[selinux-policy/f21] * Thu Jan 29 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.1 - Add unconfined_setsched() interfa
Lukas Vrabec
lvrabec at fedoraproject.org
Thu Jan 29 16:22:15 UTC 2015
commit ef908f68c4f2db58f7c975dd0a9455acfb32f3ff
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Thu Jan 29 17:21:13 2015 +0100
* Thu Jan 29 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.1
- Add unconfined_setsched() interface
- Add ipsec_rw_inherited_pipes() interface.
- Update seutil_manage_config() interface.
- journald now reads the netlink audit socket
- Update ipsec_manage_pid() interface.
- Allow netutils chown capability to make tcpdump working with -w
- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t.
- Allow ipsec to execute _updown.netkey script to run unbound-control.
- Add auditing support for ipsec.
- Allow nut_upsmon_t to read random_device_t. BZ(1186072)
- Allow fowner capability for sssd because of selinux_child handling.
- Allow bind to read/write inherited ipsec pipes
- Allow hypervkvp to read /dev/urandom and read additional states/config files.
- Allow cluster domain to dbus chat with systemd-logind.
- Allow gluster rpm scriptlet to create glusterd socket with correct labeling. This is a workaround until we get a fix in glusterd.
- Add glusterd_filetrans_named_pid() interface.
- Allow radiusd to connect to radsec ports.
- Allow setuid/setgid for selinux_child.
- Allow pingd to read /dev/urandom. BZ(1181831)
- Allow lsmd plugin to connect to tcp/5989 by default.
- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
- Allow docker_t to change its rlimit
- Allow docker to setsched on unconfined_t user
- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
- Call correct macro in virt_read_content().
- Allow neutron to read rpm DB.
- Add labeling for pacemaker.log.
- Allow radius to connect/bind radsec ports.
- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log.
- Add devicekit_read_log_files()
- Allow virt_qemu_ga to dbus chat with rpm.
- Update virt_read_content() interface to also allow reading char devices.
policy-f21-base.patch | 195 ++++++++----
policy-f21-contrib.patch | 780 ++++++++++++++++++++++++++++------------------
selinux-policy.spec | 36 ++-
3 files changed, 639 insertions(+), 372 deletions(-)
---
diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index 78c6710..68be974 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -1784,7 +1784,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c359..c7fe2c6 100644
+index c44c359..ec441aa 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@@ -1800,6 +1800,15 @@ index c44c359..c7fe2c6 100644
type netutils_t;
type netutils_exec_t;
+@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
+ #
+
+ # Perform network administration operations and have raw access to the network.
+-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
++allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot };
+ dontaudit netutils_t self:capability { dac_override sys_tty_config };
+ allow netutils_t self:process { setcap signal_perms };
+ allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
@@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
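Review bot: the new `chown` capability is granted to all of netutils_t, not only to tcpdump, and the comment above the rule ("Perform network administration operations and have raw access to the network") no longer explains the full set. The changelog says this is for `tcpdump -w` (tcpdump chowns the capture file when it drops privileges); add that reason as a comment next to the rule so a later audit of netutils_t capabilities does not read `chown` as an unexplained privilege. If only the capture-file handoff needs it, a conditional on an existing boolean would keep the default footprint smaller.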
@@ -9542,7 +9551,7 @@ index cf04cb5..7fad46c 100644
+ unconfined_server_stream_connect(domain)
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..ad25566 100644
+index b876c48..6bfb954 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9562,7 +9571,7 @@ index b876c48..ad25566 100644
/boot/.* gen_context(system_u:object_r:boot_t,s0)
/boot/\.journal <<none>>
/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
-@@ -38,27 +39,35 @@ ifdef(`distro_suse',`
+@@ -38,27 +39,36 @@ ifdef(`distro_suse',`
#
# /emul
#
@@ -9602,10 +9611,11 @@ index b876c48..ad25566 100644
+/etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
+
+/ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
++/ostree/deploy/rhel-atomic-host/deploy(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
-@@ -70,7 +79,10 @@ ifdef(`distro_suse',`
+@@ -70,7 +80,10 @@ ifdef(`distro_suse',`
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
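Review bot: the new file context `/ostree/deploy/rhel-atomic-host/deploy(/.*)?` hardcodes the osname `rhel-atomic-host`, so deployments under any other ostree osname (the `/ostree/deploy/<osname>/deploy` layout is the same for every ostree-based system) will not get system_conf_t. Unless RHEL Atomic is the only target, a pattern such as `/ostree/deploy/[^/]+/deploy(/.*)?` covers the general case; if the narrow match is intentional, say so in the commit message.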
@@ -9617,7 +9627,7 @@ index b876c48..ad25566 100644
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -78,10 +90,6 @@ ifdef(`distro_gentoo', `
+@@ -78,10 +91,6 @@ ifdef(`distro_gentoo', `
/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -9628,7 +9638,7 @@ index b876c48..ad25566 100644
ifdef(`distro_suse',`
/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +112,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -104,7 +113,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/initrd -d gen_context(system_u:object_r:root_t,s0)
#
@@ -9637,7 +9647,7 @@ index b876c48..ad25566 100644
#
/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-@@ -125,10 +133,13 @@ ifdef(`distro_debian',`
+@@ -125,10 +134,13 @@ ifdef(`distro_debian',`
#
# Mount points; do not relabel subdirectories, since
# we don't want to change any removable media by default.
@@ -9652,7 +9662,7 @@ index b876c48..ad25566 100644
#
# /misc
-@@ -138,7 +149,7 @@ ifdef(`distro_debian',`
+@@ -138,7 +150,7 @@ ifdef(`distro_debian',`
#
# /mnt
#
@@ -9661,7 +9671,7 @@ index b876c48..ad25566 100644
/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/mnt/[^/]*/.* <<none>>
-@@ -150,10 +161,10 @@ ifdef(`distro_debian',`
+@@ -150,10 +162,10 @@ ifdef(`distro_debian',`
#
# /opt
#
@@ -9674,7 +9684,7 @@ index b876c48..ad25566 100644
#
# /proc
-@@ -161,6 +172,12 @@ ifdef(`distro_debian',`
+@@ -161,6 +173,12 @@ ifdef(`distro_debian',`
/proc -d <<none>>
/proc/.* <<none>>
@@ -9687,7 +9697,7 @@ index b876c48..ad25566 100644
#
# /run
#
-@@ -169,6 +186,7 @@ ifdef(`distro_debian',`
+@@ -169,6 +187,7 @@ ifdef(`distro_debian',`
/run/.*\.*pid <<none>>
/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
@@ -9695,7 +9705,7 @@ index b876c48..ad25566 100644
#
# /selinux
#
-@@ -178,13 +196,14 @@ ifdef(`distro_debian',`
+@@ -178,13 +197,14 @@ ifdef(`distro_debian',`
#
# /srv
#
@@ -9712,7 +9722,7 @@ index b876c48..ad25566 100644
/tmp/.* <<none>>
/tmp/\.journal <<none>>
-@@ -194,9 +213,11 @@ ifdef(`distro_debian',`
+@@ -194,9 +214,11 @@ ifdef(`distro_debian',`
#
# /usr
#
@@ -9725,7 +9735,7 @@ index b876c48..ad25566 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -204,15 +225,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +226,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -9742,7 +9752,7 @@ index b876c48..ad25566 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -220,8 +235,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +236,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
@@ -9751,7 +9761,7 @@ index b876c48..ad25566 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -229,7 +242,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +243,7 @@ ifndef(`distro_redhat',`
#
# /var
#
@@ -9760,7 +9770,7 @@ index b876c48..ad25566 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
-@@ -237,11 +250,25 @@ ifndef(`distro_redhat',`
+@@ -237,11 +251,25 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -9787,7 +9797,7 @@ index b876c48..ad25566 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
-@@ -256,12 +283,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +284,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@@ -9802,7 +9812,7 @@ index b876c48..ad25566 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -271,3 +300,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +301,5 @@ ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
@@ -20585,10 +20595,10 @@ index 0000000..b680867
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
-index 0000000..0573c76
+index 0000000..60a9dbd
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,653 @@
+@@ -0,0 +1,671 @@
+## <summary>Unconfined user role</summary>
+
+########################################
@@ -20845,6 +20855,24 @@ index 0000000..0573c76
+
+########################################
+## <summary>
++## Send generic signals to the unconfined domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_setsched',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process setsched;
++')
++
++########################################
++## <summary>
+## Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
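Review bot: the summary of the new `unconfined_setsched` interface reads "Send generic signals to the unconfined domain.", which is copied from the neighbouring signal interface and does not describe what the body grants (`allow $1 unconfined_t:process setsched;`). It should say something like "Set the scheduler of unconfined domain processes." so the generated interface documentation is accurate; note also that `setsched` applies to every unconfined_t process, which callers of this interface should be aware of.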
@@ -32438,10 +32466,35 @@ index 662e79b..ad9ef4e 100644
+/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
+/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..9395313 100644
+index 0d4c8d3..83a71d8 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
-@@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',`
+@@ -18,6 +18,24 @@ interface(`ipsec_domtrans',`
+ domtrans_pattern($1, ipsec_exec_t, ipsec_t)
+ ')
+
++#######################################
++## <summary>
++## Allow read/write ipsec pipes
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipsec_rw_inherited_pipes',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Connect to IPSEC using a unix domain stream socket.
+@@ -55,6 +73,64 @@ interface(`ipsec_domtrans_mgmt',`
domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
')
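Review bot: the summary "Allow read/write ipsec pipes" overstates what `ipsec_rw_inherited_pipes` grants: `rw_inherited_fifo_file_perms` covers only pipes the caller already holds open, not opening ipsec_t fifos, so "Read and write inherited ipsec unnamed pipes." would be the accurate wording and matches the refpolicy naming convention. Minor style point: the banner above the new interface is one `#` shorter than the surrounding 40-character banners in this file.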
@@ -32506,7 +32559,7 @@ index 0d4c8d3..9395313 100644
########################################
## <summary>
## Connect to racoon using a unix domain stream socket.
-@@ -120,7 +178,6 @@ interface(`ipsec_exec_mgmt',`
+@@ -120,7 +196,6 @@ interface(`ipsec_exec_mgmt',`
## </summary>
## </param>
#
@@ -32514,7 +32567,7 @@ index 0d4c8d3..9395313 100644
interface(`ipsec_signal_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -139,7 +196,6 @@ interface(`ipsec_signal_mgmt',`
+@@ -139,7 +214,6 @@ interface(`ipsec_signal_mgmt',`
## </summary>
## </param>
#
@@ -32522,7 +32575,7 @@ index 0d4c8d3..9395313 100644
interface(`ipsec_signull_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -158,7 +214,6 @@ interface(`ipsec_signull_mgmt',`
+@@ -158,7 +232,6 @@ interface(`ipsec_signull_mgmt',`
## </summary>
## </param>
#
@@ -32530,7 +32583,7 @@ index 0d4c8d3..9395313 100644
interface(`ipsec_kill_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -167,6 +222,60 @@ interface(`ipsec_kill_mgmt',`
+@@ -167,6 +240,60 @@ interface(`ipsec_kill_mgmt',`
allow $1 ipsec_mgmt_t:process sigkill;
')
@@ -32591,7 +32644,7 @@ index 0d4c8d3..9395313 100644
######################################
## <summary>
## Send and receive messages from
-@@ -225,6 +334,7 @@ interface(`ipsec_match_default_spd',`
+@@ -225,6 +352,7 @@ interface(`ipsec_match_default_spd',`
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
@@ -32599,7 +32652,15 @@ index 0d4c8d3..9395313 100644
')
########################################
-@@ -369,3 +479,27 @@ interface(`ipsec_run_setkey',`
+@@ -282,6 +410,7 @@ interface(`ipsec_manage_pid',`
+
+ files_search_pids($1)
+ manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
++ manage_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+ ')
+
+ ########################################
+@@ -369,3 +498,27 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@@ -32628,7 +32689,7 @@ index 0d4c8d3..9395313 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..1cce3ba 100644
+index 312cd04..dd6638a 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -32722,7 +32783,7 @@ index 312cd04..1cce3ba 100644
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
-@@ -157,24 +170,33 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,24 +170,32 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -32737,11 +32798,11 @@ index 312cd04..1cce3ba 100644
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
-+logging_read_all_logs(ipsec_mgmt_t)
++logging_send_audit_msgs(ipsec_t)
logging_send_syslog_msg(ipsec_t)
-miscfiles_read_localization(ipsec_t)
-
+-
sysnet_domtrans_ifconfig(ipsec_t)
+sysnet_manage_config(ipsec_t)
+sysnet_etc_filetrans_config(ipsec_t)
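Review bot: `logging_send_audit_msgs(ipsec_t)` is the right single interface for the "auditing support for ipsec" changelog entry (in refpolicy it carries both the `audit_write` capability and the netlink_audit_socket permissions), so no separate capability rule is needed here. The removed `+logging_read_all_logs(ipsec_mgmt_t)` line was misplaced in the ipsec_t section of the file; it is relocated to the ipsec_mgmt_t section later in this patch rather than dropped, which the commit message does not mention.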
@@ -32757,7 +32818,7 @@ index 312cd04..1cce3ba 100644
seutil_sigchld_newrole(ipsec_t)
')
-@@ -187,10 +209,10 @@ optional_policy(`
+@@ -187,10 +208,10 @@ optional_policy(`
# ipsec_mgmt Local policy
#
@@ -32772,7 +32833,7 @@ index 312cd04..1cce3ba 100644
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -208,12 +230,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -32788,7 +32849,7 @@ index 312cd04..1cce3ba 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
-@@ -246,6 +270,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -32805,7 +32866,7 @@ index 312cd04..1cce3ba 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +289,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -32814,7 +32875,7 @@ index 312cd04..1cce3ba 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -269,6 +305,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +304,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -32822,7 +32883,7 @@ index 312cd04..1cce3ba 100644
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +315,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -32834,16 +32895,17 @@ index 312cd04..1cce3ba 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +326,23 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +325,25 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
-logging_send_syslog_msg(ipsec_mgmt_t)
+-
+-miscfiles_read_localization(ipsec_mgmt_t)
+ipsec_mgmt_systemctl(ipsec_mgmt_t)
--miscfiles_read_localization(ipsec_mgmt_t)
--
-seutil_dontaudit_search_config(ipsec_mgmt_t)
++logging_read_all_logs(ipsec_mgmt_t)
+logging_send_syslog_msg(ipsec_mgmt_t)
sysnet_manage_config(ipsec_mgmt_t)
@@ -32856,6 +32918,7 @@ index 312cd04..1cce3ba 100644
+userdom_use_inherited_user_terminals(ipsec_mgmt_t)
+
+optional_policy(`
++ bind_domtrans(ipsec_mgmt_t)
+ bind_read_dnssec_keys(ipsec_mgmt_t)
+ bind_read_config(ipsec_mgmt_t)
+ bind_read_state(ipsec_mgmt_t)
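Review bot: `logging_read_all_logs(ipsec_mgmt_t)` grants read access to every log type, while this file already gives ipsec_mgmt_t its own ipsec_log_t via `logging_log_filetrans`; if the management scripts only need their own logs, a narrower rule on ipsec_log_t would keep least privilege. For `bind_domtrans(ipsec_mgmt_t)`, the changelog entry about `_updown.netkey` running `unbound-control` suggests that binary runs in named_t; a short comment above the call would tie the domain transition to that use, since "bind" in the name is otherwise surprising for an unbound helper.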
@@ -32863,7 +32926,7 @@ index 312cd04..1cce3ba 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +366,10 @@ optional_policy(`
+@@ -322,6 +367,10 @@ optional_policy(`
')
optional_policy(`
@@ -32874,7 +32937,7 @@ index 312cd04..1cce3ba 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -335,7 +383,7 @@ optional_policy(`
+@@ -335,7 +384,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@@ -32883,7 +32946,7 @@ index 312cd04..1cce3ba 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +418,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +419,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -32903,7 +32966,7 @@ index 312cd04..1cce3ba 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +448,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +449,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -32916,7 +32979,7 @@ index 312cd04..1cce3ba 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +485,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +486,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -34703,7 +34766,7 @@ index 4e94884..8de26ad 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..077c808 100644
+index 59b04c1..89471ff 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -34926,18 +34989,19 @@ index 59b04c1..077c808 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,8 +412,11 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
+allow syslogd_t self:rawip_socket create_socket_perms;
++allow syslogd_t self:netlink_audit_socket r_netlink_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:dir list_dir_perms;
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
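Review bot: `allow syslogd_t self:netlink_audit_socket r_netlink_socket_perms;` covers creating and reading the socket, but journald subscribes to the audit multicast group, and on kernels that implement CAP_AUDIT_READ the bind to that group is also gated by the `capability2 audit_read` permission. Worth confirming on an F21 kernel with `ausearch -m AVC` that no second denial remains; if it does, this hunk is incomplete. The added rule is placed next to the other syslogd_t self socket rules, which is fine.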
-@@ -389,30 +434,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +435,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -34987,7 +35051,7 @@ index 59b04c1..077c808 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +483,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +484,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -34996,7 +35060,7 @@ index 59b04c1..077c808 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +495,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +496,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -35024,7 +35088,7 @@ index 59b04c1..077c808 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -448,13 +528,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +529,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@@ -35042,7 +35106,7 @@ index 59b04c1..077c808 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +550,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +551,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -35057,7 +35121,7 @@ index 59b04c1..077c808 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -497,6 +581,7 @@ optional_policy(`
+@@ -497,6 +582,7 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -35065,7 +35129,7 @@ index 59b04c1..077c808 100644
')
optional_policy(`
-@@ -507,15 +592,40 @@ optional_policy(`
+@@ -507,15 +593,40 @@ optional_policy(`
')
optional_policy(`
@@ -35106,7 +35170,7 @@ index 59b04c1..077c808 100644
')
optional_policy(`
-@@ -526,3 +636,26 @@ optional_policy(`
+@@ -526,3 +637,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -37467,7 +37531,7 @@ index d43f3b1..870bc36 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..a7912c5 100644
+index 3822072..0bd60a7 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -37710,15 +37774,16 @@ index 3822072..a7912c5 100644
## Do not audit attempts to search the SELinux
## configuration directory (/etc/selinux).
## </summary>
-@@ -680,10 +848,115 @@ interface(`seutil_manage_config',`
+@@ -680,8 +848,113 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
manage_files_pattern($1, selinux_config_t, selinux_config_t)
- read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
-
+- read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
++ manage_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
++')
++
+######################################
+## <summary>
+## Create, read, write, and delete
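Review bot: changing `read_lnk_files_pattern` to `manage_lnk_files_pattern` in `seutil_manage_config` lets every existing caller create, rename and delete symlinks under /etc/selinux, not only follow them. Since a symlink swap in the policy store affects which policy gets loaded, the callers of this interface should be re-checked to confirm each of them really needs symlink management, and the interface summary should now say "manage" rather than "read" for links.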
@@ -37821,11 +37886,9 @@ index 3822072..a7912c5 100644
+ allow $1 selinux_config_t:dir search_dir_perms;
+ allow $1 selinux_login_config_t:dir list_dir_perms;
+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+')
-+
+ ')
+
#######################################
- ## <summary>
- ## Create, read, write, and delete
@@ -694,15 +967,62 @@ interface(`seutil_manage_config',`
## Domain allowed access.
## </summary>
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index e62038c..2b9a313 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -9267,7 +9267,7 @@ index 531a8f2..0b86f2f 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 1241123..4569bde 100644
+index 1241123..e196b89 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9347,17 +9347,21 @@ index 1241123..4569bde 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -187,7 +202,9 @@ optional_policy(`
+@@ -187,7 +202,13 @@ optional_policy(`
')
optional_policy(`
++ ipsec_rw_inherited_pipes(named_t)
++')
++
++optional_policy(`
+ kerberos_filetrans_named_content(named_t)
kerberos_read_keytab(named_t)
+ kerberos_read_host_rcache(named_t)
kerberos_use(named_t)
')
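Review bot: splitting `ipsec_rw_inherited_pipes(named_t)` into its own `optional_policy` block rather than folding it into the kerberos block is correct, since the two modules are independent. A one-line comment explaining why named_t inherits ipsec pipes at all (the ipsec management scripts invoke a resolver control tool that runs in named_t, per the changelog) would help the next reader, because nothing in bind.te itself hints at the ipsec relationship.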
-@@ -215,7 +232,8 @@ optional_policy(`
+@@ -215,7 +236,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -9367,7 +9371,7 @@ index 1241123..4569bde 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -229,10 +247,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +251,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -9379,7 +9383,7 @@ index 1241123..4569bde 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +259,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +263,9 @@ corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
@@ -9389,7 +9393,7 @@ index 1241123..4569bde 100644
domain_use_interactive_fds(ndc_t)
files_search_pids(ndc_t)
-@@ -257,7 +277,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +281,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -16384,7 +16388,7 @@ index 715a826..a1cbdb2 100644
+ ')
')
diff --git a/couchdb.te b/couchdb.te
-index ae1c1b1..a3af6c9 100644
+index ae1c1b1..81803f9 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
@@ -16427,7 +16431,7 @@ index ae1c1b1..a3af6c9 100644
corecmd_exec_bin(couchdb_t)
corecmd_exec_shell(couchdb_t)
-@@ -75,14 +80,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
+@@ -75,14 +80,25 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
corenet_tcp_bind_couchdb_port(couchdb_t)
corenet_tcp_sendrecv_couchdb_port(couchdb_t)
@@ -16440,6 +16444,8 @@ index ae1c1b1..a3af6c9 100644
+files_getattr_lost_found_dirs(couchdb_t)
+files_dontaudit_list_var(couchdb_t)
+
++gnome_dontaudit_search_config(couchdb_t)
++
dev_list_sysfs(couchdb_t)
dev_read_sysfs(couchdb_t)
dev_read_urand(couchdb_t)
@@ -22493,7 +22499,7 @@ index 583a527..1053281 100644
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/devicekit.if b/devicekit.if
-index 8ce99ff..0819898 100644
+index 8ce99ff..1bc5d3a 100644
--- a/devicekit.if
+++ b/devicekit.if
@@ -1,4 +1,4 @@
@@ -22629,7 +22635,7 @@ index 8ce99ff..0819898 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -149,40 +165,78 @@ interface(`devicekit_use_fds_power',`
+@@ -149,40 +165,97 @@ interface(`devicekit_use_fds_power',`
## </summary>
## </param>
#
@@ -22689,26 +22695,44 @@ index 8ce99ff..0819898 100644
## <summary>
-## Create, read, write, and delete
-## devicekit log files.
-+## Do not audit attempts to write the devicekit
-+## log files.
++## Allow read devicekit log files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
## </param>
#
-interface(`devicekit_manage_log_files',`
-+interface(`devicekit_dontaudit_rw_log',`
++interface(`devicekit_read_log_files',`
gen_require(`
type devicekit_var_log_t;
')
-- logging_search_logs($1)
+ logging_search_logs($1)
- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++ allow $1 devicekit_var_log_t:file read_file_perms;
++')
++
++#######################################
++## <summary>
++## Do not audit attempts to write the devicekit
++## log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`devicekit_dontaudit_rw_log',`
++ gen_require(`
++ type devicekit_var_log_t;
++ ')
++
+ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
')
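Review bot: the summary of the new `devicekit_read_log_files` interface, "Allow read devicekit log files.", is ungrammatical; "Read devicekit log files." matches the style of the rest of this file. The body uses a bare `allow $1 devicekit_var_log_t:file read_file_perms;` after `logging_search_logs($1)`, which is the expected refpolicy shape. Minor style: the banner above `devicekit_dontaudit_rw_log` is one `#` shorter than the surrounding banners.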
@@ -22719,7 +22743,7 @@ index 8ce99ff..0819898 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -190,13 +244,13 @@ interface(`devicekit_manage_log_files',`
+@@ -190,13 +263,13 @@ interface(`devicekit_manage_log_files',`
## </summary>
## </param>
#
@@ -22737,7 +22761,7 @@ index 8ce99ff..0819898 100644
')
########################################
-@@ -220,11 +274,30 @@ interface(`devicekit_read_pid_files',`
+@@ -220,11 +293,30 @@ interface(`devicekit_read_pid_files',`
########################################
## <summary>
@@ -22769,7 +22793,7 @@ index 8ce99ff..0819898 100644
## Domain allowed access.
## </summary>
## </param>
-@@ -235,22 +308,59 @@ interface(`devicekit_manage_pid_files',`
+@@ -235,22 +327,59 @@ interface(`devicekit_manage_pid_files',`
')
files_search_pids($1)
@@ -22833,7 +22857,7 @@ index 8ce99ff..0819898 100644
## </summary>
## </param>
## <rolecap/>
-@@ -259,21 +369,48 @@ interface(`devicekit_admin',`
+@@ -259,21 +388,48 @@ interface(`devicekit_admin',`
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
@@ -25221,10 +25245,10 @@ index 0000000..c8e5981
+
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..08cf151
+index 0000000..671f440
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,300 @@
+@@ -0,0 +1,301 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -25291,7 +25315,7 @@ index 0000000..08cf151
+# docker local policy
+#
+allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
-+allow docker_t self:process { getattr signal_perms };
++allow docker_t self:process { getattr signal_perms setrlimit };
+allow docker_t self:fifo_file rw_fifo_file_perms;
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
+allow docker_t self:tcp_socket create_stream_socket_perms;
@@ -25524,6 +25548,7 @@ index 0000000..08cf151
+tunable_policy(`docker_transition_unconfined',`
+ unconfined_transition(docker_t, docker_share_t)
+ unconfined_transition(docker_t, docker_var_lib_t)
++ unconfined_setsched(docker_t)
+')
diff --git a/dovecot.fc b/dovecot.fc
index c880070..4448055 100644
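Review bot: `unconfined_setsched(docker_t)` is correctly placed inside the `docker_transition_unconfined` tunable, but that interface grants `process setsched` on every unconfined_t process, not only on container processes, so the boolean's description should mention that enabling it also lets the daemon change scheduling of unconfined processes. The `setrlimit` addition to `docker_t self:process` is self-scoped and unproblematic.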
@@ -30520,7 +30545,7 @@ index 9eacb2c..7b19ad2 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
-index 5cd0909..a0b3bfb 100644
+index 5cd0909..cdba87f 100644
--- a/glance.te
+++ b/glance.te
@@ -5,10 +5,31 @@ policy_module(glance, 1.1.0)
@@ -30638,7 +30663,7 @@ index 5cd0909..a0b3bfb 100644
########################################
#
# Registry local policy
-@@ -88,8 +129,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -88,8 +129,16 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
@@ -30650,10 +30675,12 @@ index 5cd0909..a0b3bfb 100644
corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
corenet_tcp_bind_glance_registry_port(glance_registry_t)
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
++
++corenet_tcp_connect_keystone_port(glance_registry_t)
logging_send_syslog_msg(glance_registry_t)
-@@ -108,13 +155,37 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +157,37 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
@@ -30722,10 +30749,10 @@ index 0000000..8c8c6c9
+/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
-index 0000000..1ed97fe
+index 0000000..c62ad86
--- /dev/null
+++ b/glusterd.if
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,166 @@
+
+## <summary>policy for glusterd</summary>
+
@@ -30768,7 +30795,6 @@ index 0000000..1ed97fe
+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+')
+
-+
+########################################
+## <summary>
+## Read glusterd's log files.
@@ -30808,6 +30834,23 @@ index 0000000..1ed97fe
+ append_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
++#######################################
++## <summary>
++## Transition content labels to glusterd named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`glusterd_filetrans_named_pid',`
++ gen_require(`
++ type glusterd_var_run_t;
++ ')
++ files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")
++')
++
+########################################
+## <summary>
+## Manage glusterd log files
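Review bot: the files_pid_filetrans call in glusterd_filetrans_named_pid has a stray space before the comma (`glusterd_var_run_t , sock_file`), and the separator line opening the new block is one character shorter than the neighbouring `########################################` rules; both are cosmetic but the rest of the file is consistent. The transition itself lines up with the `/var/run/glusterd.* -s` context in glusterd.fc earlier in this patch, so a socket named glusterd.socket created under /var/run by a caller ends up as glusterd_var_run_t as intended.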
@@ -35140,10 +35183,43 @@ index bbccc79..435ac42 100644
logging_search_logs(hald_keymap_t)
diff --git a/hddtemp.if b/hddtemp.if
-index 1728071..77e71ea 100644
+index 1728071..6e2d333 100644
--- a/hddtemp.if
+++ b/hddtemp.if
-@@ -60,9 +60,13 @@ interface(`hddtemp_admin',`
+@@ -19,6 +19,32 @@ interface(`hddtemp_domtrans',`
+ domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
+ ')
+
++########################################
++## <summary>
++## Execute hddtemp in the hddtemp domain, and
++## allow the specified role the hddtemp domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++#
++interface(`hddtemp_run',`
++ gen_require(`
++ type hddtemp_t;
++ attribute_role hddtemp_roles;
++ ')
++
++ hddtemp_domtrans($1)
++ roleattribute $2 hddtemp_roles;
++')
++
+ ######################################
+ ## <summary>
+ ## Execute hddtemp in the caller domain.
+@@ -60,9 +86,13 @@ interface(`hddtemp_admin',`
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
')
@@ -35159,10 +35235,23 @@ index 1728071..77e71ea 100644
domain_system_change_exemption($1)
role_transition $2 hddtemp_initrc_exec_t system_r;
diff --git a/hddtemp.te b/hddtemp.te
-index 9e11b98..29065e6 100644
+index 9e11b98..6338ea7 100644
--- a/hddtemp.te
+++ b/hddtemp.te
-@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
+@@ -4,10 +4,12 @@ policy_module(hddtemp, 1.2.0)
+ #
+ # Declarations
+ #
++attribute_role hddtemp_roles;
+
+ type hddtemp_t;
+ type hddtemp_exec_t;
+ init_daemon_domain(hddtemp_t, hddtemp_exec_t)
++role hddtemp_roles types hddtemp_t;
+
+ type hddtemp_initrc_exec_t;
+ init_script_file(hddtemp_initrc_exec_t)
+@@ -26,7 +28,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
allow hddtemp_t hddtemp_etc_t:file read_file_perms;
@@ -35170,7 +35259,7 @@ index 9e11b98..29065e6 100644
corenet_all_recvfrom_netlabel(hddtemp_t)
corenet_tcp_sendrecv_generic_if(hddtemp_t)
corenet_tcp_sendrecv_generic_node(hddtemp_t)
-@@ -36,9 +35,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
+@@ -36,9 +37,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
@@ -35180,7 +35269,7 @@ index 9e11b98..29065e6 100644
storage_raw_read_fixed_disk(hddtemp_t)
storage_raw_read_removable_device(hddtemp_t)
-@@ -46,4 +42,3 @@ auth_use_nsswitch(hddtemp_t)
+@@ -46,4 +44,3 @@ auth_use_nsswitch(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
@@ -35377,10 +35466,10 @@ index 6517fad..f183748 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..85c5155 100644
+index 4eb7041..0b16b07 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,84 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,121 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -35404,6 +35493,9 @@ index 4eb7041..85c5155 100644
+type hypervkvp_var_lib_t;
+files_type(hypervkvp_var_lib_t)
+
++type hypervkvp_tmp_t;
++files_tmpfs_file(hypervkvp_tmp_t)
++
+type hypervvssd_t, hyperv_domain;
+type hypervvssd_exec_t;
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
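Review bot: hypervkvp_tmp_t is declared with files_tmpfs_file(), but the later hunk in this file uses it with files_tmp_filetrans(hypervkvp_t, hypervkvp_tmp_t, { file dir }), i.e. for content created under /tmp. A type used that way should be declared with files_tmp_file() so it carries the tmpfile attribute (tmp cleanup and the generic tmp interfaces depend on it); files_tmpfs_file() is for types living on tmpfs and gives the wrong attribute here.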
@@ -35415,7 +35507,7 @@ index 4eb7041..85c5155 100644
#
-# Local policy
+# hyperv domain local policy
- #
++#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
@@ -35429,40 +35521,74 @@ index 4eb7041..85c5155 100644
+dev_read_sysfs(hyperv_domain)
+
+########################################
-+#
+ #
+# hypervkvp local policy
#
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
++
+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
+
++manage_files_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
++manage_dirs_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
++files_tmp_filetrans(hypervkvp_t, hypervkvp_tmp_t, { file dir })
++
++kernel_read_system_state(hypervkvp_t)
++kernel_read_network_state(hypervkvp_t)
++kernel_read_net_sysctls(hypervkvp_t)
++
+domain_read_all_domains_state(hypervkvp_t)
+
++dev_read_urand(hypervkvp_t)
++
+files_dontaudit_search_home(hypervkvp_t)
+
+auth_use_nsswitch(hypervkvp_t)
+
+logging_send_syslog_msg(hypervkvp_t)
++logging_read_syslog_config(hypervkvp_t)
++
++libs_exec_ldconfig(hypervkvp_t)
++
++modutils_domtrans_insmod(hypervkvp_t)
+
+sysnet_dns_name_resolve(hypervkvp_t)
+sysnet_domtrans_dhcpc(hypervkvp_t)
++sysnet_domtrans_ifconfig(hypervkvp_t)
++sysnet_manage_config(hypervkvp_t)
++sysnet_read_dhcpc_state(hypervkvp_t)
++sysnet_read_dhcp_config(hypervkvp_t)
++sysnet_etc_filetrans_config(hypervkvp_t)
+
+systemd_exec_systemctl(hypervkvp_t)
+
+userdom_dontaudit_search_admin_dir(hypervkvp_t)
+
+optional_policy(`
++ dbus_read_pid_files(hypervkvp_t)
++')
++
++optional_policy(`
+ netutils_domtrans_ping(hypervkvp_t)
+ netutils_domtrans(hypervkvp_t)
+')
+
+optional_policy(`
++ networkmanager_read_pid_files(hypervkvp_t)
++')
++
++optional_policy(`
+ sysnet_exec_ifconfig(hypervkvp_t)
+')
+
++optional_policy(`
++ rpm_exec(hypervkvp_t)
++')
++
+########################################
+#
+# hypervvssd local policy
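Review bot: sysnet_domtrans_ifconfig(hypervkvp_t) is added unconditionally while the pre-existing sysnet_exec_ifconfig(hypervkvp_t) stays in its optional_policy block a few lines below; both target the same executable, and once the type_transition from the domtrans is present the transition is the default on exec, so the exec grant is redundant and one of the two should go. Separately, rpm_exec(hypervkvp_t) lets the daemon run the rpm binary in its own domain; if the requirement is only reading package state, a read-only interface would be the narrower choice, and a one-line comment on why the KVP daemon needs rpm would help the next reviewer.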
@@ -43677,7 +43803,7 @@ index d314333..27ede09 100644
+ ')
')
diff --git a/lsm.te b/lsm.te
-index 4ec0eea..930b3f2 100644
+index 4ec0eea..6ad3121 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@@ -43712,7 +43838,7 @@ index 4ec0eea..930b3f2 100644
########################################
#
# Local policy
-@@ -26,4 +44,54 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,56 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
@@ -43757,6 +43883,8 @@ index 4ec0eea..930b3f2 100644
+corenet_tcp_connect_http_port(lsmd_plugin_t)
+corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
+corenet_tcp_connect_lsm_plugin_port(lsmd_plugin_t)
++corenet_tcp_connect_pegasus_https_port(lsmd_plugin_t)
++corenet_tcp_connect_pegasus_http_port(lsmd_plugin_t)
+corenet_tcp_connect_ssh_port(lsmd_plugin_t)
+
+init_stream_connect(lsmd_plugin_t)
@@ -50006,7 +50134,7 @@ index f42896c..bd1eb52 100644
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index ed81cac..2224799 100644
+index ed81cac..80e6086 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
@@ -50538,7 +50666,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -582,84 +570,66 @@ interface(`mta_read_aliases',`
+@@ -582,84 +570,64 @@ interface(`mta_read_aliases',`
## </summary>
## </param>
#
@@ -50588,9 +50716,7 @@ index ed81cac..2224799 100644
+ files_search_etc($1)
+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
-+ mta_etc_filetrans_aliases($1, "aliases")
-+ mta_etc_filetrans_aliases($1, "aliases.db")
-+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
++ mta_filetrans_named_content($1)
')
########################################
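Review bot: replacing the three mta_etc_filetrans_aliases() calls with mta_filetrans_named_content($1) widens this interface: the body of mta_filetrans_named_content later in this patch also calls mta_filetrans_home_content($1) and mta_filetrans_admin_home_content($1), so every caller of the aliases-management interface now also receives the named transitions for user and admin home content. If that is intended, the interface summary should say so; if not, keep the aliases-only calls here and use mta_filetrans_named_content only where the broader set is wanted.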
@@ -50639,7 +50765,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -674,14 +644,13 @@ interface(`mta_rw_aliases',`
+@@ -674,14 +642,13 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -50657,7 +50783,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -697,6 +666,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+@@ -697,6 +664,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
@@ -50683,7 +50809,7 @@ index ed81cac..2224799 100644
#######################################
## <summary>
## Connect to all mail servers over TCP. (Deprecated)
-@@ -713,8 +701,8 @@ interface(`mta_tcp_connect_all_mailservers',`
+@@ -713,8 +699,8 @@ interface(`mta_tcp_connect_all_mailservers',`
#######################################
## <summary>
@@ -50694,7 +50820,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -732,7 +720,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
+@@ -732,7 +718,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
########################################
## <summary>
@@ -50703,7 +50829,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -753,8 +741,8 @@ interface(`mta_getattr_spool',`
+@@ -753,8 +739,8 @@ interface(`mta_getattr_spool',`
########################################
## <summary>
@@ -50714,7 +50840,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -775,9 +763,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -775,9 +761,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
#######################################
## <summary>
@@ -50726,7 +50852,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -811,7 +798,7 @@ interface(`mta_spool_filetrans',`
+@@ -811,7 +796,7 @@ interface(`mta_spool_filetrans',`
#######################################
## <summary>
@@ -50735,7 +50861,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -819,10 +806,10 @@ interface(`mta_spool_filetrans',`
+@@ -819,10 +804,10 @@ interface(`mta_spool_filetrans',`
## </summary>
## </param>
#
@@ -50750,7 +50876,7 @@ index ed81cac..2224799 100644
files_search_spool($1)
read_files_pattern($1, mail_spool_t, mail_spool_t)
-@@ -830,7 +817,7 @@ interface(`mta_read_spool_files',`
+@@ -830,7 +815,7 @@ interface(`mta_read_spool_files',`
########################################
## <summary>
@@ -50759,7 +50885,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -845,13 +832,14 @@ interface(`mta_rw_spool',`
+@@ -845,13 +830,14 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -50777,7 +50903,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -866,13 +854,14 @@ interface(`mta_append_spool',`
+@@ -866,13 +852,14 @@ interface(`mta_append_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -50795,7 +50921,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -891,8 +880,7 @@ interface(`mta_delete_spool',`
+@@ -891,8 +878,7 @@ interface(`mta_delete_spool',`
########################################
## <summary>
@@ -50805,7 +50931,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -911,45 +899,9 @@ interface(`mta_manage_spool',`
+@@ -911,45 +897,9 @@ interface(`mta_manage_spool',`
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
@@ -50852,7 +50978,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -968,7 +920,7 @@ interface(`mta_search_queue',`
+@@ -968,7 +918,7 @@ interface(`mta_search_queue',`
#######################################
## <summary>
@@ -50861,7 +50987,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -981,13 +933,13 @@ interface(`mta_list_queue',`
+@@ -981,13 +931,13 @@ interface(`mta_list_queue',`
type mqueue_spool_t;
')
@@ -50877,7 +51003,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1000,14 +952,14 @@ interface(`mta_read_queue',`
+@@ -1000,14 +950,14 @@ interface(`mta_read_queue',`
type mqueue_spool_t;
')
@@ -50894,7 +51020,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1027,7 +979,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -1027,7 +977,7 @@ interface(`mta_dontaudit_rw_queue',`
########################################
## <summary>
## Create, read, write, and delete
@@ -50903,7 +51029,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1047,6 +999,41 @@ interface(`mta_manage_queue',`
+@@ -1047,6 +997,41 @@ interface(`mta_manage_queue',`
#######################################
## <summary>
@@ -50945,7 +51071,7 @@ index ed81cac..2224799 100644
## Read sendmail binary.
## </summary>
## <param name="domain">
-@@ -1055,6 +1042,7 @@ interface(`mta_manage_queue',`
+@@ -1055,6 +1040,7 @@ interface(`mta_manage_queue',`
## </summary>
## </param>
#
@@ -50953,7 +51079,7 @@ index ed81cac..2224799 100644
interface(`mta_read_sendmail_bin',`
gen_require(`
type sendmail_exec_t;
-@@ -1065,8 +1053,8 @@ interface(`mta_read_sendmail_bin',`
+@@ -1065,8 +1051,8 @@ interface(`mta_read_sendmail_bin',`
#######################################
## <summary>
@@ -50964,7 +51090,7 @@ index ed81cac..2224799 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1081,3 +1069,200 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1067,201 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -51162,6 +51288,7 @@ index ed81cac..2224799 100644
+ mta_etc_filetrans_aliases($1, "aliases")
+ mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
++ mta_etc_filetrans_aliases($1, "__db.aliases.db")
+ mta_filetrans_home_content($1)
+ mta_filetrans_admin_home_content($1)
+')
@@ -59332,10 +59459,10 @@ index 57c0161..c554eb6 100644
+ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
-index 5b2cb0d..ad16c77 100644
+index 5b2cb0d..429c9b8 100644
--- a/nut.te
+++ b/nut.te
-@@ -7,154 +7,143 @@ policy_module(nut, 1.3.0)
+@@ -7,154 +7,145 @@ policy_module(nut, 1.3.0)
attribute nut_domain;
@@ -59448,9 +59575,9 @@ index 5b2cb0d..ad16c77 100644
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
-
-+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
@@ -59470,6 +59597,8 @@ index 5b2cb0d..ad16c77 100644
-corenet_sendrecv_generic_client_packets(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)
++dev_read_rand(nut_upsmon_t)
++
+# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
@@ -65548,7 +65677,7 @@ index 21a6ecb..b99e4cb 100644
domain_system_change_exemption($1)
role_transition $2 pingd_initrc_exec_t system_r;
diff --git a/pingd.te b/pingd.te
-index ab01060..3817823 100644
+index ab01060..778c8eb 100644
--- a/pingd.te
+++ b/pingd.te
@@ -10,7 +10,7 @@ type pingd_exec_t;
@@ -65560,7 +65689,14 @@ index ab01060..3817823 100644
type pingd_initrc_exec_t;
init_script_file(pingd_initrc_exec_t)
-@@ -50,5 +50,3 @@ auth_use_nsswitch(pingd_t)
+@@ -45,10 +45,10 @@ corenet_tcp_bind_generic_node(pingd_t)
+ corenet_sendrecv_pingd_server_packets(pingd_t)
+ corenet_tcp_bind_pingd_port(pingd_t)
+
++dev_read_urand(pingd_t)
++
+ auth_use_nsswitch(pingd_t)
+
files_search_usr(pingd_t)
logging_send_syslog_msg(pingd_t)
@@ -66122,10 +66258,10 @@ index 69be2aa..2d7b3f6 100644
admin_pattern($1, pkcs_slotd_var_run_t)
diff --git a/pkcs.te b/pkcs.te
-index 8eb3f7b..b0fc2a7 100644
+index 8eb3f7b..e04f9e1 100644
--- a/pkcs.te
+++ b/pkcs.te
-@@ -7,21 +7,30 @@ policy_module(pkcs, 1.0.1)
+@@ -7,21 +7,31 @@ policy_module(pkcs, 1.0.1)
type pkcs_slotd_t;
type pkcs_slotd_exec_t;
@@ -66141,6 +66277,7 @@ index 8eb3f7b..b0fc2a7 100644
files_type(pkcs_slotd_var_lib_t)
+type pkcs_slotd_lock_t;
++typealias pkcs_slotd_lock_t alias pkcsslotd_lock_t;
+files_lock_file(pkcs_slotd_lock_t)
+
type pkcs_slotd_var_run_t;
@@ -66156,7 +66293,7 @@ index 8eb3f7b..b0fc2a7 100644
files_tmpfs_file(pkcs_slotd_tmpfs_t)
########################################
-@@ -40,6 +49,8 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+@@ -40,6 +50,8 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
@@ -66165,7 +66302,7 @@ index 8eb3f7b..b0fc2a7 100644
manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
-@@ -51,10 +62,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
+@@ -51,10 +63,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
@@ -77394,10 +77531,10 @@ index afc0068..589a7fd 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 8644d8b..0bee752 100644
+index 8644d8b..4d073e9 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -5,92 +5,178 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@@ -77484,8 +77621,6 @@ index 8644d8b..0bee752 100644
-
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
--
--files_read_usr_files(quantum_t)
+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
@@ -77573,18 +77708,17 @@ index 8644d8b..0bee752 100644
+ corenet_tcp_sendrecv_all_ports(neutron_t)
+')
--auth_use_nsswitch(quantum_t)
+-files_read_usr_files(quantum_t)
+optional_policy(`
+ dbus_system_bus_client(neutron_t)
+')
--libs_exec_ldconfig(quantum_t)
+-auth_use_nsswitch(quantum_t)
+optional_policy(`
+ brctl_domtrans(neutron_t)
+')
--logging_send_audit_msgs(quantum_t)
--logging_send_syslog_msg(quantum_t)
+-libs_exec_ldconfig(quantum_t)
+optional_policy(`
+ dnsmasq_domtrans(neutron_t)
+ dnsmasq_signal(neutron_t)
@@ -77592,43 +77726,50 @@ index 8644d8b..0bee752 100644
+ dnsmasq_read_state(neutron_t)
+')
--miscfiles_read_localization(quantum_t)
+-logging_send_audit_msgs(quantum_t)
+-logging_send_syslog_msg(quantum_t)
+optional_policy(`
+ rhcs_domtrans_haproxy(neutron_t)
+ rhcs_stream_connect_haproxy(neutron_t)
+')
--sysnet_domtrans_ifconfig(quantum_t)
+-miscfiles_read_localization(quantum_t)
+optional_policy(`
+ iptables_domtrans(neutron_t)
+')
- optional_policy(`
-- brctl_domtrans(quantum_t)
+-sysnet_domtrans_ifconfig(quantum_t)
++optional_policy(`
+ modutils_domtrans_insmod(neutron_t)
- ')
++')
optional_policy(`
-- mysql_stream_connect(quantum_t)
-- mysql_read_config(quantum_t)
+- brctl_domtrans(quantum_t)
+ mysql_stream_connect(neutron_t)
+ mysql_read_db_lnk_files(neutron_t)
+ mysql_read_config(neutron_t)
+ mysql_tcp_connect(neutron_t)
-+')
+ ')
-- mysql_tcp_connect(quantum_t)
-+optional_policy(`
+ optional_policy(`
+- mysql_stream_connect(quantum_t)
+- mysql_read_config(quantum_t)
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
+ postgresql_tcp_connect(neutron_t)
++')
+
+- mysql_tcp_connect(quantum_t)
++optional_policy(`
++ openvswitch_domtrans(neutron_t)
++ openvswitch_stream_connect(neutron_t)
')
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
-+ openvswitch_domtrans(neutron_t)
-+ openvswitch_stream_connect(neutron_t)
++ rpm_exec(neutron_t)
++ rpm_read_db(neutron_t)
+')
- postgresql_tcp_connect(quantum_t)
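Review bot: the net change in this hunk is the new optional_policy block with rpm_exec(neutron_t) and rpm_read_db(neutron_t), plus moving modutils_domtrans_insmod(neutron_t) into its own optional_policy block (correct, since modutils is optional). Note that neutron_t already holds dac_override, sys_ptrace, sys_admin, net_admin and net_raw in this same hunk, so letting it execute the rpm binary in-domain is a larger grant than the read-only rpm_read_db suggests; if neutron only needs to read the package database, rpm_read_db alone may suffice. The rest of the hunk is a reordering of unchanged lines that makes the diff hard to review; splitting such reshuffles from functional changes would help.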
@@ -78389,7 +78530,7 @@ index 4460582..4c66c25 100644
+
')
diff --git a/radius.te b/radius.te
-index 403a4fe..0e88460 100644
+index 403a4fe..0ff0178 100644
--- a/radius.te
+++ b/radius.te
@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -78426,7 +78567,7 @@ index 403a4fe..0e88460 100644
corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_generic_if(radiusd_t)
corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -74,10 +75,15 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
+@@ -74,12 +75,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
corenet_udp_sendrecv_all_ports(radiusd_t)
corenet_udp_bind_generic_node(radiusd_t)
@@ -78441,8 +78582,15 @@ index 403a4fe..0e88460 100644
+corenet_tcp_bind_radius_port(radiusd_t)
corenet_udp_bind_radius_port(radiusd_t)
++corenet_sendrecv_radsec_server_packets(radiusd_t)
++corenet_tcp_bind_radsec_port(radiusd_t)
++corenet_udp_bind_radsec_port(radiusd_t)
++corenet_tcp_connect_radsec_port(radiusd_t)
++
corenet_sendrecv_snmp_client_packets(radiusd_t)
-@@ -97,7 +103,6 @@ domain_use_interactive_fds(radiusd_t)
+ corenet_tcp_connect_snmp_port(radiusd_t)
+
+@@ -97,7 +108,6 @@ domain_use_interactive_fds(radiusd_t)
fs_getattr_all_fs(radiusd_t)
fs_search_auto_mountpoints(radiusd_t)
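Review bot: the radsec block adds corenet_tcp_connect_radsec_port(radiusd_t) but only the server-side packet permission, corenet_sendrecv_radsec_server_packets(radiusd_t). The bind calls are paired correctly with server packets, but the outbound connect needs corenet_sendrecv_radsec_client_packets(radiusd_t) as well, otherwise radiusd acting as a RadSec client is denied on labeled or SECMARK-tagged traffic. Add the client-packets line next to the connect rule.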
@@ -78450,7 +78598,7 @@ index 403a4fe..0e88460 100644
files_read_etc_runtime_files(radiusd_t)
files_dontaudit_list_tmp(radiusd_t)
-@@ -109,7 +114,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +119,6 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
@@ -78458,7 +78606,7 @@ index 403a4fe..0e88460 100644
miscfiles_read_generic_certs(radiusd_t)
sysnet_use_ldap(radiusd_t)
-@@ -122,6 +126,11 @@ optional_policy(`
+@@ -122,6 +131,11 @@ optional_policy(`
')
optional_policy(`
@@ -78470,7 +78618,7 @@ index 403a4fe..0e88460 100644
logrotate_exec(radiusd_t)
')
-@@ -140,5 +149,10 @@ optional_policy(`
+@@ -140,5 +154,10 @@ optional_policy(`
')
optional_policy(`
@@ -81185,10 +81333,10 @@ index c8a1e16..2d409bf 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..2c625fb 100644
+index 47de2d6..9f18690 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,91 @@
+@@ -1,31 +1,92 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -81302,6 +81450,7 @@ index 47de2d6..2c625fb 100644
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
index c8bdea2..bf60580 100644
@@ -82128,7 +82277,7 @@ index c8bdea2..bf60580 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..25c0f70 100644
+index 6cf79c4..0706417 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -82167,7 +82316,7 @@ index 6cf79c4..25c0f70 100644
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
-@@ -44,34 +73,281 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t;
init_script_file(foghorn_initrc_exec_t)
rhcs_domain_template(gfs_controld)
@@ -82320,6 +82469,8 @@ index 6cf79c4..25c0f70 100644
+init_rw_script_tmp_files(cluster_t)
+init_manage_script_status_files(cluster_t)
+
++systemd_dbus_chat_logind(cluster_t)
++
+userdom_delete_user_tmp_files(cluster_t)
+userdom_rw_user_tmp_files(cluster_t)
+userdom_kill_all_users(cluster_t)
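Review bot: systemd_dbus_chat_logind(cluster_t) is granted to the whole cluster_t domain unconditionally. That builds fine because systemd is part of the base policy, but cluster_t covers several daemons, so a short comment naming the component that talks to logind (and what for) would make this rule easier to audit later, and an optional_policy wrapper would keep it consistent with how the other cross-module rules in this file are written.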
@@ -82453,7 +82604,7 @@ index 6cf79c4..25c0f70 100644
')
#####################################
-@@ -79,13 +355,14 @@ optional_policy(`
+@@ -79,13 +357,14 @@ optional_policy(`
# dlm_controld local policy
#
@@ -82470,7 +82621,7 @@ index 6cf79c4..25c0f70 100644
kernel_rw_net_sysctls(dlm_controld_t)
corecmd_exec_bin(dlm_controld_t)
-@@ -98,16 +375,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +377,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -82504,7 +82655,7 @@ index 6cf79c4..25c0f70 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +409,7 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +411,7 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -82515,7 +82666,7 @@ index 6cf79c4..25c0f70 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -140,6 +429,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +431,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
corenet_sendrecv_zented_server_packets(fenced_t)
corenet_tcp_bind_zented_port(fenced_t)
@@ -82524,7 +82675,7 @@ index 6cf79c4..25c0f70 100644
corenet_tcp_sendrecv_zented_port(fenced_t)
corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +439,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +441,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -82535,7 +82686,7 @@ index 6cf79c4..25c0f70 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +449,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +451,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -82544,7 +82695,7 @@ index 6cf79c4..25c0f70 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +471,8 @@ optional_policy(`
+@@ -182,7 +473,8 @@ optional_policy(`
')
optional_policy(`
@@ -82554,7 +82705,7 @@ index 6cf79c4..25c0f70 100644
')
optional_policy(`
-@@ -190,12 +480,12 @@ optional_policy(`
+@@ -190,12 +482,12 @@ optional_policy(`
')
optional_policy(`
@@ -82570,7 +82721,7 @@ index 6cf79c4..25c0f70 100644
')
optional_policy(`
-@@ -203,6 +493,13 @@ optional_policy(`
+@@ -203,6 +495,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -82584,7 +82735,7 @@ index 6cf79c4..25c0f70 100644
#######################################
#
# foghorn local policy
-@@ -221,16 +518,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +520,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -82605,7 +82756,7 @@ index 6cf79c4..25c0f70 100644
snmp_stream_connect(foghorn_t)
')
-@@ -247,16 +546,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
+@@ -247,16 +548,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -82627,7 +82778,7 @@ index 6cf79c4..25c0f70 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +578,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +580,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -82687,7 +82838,7 @@ index 6cf79c4..25c0f70 100644
######################################
#
# qdiskd local policy
-@@ -292,7 +642,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +644,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
@@ -82695,7 +82846,7 @@ index 6cf79c4..25c0f70 100644
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
-@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +672,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -86276,7 +86427,7 @@ index ef3b225..ac3f823 100644
admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
diff --git a/rpm.te b/rpm.te
-index 6fc360e..75415ab 100644
+index 6fc360e..77ca468 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -86618,7 +86769,7 @@ index 6fc360e..75415ab 100644
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
-@@ -331,73 +331,125 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,73 +331,129 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -86663,11 +86814,11 @@ index 6fc360e..75415ab 100644
+logging_send_audit_msgs(rpm_script_t)
-miscfiles_read_localization(rpm_script_t)
-+miscfiles_filetrans_named_content(rpm_script_t)
-
+-
-modutils_run_depmod(rpm_script_t, rpm_roles)
-modutils_run_insmod(rpm_script_t, rpm_roles)
--
++miscfiles_filetrans_named_content(rpm_script_t)
+
-seutil_run_loadpolicy(rpm_script_t, rpm_roles)
-seutil_run_setfiles(rpm_script_t, rpm_roles)
-seutil_run_semanage(rpm_script_t, rpm_roles)
@@ -86710,6 +86861,10 @@ index 6fc360e..75415ab 100644
+')
+
+optional_policy(`
++ glusterd_filetrans_named_pid(rpm_script_t)
++')
++
++optional_policy(`
+ sblim_filetrans_named_content(rpm_script_t)
')
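Review bot: this optional_policy block gives rpm_script_t the glusterd.socket named transition defined in the glusterd.if hunk earlier in this patch, so a package scriptlet creating the socket under /var/run gets glusterd_var_run_t instead of var_run_t. Because that socket would normally be created by glusterd itself, an in-policy comment stating that the rule exists for the scriptlet would make the intent clear and make the rule easy to drop once the scriptlet stops creating it.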
@@ -86764,7 +86919,7 @@ index 6fc360e..75415ab 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +461,6 @@ optional_policy(`
+@@ -409,6 +465,6 @@ optional_policy(`
')
optional_policy(`
@@ -91893,7 +92048,7 @@ index 98c9e0a..562666e 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 299756b..3502684 100644
+index 299756b..2b642a3 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -91999,7 +92154,7 @@ index 299756b..3502684 100644
')
optional_policy(`
-@@ -117,6 +133,58 @@ optional_policy(`
+@@ -117,6 +133,59 @@ optional_policy(`
# Reposd local policy
#
@@ -92058,6 +92213,7 @@ index 299756b..3502684 100644
+ virt_manage_config(sblim_sfcbd_t)
+ virt_stream_connect(sblim_sfcbd_t)
+ virt_search_images(sblim_sfcbd_t)
++ virt_getattr_images(sblim_sfcbd_t)
+')
diff --git a/screen.fc b/screen.fc
index e7c2cf7..435aaa6 100644
@@ -92798,7 +92954,7 @@ index 35ad2a7..6b75e85 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 12700b4..906b5db 100644
+index 12700b4..27adacc 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -92938,7 +93094,7 @@ index 12700b4..906b5db 100644
')
optional_policy(`
-@@ -164,14 +168,27 @@ optional_policy(`
+@@ -164,6 +168,10 @@ optional_policy(`
')
optional_policy(`
@@ -92949,12 +93105,7 @@ index 12700b4..906b5db 100644
milter_stream_connect_all(sendmail_t)
')
- optional_policy(`
-+ mta_filetrans_home_content(sendmail_t)
-+')
-+
-+optional_policy(`
- munin_dontaudit_search_lib(sendmail_t)
+@@ -172,6 +180,11 @@ optional_policy(`
')
optional_policy(`
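Review bot: the inner patch no longer adds the `mta_filetrans_home_content(sendmail_t)` optional_policy block (the four removed `-+` lines here), and the changelog does not explain why; if the rule was intentionally dropped, or moved into the new `@@ -172,6 +180,11 @@` hunk whose body lies outside this context, state that in the changelog so the loss of the home-directory file transition for sendmail_t is visible.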
@@ -92966,7 +93117,7 @@ index 12700b4..906b5db 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
-@@ -193,6 +210,10 @@ optional_policy(`
+@@ -193,6 +206,10 @@ optional_policy(`
')
optional_policy(`
@@ -92977,18 +93128,15 @@ index 12700b4..906b5db 100644
udev_read_db(sendmail_t)
')
-@@ -206,8 +227,8 @@ optional_policy(`
+@@ -206,8 +223,6 @@ optional_policy(`
#
optional_policy(`
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
-- unconfined_domain(unconfined_sendmail_t)
-+ mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliases")
-+ mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliases.db")
-+ mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliasesdb-stamp")
-+ unconfined_domain(unconfined_sendmail_t)
++ mta_filetrans_named_content(unconfined_sendmail_t)
+ unconfined_domain(unconfined_sendmail_t)
')
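Review bot: replacing the three `mta_etc_filetrans_aliases(unconfined_sendmail_t, "...")` calls with a single `mta_filetrans_named_content(unconfined_sendmail_t)` changes the set of transitions granted; confirm that the named-content interface still covers "aliases", "aliases.db" and "aliasesdb-stamp" under /etc and note what additional transitions it brings for unconfined_sendmail_t, and add a changelog line for this sendmail change, which is currently undocumented.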
diff --git a/sensord.fc b/sensord.fc
index 8185d5a..9be989a 100644
@@ -93103,7 +93251,7 @@ index d204752..85631b3 100644
+ ')
')
diff --git a/sensord.te b/sensord.te
-index 5e82fd6..80cb2bc 100644
+index 5e82fd6..ddb249d 100644
--- a/sensord.te
+++ b/sensord.te
@@ -9,27 +9,38 @@ type sensord_t;
@@ -93127,7 +93275,7 @@ index 5e82fd6..80cb2bc 100644
# Local policy
#
-+allow sensord_t self:process signal;
++allow sensord_t self:process { signal execmem };
+
allow sensord_t self:fifo_file rw_fifo_file_perms;
allow sensord_t self:unix_stream_socket create_stream_socket_perms;
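Review bot: `execmem` in `allow sensord_t self:process { signal execmem };` lets sensord map anonymous memory both writable and executable, which removes the W^X protection the policy otherwise enforces for this daemon; there is no sensord entry in the changelog, so add one stating which library or code path needs it, and prefer fixing that dependency if an audit denial is the only evidence for the rule.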
@@ -98067,10 +98215,10 @@ index a240455..04419ae 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..26fb335 100644
+index 2d8db1f..aafd7c8 100644
--- a/sssd.te
+++ b/sssd.te
-@@ -28,9 +28,17 @@ logging_log_file(sssd_var_log_t)
+@@ -28,17 +28,25 @@ logging_log_file(sssd_var_log_t)
type sssd_var_run_t;
files_pid_file(sssd_var_run_t)
@@ -98088,8 +98236,9 @@ index 2d8db1f..26fb335 100644
+# sssd local policy
#
- allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
-@@ -38,7 +46,7 @@ allow sssd_t self:capability2 block_suspend;
+-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
+ allow sssd_t self:capability2 block_suspend;
allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
allow sssd_t self:fifo_file rw_fifo_file_perms;
allow sssd_t self:key manage_key_perms;
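Review bot: `fowner` added to the `allow sssd_t self:capability { ... }` line lets sssd_t bypass file-owner checks on every file it can otherwise reach; the changelog ties this to selinux_child handling, and the same patch gives `sssd_selinux_manager_t` its own setuid/setgid capabilities below, so check whether the owner override is needed in the parent sssd_t at all or only in the child domain, and move it there if so.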
@@ -98170,7 +98319,7 @@ index 2d8db1f..26fb335 100644
init_read_utmp(sssd_t)
-@@ -112,18 +120,56 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +120,58 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -98206,17 +98355,19 @@ index 2d8db1f..26fb335 100644
+optional_policy(`
+ ldap_stream_connect(sssd_t)
+ ldap_read_certs(sssd_t)
- ')
++')
+
+optional_policy(`
+ systemd_login_read_pid_files(sssd_t)
-+')
+ ')
+
+########################################
+#
+# sssd SELinux manager local policy
+#
+
++allow sssd_selinux_manager_t self:capability { setgid setuid };
++
+domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t)
+
+logging_send_audit_msgs(sssd_selinux_manager_t)
@@ -103173,7 +103324,7 @@ index c416a83..cd83b89 100644
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
-index 98b51fd..b25ec0d 100644
+index 98b51fd..2a003a5 100644
--- a/userhelper.if
+++ b/userhelper.if
@@ -1,4 +1,4 @@
@@ -103413,7 +103564,7 @@ index 98b51fd..b25ec0d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -206,10 +263,79 @@ interface(`userhelper_exec',`
+@@ -206,10 +263,83 @@ interface(`userhelper_exec',`
type userhelper_exec_t;
')
@@ -103477,6 +103628,10 @@ index 98b51fd..b25ec0d 100644
+ ')
+
+ optional_policy(`
++ hddtemp_run($1_consolehelper_t, $2)
++ ')
++
++ optional_policy(`
+ shutdown_run($1_consolehelper_t, $2)
+ shutdown_send_sigchld($3)
+ ')
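Review bot: the new `hddtemp_run($1_consolehelper_t, $2)` optional_policy block in `userhelper_console_role_template` (or whichever interface this hunk extends) has no changelog entry; add one, since it lets any consolehelper-derived role transition into the hddtemp domain.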
@@ -104385,7 +104540,7 @@ index a4f20bc..b3bd64f 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..aacee65 100644
+index facdee8..01641f5 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -104864,7 +105019,15 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -450,8 +304,7 @@ interface(`virt_read_content',`
+@@ -434,6 +288,7 @@ interface(`virt_read_content',`
+ read_files_pattern($1, virt_content_t, virt_content_t)
+ read_lnk_files_pattern($1, virt_content_t, virt_content_t)
+ read_blk_files_pattern($1, virt_content_t, virt_content_t)
++ read_chr_files_pattern($1, virt_content_t, virt_content_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+@@ -450,8 +305,7 @@ interface(`virt_read_content',`
########################################
## <summary>
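Review bot: `read_chr_files_pattern($1, virt_content_t, virt_content_t)` extends `virt_read_content` to character devices, but the interface's `## <summary>` documentation block is not updated in this hunk; please amend the summary to say that character device files labelled virt_content_t are readable too, so callers know the interface now grants device access.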
@@ -104874,7 +105037,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -459,35 +312,17 @@ interface(`virt_read_content',`
+@@ -459,35 +313,17 @@ interface(`virt_read_content',`
## </summary>
## </param>
#
@@ -104913,7 +105076,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -495,53 +330,37 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +331,37 @@ interface(`virt_manage_virt_content',`
## </summary>
## </param>
#
@@ -104977,7 +105140,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -549,34 +368,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +369,21 @@ interface(`virt_home_filetrans_virt_content',`
## </summary>
## </param>
#
@@ -105020,7 +105183,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -584,32 +390,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +391,36 @@ interface(`virt_manage_svirt_home_content',`
## </summary>
## </param>
#
@@ -105069,7 +105232,7 @@ index facdee8..aacee65 100644
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -618,54 +428,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +429,36 @@ interface(`virt_relabel_svirt_home_content',`
## </summary>
## </param>
#
@@ -105133,7 +105296,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -673,54 +465,38 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +466,38 @@ interface(`virt_home_filetrans',`
## </summary>
## </param>
#
@@ -105200,7 +105363,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -728,52 +504,58 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +505,58 @@ interface(`virt_manage_generic_virt_home_content',`
## </summary>
## </param>
#
@@ -105281,7 +105444,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -781,19 +563,19 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +564,19 @@ interface(`virt_home_filetrans_virt_home',`
## </summary>
## </param>
#
@@ -105307,7 +105470,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -801,18 +583,18 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +584,18 @@ interface(`virt_read_pid_files',`
## </summary>
## </param>
#
@@ -105331,7 +105494,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -820,18 +602,18 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +603,18 @@ interface(`virt_manage_pid_files',`
## </summary>
## </param>
#
@@ -105355,7 +105518,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -839,20 +621,73 @@ interface(`virt_search_lib',`
+@@ -839,20 +622,73 @@ interface(`virt_search_lib',`
## </summary>
## </param>
#
@@ -105434,7 +105597,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -860,94 +695,267 @@ interface(`virt_read_lib_files',`
+@@ -860,94 +696,267 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@@ -105731,7 +105894,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -955,20 +963,17 @@ interface(`virt_append_log',`
+@@ -955,20 +964,17 @@ interface(`virt_append_log',`
## </summary>
## </param>
#
@@ -105756,7 +105919,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -976,18 +981,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +982,17 @@ interface(`virt_manage_log',`
## </summary>
## </param>
#
@@ -105779,7 +105942,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -995,36 +999,35 @@ interface(`virt_search_images',`
+@@ -995,36 +1000,35 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
@@ -105835,7 +105998,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1032,20 +1035,17 @@ interface(`virt_read_images',`
+@@ -1032,20 +1036,17 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -105860,7 +106023,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1053,15 +1053,57 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1054,57 @@ interface(`virt_rw_all_image_chr_files',`
## </summary>
## </param>
#
@@ -105923,7 +106086,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1069,21 +1111,28 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1112,28 @@ interface(`virt_manage_svirt_cache',`
## </summary>
## </param>
#
@@ -105960,7 +106123,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1091,36 +1140,188 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1141,188 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@@ -106167,7 +106330,7 @@ index facdee8..aacee65 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1136,50 +1337,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1338,53 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -106256,7 +106419,7 @@ index facdee8..aacee65 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..2a9e44c 100644
+index f03dcf5..26ed5aa 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,241 @@
@@ -107055,7 +107218,7 @@ index f03dcf5..2a9e44c 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +458,25 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +458,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -107065,6 +107228,7 @@ index f03dcf5..2a9e44c 100644
+domain_signull_all_domains(virtd_t)
-files_read_usr_files(virtd_t)
++files_list_all_mountpoints(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
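Review bot: `files_list_all_mountpoints(virtd_t)` is a new grant with no changelog entry; add one (ideally with the denial or feature that motivated it), since listing every mount point is broader than the NFS/samba tunables that already scope virtd's filesystem access.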
@@ -107085,7 +107249,7 @@ index f03dcf5..2a9e44c 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +509,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +510,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -107105,7 +107269,7 @@ index f03dcf5..2a9e44c 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +531,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +532,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -107142,7 +107306,7 @@ index f03dcf5..2a9e44c 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +559,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +560,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -107151,7 +107315,7 @@ index f03dcf5..2a9e44c 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +584,12 @@ optional_policy(`
+@@ -665,20 +585,12 @@ optional_policy(`
')
optional_policy(`
@@ -107172,7 +107336,7 @@ index f03dcf5..2a9e44c 100644
')
optional_policy(`
-@@ -691,20 +602,26 @@ optional_policy(`
+@@ -691,20 +603,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -107206,7 +107370,7 @@ index f03dcf5..2a9e44c 100644
')
optional_policy(`
-@@ -712,11 +629,18 @@ optional_policy(`
+@@ -712,11 +630,18 @@ optional_policy(`
')
optional_policy(`
@@ -107225,7 +107389,7 @@ index f03dcf5..2a9e44c 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +651,18 @@ optional_policy(`
+@@ -727,10 +652,18 @@ optional_policy(`
')
optional_policy(`
@@ -107244,7 +107408,7 @@ index f03dcf5..2a9e44c 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +678,277 @@ optional_policy(`
+@@ -746,44 +679,277 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -107345,7 +107509,7 @@ index f03dcf5..2a9e44c 100644
-can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-+
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -107392,7 +107556,7 @@ index f03dcf5..2a9e44c 100644
+miscfiles_read_generic_certs(virt_domain)
+
+storage_raw_read_removable_device(virt_domain)
-
++
+sysnet_read_config(virt_domain)
+
+term_use_all_inherited_terms(virt_domain)
@@ -107544,7 +107708,7 @@ index f03dcf5..2a9e44c 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +959,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +960,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -107571,7 +107735,7 @@ index f03dcf5..2a9e44c 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +979,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +980,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -107588,10 +107752,10 @@ index f03dcf5..2a9e44c 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -107605,7 +107769,7 @@ index f03dcf5..2a9e44c 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1016,20 @@ optional_policy(`
+@@ -856,14 +1017,20 @@ optional_policy(`
')
optional_policy(`
@@ -107627,7 +107791,7 @@ index f03dcf5..2a9e44c 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1054,65 @@ optional_policy(`
+@@ -888,49 +1055,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -107711,7 +107875,7 @@ index f03dcf5..2a9e44c 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1124,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1125,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -107731,7 +107895,7 @@ index f03dcf5..2a9e44c 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1145,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1146,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -107755,7 +107919,7 @@ index f03dcf5..2a9e44c 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1170,318 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1171,319 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -107771,21 +107935,21 @@ index f03dcf5..2a9e44c 100644
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
-+
+
+-miscfiles_read_localization(virtd_lxc_t)
+ optional_policy(`
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
--miscfiles_read_localization(virtd_lxc_t)
-+optional_policy(`
-+ docker_exec_lib(virtd_lxc_t)
-+')
-
-seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
+optional_policy(`
++ docker_exec_lib(virtd_lxc_t)
++')
++
++optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -107819,88 +107983,6 @@ index f03dcf5..2a9e44c 100644
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
-+
-+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
-+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
-+
-+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
-+allow svirt_sandbox_domain virtd_lxc_t:fd use;
-+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
-+
-+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
-+
-+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
-+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
-+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
-+
-+kernel_getattr_proc(svirt_sandbox_domain)
-+kernel_list_all_proc(svirt_sandbox_domain)
-+kernel_read_all_sysctls(svirt_sandbox_domain)
-+kernel_read_net_sysctls(svirt_sandbox_domain)
-+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
-+kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
-+kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
-+
-+corecmd_exec_all_executables(svirt_sandbox_domain)
-+
-+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
-+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
-+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
-+files_entrypoint_all_files(svirt_sandbox_domain)
-+files_list_var(svirt_sandbox_domain)
-+files_list_var_lib(svirt_sandbox_domain)
-+files_search_all(svirt_sandbox_domain)
-+files_read_config_files(svirt_sandbox_domain)
-+files_read_usr_symlinks(svirt_sandbox_domain)
-+files_search_locks(svirt_sandbox_domain)
-+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
-+
-+fs_getattr_all_fs(svirt_sandbox_domain)
-+fs_list_inotifyfs(svirt_sandbox_domain)
-+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
-+fs_read_fusefs_files(svirt_sandbox_domain)
-+fs_read_hugetlbfs_files(svirt_sandbox_domain)
-+
-+auth_dontaudit_read_passwd(svirt_sandbox_domain)
-+auth_dontaudit_read_login_records(svirt_sandbox_domain)
-+auth_dontaudit_write_login_records(svirt_sandbox_domain)
-+auth_search_pam_console_data(svirt_sandbox_domain)
-+
-+clock_read_adjtime(svirt_sandbox_domain)
-+
-+init_read_utmp(svirt_sandbox_domain)
-+init_dontaudit_write_utmp(svirt_sandbox_domain)
-+
-+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
-+
-+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
-+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
-+miscfiles_read_fonts(svirt_sandbox_domain)
-+miscfiles_read_hwdata(svirt_sandbox_domain)
-+
-+systemd_read_unit_files(svirt_sandbox_domain)
-+
-+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
-+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
-+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
-+ apache_exec_modules(svirt_sandbox_domain)
-+ apache_read_sys_content(svirt_sandbox_domain)
-+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -107984,24 +108066,107 @@ index f03dcf5..2a9e44c 100644
-miscfiles_read_fonts(svirt_lxc_domain)
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+optional_policy(`
-+ docker_read_share_files(svirt_sandbox_domain)
-+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+ docker_use_ptys(svirt_sandbox_domain)
-+')
++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
+
-+optional_policy(`
-+ gear_read_pid_files(svirt_sandbox_domain)
-+')
++allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
++allow svirt_sandbox_domain virtd_lxc_t:fd use;
++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
++
++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
++
++allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
++
++kernel_getattr_proc(svirt_sandbox_domain)
++kernel_list_all_proc(svirt_sandbox_domain)
++kernel_read_all_sysctls(svirt_sandbox_domain)
++kernel_read_net_sysctls(svirt_sandbox_domain)
++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
++kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
++kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
++
++corecmd_exec_all_executables(svirt_sandbox_domain)
++
++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
++files_dontaudit_getattr_all_files(svirt_sandbox_domain)
++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
++files_entrypoint_all_files(svirt_sandbox_domain)
++files_list_var(svirt_sandbox_domain)
++files_list_var_lib(svirt_sandbox_domain)
++files_search_all(svirt_sandbox_domain)
++files_read_config_files(svirt_sandbox_domain)
++files_read_usr_symlinks(svirt_sandbox_domain)
++files_search_locks(svirt_sandbox_domain)
++files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
++
++fs_getattr_all_fs(svirt_sandbox_domain)
++fs_list_inotifyfs(svirt_sandbox_domain)
++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
++fs_read_fusefs_files(svirt_sandbox_domain)
++fs_read_hugetlbfs_files(svirt_sandbox_domain)
++fs_read_tmpfs_symlinks(svirt_sandbox_domain)
++
++auth_dontaudit_read_passwd(svirt_sandbox_domain)
++auth_dontaudit_read_login_records(svirt_sandbox_domain)
++auth_dontaudit_write_login_records(svirt_sandbox_domain)
++auth_search_pam_console_data(svirt_sandbox_domain)
++
++clock_read_adjtime(svirt_sandbox_domain)
++
++init_read_utmp(svirt_sandbox_domain)
++init_dontaudit_write_utmp(svirt_sandbox_domain)
++
++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
++
++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
++miscfiles_read_fonts(svirt_sandbox_domain)
++miscfiles_read_hwdata(svirt_sandbox_domain)
++
++systemd_read_unit_files(svirt_sandbox_domain)
++
++userdom_use_inherited_user_terminals(svirt_sandbox_domain)
++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
++ docker_read_share_files(svirt_sandbox_domain)
++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++ docker_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ gear_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
+
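Review bot: the one substantive change in this roughly 200-line relocation is the new `fs_read_tmpfs_symlinks(svirt_sandbox_domain)` rule, which is not mentioned in the changelog; the rest moves the svirt_sandbox_domain block below the removed svirt_lxc_domain rules and reorders the optional_policy blocks (apache, docker, gear, mta, ssh) without changing them. Keeping the rebase separate from the rule addition, or at least calling the addition out in the changelog, would make the change reviewable; while here, `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` is missing the space after the first comma that the other calls use.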
@@ -108061,6 +108226,11 @@ index f03dcf5..2a9e44c 100644
+tunable_policy(`virt_sandbox_use_mknod',`
+ allow svirt_lxc_net_t self:capability mknod;
+')
++
++tunable_policy(`virt_sandbox_use_all_caps',`
++ allow svirt_lxc_net_t self:capability all_capability_perms;
++ allow svirt_lxc_net_t self:capability2 all_capability2_perms;
++')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -108072,11 +108242,6 @@ index f03dcf5..2a9e44c 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_all_caps',`
-+ allow svirt_lxc_net_t self:capability all_capability_perms;
-+ allow svirt_lxc_net_t self:capability2 all_capability2_perms;
-+')
-+
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -108166,12 +108331,12 @@ index f03dcf5..2a9e44c 100644
+
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
@@ -108212,7 +108377,7 @@ index f03dcf5..2a9e44c 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1494,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1496,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -108227,7 +108392,7 @@ index f03dcf5..2a9e44c 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1512,8 @@ optional_policy(`
+@@ -1192,9 +1514,8 @@ optional_policy(`
########################################
#
@@ -108238,7 +108403,7 @@ index f03dcf5..2a9e44c 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1526,233 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1528,238 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -108337,6 +108502,7 @@ index f03dcf5..2a9e44c 100644
+
+optional_policy(`
+ devicekit_manage_pid_files(virt_qemu_ga_t)
++ devicekit_read_log_files(virt_qemu_ga_t)
+')
+
+optional_policy(`
@@ -108344,6 +108510,10 @@ index f03dcf5..2a9e44c 100644
+')
+
+optional_policy(`
++ rpm_dbus_chat(virt_qemu_ga_t)
++')
++
++optional_policy(`
+ shutdown_domtrans(virt_qemu_ga_t)
+')
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 723c399..7dcacba 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 105%{?dist}
+Release: 105.1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,40 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jan 29 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.1
+- Add unconfined_setsched() interface
+- Add ipsec_rw_inherited_pipes() interface.
+- Update seutil_manage_config() interface.
+- journald now reads the netlink audit socket
+- Update ipsec_manage_pid() interface.
+- Allow netutils chown capability to make tcpdump working with -w
+- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t.
+- Allow ipsec to execute _updown.netkey script to run unbound-control.
+- Add auditing support for ipsec.
+- Allow nut_upsmon_t to read random_device_t. BZ(1186072)
+- Allow fowner capability for sssd because of selinux_child handling.
+- ALlow bind to read/write inherited ipsec pipes
+- Allow hypervkvp to read /dev/urandom and read addition states/config files.
+- Allow cluster domain to dbus chat with systemd-logind.
+- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd
+- Add glusterd_filetrans_named_pid() interface.
+- Allow radiusd to connect to radsec ports.
+- Allow setuid/setgid for selinux_child.
+- Allow pingd to read /dev/urandom. BZ(1181831)
+- Allow lsmd plugin to connect to tcp/5989 by default.
+- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
+- Allow docker_t to changes it rlimit
+- Allow docker to setsched on unconfined_t user
+- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
+- Call correct macro in virt_read_content().
+- Allow neutron to read rpm DB.
+- Add labeling for pacemaker.log.
+- Allow radius to connect/bind radsec ports.
+- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log.
+- Add devicekit_read_log_files()
+- Allow virt_qemu_ga to dbus chat with rpm.
+- Update virt_read_content() interface to allow read also char devices.
+
* Thu Jan 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105
- Fix labels on /etc/kde/kdm
- Allow texlive managers to relabelfrom
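Review bot: the changelog omits several rules this patch adds or removes (`virt_getattr_images` for sblim_sfcbd_t, the sendmail aliases filetrans rework and the dropped `mta_filetrans_home_content(sendmail_t)`, `execmem` for sensord_t, `hddtemp_run` for consolehelper, `files_list_all_mountpoints(virtd_t)`, `fs_read_tmpfs_symlinks(svirt_sandbox_domain)`); please add entries for them. The existing entries also carry typos worth fixing before the build: "ALlow bind", "rpm scripletto", "read addition states/config files", "changes it rlimit".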