From ba0eef5c75c32e7e2b623bebc203e3b90054b2c4 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 23 2016 10:56:24 +0000 Subject: * Tue Aug 23 2016 Lukas Vrabec 3.13.1-210 - Add few interfaces to cloudform.if file - Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now part of the rhcs module - Allow krb5kdc_t to read krb5kdc_conf_t dirs. - Update networkmanager_filetrans_named_content() interface to allow source domain to also create the teamd dir in /var/run. - Make confined users work again - Fix hypervkvp module - Allow ipmievd domain to create lock files in /var/lock/subsys/ - Update policy for ipmievd daemon. Contains: allowing reading sysfs, passwd, kernel modules; executing bin_t, insmod_t - A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some new rules that allow dhclient/dhclient hooks to call cloud-init. - Allow systemd to stop systemd-machined daemon. This allows stopping virtual machines. - Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables to create a lock file in /var/lock/subsys/ --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 36c37c6..815ea7a 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 0404fca..db612be 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -37342,7 +37342,7 @@ index 79a45f6..d092e6e 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..5bee7df 100644 +index 17eda24..01ef803 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -37570,12 +37570,14 @@ index 17eda24..5bee7df 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +259,68 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +259,70 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) +fs_read_efivarfs_files(init_t) + ++fstools_getattr_swap_files(init_t) ++ mcs_process_set_categories(init_t) -mcs_killall(init_t) @@ -37630,12 +37632,12 @@ index 17eda24..5bee7df 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) -+ + +-miscfiles_read_localization(init_t) +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) - --miscfiles_read_localization(init_t) ++ +userdom_transition_login_userdomain(init_t) +userdom_noatsecure_login_userdomain(init_t) +userdom_sigchld_login_userdomain(init_t) @@ -37644,7 +37646,7 @@ index 17eda24..5bee7df 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +329,264 @@ ifdef(`distro_gentoo',` +@@ -186,29 +331,264 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37918,7 +37920,7 @@ index 17eda24..5bee7df 100644 ') optional_policy(` -@@ -216,7 +594,30 @@ optional_policy(` +@@ -216,7 +596,30 @@ optional_policy(` ') optional_policy(` @@ -37950,7 +37952,7 @@ index 17eda24..5bee7df 100644 ') ######################################## -@@ -225,9 +626,9 @@ optional_policy(` +@@ -225,9 +628,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -37962,7 +37964,7 @@ index 17eda24..5bee7df 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +659,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +661,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37979,7 +37981,7 @@ index 17eda24..5bee7df 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +684,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +686,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38022,7 +38024,7 @@ index 17eda24..5bee7df 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +721,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +723,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38034,7 +38036,7 @@ index 17eda24..5bee7df 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +733,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +735,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38045,7 +38047,7 @@ index 17eda24..5bee7df 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +744,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +746,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -38055,7 +38057,7 @@ index 17eda24..5bee7df 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +753,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +755,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38063,7 +38065,7 @@ index 17eda24..5bee7df 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +760,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +762,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38071,7 +38073,7 @@ index 17eda24..5bee7df 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +768,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +770,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38089,7 +38091,7 @@ index 17eda24..5bee7df 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +786,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +788,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38103,7 +38105,7 @@ index 17eda24..5bee7df 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +801,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +803,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -38117,7 +38119,7 @@ index 17eda24..5bee7df 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +814,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +816,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38128,7 +38130,7 @@ index 17eda24..5bee7df 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +827,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +829,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38136,7 +38138,7 @@ index 17eda24..5bee7df 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +846,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +848,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38160,7 +38162,7 @@ index 17eda24..5bee7df 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +879,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +881,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38168,7 +38170,7 @@ index 17eda24..5bee7df 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +913,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +915,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38179,7 +38181,7 @@ index 17eda24..5bee7df 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +937,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +939,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -38188,7 +38190,7 @@ index 17eda24..5bee7df 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +952,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +954,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38196,7 +38198,7 @@ index 17eda24..5bee7df 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +973,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +975,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38204,7 +38206,7 @@ index 17eda24..5bee7df 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +983,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +985,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38249,7 +38251,7 @@ index 17eda24..5bee7df 100644 ') optional_policy(` -@@ -559,14 +1028,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1030,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38281,7 +38283,7 @@ index 17eda24..5bee7df 100644 ') ') -@@ -577,6 +1063,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1065,39 @@ ifdef(`distro_suse',` ') ') @@ -38321,7 +38323,7 @@ index 17eda24..5bee7df 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1108,8 @@ optional_policy(` +@@ -589,6 +1110,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38330,7 +38332,7 @@ index 17eda24..5bee7df 100644 ') optional_policy(` -@@ -610,6 +1131,7 @@ optional_policy(` +@@ -610,6 +1133,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38338,7 +38340,7 @@ index 17eda24..5bee7df 100644 ') optional_policy(` -@@ -626,6 +1148,17 @@ optional_policy(` +@@ -626,6 +1150,17 @@ optional_policy(` ') optional_policy(` 
@@ -38356,7 +38358,7 @@ index 17eda24..5bee7df 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1175,13 @@ optional_policy(` +@@ -642,9 +1177,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38370,7 +38372,7 @@ index 17eda24..5bee7df 100644 ') optional_policy(` -@@ -657,15 +1194,11 @@ optional_policy(` +@@ -657,15 +1196,11 @@ optional_policy(` ') optional_policy(` @@ -38388,7 +38390,7 @@ index 17eda24..5bee7df 100644 ') optional_policy(` -@@ -686,6 +1219,15 @@ optional_policy(` +@@ -686,6 +1221,15 @@ optional_policy(` ') optional_policy(` @@ -38404,7 +38406,7 @@ index 17eda24..5bee7df 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1268,7 @@ optional_policy(` +@@ -726,6 +1270,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38412,7 +38414,7 @@ index 17eda24..5bee7df 100644 ') optional_policy(` -@@ -743,7 +1286,13 @@ optional_policy(` +@@ -743,7 +1288,13 @@ optional_policy(` ') optional_policy(` @@ -38427,7 +38429,7 @@ index 17eda24..5bee7df 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1315,10 @@ optional_policy(` +@@ -766,6 +1317,10 @@ optional_policy(` ') optional_policy(` @@ -38438,7 +38440,7 @@ index 17eda24..5bee7df 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1328,20 @@ optional_policy(` +@@ -775,10 +1330,20 @@ optional_policy(` ') optional_policy(` @@ -38459,7 +38461,7 @@ index 17eda24..5bee7df 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1350,10 @@ optional_policy(` +@@ -787,6 +1352,10 @@ optional_policy(` ') optional_policy(` @@ -38470,7 +38472,7 @@ index 17eda24..5bee7df 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1375,6 @@ optional_policy(` +@@ -808,8 +1377,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -38479,7 +38481,7 @@ index 17eda24..5bee7df 100644 ') optional_policy(` -@@ -818,6 +1383,10 @@ optional_policy(` +@@ -818,6 +1385,10 @@ optional_policy(` ') optional_policy(` @@ -38490,7 +38492,7 @@ index 17eda24..5bee7df 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1396,12 @@ optional_policy(` +@@ -827,10 +1398,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38503,7 +38505,7 @@ index 17eda24..5bee7df 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1428,62 @@ optional_policy(` +@@ -857,21 +1430,62 @@ optional_policy(` ') optional_policy(` @@ -38567,7 +38569,7 @@ index 17eda24..5bee7df 100644 ') optional_policy(` -@@ -887,6 +1499,10 @@ optional_policy(` +@@ -887,6 +1501,10 @@ optional_policy(` ') optional_policy(` @@ -38578,7 +38580,7 @@ index 17eda24..5bee7df 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1513,218 @@ optional_policy(` +@@ -897,3 +1515,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -39441,10 +39443,10 @@ index 312cd04..102b975 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..a143623 100644 +index 73a1c4e..63c7fc0 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,22 +1,45 @@ +@@ -1,22 +1,48 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) 
@@ -39458,6 +39460,7 @@ index 73a1c4e..a143623 100644 +/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + ++/usr/libexec/iptables/iptables.init -- gen_context(system_u:object_r:iptables_exec_t,s0) + +/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) + @@ -39505,6 +39508,8 @@ index 73a1c4e..a143623 100644 + +/var/lib/ebtables(/.*)? gen_context(system_u:object_r:iptables_var_lib_t,s0) + ++/var/lock/subsys/iptables -- gen_context(system_u:object_r:iptables_lock_t,s0) ++ +/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index c42fbc3..bf211db 100644 @@ -39575,10 +39580,10 @@ index c42fbc3..bf211db 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..fa11d0f 100644 +index be8ed1e..218750e 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te -@@ -16,15 +16,18 @@ role iptables_roles types iptables_t; +@@ -16,15 +16,21 @@ role iptables_roles types iptables_t; type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) 
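Review bot: The new entry `/var/lock/subsys/iptables -- gen_context(system_u:object_r:iptables_lock_t,s0)` labels only the IPv4 script's lock file, while the rest of iptables.fc consistently uses the `ip6?tables` form (the `/etc/rc\.d/init\.d/ip6?tables` line at the top of the file). If the ip6tables init script creates a sibling lock file in /var/lock/subsys/, a relabel would presumably leave it with the generic lock label and only the create-time transition in iptables.te would ever give it iptables_lock_t, so on-disk and runtime labels would disagree after restorecon. Consider `/var/lock/subsys/ip6?tables -- gen_context(system_u:object_r:iptables_lock_t,s0)` so both scripts are covered.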
@@ -39594,13 +39599,16 @@ index be8ed1e..fa11d0f 100644 +type iptables_var_lib_t; +files_pid_file(iptables_var_lib_t) + ++type iptables_lock_t; ++files_lock_file(iptables_lock_t) ++ +type iptables_unit_file_t; +systemd_unit_file(iptables_unit_file_t) + ######################################## # # Iptables local policy -@@ -35,25 +38,33 @@ dontaudit iptables_t self:capability sys_tty_config; +@@ -35,25 +41,36 @@ dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:netlink_socket create_socket_perms; @@ -39623,6 +39631,9 @@ index be8ed1e..fa11d0f 100644 + can_exec(iptables_t, iptables_exec_t) ++manage_files_pattern(iptables_t, iptables_lock_t, iptables_lock_t) ++files_lock_filetrans(iptables_t, iptables_lock_t, file) ++ allow iptables_t iptables_tmp_t:dir manage_dir_perms; allow iptables_t iptables_tmp_t:file manage_file_perms; files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) @@ -39637,7 +39648,7 @@ index be8ed1e..fa11d0f 100644 kernel_use_fds(iptables_t) # needed by ipvsadm -@@ -64,19 +75,23 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,19 +81,23 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -39663,7 +39674,7 @@ index be8ed1e..fa11d0f 100644 auth_use_nsswitch(iptables_t) -@@ -85,15 +100,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +106,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -39681,7 +39692,7 @@ index be8ed1e..fa11d0f 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +116,9 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +122,9 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) 
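Review bot: `files_lock_filetrans(iptables_t, iptables_lock_t, file)` is an unnamed transition, so every regular file iptables_t creates directly in the lock directory becomes iptables_lock_t, whereas the matching iptables.fc entry only labels `/var/lock/subsys/iptables`; any other file the script drops there would get a label restorecon later takes away. If `files_lock_filetrans` accepts a filename argument the way `files_pid_filetrans` does elsewhere in this patch (`files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")`), `files_lock_filetrans(iptables_t, iptables_lock_t, file, "iptables")` pins the transition to the one file the .fc entry describes. The same unnamed form is added for ipmievd_t in ipmievd.te in the contrib patch of this commit, where the .fc entry is `/var/lock/subsys/ipmi`. Note also that the file lives one level down in `subsys/`, so the transition only fires if that directory carries the generic lock type the interface keys on — worth confirming rather than assuming.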
@@ -39691,7 +39702,7 @@ index be8ed1e..fa11d0f 100644 ') optional_policy(` -@@ -110,6 +127,13 @@ optional_policy(` +@@ -110,6 +133,13 @@ optional_policy(` ') optional_policy(` @@ -39705,7 +39716,7 @@ index be8ed1e..fa11d0f 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +148,16 @@ optional_policy(` +@@ -124,6 +154,16 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -39722,7 +39733,7 @@ index be8ed1e..fa11d0f 100644 ') optional_policy(` -@@ -135,9 +169,9 @@ optional_policy(` +@@ -135,9 +175,9 @@ optional_policy(` ') optional_policy(` @@ -46677,7 +46688,7 @@ index 2cea692..8edb742 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..79fadfc 100644 +index a392fc4..de79419 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -46802,7 +46813,7 @@ index a392fc4..79fadfc 100644 fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -137,11 +157,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -137,11 +157,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -46811,6 +46822,8 @@ index a392fc4..79fadfc 100644 init_rw_utmp(dhcpc_t) +init_stream_connect(dhcpc_t) +init_stream_send(dhcpc_t) ++ ++libs_exec_ldconfig(dhcpc_t) logging_send_syslog_msg(dhcpc_t) @@ -46819,7 +46832,7 @@ index a392fc4..79fadfc 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -161,7 +185,15 @@ ifdef(`distro_ubuntu',` +@@ -161,7 +187,21 @@ ifdef(`distro_ubuntu',` ') optional_policy(` 
@@ -46831,12 +46844,18 @@ index a392fc4..79fadfc 100644 +') + +optional_policy(` ++ cloudform_init_domtrans(dhcpc_t) ++ cloudform_read_var_lib_files(dhcpc_t) ++ cloudform_read_var_lib_lnk_files(dhcpc_t) ++') ++ ++optional_policy(` + devicekit_dontaudit_rw_log(dhcpc_t) + devicekit_dontaudit_read_pid_files(dhcpc_t) ') optional_policy(` -@@ -179,10 +211,6 @@ optional_policy(` +@@ -179,10 +219,6 @@ optional_policy(` ') optional_policy(` @@ -46847,7 +46866,7 @@ index a392fc4..79fadfc 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -195,23 +223,31 @@ optional_policy(` +@@ -195,23 +231,31 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -46882,7 +46901,7 @@ index a392fc4..79fadfc 100644 ') optional_policy(` -@@ -221,7 +257,16 @@ optional_policy(` +@@ -221,7 +265,16 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -46900,7 +46919,7 @@ index a392fc4..79fadfc 100644 ') optional_policy(` -@@ -233,6 +278,10 @@ optional_policy(` +@@ -233,6 +286,10 @@ optional_policy(` ') optional_policy(` @@ -46911,7 +46930,7 @@ index a392fc4..79fadfc 100644 vmware_append_log(dhcpc_t) ') -@@ -264,29 +313,66 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,29 +321,66 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -46978,7 +46997,7 @@ index a392fc4..79fadfc 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +385,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +393,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) 
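Review bot: The new optional block calls `cloudform_read_var_lib_files(dhcpc_t)` and `cloudform_read_var_lib_lnk_files(dhcpc_t)`, but the interfaces added to cloudform.if in the contrib patch of this same commit are named `cloudform_read_lib_files` and `cloudform_read_lib_lnk_files`. Unless a definition under the `_var_lib_` names exists somewhere outside this diff, these calls will not expand as m4 interfaces and the sysnetwork module build should fail on them — or, if it somehow passes, dhclient never receives the read access to cloud_var_lib_t that the commit message says cloud-init needs. Either change the two calls here to `cloudform_read_lib_files(dhcpc_t)` / `cloudform_read_lib_lnk_files(dhcpc_t)` or rename the interfaces in cloudform.if; `cloudform_init_domtrans(dhcpc_t)` does match its definition.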
@@ -47036,7 +47055,7 @@ index a392fc4..79fadfc 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +440,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +448,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -47049,7 +47068,7 @@ index a392fc4..79fadfc 100644 ') optional_policy(` -@@ -350,7 +458,16 @@ optional_policy(` +@@ -350,7 +466,16 @@ optional_policy(` ') optional_policy(` @@ -47067,7 +47086,7 @@ index a392fc4..79fadfc 100644 ') optional_policy(` -@@ -371,3 +488,13 @@ optional_policy(` +@@ -371,3 +496,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -48929,10 +48948,10 @@ index 0000000..16cd1ac +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..e77911b +index 0000000..7abdaa0 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,965 @@ +@@ -0,0 +1,967 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49261,6 +49280,8 @@ index 0000000..e77911b + +init_dbus_chat(systemd_machined_t) +init_status(systemd_machined_t) ++init_start(systemd_machined_t) ++init_stop(systemd_machined_t) + +userdom_dbus_send_all_users(systemd_machined_t) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 12515db..a07bea4 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -14386,10 +14386,10 @@ index 0000000..3849f13 +/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) diff --git a/cloudform.if b/cloudform.if new file mode 100644 -index 0000000..a06f04b +index 0000000..55fe0d6 --- /dev/null +++ b/cloudform.if -@@ -0,0 +1,60 @@ +@@ -0,0 +1,116 @@ +## cloudform policy + +####################################### 
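Review bot: The commit message describes this as letting systemd stop systemd-machined, but both new rules have systemd_machined_t as the subject — `init_start(systemd_machined_t)` and `init_stop(systemd_machined_t)` grant machined the ability to start and stop init-managed service objects, which is the opposite direction and a broader grant than the message suggests. A comment above the two lines stating the actual need, e.g. `# machined starts/stops the transient units of the machines it manages` if that is the use case, would stop a later reader from either dropping the rules as misdescribed or widening them further. The systemd_machined_t block continues outside the hunk.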
@@ -14415,6 +14415,24 @@ index 0000000..a06f04b + kernel_read_system_state($1_t) +') + ++######################################## ++## ++## Execute a domain transition to run cloud_init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cloudform_init_domtrans',` ++ gen_require(` ++ type cloud_init_t, cloud_init_exec_t; ++ ') ++ ++ domtrans_pattern($1, cloud_init_exec_t, cloud_init_t) ++') ++ +###################################### +## +## Execute mongod in the caller domain. @@ -14433,6 +14451,44 @@ index 0000000..a06f04b + can_exec($1, mongod_exec_t) +') + ++####################################### ++## ++## Allow read to cloud lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cloudform_read_lib_files',` ++ gen_require(` ++ type cloud_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t) ++') ++ ++####################################### ++## ++## Allow read to cloud lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cloudform_read_lib_lnk_files',` ++ gen_require(` ++ type cloud_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t) ++') ++ +###################################### +## +## Execute mongod in the caller domain. @@ -22042,7 +22098,7 @@ index dda905b..5587295 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..d2ff291 100644 +index 62d22cb..a5ea200 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -22077,7 +22133,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -41,59 +58,68 @@ interface(`dbus_stub',` +@@ -41,59 +58,69 @@ interface(`dbus_stub',` template(`dbus_role_template',` gen_require(` class dbus { send_msg acquire_svc }; 
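Review bot: The description of `cloudform_read_lib_lnk_files` is a copy of the one on `cloudform_read_lib_files` ("Allow read to cloud lib files.") even though the body grants `read_lnk_files_pattern`, so the generated interface documentation will list two interfaces with the same summary. Change the second to `## Read symbolic links in the cloud var/lib directory.`, keeping whatever summary tags the neighbouring interfaces use (the markup appears to have been stripped in this rendering), and tighten the first to `## Read files in the cloud var/lib directory.` so the pair reads consistently.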
@@ -22121,6 +22177,7 @@ index 62d22cb..d2ff291 100644 - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + # For connecting to the bus + allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms }; ++ allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt }; - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms }; @@ -22168,7 +22225,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -103,91 +129,88 @@ template(`dbus_role_template',` +@@ -103,91 +130,88 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` gen_require(` @@ -22298,7 +22355,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -195,15 +218,18 @@ interface(`dbus_connect_spec_session_bus',` +@@ -195,15 +219,18 @@ interface(`dbus_connect_spec_session_bus',` ## ## # @@ -22323,7 +22380,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -211,57 +237,39 @@ interface(`dbus_session_bus_client',` +@@ -211,57 +238,39 @@ interface(`dbus_session_bus_client',` ## ## # @@ -22395,7 +22452,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -269,15 +277,19 @@ interface(`dbus_spec_session_bus_client',` +@@ -269,15 +278,19 @@ interface(`dbus_spec_session_bus_client',` ## ## # @@ -22421,7 +22478,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -285,44 +297,52 @@ interface(`dbus_send_session_bus',` +@@ -285,44 +298,52 @@ interface(`dbus_send_session_bus',` ## ## # @@ -22488,7 +22545,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -330,18 +350,18 @@ interface(`dbus_send_spec_session_bus',` +@@ -330,18 +351,18 @@ interface(`dbus_send_spec_session_bus',` ## ## # @@ -22512,7 +22569,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -349,20 +369,18 @@ interface(`dbus_read_config',` +@@ -349,20 +370,18 @@ interface(`dbus_read_config',` ## ## # 
@@ -22538,7 +22595,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -370,26 +388,20 @@ interface(`dbus_read_lib_files',` +@@ -370,26 +389,20 @@ interface(`dbus_read_lib_files',` ## ## # @@ -22571,7 +22628,7 @@ index 62d22cb..d2ff291 100644 ## ## ## Type to be used as a domain. -@@ -397,81 +409,67 @@ interface(`dbus_manage_lib_files',` +@@ -397,81 +410,67 @@ interface(`dbus_manage_lib_files',` ## ## ## @@ -22681,7 +22738,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -479,18 +477,18 @@ interface(`dbus_spec_session_domain',` +@@ -479,18 +478,18 @@ interface(`dbus_spec_session_domain',` ## ## # @@ -22705,7 +22762,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -498,98 +496,121 @@ interface(`dbus_connect_system_bus',` +@@ -498,98 +497,121 @@ interface(`dbus_connect_system_bus',` ## ## # @@ -22868,7 +22925,7 @@ index 62d22cb..d2ff291 100644 ## ## ## -@@ -597,28 +618,50 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +619,50 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -32769,7 +32826,7 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..cfd00e3 100644 +index ab09d61..1a07290 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,76 @@ @@ -32921,7 +32978,7 @@ index ab09d61..cfd00e3 100644 + allow $3 $1_gkeyringd_t:fd use; + allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms; + -+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write }; ++ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write connectto}; + stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) + + kernel_read_system_state($1_gkeyringd_t) @@ -37516,10 +37573,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') 
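Review bot: `{ getattr read write connectto}` in the gkeyringd template is missing the space before the closing brace, unlike every other permission set in this file (`{ manage_dir_perms relabel_dir_perms }` a few lines earlier); write it as `dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write connectto };`. Since this is a dontaudit on the keyring daemon connecting back to the user's stream sockets, a short comment on why the denial is silenced rather than allowed would also help — a dontaudit here hides exactly the denial someone troubleshooting a keyring problem would look for.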
diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..572b64b 100644 +index 4eb7041..de9cd55 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,152 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,153 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -37605,6 +37662,7 @@ index 4eb7041..572b64b 100644 +dev_read_urand(hypervkvp_t) + +files_dontaudit_search_home(hypervkvp_t) ++files_dontaudit_getattr_non_security_files(hypervkvp_t) + +fs_getattr_all_fs(hypervkvp_t) +fs_read_hugetlbfs_files(hypervkvp_t) @@ -38856,10 +38914,10 @@ index 0000000..81f38fe +') diff --git a/ipmievd.fc b/ipmievd.fc new file mode 100644 -index 0000000..afe4e83 +index 0000000..0f598ca --- /dev/null +++ b/ipmievd.fc -@@ -0,0 +1,7 @@ +@@ -0,0 +1,9 @@ +/usr/lib/systemd/system/ipmievd\.service -- gen_context(system_u:object_r:ipmievd_unit_file_t,s0) + +/usr/sbin/ipmievd -- gen_context(system_u:object_r:ipmievd_exec_t,s0) @@ -38867,6 +38925,8 @@ index 0000000..afe4e83 +/usr/libexec/openipmi-helper -- gen_context(system_u:object_r:ipmievd_exec_t,s0) + +/var/run/ipmievd\.pid -- gen_context(system_u:object_r:ipmievd_var_run_t,s0) ++ ++/var/lock/subsys/ipmi -- gen_context(system_u:object_r:ipmievd_lock_t,s0) diff --git a/ipmievd.if b/ipmievd.if new file mode 100644 index 0000000..e86db54 @@ -38995,10 +39055,10 @@ index 0000000..e86db54 +') diff --git a/ipmievd.te b/ipmievd.te new file mode 100644 -index 0000000..32d7f6c +index 0000000..a2c9648 --- /dev/null +++ b/ipmievd.te -@@ -0,0 +1,33 @@ +@@ -0,0 +1,51 @@ +policy_module(ipmievd, 1.0.0) + +######################################## @@ -39013,6 +39073,9 @@ index 0000000..32d7f6c +type ipmievd_var_run_t; +files_pid_file(ipmievd_var_run_t) + ++type ipmievd_lock_t; ++files_lock_file(ipmievd_lock_t) ++ +type ipmievd_unit_file_t; +systemd_unit_file(ipmievd_unit_file_t) + 
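Review bot: `files_dontaudit_getattr_non_security_files(hypervkvp_t)` silences getattr denials across essentially every non-security file type, which is a wide net for a KVP daemon and will mask genuinely missing allow rules in future AVC reviews; the commit message only says "Fix hypervkvp module", so nothing records the access that motivated it. Add a comment naming the trigger, e.g. `# <which stat/walk triggers this>: silenced rather than allowed`, with the real cause filled in, so a later maintainer can replace it with a targeted rule. The hypervkvp_t block continues outside the hunk.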
@@ -39027,11 +39090,26 @@ index 0000000..32d7f6c +manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t) +files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file }) + ++manage_files_pattern(ipmievd_t, ipmievd_lock_t, ipmievd_lock_t) ++files_lock_filetrans(ipmievd_t, ipmievd_lock_t, file) ++ ++kernel_read_system_state(ipmievd_t) ++ ++auth_read_passwd(ipmievd_t) ++ ++corecmd_exec_bin(ipmievd_t) ++ +dev_manage_ipmi_dev(ipmievd_t) +dev_filetrans_ipmi(ipmievd_t) ++dev_read_sysfs(ipmievd_t) ++ ++files_read_kernel_modules(ipmievd_t) + +logging_send_syslog_msg(ipmievd_t) + ++modutils_exec_insmod(ipmievd_t) ++modutils_read_module_config(ipmievd_t) ++ diff --git a/irc.fc b/irc.fc index 48e7739..1bf0326 100644 --- a/irc.fc @@ -42778,7 +42856,7 @@ index f6c00d8..e3cb4f1 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..a6356be 100644 +index 8833d59..3fde8ee 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -42955,7 +43033,7 @@ index 8833d59..a6356be 100644 ') optional_policy(` -@@ -174,24 +205,27 @@ optional_policy(` +@@ -174,24 +205,28 @@ optional_policy(` # Krb5kdc local policy # @@ -42976,6 +43054,7 @@ index 8833d59..a6356be 100644 +can_exec(krb5kdc_t, krb5kdc_exec_t) + ++list_dirs_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) -dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms; +dontaudit krb5kdc_t krb5kdc_conf_t:file write; 
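Review bot: `modutils_exec_insmod(ipmievd_t)` executes insmod/modprobe without a domain transition, so any module loading happens as ipmievd_t and the privilege it needs would have to be granted to the daemon domain itself rather than staying in the confined insmod domain; iptables.te in the base patch of this same commit uses `modutils_run_insmod(iptables_t, iptables_roles)` for the equivalent need. If openipmi-helper really loads the ipmi modules, `modutils_domtrans_insmod(ipmievd_t)` (the daemon has no role to pass to the run variant) keeps the capability where it belongs; if it only probes module configuration, `modutils_read_module_config` already covers that and the exec rule can go. Either way a comment above the rule stating that it is openipmi-helper, not ipmievd itself, that calls modprobe would document the intent, and the unnamed `files_lock_filetrans(ipmievd_t, ipmievd_lock_t, file)` has the same named-transition consideration as the iptables change.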
@@ -42987,7 +43066,7 @@ index 8833d59..a6356be 100644 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; -@@ -201,71 +235,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +@@ -201,71 +236,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) @@ -43081,7 +43160,7 @@ index 8833d59..a6356be 100644 ') optional_policy(` -@@ -273,6 +315,10 @@ optional_policy(` +@@ -273,6 +316,10 @@ optional_policy(` ') optional_policy(` @@ -43092,7 +43171,7 @@ index 8833d59..a6356be 100644 udev_read_db(krb5kdc_t) ') -@@ -281,10 +327,12 @@ optional_policy(` +@@ -281,10 +328,12 @@ optional_policy(` # kpropd local policy # @@ -43108,7 +43187,7 @@ index 8833d59..a6356be 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -301,27 +349,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +@@ -301,27 +350,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) @@ -58491,7 +58570,7 @@ index 94b9734..448a7e8 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 86dc29d..7380935 100644 +index 86dc29d..c7d9376 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -58823,7 +58902,7 @@ index 86dc29d..7380935 100644 ## ## ## Role allowed access. -@@ -287,33 +427,189 @@ interface(`networkmanager_stream_connect',` +@@ -287,33 +427,190 @@ interface(`networkmanager_stream_connect',` ## ## # 
@@ -59026,6 +59105,7 @@ index 86dc29d..7380935 100644 + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, dir, "teamd") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf") @@ -86270,10 +86350,10 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..aa2272c 100644 +index 47de2d6..c2bc05a 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,101 @@ +@@ -1,31 +1,104 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -86391,6 +86471,9 @@ index 47de2d6..aa2272c 100644 +/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0) +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0) +/var/run/rsctmp(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0) ++/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0) ++/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0) ++ + +/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 95fbdfc..a81eca1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
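Review bot: The new `files_pid_filetrans($1, NetworkManager_var_run_t, dir, "teamd")` only governs creation; I do not see a matching `/var/run/teamd(/.*)?` entry in the part of the networkmanager.fc hunk visible earlier in this diff, and without one a `restorecon` relabels the directory back to var_run_t, so accesses that worked right after the transition may start failing. If it is not already present, add `/var/run/teamd(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)` to networkmanager.fc alongside the wpa_supplicant entries. The interface networkmanager_filetrans_named_content() begins before this hunk.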
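Review bot: The two new corosync entries are appended after `/var/run/rsctmp(/.*)?` and followed by two blank lines, whereas the surrounding /var/run block in rhcs.fc is kept in alphabetical order with a single blank line before the /var/log block. Move `/var/run/corosync-qdevice(/.*)?` and `/var/run/corosync-qnetd(/.*)?` up to sit before `/var/run/heartbeat(/.*)?` and drop the extra blank line; the labels themselves are fine as cluster_var_run_t.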
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 209%{?dist} +Release: 210%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -648,6 +648,19 @@ exit 0 %endif %changelog +* Tue Aug 23 2016 Lukas Vrabec 3.13.1-210 +- Add few interfaces to cloudform.if file +- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module +- Allow krb5kdc_t to read krb4kdc_conf_t dirs. +- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run. +- Make confined users working again +- Fix hypervkvp module +- Allow ipmievd domain to create lock files in /var/lock/subsys/ +- Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd,kernel modules Execuring bin_t,insmod_t +- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init. +- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines. +- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/ + * Tue Aug 16 2016 Lukas Vrabec 3.13.1-209 - Fix lsm SELinux module - Dontaudit firewalld to create dirs in /root/ BZ(1340611)