0000000..1da64f9
 +manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
 +manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
 +manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++snapper_filetrans_named_content(snapperd_t)
 +
 +domain_read_all_domains_state(snapperd_t)
 +
@@ -95868,7 +95929,7 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..025b7d5 100644
+index cc58e35..b1878b4 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@@ -96322,7 +96383,7 @@ index cc58e35..025b7d5 100644
  	sendmail_stub(spamc_t)
  ')
  
-@@ -267,36 +375,38 @@ optional_policy(`
+@@ -267,36 +375,40 @@ optional_policy(`
  
  ########################################
  #
@@ -96367,6 +96428,8 @@ index cc58e35..025b7d5 100644
 -manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
 +# needed by razor
++list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
++read_lnk_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 +rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
  
 +can_exec(spamd_t, spamd_compiled_t)
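Review bot: The two added rules sit under the existing `# needed by razor` comment, which does not say which path needs directory listing and symlink reads on `spamd_etc_t`. The changelog ties this change to razor-agent.log, so, if that is where the log lives, I would extend the comment to something like `# razor-agent.log is kept with the razor config: list the directory, follow symlinks, write the log`. The `rw_files_pattern` line already lets spamd_t write every file labelled `spamd_etc_t`, so it is worth checking whether the log could carry a log type instead, keeping configuration read-only to the daemon. The file-context entries are not visible here, and the surrounding spamd policy block starts and ends outside the hunk.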
@@ -96378,7 +96441,7 @@ index cc58e35..025b7d5 100644
  logging_log_filetrans(spamd_t, spamd_log_t, file)
  
  manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +418,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +420,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
@@ -96388,7 +96451,7 @@ index cc58e35..025b7d5 100644
  manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  
-@@ -317,12 +428,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +430,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
  
@@ -96404,7 +96467,7 @@ index cc58e35..025b7d5 100644
  corenet_all_recvfrom_netlabel(spamd_t)
  corenet_tcp_sendrecv_generic_if(spamd_t)
  corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +443,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +445,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
  corenet_tcp_sendrecv_all_ports(spamd_t)
  corenet_udp_sendrecv_all_ports(spamd_t)
  corenet_tcp_bind_generic_node(spamd_t)
@@ -96508,7 +96571,7 @@ index cc58e35..025b7d5 100644
  ')
  
  optional_policy(`
-@@ -421,21 +514,13 @@ optional_policy(`
+@@ -421,21 +516,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96532,7 +96595,7 @@ index cc58e35..025b7d5 100644
  ')
  
  optional_policy(`
-@@ -443,8 +528,8 @@ optional_policy(`
+@@ -443,8 +530,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96542,7 +96605,7 @@ index cc58e35..025b7d5 100644
  ')
  
  optional_policy(`
-@@ -455,7 +540,17 @@ optional_policy(`
+@@ -455,7 +542,17 @@ optional_policy(`
  optional_policy(`
  	razor_domtrans(spamd_t)
  	razor_read_lib_files(spamd_t)
@@ -96561,7 +96624,7 @@ index cc58e35..025b7d5 100644
  ')
  
  optional_policy(`
-@@ -463,9 +558,9 @@ optional_policy(`
+@@ -463,9 +560,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96572,7 +96635,7 @@ index cc58e35..025b7d5 100644
  ')
  
  optional_policy(`
-@@ -474,32 +569,32 @@ optional_policy(`
+@@ -474,32 +571,32 @@ optional_policy(`
  
  ########################################
  #
@@ -96615,7 +96678,7 @@ index cc58e35..025b7d5 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +603,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +605,21 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
@@ -102452,7 +102515,7 @@ index 279e511..4f79ad6 100644
 +	modutils_read_module_deps(usbmodules_t)
 +')
 diff --git a/usbmuxd.fc b/usbmuxd.fc
-index 220f6ad..39b6acf 100644
+index 220f6ad..ccbb5da 100644
 --- a/usbmuxd.fc
 +++ b/usbmuxd.fc
 @@ -1,3 +1,6 @@
@@ -102462,7 +102525,7 @@ index 220f6ad..39b6acf 100644
 +/var/run/usbmuxd.*	 	gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
 +/usr/lib/systemd/system/usbmuxd.*	--	gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
 +
-+/var/lib/lockdown	-- 	gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)
++/var/lib/lockdown(/.*)? 	gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)
 diff --git a/usbmuxd.if b/usbmuxd.if
 index 1ec5e99..88e287d 100644
 --- a/usbmuxd.if
@@ -103688,10 +103751,10 @@ index 3d11c6a..b19a117 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index a4f20bc..9ccc90c 100644
+index a4f20bc..88a2dc6 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,51 +1,97 @@
+@@ -1,51 +1,98 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -103742,6 +103805,7 @@ index a4f20bc..9ccc90c 100644
  /usr/sbin/libvirt-qmf	--	gen_context(system_u:object_r:virt_qmf_exec_t,s0)
  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/sbin/virtlockd --  gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/bin/virt-who   --  gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virsh		--	gen_context(system_u:object_r:virsh_exec_t,s0)
 +/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/sbin/xl		--	gen_context(system_u:object_r:virsh_exec_t,s0)
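Review bot: Labelling `/usr/bin/virt-who` as `virtd_exec_t` gives it the same entrypoint type as `/usr/sbin/libvirtd`, so it will presumably run in `virtd_t` with everything that domain is allowed. The changelog entry about rhsmcertd signalling "virt-who running as virtd_t" suggests this is intended. virt-who is a separate program from the daemon, so a dedicated exec type and domain would keep its access narrower. If sharing the domain is a deliberate stopgap, record that above the entry, e.g. `# virt-who shares virtd_t until it gets its own domain`. The new entry is also aligned with spaces, while the libvirt-qmf and libvirtd lines above it use tabs.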
@@ -103828,7 +103892,7 @@ index a4f20bc..9ccc90c 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..c7a2d97 100644
+index facdee8..e52b362 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -104877,7 +104941,7 @@ index facdee8..c7a2d97 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +695,266 @@ interface(`virt_read_lib_files',`
+@@ -860,94 +695,266 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -104940,12 +105004,10 @@ index facdee8..c7a2d97 100644
 +    manage_dirs_pattern($1, virt_image_t, virt_image_t)
 +    manage_files_pattern($1, virt_image_t, virt_image_t)
 +    read_lnk_files_pattern($1, virt_image_t, virt_image_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create objects in virt pid
--##	directories with a private type.
++')
++
++########################################
++## <summary>
 +##	Execute virt server in the virt domain.
 +## </summary>
 +## <param name="domain">
@@ -104965,10 +105027,12 @@ index facdee8..c7a2d97 100644
 +	allow $1 virtd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, virtd_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in virt pid
+-##	directories with a private type.
 +##	Ptrace the svirt domain
 +## </summary>
 +## <param name="domain">
@@ -104988,13 +105052,12 @@ index facdee8..c7a2d97 100644
 +#######################################
 +## <summary>
 +##	Execute Sandbox Files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="private type">
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +interface(`virt_exec_sandbox_files',`
 +	gen_require(`
@@ -105007,14 +105070,13 @@ index facdee8..c7a2d97 100644
 +#######################################
 +## <summary>
 +##	Manage Sandbox Files
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
  ##	<summary>
--##	The type of the object to be created.
-+##	Domain allowed access.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="object">
+-## <param name="private type">
 +#
 +interface(`virt_manage_sandbox_files',`
 +	gen_require(`
@@ -105035,11 +105097,11 @@ index facdee8..c7a2d97 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	The object class of the object being created.
+-##	The type of the object to be created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
+-## <param name="object">
 +#
 +interface(`virt_relabel_sandbox_filesystem',`
 +	gen_require(`
@@ -105055,16 +105117,14 @@ index facdee8..c7a2d97 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	The name of the object being created.
+-##	The object class of the object being created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <infoflow type="write" weight="10"/>
- #
--interface(`virt_pid_filetrans',`
+-## <param name="name" optional="true">
++#
 +interface(`virt_mounton_sandbox_file',`
- 	gen_require(`
--		type virt_var_run_t;
++	gen_require(`
 +		type svirt_sandbox_file_t;
 +	')
 +
@@ -105076,13 +105136,17 @@ index facdee8..c7a2d97 100644
 +##	Connect to virt over a unix domain stream socket.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`virt_pid_filetrans',`
 +interface(`virt_stream_connect_sandbox',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_var_run_t;
 +		attribute svirt_sandbox_domain;
 +		type svirt_sandbox_file_t;
  	')
@@ -105138,89 +105202,72 @@ index facdee8..c7a2d97 100644
 +	optional_policy(`
 +		ptchown_run(virt_domain, $2)
 +	')
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to write virt daemon unnamed pipes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`virt_dontaudit_write_pipes',`
-+	gen_require(`
-+		type virtd_t;
-+	')
-+
-+	dontaudit $1 virtd_t:fd use;
-+	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Append virt log files.
-+##	Send a sigkill to virtual machines
++##	Do not audit attempts to write virt daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,19 +962,17 @@ interface(`virt_read_log',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`virt_append_log',`
-+interface(`virt_kill_svirt',`
++interface(`virt_dontaudit_write_pipes',`
  	gen_require(`
 -		type virt_log_t;
-+		attribute virt_domain;
++		type virtd_t;
  	')
  
 -	logging_search_logs($1)
 -	append_files_pattern($1, virt_log_t, virt_log_t)
-+	allow $1 virt_domain:process sigkill;
++	dontaudit $1 virtd_t:fd use;
++	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt log files.
-+##	Send a sigkill to virtd daemon.
++##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +980,17 @@ interface(`virt_append_log',`
+@@ -955,20 +962,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_log',`
-+interface(`virt_kill',`
++interface(`virt_kill_svirt',`
  	gen_require(`
 -		type virt_log_t;
-+		type virtd_t;
++		attribute virt_domain;
  	')
  
 -	logging_search_logs($1)
 -	manage_dirs_pattern($1, virt_log_t, virt_log_t)
 -	manage_files_pattern($1, virt_log_t, virt_log_t)
 -	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-+	allow $1 virtd_t:process sigkill;
++	allow $1 virt_domain:process sigkill;
  ')
  
  ########################################
  ## <summary>
 -##	Search virt image directories.
-+##	Send a signal to virtd daemon.
++##	Send a sigkill to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +998,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +980,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_search_images',`
-+interface(`virt_signal',`
++interface(`virt_kill',`
  	gen_require(`
 -		attribute virt_image_type;
 +		type virtd_t;
@@ -105228,26 +105275,26 @@ index facdee8..c7a2d97 100644
  
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir search_dir_perms;
-+	allow $1 virtd_t:process signal;
++	allow $1 virtd_t:process sigkill;
  ')
  
  ########################################
  ## <summary>
 -##	Read virt image files.
-+##	Send a signal to virtual machines
++##	Send a signal to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,57 +1016,75 @@ interface(`virt_search_images',`
+@@ -995,36 +998,35 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_signal',`
  	gen_require(`
 -		type virt_var_lib_t;
 -		attribute virt_image_type;
-+		attribute virt_domain;
++		type virtd_t;
  	')
  
 -	virt_search_lib($1)
@@ -105256,7 +105303,7 @@ index facdee8..c7a2d97 100644
 -	read_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+	allow $1 virt_domain:process signal;
++	allow $1 virtd_t:process signal;
 +')
  
 -	tunable_policy(`virt_use_nfs',`
@@ -105265,7 +105312,7 @@ index facdee8..c7a2d97 100644
 -		fs_read_nfs_symlinks($1)
 +########################################
 +## <summary>
-+##	Manage virt home files.
++##	Send null signal to virtd daemon.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -105273,87 +105320,131 @@ index facdee8..c7a2d97 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_manage_home_files',`
++interface(`virt_signull',`
 +	gen_require(`
-+		type virt_home_t;
++		type virtd_t;
  	')
  
 -	tunable_policy(`virt_use_samba',`
 -		fs_list_cifs($1)
 -		fs_read_cifs_files($1)
 -		fs_read_cifs_symlinks($1)
-+	userdom_search_user_home_dirs($1)
-+	manage_files_pattern($1, virt_home_t, virt_home_t)
-+')
-+
-+########################################
-+## <summary>
-+##	allow domain to read
-+##	virt tmpfs files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access
-+##	</summary>
-+## </param>
-+#
-+interface(`virt_read_tmpfs_files',`
-+	gen_require(`
-+		attribute virt_tmpfs_type;
- 	')
-+
-+	allow $1 virt_tmpfs_type:file read_file_perms;
+-	')
++	allow $1 virtd_t:process signull;
  ')
  
  ########################################
  ## <summary>
 -##	Read and write all virt image
 -##	character files.
-+##	allow domain to manage
-+##	virt tmpfs files
++##	Send a signal to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed access
+@@ -1032,20 +1034,17 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_manage_tmpfs_files',`
++interface(`virt_signal_svirt',`
  	gen_require(`
 -		attribute virt_image_type;
-+		attribute virt_tmpfs_type;
++		attribute virt_domain;
  	')
  
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir list_dir_perms;
 -	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+	allow $1 virt_tmpfs_type:file manage_file_perms;
++	allow $1 virt_domain:process signal;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	svirt cache files.
-+##	Create .virt directory in the user home directory
-+##	with an correct label.
++##	Manage virt home files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,15 +1092,28 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1052,57 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_svirt_cache',`
 -	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
 -	virt_manage_virt_cache($1)
-+interface(`virt_filetrans_home_content',`
++interface(`virt_manage_home_files',`
 +	gen_require(`
 +		type virt_home_t;
-+		type svirt_home_t;
 +	')
 +
++	userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, virt_home_t, virt_home_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt cache content.
++##	allow domain to read
++##	virt tmpfs files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`virt_read_tmpfs_files',`
++	gen_require(`
++		attribute virt_tmpfs_type;
++	')
++
++	allow $1 virt_tmpfs_type:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	allow domain to manage
++##	virt tmpfs files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`virt_manage_tmpfs_files',`
++	gen_require(`
++		attribute virt_tmpfs_type;
++	')
++
++	allow $1 virt_tmpfs_type:file manage_file_perms;
++')
++
++########################################
++## <summary>
++##	Create .virt directory in the user home directory
++##	with an correct label.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1069,21 +1110,28 @@ interface(`virt_manage_svirt_cache',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_virt_cache',`
++interface(`virt_filetrans_home_content',`
+ 	gen_require(`
+-		type virt_cache_t;
++		type virt_home_t;
++		type svirt_home_t;
+ 	')
+ 
+-	files_search_var($1)
+-	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_files_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
 +	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
@@ -105370,33 +105461,37 @@ index facdee8..c7a2d97 100644
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
--##	virt cache content.
+-##	virt image files.
 +##	Dontaudit attempts to Read virt_image_type devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +1121,133 @@ interface(`virt_manage_svirt_cache',`
+@@ -1091,36 +1139,188 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_virt_cache',`
+-interface(`virt_manage_images',`
 +interface(`virt_dontaudit_read_chr_dev',`
  	gen_require(`
--		type virt_cache_t;
-+		attribute virt_image_type;
+-		type virt_var_lib_t;
+ 		attribute virt_image_type;
  	')
  
--	files_search_var($1)
--	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
--	manage_files_pattern($1, virt_cache_t, virt_cache_t)
--	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	manage_dirs_pattern($1, virt_image_type, virt_image_type)
+-	manage_files_pattern($1, virt_image_type, virt_image_type)
+-	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+-	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
- ')
++')
  
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	virt image files.
+-	tunable_policy(`virt_use_nfs',`
+-		fs_manage_nfs_dirs($1)
+-		fs_manage_nfs_files($1)
+-		fs_read_nfs_symlinks($1)
++########################################
++## <summary>
 +##	Creates types and rules for a basic
 +##	virt_lxc process domain.
 +## </summary>
@@ -105409,8 +105504,12 @@ index facdee8..c7a2d97 100644
 +template(`virt_sandbox_domain_template',`
 +	gen_require(`
 +		attribute svirt_sandbox_domain;
-+	')
-+
+ 	')
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_files($1)
+-		fs_read_cifs_symlinks($1)
 +	type $1_t, svirt_sandbox_domain;
 +	domain_type($1_t)
 +	domain_user_exemption_target($1_t)
@@ -105514,34 +105613,21 @@ index facdee8..c7a2d97 100644
 +########################################
 +## <summary>
 +##	Read and write to svirt_image devices.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1091,36 +1255,54 @@ interface(`virt_manage_virt_cache',`
- ##	</summary>
- ## </param>
- #
--interface(`virt_manage_images',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`virt_rw_svirt_dev',`
- 	gen_require(`
--		type virt_var_lib_t;
--		attribute virt_image_type;
++	gen_require(`
 +		type svirt_image_t;
- 	')
- 
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	manage_dirs_pattern($1, virt_image_type, virt_image_type)
--	manage_files_pattern($1, virt_image_type, virt_image_type)
--	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
--	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++	')
++
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
 +')
- 
--	tunable_policy(`virt_use_nfs',`
--		fs_manage_nfs_dirs($1)
--		fs_manage_nfs_files($1)
--		fs_read_nfs_symlinks($1)
++
 +########################################
 +## <summary>
 +##	Read and write to svirt_image devices.
@@ -105555,12 +105641,8 @@ index facdee8..c7a2d97 100644
 +interface(`virt_rlimitinh',`
 +	gen_require(`
 +		type virtd_t;
- 	')
- 
--	tunable_policy(`virt_use_samba',`
--		fs_manage_cifs_files($1)
--		fs_manage_cifs_files($1)
--		fs_read_cifs_symlinks($1)
++	')
++
 +    allow $1 virtd_t:process { rlimitinh };
 +')
 +
@@ -105591,7 +105673,7 @@ index facdee8..c7a2d97 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1318,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1336,53 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -105633,27 +105715,27 @@ index facdee8..c7a2d97 100644
 -
 -	files_search_tmp($1)
 -	admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
++	allow $1 virt_domain:process signal_perms;
+ 
 -	files_search_etc($1)
 -	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
--
++	admin_pattern($1, virt_file_type)
++	admin_pattern($1, svirt_file_type)
+ 
 -	logging_search_logs($1)
 -	admin_pattern($1, virt_log_t)
--
++	virt_systemctl($1)
++	allow $1 virtd_unit_file_t:service all_service_perms;
+ 
 -	files_search_pids($1)
 -	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
-+	allow $1 virt_domain:process signal_perms;
- 
+-
 -	files_search_var($1)
 -	admin_pattern($1, svirt_cache_t)
-+	admin_pattern($1, virt_file_type)
-+	admin_pattern($1, svirt_file_type)
- 
+-
 -	files_search_var_lib($1)
 -	admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-+	virt_systemctl($1)
-+	allow $1 virtd_unit_file_t:service all_service_perms;
- 
+-
 -	files_search_locks($1)
 -	admin_pattern($1, virt_lock_t)
 +	virt_stream_connect_sandbox($1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8b69712..9abfc76 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 96%{?dist}
+Release: 97%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,27 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Nov 27 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-97
+- Allow reading of symlinks in /etc/puppet
+- Added TAGS to gitignore
+- I guess there can be content under /var/lib/lockdown #1167502
+- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
+- Allow keystone to send a generic signal to own process.
+- Allow radius to bind tcp/1812 radius port.
+- Dontaudit list user_tmp files for system_mail_t
+- label virt-who as virtd_exec_t
+- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
+- Add virt_signull() interface
+- Add missing alias for _content_rw_t
+- Allow .snapshots to be created in other directories, on all mountpoints
+- Allow spamd to access razor-agent.log
+- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
+- Allow .snapshots to be created in other directories, on all mountpoints
+- Label tcp port 5280 as ejabberd port. BZ(1059930)
+- Make /usr/bin/vncserver running as unconfined_service_t
+- Label /etc/docker/certs.d as cert_t
+- Allow all systemd domains to search file systems
+
 * Thu Nov 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-96
 - Allow NetworkManager stream connect on openvpn. BZ(1165110)
 

