[selinux-policy] * Thu Dec 11 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-100 - Allow admin SELinux users mounting

Lukas Vrabec lvrabec at fedoraproject.org
Thu Dec 11 15:20:53 UTC 2014


commit e4ea4614c786ac879b677a93f0ecaaf39ace4c0e
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Thu Dec 11 10:20:57 2014 -0500

    * Thu Dec 11 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-100
    - Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS.
    - Fix miscfiles_manage_generic_cert_files() to allow manage link files
    - Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
    - Add support for /var/run/gluster.
    - Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)

 policy-rawhide-base.patch    |  210 ++++++++++++++++++--------------
 policy-rawhide-contrib.patch |  277 ++++++++++++++++++++++++++++--------------
 selinux-policy.spec          |   11 ++-
 3 files changed, 312 insertions(+), 186 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 3f3451b..50ce6f1 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1969,10 +1969,22 @@ index 688abc2..3d89250 100644
  /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
 +/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
 diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5ca..025c177 100644
+index 03ec5ca..a777e72 100644
 --- a/policy/modules/admin/su.if
 +++ b/policy/modules/admin/su.if
-@@ -89,7 +89,6 @@ template(`su_restricted_domain_template', `
+@@ -58,6 +58,7 @@ template(`su_restricted_domain_template', `
+ 	allow $2 $1_su_t:fifo_file rw_file_perms;
+ 	allow $2 $1_su_t:process sigchld;
+ 
++    kernel_getattr_core_if($1_su_t)
+ 	kernel_read_system_state($1_su_t)
+ 	kernel_read_kernel_sysctls($1_su_t)
+ 	kernel_search_key($1_su_t)
+@@ -86,10 +87,10 @@ template(`su_restricted_domain_template', `
+ 	# Write to utmp.
+ 	init_rw_utmp($1_su_t)
+ 	init_search_script_keys($1_su_t)
++    init_getattr_initctl($1_su_t)
  
  	logging_send_syslog_msg($1_su_t)
  
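Review bot: The two rules added to `su_restricted_domain_template`, `kernel_getattr_core_if($1_su_t)` and `init_getattr_initctl($1_su_t)`, are indented with four spaces where every neighbouring line of the template uses a tab. Neither has a changelog entry or a comment saying which su code path needs it. If the denials only come from su stat-ing these objects while walking a directory (an assumption, since the AVCs are not shown), the `kernel_dontaudit_getattr_core_if` and `init_dontaudit_getattr_initctl` forms would silence them without granting access. The template begins and ends outside this hunk.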
@@ -1980,7 +1992,7 @@ index 03ec5ca..025c177 100644
  
  	ifdef(`distro_redhat',`
  		# RHEL5 and possibly newer releases incl. Fedora
-@@ -119,11 +118,6 @@ template(`su_restricted_domain_template', `
+@@ -119,11 +120,6 @@ template(`su_restricted_domain_template', `
  		userdom_spec_domtrans_unpriv_users($1_su_t)
  	')
  
@@ -1992,7 +2004,7 @@ index 03ec5ca..025c177 100644
  	optional_policy(`
  		cron_read_pipes($1_su_t)
  	')
-@@ -172,14 +166,6 @@ template(`su_role_template',`
+@@ -172,14 +168,6 @@ template(`su_role_template',`
  	role $2 types $1_su_t;
  
  	allow $3 $1_su_t:process signal;
@@ -2007,7 +2019,7 @@ index 03ec5ca..025c177 100644
  	allow $1_su_t $3:key search;
  
  	# Transition from the user domain to this domain.
-@@ -194,125 +180,12 @@ template(`su_role_template',`
+@@ -194,125 +182,12 @@ template(`su_role_template',`
  	allow $3 $1_su_t:process sigchld;
  
  	kernel_read_system_state($1_su_t)
@@ -35669,7 +35681,7 @@ index 9fe8e01..3d71062 100644
  /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
  ')
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..faa2281 100644
+index fc28bc3..8828b8a 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
@@ -35725,6 +35737,15 @@ index fc28bc3..faa2281 100644
  ##	Manage generic SSL certificates.
  ## </summary>
  ## <param name="domain">
+@@ -121,7 +160,7 @@ interface(`miscfiles_manage_generic_cert_files',`
+ 	')
+ 
+ 	manage_files_pattern($1, cert_t, cert_t)
+-	read_lnk_files_pattern($1, cert_t, cert_t)
++	manage_lnk_files_pattern($1, cert_t, cert_t)
+ ')
+ 
+ ########################################
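Review bot: Replacing `read_lnk_files_pattern($1, cert_t, cert_t)` with `manage_lnk_files_pattern($1, cert_t, cert_t)` widens `miscfiles_manage_generic_cert_files` for every domain that already calls it, not only the one that hit the denial. Each of those callers can now create, retarget and delete symlinks labelled cert_t. A symlink in a certificate directory determines which file a TLS consumer ends up reading, so this is better granted narrowly: keep the read rule here and put the link rule in a separate interface (for example `miscfiles_manage_generic_cert_lnk_files`, a name proposed here, not an existing one) called only from the domain that needs it. If the broad grant is intended, the interface's `<summary>` should say that it covers symbolic links as well as files. The interface starts outside this hunk.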
 @@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',`
  
  ########################################
@@ -43529,7 +43550,7 @@ index db75976..1ee08ec 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..2861886 100644
+index 9dc60c6..05274ae 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -45024,7 +45045,7 @@ index 9dc60c6..2861886 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1159,29 +1568,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1568,40 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -45054,6 +45075,8 @@ index 9dc60c6..2861886 100644
  	# Relabel almost all files
 -	files_relabel_non_auth_files($1_t)
 +	files_relabel_non_security_files($1_t)
++
++    files_mounton_rootfs($1_t)
  
  	init_telinit($1_t)
  
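Review bot: `files_mounton_rootfs($1_t)` is added to `userdom_admin_user_template` unconditionally, while the changelog describes a much narrower case: mounting / as private in a new mount namespace, as root, under MLS. As written, every admin user domain built from this template gains mounton access to the root directory in all policy types. If MLS is the only configuration that needs it, wrap the call in an `enable_mls` ifdef, and either way add a why-comment above it such as `# Allow mounting / as private within a new mount namespace (MLS).` The new line is also indented with spaces where the template uses tabs. The template extends beyond this hunk.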
@@ -45067,7 +45090,7 @@ index 9dc60c6..2861886 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1609,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1611,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -45076,7 +45099,7 @@ index 9dc60c6..2861886 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1618,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1620,21 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -45099,7 +45122,7 @@ index 9dc60c6..2861886 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1240,7 +1668,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1670,7 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -45108,7 +45131,7 @@ index 9dc60c6..2861886 100644
  	allow $1 self:capability { dac_read_search dac_override };
  
  	corecmd_exec_shell($1)
-@@ -1250,6 +1678,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1680,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -45117,7 +45140,7 @@ index 9dc60c6..2861886 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1262,8 +1692,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1694,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -45129,7 +45152,7 @@ index 9dc60c6..2861886 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1274,29 +1706,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1708,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -45172,7 +45195,7 @@ index 9dc60c6..2861886 100644
  	')
  
  	optional_policy(`
-@@ -1357,14 +1791,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1793,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -45191,7 +45214,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -1397,12 +1834,51 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1836,51 @@ interface(`userdom_user_tmp_file',`
  ## </param>
  #
  interface(`userdom_user_tmpfs_file',`
@@ -45244,7 +45267,7 @@ index 9dc60c6..2861886 100644
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
  ## <param name="domain">
-@@ -1509,11 +1985,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1987,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -45276,7 +45299,7 @@ index 9dc60c6..2861886 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1555,6 +2051,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2053,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -45291,7 +45314,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -1570,9 +2074,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2076,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -45303,7 +45326,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -1613,6 +2119,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2121,24 @@ interface(`userdom_manage_user_home_dirs',`
  
  ########################################
  ## <summary>
@@ -45328,7 +45351,7 @@ index 9dc60c6..2861886 100644
  ##	Relabel to user home directories.
  ## </summary>
  ## <param name="domain">
-@@ -1629,6 +2153,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2155,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -45371,7 +45394,7 @@ index 9dc60c6..2861886 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1708,6 +2268,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2270,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -45380,7 +45403,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -1741,10 +2303,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2305,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -45395,7 +45418,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -1769,7 +2333,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2335,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -45404,7 +45427,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1777,19 +2341,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2343,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -45428,7 +45451,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1797,55 +2359,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2361,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -45499,7 +45522,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1853,18 +2415,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2417,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -45527,7 +45550,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1872,45 +2435,182 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,41 +2437,178 @@ interface(`userdom_mmap_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -45579,11 +45602,10 @@ index 9dc60c6..2861886 100644
  ##	<summary>
 -##	Domain to not audit.
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`userdom_dontaudit_append_user_home_content_files',`
++#
 +interface(`userdom_relabel_user_tmp_dirs',`
 +	gen_require(`
 +		type user_tmp_t;
@@ -45719,14 +45741,10 @@ index 9dc60c6..2861886 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dontaudit_append_user_home_content_files',`
- 	gen_require(`
- 		type user_home_t;
- 	')
-@@ -1938,7 +2638,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+ ##	</summary>
+ ## </param>
+ #
+@@ -1938,7 +2640,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -45735,7 +45753,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,10 +2646,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2648,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -45748,7 +45766,7 @@ index 9dc60c6..2861886 100644
  	')
  
  	userdom_search_user_home_content($1)
-@@ -1958,7 +2657,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2659,7 @@ interface(`userdom_delete_all_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -45757,7 +45775,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1966,12 +2665,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2667,66 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -45826,7 +45844,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -2007,8 +2760,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2762,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -45836,7 +45854,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -2024,20 +2776,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,21 +2778,15 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -45850,18 +45868,19 @@ index 9dc60c6..2861886 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
--	')
--
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
--')
  
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
+-	')
+-')
+-
  ########################################
  ## <summary>
-@@ -2120,7 +2866,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+ ##	Do not audit attempts to execute user home files.
+@@ -2120,7 +2868,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -45870,7 +45889,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2874,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2876,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -45894,7 +45913,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2892,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2894,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -45910,7 +45929,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -2388,18 +3132,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3134,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -45968,7 +45987,7 @@ index 9dc60c6..2861886 100644
  ##	Do not audit attempts to read users
  ##	temporary files.
  ## </summary>
-@@ -2414,7 +3194,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3196,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -45977,7 +45996,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -2455,6 +3235,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3237,25 @@ interface(`userdom_rw_user_tmp_files',`
  	rw_files_pattern($1, user_tmp_t, user_tmp_t)
  	files_search_tmp($1)
  ')
@@ -46003,7 +46022,7 @@ index 9dc60c6..2861886 100644
  
  ########################################
  ## <summary>
-@@ -2538,7 +3337,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3339,7 @@ interface(`userdom_manage_user_tmp_files',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -46012,7 +46031,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2546,19 +3345,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3347,19 @@ interface(`userdom_manage_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -46035,7 +46054,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2566,19 +3365,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3367,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -46058,7 +46077,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2586,12 +3385,53 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,18 +3387,59 @@ interface(`userdom_manage_user_tmp_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -46070,12 +46089,13 @@ index 9dc60c6..2861886 100644
  
 -	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
 +    allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
-+	files_search_tmp($1)
-+')
-+
+ 	files_search_tmp($1)
+ ')
+ 
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Create objects in a user temporary directory
 +##	Create, read, write, and delete user
 +##	temporary named pipes.
 +## </summary>
@@ -46111,10 +46131,16 @@ index 9dc60c6..2861886 100644
 +	')
 +
 +	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
- 	files_search_tmp($1)
- ')
- 
-@@ -2661,6 +3501,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
++	files_search_tmp($1)
++')
++
++########################################
++## <summary>
++##	Create objects in a user temporary directory
+ ##	with an automatic type transition to
+ ##	a specified private type.
+ ## </summary>
+@@ -2661,6 +3503,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -46136,7 +46162,7 @@ index 9dc60c6..2861886 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2672,18 +3527,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3529,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  ## </param>
  #
  interface(`userdom_read_user_tmpfs_files',`
@@ -46158,7 +46184,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2692,19 +3542,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3544,13 @@ interface(`userdom_read_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_rw_user_tmpfs_files',`
@@ -46181,7 +46207,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2713,13 +3557,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3559,56 @@ interface(`userdom_rw_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_manage_user_tmpfs_files',`
@@ -46242,7 +46268,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -2814,6 +3701,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3703,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -46267,7 +46293,7 @@ index 9dc60c6..2861886 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3737,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3739,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -46310,7 +46336,7 @@ index 9dc60c6..2861886 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3773,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3775,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -46348,7 +46374,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -2882,8 +3818,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3820,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -46378,7 +46404,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -2955,69 +3910,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3912,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -46479,7 +46505,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3025,12 +3979,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3981,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -46494,7 +46520,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -3094,7 +4048,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4050,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -46503,7 +46529,7 @@ index 9dc60c6..2861886 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +4064,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4066,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -46537,7 +46563,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -3214,7 +4152,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4154,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -46564,7 +46590,7 @@ index 9dc60c6..2861886 100644
  ')
  
  ########################################
-@@ -3269,12 +4225,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4227,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -46580,7 +46606,7 @@ index 9dc60c6..2861886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,49 +4239,125 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4241,122 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -46638,9 +46664,8 @@ index 9dc60c6..2861886 100644
  	gen_require(`
 -		attribute userdomain;
 +		type user_tmp_t;
- 	')
- 
--	allow $1 userdomain:process getattr;
++	')
++
 +	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
@@ -46714,13 +46739,10 @@ index 9dc60c6..2861886 100644
 +interface(`userdom_getattr_all_users',`
 +	gen_require(`
 +		attribute userdomain;
-+	')
-+
-+	allow $1 userdomain:process getattr;
- ')
+ 	')
  
- ########################################
-@@ -3382,6 +4415,42 @@ interface(`userdom_signal_all_users',`
+ 	allow $1 userdomain:process getattr;
+@@ -3382,6 +4417,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -46763,7 +46785,7 @@ index 9dc60c6..2861886 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4471,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4473,60 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -46824,7 +46846,7 @@ index 9dc60c6..2861886 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4558,1686 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4560,1686 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 821dac3..cb6fa7f 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -10370,16 +10370,18 @@ index c5a9113..1919abd 100644
  	xen_dontaudit_rw_unix_stream_sockets(brctl_t)
 diff --git a/brltty.fc b/brltty.fc
 new file mode 100644
-index 0000000..d541924
+index 0000000..0cfe342
 --- /dev/null
 +++ b/brltty.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,8 @@
 +/usr/lib/systemd/system/brltty.*		--	gen_context(system_u:object_r:brltty_unit_file_t,s0)
 +
 +/usr/bin/brltty		--	gen_context(system_u:object_r:brltty_exec_t,s0)
 +
 +/var/lib/BrlAPI(/.*)?		gen_context(system_u:object_r:brltty_var_lib_t,s0)
 +
++/var/run/brltty(/.*)?		gen_context(system_u:object_r:brltty_var_run_t,s0)
++
 diff --git a/brltty.if b/brltty.if
 new file mode 100644
 index 0000000..968c957
@@ -10468,10 +10470,10 @@ index 0000000..968c957
 +')
 diff --git a/brltty.te b/brltty.te
 new file mode 100644
-index 0000000..d1b76d8
+index 0000000..03032f9
 --- /dev/null
 +++ b/brltty.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,60 @@
 +policy_module(brltty, 1.0.0)
 +
 +########################################
@@ -10486,6 +10488,9 @@ index 0000000..d1b76d8
 +type brltty_var_lib_t;
 +files_type(brltty_var_lib_t)
 +
++type brltty_var_run_t;
++files_pid_file(brltty_var_run_t)
++
 +type brltty_unit_file_t;
 +systemd_unit_file(brltty_unit_file_t)
 +
@@ -10505,6 +10510,11 @@ index 0000000..d1b76d8
 +manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)
 +files_var_lib_filetrans(brltty_t, brltty_var_lib_t, {file sock_file dir})
 +
++manage_dirs_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
++manage_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
++files_pid_filetrans(brltty_t, brltty_var_run_t, { dir file })
++allow brltty_t brltty_var_run_t:dir mounton;
++
 +kernel_read_system_state(brltty_t)
 +kernel_read_usermodehelper_state(brltty_t)
 +
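Review bot: `allow brltty_t brltty_var_run_t:dir mounton;` is a raw allow rule with no comment, and nothing in the commit message mentions brltty, so a later reader cannot tell why a braille display daemon needs to mount over its own runtime directory. Please add a why-comment above it, e.g. `# brltty mounts over /var/run/brltty: <reason>, BZ(<bug id>)`, filling the placeholders from the report that prompted the rule. It is also worth confirming that the rule is sufficient on its own. No mount-related capability or filesystem mount permission for brltty_t is added in the lines visible here, though the rest of brltty.te lies outside this hunk.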
@@ -10515,6 +10525,8 @@ index 0000000..d1b76d8
 +dev_read_sysfs(brltty_t)
 +dev_getattr_generic_usb_dev(brltty_t)
 +
++fs_getattr_all_fs(brltty_t)
++
 +logging_send_syslog_msg(brltty_t)
 +
 +modutils_domtrans_insmod(brltty_t)
@@ -18934,12 +18946,14 @@ index 7de3859..d88194b 100644
  
  type unconfined_cronjob_t;
 diff --git a/ctdb.fc b/ctdb.fc
-index 8401fe6..9131995 100644
+index 8401fe6..d58f3e7 100644
 --- a/ctdb.fc
 +++ b/ctdb.fc
-@@ -2,11 +2,16 @@
+@@ -1,12 +1,18 @@
+ /etc/rc\.d/init\.d/ctdb	--	gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
  
  /usr/sbin/ctdbd	--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
++/usr/sbin/ctdbd_wrapper --  gen_context(system_u:object_r:ctdbd_exec_t,s0)
  
 +/var/ctdb(/.*)?    gen_context(system_u:object_r:ctdbd_var_t,s0)
 +
@@ -25111,10 +25125,10 @@ index 0000000..0fa769b
 +
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..ed22198
+index 0000000..965df4b
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,293 @@
+@@ -0,0 +1,294 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -25375,6 +25389,7 @@ index 0000000..ed22198
 +optional_policy(`
 +	dbus_system_bus_client(docker_t)
 +	init_dbus_chat(docker_t)
++	init_start_transient_unit(docker_t)
 +
 +	optional_policy(`
 +		systemd_dbus_chat_logind(docker_t)
@@ -30570,10 +30585,10 @@ index 5cd0909..b558e60 100644
 +')
 diff --git a/glusterd.fc b/glusterd.fc
 new file mode 100644
-index 0000000..8431a61
+index 0000000..8c8c6c9
 --- /dev/null
 +++ b/glusterd.fc
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,18 @@
 +/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 +
 +/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
@@ -30588,6 +30603,7 @@ index 0000000..8431a61
 +
 +/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
 +
++/var/run/gluster(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
@@ -43520,7 +43536,7 @@ index d314333..27ede09 100644
 +	')
  ')
 diff --git a/lsm.te b/lsm.te
-index 4ec0eea..01db8ca 100644
+index 4ec0eea..2a6d99e 100644
 --- a/lsm.te
 +++ b/lsm.te
 @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@@ -43555,7 +43571,7 @@ index 4ec0eea..01db8ca 100644
  ########################################
  #
  # Local policy
-@@ -26,4 +44,50 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,51 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
  manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
  files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
  
@@ -43571,6 +43587,7 @@ index 4ec0eea..01db8ca 100644
 +
 +allow lsmd_plugin_t self:udp_socket create_socket_perms;
 +allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
++allow lsmd_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +
 +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
 +allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
@@ -49841,7 +49858,7 @@ index f42896c..bd1eb52 100644
 +/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 +/var/spool/smtpd(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index ed81cac..837a43a 100644
+index ed81cac..2224799 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -1,4 +1,4 @@
@@ -50218,11 +50235,29 @@ index ed81cac..837a43a 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -475,7 +392,43 @@ interface(`mta_signal_system_mail',`
+@@ -475,7 +392,61 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
 -##	Send kill signals to system mail.
++##	Allow role to access system_mail_t.
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++#
++interface(`mta_role_access_system_mail',`
++	gen_require(`
++		type system_mail_t;
++	')
++
++	role $1 types system_mail_t;
++')
++
++########################################
++## <summary>
 +##	Send all user mail client a signal
 +## </summary>
 +## <param name="domain">
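Review bot: The summary of the new `mta_role_access_system_mail` interface, `Allow role to access system_mail_t.`, understates what `role $1 types system_mail_t;` does. The statement authorizes the role for the system_mail_t type, so processes running in that role are permitted to be in the system mail domain. Suggested wording: `##	Authorize a role for the system_mail_t domain.` No caller of the interface appears in the part of the patch visible here, so which role is meant to receive this cannot be checked from this hunk.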
@@ -50263,7 +50298,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -506,13 +459,32 @@ interface(`mta_sendmail_exec',`
+@@ -506,13 +477,32 @@ interface(`mta_sendmail_exec',`
  		type sendmail_exec_t;
  	')
  
@@ -50298,7 +50333,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -528,13 +500,13 @@ interface(`mta_read_config',`
+@@ -528,13 +518,13 @@ interface(`mta_read_config',`
  
  	files_search_etc($1)
  	allow $1 etc_mail_t:dir list_dir_perms;
@@ -50315,7 +50350,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -548,33 +520,31 @@ interface(`mta_write_config',`
+@@ -548,33 +538,31 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -50355,7 +50390,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -582,84 +552,66 @@ interface(`mta_read_aliases',`
+@@ -582,84 +570,66 @@ interface(`mta_read_aliases',`
  ##	</summary>
  ## </param>
  #
@@ -50456,7 +50491,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -674,14 +626,13 @@ interface(`mta_rw_aliases',`
+@@ -674,14 +644,13 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -50474,7 +50509,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -697,6 +648,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+@@ -697,6 +666,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
  	dontaudit $1 mailserver_delivery:tcp_socket { read write };
  ')
  
@@ -50500,7 +50535,7 @@ index ed81cac..837a43a 100644
  #######################################
  ## <summary>
  ##	Connect to all mail servers over TCP.  (Deprecated)
-@@ -713,8 +683,8 @@ interface(`mta_tcp_connect_all_mailservers',`
+@@ -713,8 +701,8 @@ interface(`mta_tcp_connect_all_mailservers',`
  
  #######################################
  ## <summary>
@@ -50511,7 +50546,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -732,7 +702,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
+@@ -732,7 +720,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
  
  ########################################
  ## <summary>
@@ -50520,7 +50555,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -753,8 +723,8 @@ interface(`mta_getattr_spool',`
+@@ -753,8 +741,8 @@ interface(`mta_getattr_spool',`
  
  ########################################
  ## <summary>
@@ -50531,7 +50566,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -775,9 +745,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -775,9 +763,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  #######################################
  ## <summary>
@@ -50543,7 +50578,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -811,7 +780,7 @@ interface(`mta_spool_filetrans',`
+@@ -811,7 +798,7 @@ interface(`mta_spool_filetrans',`
  
  #######################################
  ## <summary>
@@ -50552,7 +50587,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##  <summary>
-@@ -819,10 +788,10 @@ interface(`mta_spool_filetrans',`
+@@ -819,10 +806,10 @@ interface(`mta_spool_filetrans',`
  ##  </summary>
  ## </param>
  #
@@ -50567,7 +50602,7 @@ index ed81cac..837a43a 100644
  
  	files_search_spool($1)
  	read_files_pattern($1, mail_spool_t, mail_spool_t)
-@@ -830,7 +799,7 @@ interface(`mta_read_spool_files',`
+@@ -830,7 +817,7 @@ interface(`mta_read_spool_files',`
  
  ########################################
  ## <summary>
@@ -50576,7 +50611,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -845,13 +814,14 @@ interface(`mta_rw_spool',`
+@@ -845,13 +832,14 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -50594,7 +50629,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -866,13 +836,14 @@ interface(`mta_append_spool',`
+@@ -866,13 +854,14 @@ interface(`mta_append_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -50612,7 +50647,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -891,8 +862,7 @@ interface(`mta_delete_spool',`
+@@ -891,8 +880,7 @@ interface(`mta_delete_spool',`
  
  ########################################
  ## <summary>
@@ -50622,7 +50657,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -911,45 +881,9 @@ interface(`mta_manage_spool',`
+@@ -911,45 +899,9 @@ interface(`mta_manage_spool',`
  	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
@@ -50669,7 +50704,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -968,7 +902,7 @@ interface(`mta_search_queue',`
+@@ -968,7 +920,7 @@ interface(`mta_search_queue',`
  
  #######################################
  ## <summary>
@@ -50678,7 +50713,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -981,13 +915,13 @@ interface(`mta_list_queue',`
+@@ -981,13 +933,13 @@ interface(`mta_list_queue',`
  		type mqueue_spool_t;
  	')
  
@@ -50694,7 +50729,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1000,14 +934,14 @@ interface(`mta_read_queue',`
+@@ -1000,14 +952,14 @@ interface(`mta_read_queue',`
  		type mqueue_spool_t;
  	')
  
@@ -50711,7 +50746,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1027,7 +961,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -1027,7 +979,7 @@ interface(`mta_dontaudit_rw_queue',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete
@@ -50720,7 +50755,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1047,6 +981,41 @@ interface(`mta_manage_queue',`
+@@ -1047,6 +999,41 @@ interface(`mta_manage_queue',`
  
  #######################################
  ## <summary>
@@ -50762,7 +50797,7 @@ index ed81cac..837a43a 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -1055,6 +1024,7 @@ interface(`mta_manage_queue',`
+@@ -1055,6 +1042,7 @@ interface(`mta_manage_queue',`
  ##	</summary>
  ## </param>
  #
@@ -50770,7 +50805,7 @@ index ed81cac..837a43a 100644
  interface(`mta_read_sendmail_bin',`
  	gen_require(`
  		type sendmail_exec_t;
-@@ -1065,8 +1035,8 @@ interface(`mta_read_sendmail_bin',`
+@@ -1065,8 +1053,8 @@ interface(`mta_read_sendmail_bin',`
  
  #######################################
  ## <summary>
@@ -50781,7 +50816,7 @@ index ed81cac..837a43a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1081,3 +1051,200 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1069,200 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -58503,11 +58538,14 @@ index 8ec7859..719cffd 100644
  fs_getattr_all_fs(ntop_t)
  fs_search_auto_mountpoints(ntop_t)
 diff --git a/ntp.fc b/ntp.fc
-index af3c91e..2d41c4c 100644
+index af3c91e..3e5f9cf 100644
 --- a/ntp.fc
 +++ b/ntp.fc
-@@ -13,7 +13,10 @@
+@@ -11,9 +11,13 @@
+ 
+ /usr/sbin/ntpd	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
  /usr/sbin/ntpdate	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
++/usr/libexec/ntpdate-wrapper    --  gen_context(system_u:object_r:ntpdate_exec_t,s0)
  /usr/sbin/sntp	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
  
 +/usr/lib/systemd/system/ntpd.*               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
@@ -62059,7 +62097,7 @@ index 6837e9a..9bac89c 100644
  	domain_system_change_exemption($1)
  	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 63957a3..57fbf6d 100644
+index 63957a3..4b43430 100644
 --- a/openvpn.te
 +++ b/openvpn.te
 @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@@ -62150,7 +62188,7 @@ index 63957a3..57fbf6d 100644
  corenet_rw_tun_tap_dev(openvpn_t)
  
  dev_read_rand(openvpn_t)
-@@ -132,21 +147,30 @@ files_read_etc_runtime_files(openvpn_t)
+@@ -132,21 +147,31 @@ files_read_etc_runtime_files(openvpn_t)
  
  fs_getattr_all_fs(openvpn_t)
  fs_search_auto_mountpoints(openvpn_t)
@@ -62171,6 +62209,7 @@ index 63957a3..57fbf6d 100644
  
 -userdom_use_user_terminals(openvpn_t)
 +systemd_passwd_agent_domtrans(openvpn_t)
++systemd_manage_passwd_run(openvpn_t)
 +
 +userdom_use_inherited_user_terminals(openvpn_t)
 +userdom_read_home_certs(openvpn_t)
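Review bot: The added `systemd_manage_passwd_run(openvpn_t)` next to `systemd_passwd_agent_domtrans(openvpn_t)` carries no comment explaining why openvpn_t needs manage-level access to the systemd password runtime files. The changelog ties it to BZ(1170085), so a one-line comment such as `# openvpn uses the systemd password agent request files, BZ(1170085)` would keep the reason beside the rule; that wording is inferred from the interface name and should be checked against the bug. If the denials in the bug cover only a subset of the manage permissions, a narrower interface would be preferable.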
@@ -62184,7 +62223,7 @@ index 63957a3..57fbf6d 100644
  ')
  
  tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -164,10 +188,20 @@ tunable_policy(`openvpn_can_network_connect',`
+@@ -164,10 +189,20 @@ tunable_policy(`openvpn_can_network_connect',`
  ')
  
  optional_policy(`
@@ -62205,7 +62244,7 @@ index 63957a3..57fbf6d 100644
  	dbus_system_bus_client(openvpn_t)
  	dbus_connect_system_bus(openvpn_t)
  
-@@ -175,3 +209,27 @@ optional_policy(`
+@@ -175,3 +210,27 @@ optional_policy(`
  		networkmanager_dbus_chat(openvpn_t)
  	')
  ')
@@ -63146,10 +63185,10 @@ index 0000000..05648bd
 +')
 diff --git a/osad.te b/osad.te
 new file mode 100644
-index 0000000..1d33fea
+index 0000000..6c2f264
 --- /dev/null
 +++ b/osad.te
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,56 @@
 +policy_module(osad, 1.0.0)
 +
 +########################################
@@ -63185,6 +63224,8 @@ index 0000000..1d33fea
 +
 +kernel_read_system_state(osad_t)
 +
++corecmd_exec_bin(osad_t)
++
 +corenet_tcp_connect_http_port(osad_t)
 +corenet_tcp_connect_jabber_client_port(osad_t)
 +
@@ -63199,6 +63240,11 @@ index 0000000..1d33fea
 +optional_policy(`
 +    rhnsd_manage_config(osad_t)
 +')
++
++# execute rhn_check
++optional_policy(`
++    rpm_domtrans(osad_t)
++')
 diff --git a/pacemaker.fc b/pacemaker.fc
 index 2f0ad56..d4da0b8 100644
 --- a/pacemaker.fc
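Review bot: The `rpm_domtrans(osad_t)` added at the end of osad.te lets a daemon that this same file allows to connect to the http and jabber client ports transition into the rpm domain, and the only explanation is the comment `# execute rhn_check`. That is a large step up in privilege for a domain that talks to the network, so the comment should say why a transition into the rpm domain is needed rather than a narrower dedicated domain, e.g. `# osad triggers rhn_check, which performs package actions and therefore runs in the rpm domain` (wording to be confirmed). The `corecmd_exec_bin(osad_t)` added in the previous hunk has no comment at all. Neither change appears in the 3.13.1-100 changelog entry.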
@@ -70985,7 +71031,7 @@ index cd8b8b9..2cfa88a 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index d616ca3..e7f793e 100644
+index d616ca3..6b73bbd 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@@ -71068,7 +71114,8 @@ index d616ca3..e7f793e 100644
 +# PPPD Local policy
  #
  
- allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
+-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice sys_chroot };
  dontaudit pppd_t self:capability sys_tty_config;
 -allow pppd_t self:process { getsched setsched signal };
 +dontaudit pppd_t self:capability2 block_suspend;
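Review bot: `sys_chroot` is appended to the `allow pppd_t self:capability` set with no comment and no changelog line, on a set that already carries `sys_admin`, `dac_override`, `setuid` and `net_admin`. Nothing in the patch says which pppd code path or plugin calls chroot(), so a later audit of this domain has nothing to check the capability against. I would add a comment above the rule naming the caller and the bug, e.g. `# sys_chroot: <caller and BZ number placeholder>`, and list the change in the changelog.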
@@ -86007,7 +86054,7 @@ index ef3b225..d248cd3 100644
  	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..15fcd26 100644
+index 6fc360e..75415ab 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -86349,7 +86396,7 @@ index 6fc360e..15fcd26 100644
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
  
-@@ -331,30 +331,53 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,73 +331,125 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -86412,7 +86459,9 @@ index 6fc360e..15fcd26 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,41 +386,69 @@ ifdef(`distro_redhat',`
+ 		mta_send_mail(rpm_script_t)
++        mta_role_access_system_mail(rpm_script_roles)
+ 		mta_system_content(rpm_var_run_t)
  	')
  ')
  
@@ -86493,7 +86542,7 @@ index 6fc360e..15fcd26 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +460,6 @@ optional_policy(`
+@@ -409,6 +461,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -87207,13 +87256,14 @@ index abeb302..7c1f218 100644
  ')
 diff --git a/rtas.fc b/rtas.fc
 new file mode 100644
-index 0000000..4552e91
+index 0000000..8d12521
 --- /dev/null
 +++ b/rtas.fc
-@@ -0,0 +1,13 @@
+@@ -0,0 +1,14 @@
 +/usr/lib/systemd/system/rtas_errd.*   --  gen_context(system_u:object_r:rtas_errd_unit_file_t,s0)
 +
 +/usr/sbin/rtas_errd    --  gen_context(system_u:object_r:rtas_errd_exec_t,s0)
++/usr/libexec/ppc64-diag/rtas_errd   --  gen_context(system_u:object_r:rtas_errd_exec_t,s0)
 +
 +/var/lock/subsys/rtas_errd  --  gen_context(system_u:object_r:rtas_errd_var_lock_t)
 +/var/lock/.*librtas  --  gen_context(system_u:object_r:rtas_errd_var_lock_t)
@@ -88497,7 +88547,7 @@ index 50d07fb..dc069c8 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..b2692f5 100644
+index 2b7c441..c2cd297 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -89290,7 +89340,7 @@ index 2b7c441..b2692f5 100644
  
  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
  
-@@ -627,16 +682,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +682,13 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -89300,7 +89350,8 @@ index 2b7c441..b2692f5 100644
  term_use_console(smbcontrol_t)
  
 -miscfiles_read_localization(smbcontrol_t)
--
++auth_read_passwd(smbcontrol_t)
+ 
  sysnet_use_ldap(smbcontrol_t)
  
 -userdom_use_user_terminals(smbcontrol_t)
@@ -89308,7 +89359,7 @@ index 2b7c441..b2692f5 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +694,23 @@ optional_policy(`
+@@ -644,22 +696,23 @@ optional_policy(`
  
  ########################################
  #
@@ -89340,7 +89391,7 @@ index 2b7c441..b2692f5 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +719,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +721,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -89376,19 +89427,19 @@ index 2b7c441..b2692f5 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +746,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +748,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
 -auth_use_nsswitch(smbmount_t)
 +corecmd_list_bin(smbmount_t)
-+
+ 
+-miscfiles_read_localization(smbmount_t)
 +files_list_mnt(smbmount_t)
 +files_mounton_mnt(smbmount_t)
 +files_manage_etc_runtime_files(smbmount_t)
 +files_etc_filetrans_etc_runtime(smbmount_t, file)
- 
--miscfiles_read_localization(smbmount_t)
++
 +auth_use_nsswitch(smbmount_t)
  
 -mount_use_fds(smbmount_t)
@@ -89468,7 +89519,7 @@ index 2b7c441..b2692f5 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +825,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +827,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -89492,7 +89543,7 @@ index 2b7c441..b2692f5 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +839,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +841,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -89535,7 +89586,7 @@ index 2b7c441..b2692f5 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +869,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +871,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -89549,7 +89600,7 @@ index 2b7c441..b2692f5 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +892,20 @@ optional_policy(`
+@@ -840,17 +894,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -89575,7 +89626,7 @@ index 2b7c441..b2692f5 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +915,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +917,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -89586,7 +89637,7 @@ index 2b7c441..b2692f5 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +926,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +928,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -89639,7 +89690,7 @@ index 2b7c441..b2692f5 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +968,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +970,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -89698,7 +89749,7 @@ index 2b7c441..b2692f5 100644
  ')
  
  optional_policy(`
-@@ -959,31 +1029,35 @@ optional_policy(`
+@@ -959,31 +1031,35 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -89741,7 +89792,7 @@ index 2b7c441..b2692f5 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1071,38 @@ optional_policy(`
+@@ -997,25 +1073,38 @@ optional_policy(`
  
  ########################################
  #
@@ -97313,10 +97364,10 @@ index 03472ed..48b5633 100644
 +	cron_system_entry(squid_cron_t, squid_cron_exec_t)
 +')
 diff --git a/sssd.fc b/sssd.fc
-index dbb005a..45291bb 100644
+index dbb005a..5db696e 100644
 --- a/sssd.fc
 +++ b/sssd.fc
-@@ -1,15 +1,17 @@
+@@ -1,15 +1,19 @@
  /etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
  
 -/etc/sssd(/.*)?	gen_context(system_u:object_r:sssd_conf_t,s0)
@@ -97329,6 +97380,8 @@ index dbb005a..45291bb 100644
 +/usr/lib/systemd/system/sssd.*      --      gen_context(system_u:object_r:sssd_unit_file_t,s0)
  
 -/var/lib/sss/mc(/.*)?	gen_context(system_u:object_r:sssd_public_t,s0)
++/usr/libexec/sssd/selinux_child     --  gen_context(system_u:object_r:sssd_selinux_manager_exec_t)
++
 +/var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
 +
 +/var/lib/sss/mc(/.*)?		gen_context(system_u:object_r:sssd_public_t,s0)
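Review bot: The new `/usr/libexec/sssd/selinux_child` entry calls `gen_context()` without the `,s0` level that every other sssd.fc entry in this hunk passes. As far as I know the second argument supplies the sensitivity in MLS builds, so leaving it out risks an incomplete context there, and this package does ship an MLS policy. It should read `/usr/libexec/sssd/selinux_child     --  gen_context(system_u:object_r:sssd_selinux_manager_exec_t,s0)`.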
@@ -97341,7 +97394,7 @@ index dbb005a..45291bb 100644
 -/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a240455..de2172a 100644
+index a240455..b25b2ce 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -1,21 +1,21 @@
@@ -97636,7 +97689,7 @@ index a240455..de2172a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -317,8 +389,46 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +389,65 @@ interface(`sssd_stream_connect',`
  
  ########################################
  ## <summary>
@@ -97678,6 +97731,25 @@ index a240455..de2172a 100644
 +    allow sssd_t $1:key manage_key_perms;
 +')
 +
++#######################################
++## <summary>
++##  Allow attempts to read and write to
++##  sssd pipes
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`sssd_rw_inherited_pipes',`
++    gen_require(`
++        type sssd_t;
++    ')
++
++    allow $1 sssd_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
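Review bot: The summary of the new `sssd_rw_inherited_pipes` interface, "Allow attempts to read and write to sssd pipes", does not match the rule it documents. "Attempts" is the wording normally used for dontaudit interfaces, whereas this one is an `allow` using `rw_inherited_fifo_file_perms`, which as far as I know covers already-open (inherited) pipes only. I would change the summary to `##  Read and write inherited sssd pipes.`. The block is also indented with spaces while `sssd_admin` further down uses tabs.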
@@ -97685,7 +97757,7 @@ index a240455..de2172a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -327,7 +437,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +456,7 @@ interface(`sssd_stream_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -97694,7 +97766,7 @@ index a240455..de2172a 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -335,27 +445,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +464,29 @@ interface(`sssd_stream_connect',`
  interface(`sssd_admin',`
  	gen_require(`
  		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -97736,16 +97808,21 @@ index a240455..de2172a 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..5bc1bc1 100644
+index 2d8db1f..bce5858 100644
 --- a/sssd.te
 +++ b/sssd.te
-@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
+@@ -28,9 +28,17 @@ logging_log_file(sssd_var_log_t)
  type sssd_var_run_t;
  files_pid_file(sssd_var_run_t)
  
 +type sssd_unit_file_t;
 +systemd_unit_file(sssd_unit_file_t)
 +
++type sssd_selinux_manager_t;
++type sssd_selinux_manager_exec_t;
++application_domain(sssd_selinux_manager_t, sssd_selinux_manager_exec_t)
++role system_r types sssd_selinux_manager_t;
++
  ########################################
  #
 -# Local policy
@@ -97753,7 +97830,7 @@ index 2d8db1f..5bc1bc1 100644
  #
  
  allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
-@@ -38,7 +41,7 @@ allow sssd_t self:capability2 block_suspend;
+@@ -38,7 +46,7 @@ allow sssd_t self:capability2 block_suspend;
  allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
  allow sssd_t self:fifo_file rw_fifo_file_perms;
  allow sssd_t self:key manage_key_perms;
@@ -97762,7 +97839,7 @@ index 2d8db1f..5bc1bc1 100644
  
  read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
  
-@@ -51,9 +54,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+@@ -51,9 +59,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
  manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
  files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
  
@@ -97773,7 +97850,7 @@ index 2d8db1f..5bc1bc1 100644
  logging_log_filetrans(sssd_t, sssd_var_log_t, file)
  
  manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -62,17 +63,12 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+@@ -62,17 +68,12 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
  
  kernel_read_network_state(sssd_t)
  kernel_read_system_state(sssd_t)
@@ -97794,7 +97871,7 @@ index 2d8db1f..5bc1bc1 100644
  
  corecmd_exec_bin(sssd_t)
  
-@@ -83,28 +79,35 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +84,35 @@ domain_read_all_domains_state(sssd_t)
  domain_obj_id_change_exemption(sssd_t)
  
  files_list_tmp(sssd_t)
@@ -97834,7 +97911,7 @@ index 2d8db1f..5bc1bc1 100644
  
  init_read_utmp(sssd_t)
  
-@@ -112,18 +115,36 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +120,55 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -97869,11 +97946,30 @@ index 2d8db1f..5bc1bc1 100644
 +optional_policy(`
 +	ldap_stream_connect(sssd_t)
 +	ldap_read_certs(sssd_t)
-+')
+ ')
 +
 +optional_policy(`
 +	systemd_login_read_pid_files(sssd_t)
- ')
++')
++
++########################################
++#
++# sssd SELinux manager local policy
++#
++
++domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t)
++
++logging_send_audit_msgs(sssd_selinux_manager_t)
++
++seutil_semanage_policy(sssd_selinux_manager_t)
++seutil_manage_file_contexts(sssd_selinux_manager_t)
++seutil_manage_config(sssd_selinux_manager_t)
++seutil_manage_login_config(sssd_selinux_manager_t)
++seutil_manage_default_contexts(sssd_selinux_manager_t)
++
++seutil_exec_setfiles(sssd_selinux_manager_t)
++logging_dontaudit_search_audit_logs(sssd_selinux_manager_t)
++
 diff --git a/stapserver.fc b/stapserver.fc
 new file mode 100644
 index 0000000..0ccce59
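Review bot: The new "sssd SELinux manager local policy" block grants `sssd_selinux_manager_t` policy-management rights (`seutil_semanage_policy`, `seutil_manage_config`, `seutil_manage_login_config`, `seutil_manage_file_contexts`, `seutil_manage_default_contexts`, `seutil_exec_setfiles`) with only a section title to explain them. Because `domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t)` makes the domain reachable from sssd_t, each call deserves a short why-comment so the set can be audited and trimmed. Presumably the helper only updates login mappings, in which case the file-context and default-context interfaces should be justified or dropped. The block also ends with a stray blank line before the next file, and the new domain is missing from the 3.13.1-100 changelog.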
@@ -101461,13 +101557,14 @@ index 585a77f..10d7105 100644
  optional_policy(`
 diff --git a/tomcat.fc b/tomcat.fc
 new file mode 100644
-index 0000000..a8385bc
+index 0000000..ae28ea3
 --- /dev/null
 +++ b/tomcat.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,12 @@
 +/usr/lib/systemd/system/tomcat.service		--	gen_context(system_u:object_r:tomcat_unit_file_t,s0)
 +
 +/usr/sbin/tomcat(6)?	--	gen_context(system_u:object_r:tomcat_exec_t,s0)
++/usr/libexec/tomcat/server  --  gen_context(system_u:object_r:tomcat_exec_t,s0)
 +
 +/var/cache/tomcat6?(/.*)?		gen_context(system_u:object_r:tomcat_cache_t,s0)
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 26dd6b0..f4d90e6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 99%{?dist}
+Release: 100%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,13 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Dec 11 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-100
+- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS.
+- Fix miscfiles_manage_generic_cert_files() to allow manage link files
+- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
+- Add support for /var/run/gluster.
+- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)
+
 * Fri Dec 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-99
 - Add files_dontaudit_list_security_dirs() interface.
 - Added seutil_dontaudit_access_check_semanage_module_store interface.
@@ -612,7 +619,7 @@ SELinux Reference policy mls base module.
 - dontaudit list security dirs for samba domain
 - Dontaudit couchdb to list /var
 
-* Fri Nov 29 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-98
+* Sat Nov 29 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-98
 - Update to have all _systemctl() interface also init_reload_services()
 - Dontaudit access check on SELinux module store for sssd.
 - Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)

