From bd4ec66b12b04780baed15aa22aff788de2e809f Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Sep 14 2017 12:21:01 +0000
Subject: * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-260.9
- Allow svirt_t read userdomain state
- Fix keepalived SELinux module
- Allow automount domain to manage mount pid files
- Allow stunnel_t domain setsched
- Allow svirt_t read userdomain state
- Fix keepalived SELinux module
- Allow automount domain to manage mount pid files
- Allow stunnel_t domain setsched
- Add keepalived domain setpgid capability
- dbus: add policy for dbus-broker
- Revert "Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)"
- Allow tomcat domain to connect to mssql port
- Fix typo bug in apache module
- Dontaudit that system_mail_t is trying to read /root/ files
- Merge branch 'f26' of github.com:fedora-selinux/selinux-policy-contrib into f26
- networkmanager: allow talking to openvswitch
- Merge pull request #27 from lslebodn/pki_tomcat_tf26
- Make working webadm_t userdomain
- Allow redis domain to execute shell scripts.
- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
- Add couple capabilities to keepalived domain and allow get attributes of all domains
- Allow dmidecode read rhsmcertd lock files
- Add new interface rhsmcertd_rw_lock_files()
- Allow pki_tomcat_t use nsswitch
- Allow logrotate_t to change passwd and reload services
- Label all plymouthd archives as plymouthd_var_log_t
- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
- Add few rules to make tlp_t domain working in enforcing mode
- Allow cloud_init_t to dbus chat with systemd_timedated_t
- Allow logrotate_t to write to kmsg
- Add capability kill to rhsmcertd_t
- Allow winbind to manage smbd_tmp_t files
- Allow ipa_dnskey_t to exec ipa_dnskey_exec_t files
- Allow sysctl_irq_t associate with proc_t
- Allow sshd_t domain to send signull to xdm_t processes
- Allow updpwd_t domain auth file name trans
- Add support labeling for vmci and vsock device
- Add userdom_dontaudit_manage_admin_files() interface
- Allow iptables_t domain to read files with modules_conf_t label
- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)
- Allow useradd_t domain dbus chat with systemd
- Dontaudit netutils to write to kdumpctl_tmp_t pipes BZ(1481670)
---
diff --git a/container-selinux.tgz b/container-selinux.tgz
index 81f0bba..94eaa5e 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-f26-base.patch b/policy-f26-base.patch
index efb6180..53121df 100644
--- a/policy-f26-base.patch
+++ b/policy-f26-base.patch
@@ -2117,7 +2117,7 @@ index c6ca761c9..0c86bfd54 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c3592a..5038ed0d5 100644
+index c44c3592a..cba535365 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@@ -2175,7 +2175,7 @@ index c44c3592a..5038ed0d5 100644
fs_getattr_xattr_fs(netutils_t)
-@@ -80,12 +86,12 @@ init_use_script_ptys(netutils_t)
+@@ -80,15 +86,19 @@ init_use_script_ptys(netutils_t)
auth_use_nsswitch(netutils_t)
@@ -2191,7 +2191,14 @@ index c44c3592a..5038ed0d5 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
-@@ -110,11 +116,10 @@ allow ping_t self:capability { setuid net_raw };
++ kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(netutils_t)
+ ')
+
+@@ -110,11 +120,10 @@ allow ping_t self:capability { setuid net_raw };
allow ping_t self:process { getcap setcap };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
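Review bot: The new `kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t)` call has no comment saying which scenario it silences; the only hint is the changelog entry for BZ 1481670. A one-line comment above it, such as `# kdumpctl runs netutils with its tmp pipe inherited on stdout/stderr (BZ 1481670)`, would keep the next maintainer from widening it into an allow. Wrapping it in its own `optional_policy` block, as the hunk does, is the right placement since the interface comes from the contrib policy. If the interface really covers only inherited descriptors, as its name suggests, it is worth confirming from the AVC that the denied write was on an inherited fd rather than a pipe netutils opened itself, because a dontaudit hides that distinction from now on.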
@@ -2205,7 +2212,7 @@ index c44c3592a..5038ed0d5 100644
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
-@@ -124,6 +129,9 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -124,6 +133,9 @@ corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
@@ -2215,7 +2222,7 @@ index c44c3592a..5038ed0d5 100644
domain_use_interactive_fds(ping_t)
-@@ -131,14 +139,14 @@ files_read_etc_files(ping_t)
+@@ -131,14 +143,14 @@ files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
kernel_read_system_state(ping_t)
@@ -2234,7 +2241,7 @@ index c44c3592a..5038ed0d5 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -146,14 +154,29 @@ ifdef(`hide_broken_symptoms',`
+@@ -146,14 +158,29 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
nagios_dontaudit_rw_log(ping_t)
nagios_dontaudit_rw_pipes(ping_t)
@@ -2264,7 +2271,7 @@ index c44c3592a..5038ed0d5 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -161,6 +184,15 @@ optional_policy(`
+@@ -161,6 +188,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -2280,7 +2287,7 @@ index c44c3592a..5038ed0d5 100644
########################################
#
# Traceroute local policy
-@@ -174,7 +206,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -174,7 +210,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -2288,7 +2295,7 @@ index c44c3592a..5038ed0d5 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -198,6 +229,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -198,6 +233,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -2296,7 +2303,7 @@ index c44c3592a..5038ed0d5 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -206,11 +238,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -206,11 +242,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -3098,7 +3105,7 @@ index 99e3903ea..fa68362ea 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..d698fdd02 100644
+index 1d732f1e7..6a7c8001a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3229,7 +3236,7 @@ index 1d732f1e7..d698fdd02 100644
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
-@@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -212,17 +236,18 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@@ -3240,7 +3247,8 @@ index 1d732f1e7..d698fdd02 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -221,8 +245,8 @@ init_dontaudit_write_utmp(groupadd_t)
+ init_dontaudit_write_utmp(groupadd_t)
++init_dbus_chat(groupadd_t)
domain_use_interactive_fds(groupadd_t)
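Review bot: `init_dbus_chat(groupadd_t)` grants `dbus send_msg` in both directions between groupadd_t and init_t unconditionally, and nothing in the hunk records why an account-management tool needs a bus channel to systemd; the changelog ties it to ipa-server-install (BZ 1488404). Please add a comment such as `# groupadd talks to systemd over D-Bus during ipa-server-install (BZ 1488404)` above the line. It is also worth confirming from the AVC that the sender was groupadd itself and not a helper it execs, since the rule would then be on the wrong domain. The same rule is added for useradd_t later in this patch, so whatever rationale applies should be recorded in both places.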
@@ -3250,7 +3258,7 @@ index 1d732f1e7..d698fdd02 100644
files_read_etc_runtime_files(groupadd_t)
files_read_usr_symlinks(groupadd_t)
-@@ -232,14 +256,14 @@ corecmd_exec_bin(groupadd_t)
+@@ -232,14 +257,14 @@ corecmd_exec_bin(groupadd_t)
logging_send_audit_msgs(groupadd_t)
logging_send_syslog_msg(groupadd_t)
@@ -3267,7 +3275,7 @@ index 1d732f1e7..d698fdd02 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
-@@ -251,6 +275,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
+@@ -251,6 +276,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)
optional_policy(`
@@ -3278,7 +3286,7 @@ index 1d732f1e7..d698fdd02 100644
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
')
-@@ -273,7 +301,7 @@ optional_policy(`
+@@ -273,7 +302,7 @@ optional_policy(`
# Passwd local policy
#
@@ -3287,7 +3295,7 @@ index 1d732f1e7..d698fdd02 100644
dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
-@@ -288,6 +316,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -288,6 +317,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
@@ -3295,7 +3303,7 @@ index 1d732f1e7..d698fdd02 100644
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -296,6 +325,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -296,6 +326,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@@ -3303,7 +3311,7 @@ index 1d732f1e7..d698fdd02 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -310,26 +340,32 @@ selinux_compute_create_context(passwd_t)
+@@ -310,26 +341,32 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -3340,7 +3348,7 @@ index 1d732f1e7..d698fdd02 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -338,12 +374,11 @@ init_use_fds(passwd_t)
+@@ -338,12 +375,11 @@ init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
@@ -3354,7 +3362,7 @@ index 1d732f1e7..d698fdd02 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -352,6 +387,20 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +388,20 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3375,7 +3383,7 @@ index 1d732f1e7..d698fdd02 100644
optional_policy(`
nscd_run(passwd_t, passwd_roles)
-@@ -362,7 +411,7 @@ optional_policy(`
+@@ -362,7 +412,7 @@ optional_policy(`
# Password admin local policy
#
@@ -3384,7 +3392,7 @@ index 1d732f1e7..d698fdd02 100644
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
-@@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +451,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3397,7 +3405,7 @@ index 1d732f1e7..d698fdd02 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +466,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +467,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -3405,7 +3413,7 @@ index 1d732f1e7..d698fdd02 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,12 +475,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +476,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -3418,7 +3426,7 @@ index 1d732f1e7..d698fdd02 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-@@ -446,8 +492,10 @@ optional_policy(`
+@@ -446,8 +493,10 @@ optional_policy(`
# Useradd local policy
#
@@ -3431,7 +3439,7 @@ index 1d732f1e7..d698fdd02 100644
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
-@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +510,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -3442,7 +3450,7 @@ index 1d732f1e7..d698fdd02 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +521,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3482,7 +3490,7 @@ index 1d732f1e7..d698fdd02 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
-@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,45 +550,50 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -3490,7 +3498,11 @@ index 1d732f1e7..d698fdd02 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t)
+
+ init_use_fds(useradd_t)
+ init_rw_utmp(useradd_t)
++init_dbus_chat(useradd_t)
+
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
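Review bot: `init_dbus_chat(useradd_t)` is inserted between the init_* and logging_* calls without a comment, and it lets useradd_t receive messages from init_t as well as send them. Given that the surrounding rules in this hunk (`auth_manage_shadow`, `auth_relabel_shadow`, `auth_etc_filetrans_shadow`) make useradd_t a domain with write access to the shadow database, a bidirectional channel to init_t deserves a stated reason, e.g. `# useradd calls into systemd over the system bus (BZ 1488404)`. If only a method call and its reply are needed, chat is the minimal rule, but say so; if the bus traffic actually originates from a program useradd execs, the rule belongs on that domain instead.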
@@ -3540,7 +3552,7 @@ index 1d732f1e7..d698fdd02 100644
')
optional_policy(`
-@@ -545,14 +600,27 @@ optional_policy(`
+@@ -545,14 +602,27 @@ optional_policy(`
')
optional_policy(`
@@ -3568,7 +3580,7 @@ index 1d732f1e7..d698fdd02 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +630,12 @@ optional_policy(`
+@@ -562,3 +632,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -6524,7 +6536,7 @@ index 3f6e16889..340e49fd6 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c05491..a7b0f009a 100644
+index b31c05491..b15a7aa05 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -6617,10 +6629,12 @@ index b31c05491..a7b0f009a 100644
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +138,13 @@
+@@ -118,6 +138,15 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
++/dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0)
++/dev/vsock -c gen_context(system_u:object_r:vsock_device_t,s0)
+/dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
@@ -6631,7 +6645,7 @@ index b31c05491..a7b0f009a 100644
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +156,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +158,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -6646,7 +6660,7 @@ index b31c05491..a7b0f009a 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -169,18 +198,26 @@ ifdef(`distro_suse', `
+@@ -169,18 +200,26 @@ ifdef(`distro_suse', `
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -6673,7 +6687,7 @@ index b31c05491..a7b0f009a 100644
ifdef(`distro_debian',`
# this is a static /dev dir "backup mount"
-@@ -198,12 +235,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +237,27 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -6704,7 +6718,7 @@ index b31c05491..a7b0f009a 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285ea6..6b4efa025 100644
+index 76f285ea6..6be6206e0 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -8726,7 +8740,7 @@ index 76f285ea6..6b4efa025 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +6034,1064 @@ interface(`dev_unconfined',`
+@@ -4851,3 +6034,1068 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -8978,6 +8992,8 @@ index 76f285ea6..6b4efa025 100644
+ type dlm_control_device_t;
+ type clock_device_t;
+ type v4l_device_t;
++ type vsock_device_t;
++ type vmci_device_t;
+ type vfio_device_t;
+ type event_device_t;
+ type xen_device_t;
@@ -9145,6 +9161,8 @@ index 76f285ea6..6b4efa025 100644
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
++ filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock")
++ filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
@@ -9792,7 +9810,7 @@ index 76f285ea6..6b4efa025 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a8715a..5c45b9323 100644
+index 0b1a8715a..849b00191 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -9957,7 +9975,7 @@ index 0b1a8715a..5c45b9323 100644
#
# Type for /dev/tpm
#
-@@ -266,6 +330,15 @@ dev_node(usbmon_device_t)
+@@ -266,14 +330,30 @@ dev_node(usbmon_device_t)
type userio_device_t;
dev_node(userio_device_t)
@@ -9973,7 +9991,14 @@ index 0b1a8715a..5c45b9323 100644
type v4l_device_t;
dev_node(v4l_device_t)
-@@ -274,6 +347,7 @@ dev_node(v4l_device_t)
++type vsock_device_t;
++dev_node(vsock_device_t)
++
++type vmci_device_t;
++dev_node(vmci_device_t)
++
+ #
+ # vhost_device_t is the type for /dev/vhost-net
#
type vhost_device_t;
dev_node(vhost_device_t)
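Review bot: `vsock_device_t` and `vmci_device_t` are declared with `dev_node()` but no accessor interface for them (a `dev_rw_vsock`-style interface) appears anywhere in this diff, so once /dev/vsock and /dev/vmci stop being generic device nodes, confined domains that reached them through generic chr-file rules will get denials until such an interface exists and is called from the consumer, which is presumably in the contrib patch cut off at the end of this page. The neighbouring types carry a one-line purpose comment (`# vhost_device_t is the type for /dev/vhost-net`); add the same for the new ones, e.g. `# vsock_device_t is the type for /dev/vsock` and `# vmci_device_t is the type for /dev/vmci`, so the .fc entries and these declarations can be matched without searching.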
@@ -9981,7 +10006,7 @@ index 0b1a8715a..5c45b9323 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -319,5 +393,8 @@ files_associate_tmp(device_node)
+@@ -319,5 +399,8 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -21301,7 +21326,7 @@ index e100d886b..5113b226d 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c5e..a2f0d0614 100644
+index 8dbab4c5e..326973d25 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -21364,7 +21389,12 @@ index 8dbab4c5e..a2f0d0614 100644
type proc_xen_t, proc_type;
files_mountpoint(proc_xen_t)
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-@@ -118,6 +147,7 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
+@@ -114,10 +143,12 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
+
+ # /proc/irq directory and files
+ type sysctl_irq_t, sysctl_type;
++fs_associate_proc(sysctl_irq_t)
+ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
# /proc/net/rpc directory and files
type sysctl_rpc_t, sysctl_type;
@@ -21372,7 +21402,7 @@ index 8dbab4c5e..a2f0d0614 100644
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
# /proc/sys/crypto directory and files
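Review bot: `fs_associate_proc(sysctl_irq_t)` is added for /proc/irq only, while the sibling types declared the same way in this block (`sysctl_rpc_t` immediately below, and the other sysctl_* types in the file) get no such rule. If the denial came from the kernel creating entries under /proc/irq/<n> after boot, the same `filesystem associate` denial can appear for any other genfscon-labelled proc subtree whose entries show up at runtime, so check the audit log for the other sysctl_* types before treating this as a one-off. A short comment above the line, e.g. `# entries under /proc/irq appear at runtime and must be allowed to associate with proc_t`, would explain why this type alone needs it.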
-@@ -133,14 +163,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+@@ -133,14 +164,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
type sysctl_kernel_t, sysctl_type;
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
@@ -21387,7 +21417,7 @@ index 8dbab4c5e..a2f0d0614 100644
# /proc/sys/net directory and files
type sysctl_net_t, sysctl_type;
genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-@@ -153,6 +175,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+@@ -153,6 +176,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
type sysctl_vm_t, sysctl_type;
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
@@ -21398,7 +21428,7 @@ index 8dbab4c5e..a2f0d0614 100644
# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +191,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +192,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
type unlabeled_t;
fs_associate(unlabeled_t)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -21413,7 +21443,7 @@ index 8dbab4c5e..a2f0d0614 100644
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +223,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +224,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# kernel local policy
#
@@ -21421,7 +21451,7 @@ index 8dbab4c5e..a2f0d0614 100644
allow kernel_t self:capability ~sys_module;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +268,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +269,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
@@ -21429,7 +21459,7 @@ index 8dbab4c5e..a2f0d0614 100644
corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +278,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +279,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
@@ -21455,7 +21485,7 @@ index 8dbab4c5e..a2f0d0614 100644
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
-@@ -263,7 +301,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +302,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@@ -21465,7 +21495,7 @@ index 8dbab4c5e..a2f0d0614 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -277,13 +316,23 @@ files_list_root(kernel_t)
+@@ -277,13 +317,23 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -21489,7 +21519,7 @@ index 8dbab4c5e..a2f0d0614 100644
ifdef(`distro_redhat',`
# Bugzilla 222337
-@@ -291,11 +340,29 @@ ifdef(`distro_redhat',`
+@@ -291,11 +341,29 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -21519,7 +21549,7 @@ index 8dbab4c5e..a2f0d0614 100644
')
optional_policy(`
-@@ -305,6 +372,19 @@ optional_policy(`
+@@ -305,6 +373,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@@ -21539,7 +21569,7 @@ index 8dbab4c5e..a2f0d0614 100644
')
optional_policy(`
-@@ -312,6 +392,11 @@ optional_policy(`
+@@ -312,6 +393,11 @@ optional_policy(`
')
optional_policy(`
@@ -21551,7 +21581,7 @@ index 8dbab4c5e..a2f0d0614 100644
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +417,6 @@ optional_policy(`
+@@ -332,9 +418,6 @@ optional_policy(`
sysnet_read_config(kernel_t)
@@ -21561,7 +21591,7 @@ index 8dbab4c5e..a2f0d0614 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +425,7 @@ optional_policy(`
+@@ -343,9 +426,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -21572,7 +21602,7 @@ index 8dbab4c5e..a2f0d0614 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +434,7 @@ optional_policy(`
+@@ -354,7 +435,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -21581,7 +21611,7 @@ index 8dbab4c5e..a2f0d0614 100644
')
')
-@@ -364,9 +444,22 @@ optional_policy(`
+@@ -364,9 +445,22 @@ optional_policy(`
')
optional_policy(`
@@ -21604,7 +21634,7 @@ index 8dbab4c5e..a2f0d0614 100644
########################################
#
# Unlabeled process local policy
-@@ -388,6 +481,8 @@ optional_policy(`
+@@ -388,6 +482,8 @@ optional_policy(`
if( ! secure_mode_insmod ) {
allow can_load_kernmodule self:capability sys_module;
@@ -21613,7 +21643,7 @@ index 8dbab4c5e..a2f0d0614 100644
# load_module() calls stop_machine() which
# calls sched_setscheduler()
allow can_load_kernmodule self:capability sys_nice;
-@@ -399,14 +494,38 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +495,38 @@ if( ! secure_mode_insmod ) {
# Rules for unconfined acccess to this module
#
@@ -27859,7 +27889,7 @@ index fe0c68272..79d568a54 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7b0..3038b0862 100644
+index cc877c7b0..b14a28d5c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@@ -28242,7 +28272,7 @@ index cc877c7b0..3038b0862 100644
rpm_use_script_fds(sshd_t)
')
-@@ -289,13 +379,93 @@ optional_policy(`
+@@ -289,13 +379,94 @@ optional_policy(`
')
optional_policy(`
@@ -28284,6 +28314,7 @@ index cc877c7b0..3038b0862 100644
+
+optional_policy(`
xserver_domtrans_xauth(sshd_t)
++ xserver_xdm_signull(sshd_t)
')
+ifdef(`TODO',`
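Review bot: `xserver_xdm_signull(sshd_t)` is dropped into the optional block that otherwise exists for X11 forwarding (`xserver_domtrans_xauth`), and nothing says why sshd needs to probe xdm processes with a null signal. A comment such as `# sshd checks whether the xdm session process still exists (kill -0)`, adjusted to what the AVC actually showed, would keep it from reading as a stray rule. signull grants no control over xdm_t beyond existence checks, so the risk is low, but the sshd_t section continues outside this hunk and already collects unexplained rules, so the rationale should be stated at the line.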
@@ -28336,7 +28367,7 @@ index cc877c7b0..3038b0862 100644
########################################
#
# ssh_keygen local policy
-@@ -304,19 +474,33 @@ optional_policy(`
+@@ -304,19 +475,33 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -28371,7 +28402,7 @@ index cc877c7b0..3038b0862 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -332,7 +516,9 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -332,7 +517,9 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
@@ -28381,7 +28412,7 @@ index cc877c7b0..3038b0862 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +527,150 @@ optional_policy(`
+@@ -341,3 +528,150 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -28702,7 +28733,7 @@ index 8274418c6..a47fd0b4d 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc2d..e6be63aa8 100644
+index 6bf0ecc2d..a7f53d058 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,36 @@
@@ -29705,7 +29736,32 @@ index 6bf0ecc2d..e6be63aa8 100644
')
########################################
-@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1135,6 +1456,24 @@ interface(`xserver_signal',`
+
+ ########################################
+ ##
++## Send a null signal to xdm processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_xdm_signull',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ allow $1 xdm_t:process signull;
++')
++
++########################################
++##
+ ## Kill X servers
+ ##
+ ##
+@@ -1210,6 +1549,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
########################################
##
@@ -29731,7 +29787,7 @@ index 6bf0ecc2d..e6be63aa8 100644
## Connect to the X server over a unix domain
## stream socket.
##
-@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1584,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -29758,7 +29814,7 @@ index 6bf0ecc2d..e6be63aa8 100644
')
########################################
-@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1629,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -29767,7 +29823,7 @@ index 6bf0ecc2d..e6be63aa8 100644
##
##
##
-@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1639,27 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -29796,7 +29852,7 @@ index 6bf0ecc2d..e6be63aa8 100644
')
########################################
-@@ -1284,10 +1658,662 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1676,662 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -33159,7 +33215,7 @@ index 3efd5b669..3db526f84 100644
+ allow $1 login_pgm:key manage_key_perms;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791dcc..2d255df93 100644
+index 09b791dcc..385cd6d79 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -33374,11 +33430,12 @@ index 09b791dcc..2d255df93 100644
allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t)
+@@ -341,6 +362,12 @@ kernel_read_system_state(updpwd_t)
dev_read_urand(updpwd_t)
files_manage_etc_files(updpwd_t)
+auth_manage_passwd(updpwd_t)
++auth_filetrans_named_content(updpwd_t)
+
+mls_file_read_all_levels(updpwd_t)
+mls_file_write_all_levels(updpwd_t)
@@ -33386,7 +33443,7 @@ index 09b791dcc..2d255df93 100644
term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)
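Review bot: `auth_filetrans_named_content(updpwd_t)` is the rule that keeps files updpwd_t writes in /etc from inheriting the directory's `etc_t` label, which matters because `files_manage_etc_files(updpwd_t)` a few lines above already lets it create files there; a comment making that intent explicit, e.g. `# name transitions so a rewritten shadow/passwd file is not left labelled etc_t`, would help whoever next audits this domain. The interface body is not in this hunk, so confirm it covers the temporary file name unix_update actually creates before renaming over the target; if that name is not in the transition list, the new file still lands as etc_t and the rule achieves nothing. The updpwd_t section continues outside this hunk.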
-@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t)
+@@ -350,9 +377,7 @@ auth_use_nsswitch(updpwd_t)
logging_send_syslog_msg(updpwd_t)
@@ -33397,7 +33454,7 @@ index 09b791dcc..2d255df93 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -380,13 +405,15 @@ term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)
@@ -33414,7 +33471,7 @@ index 09b791dcc..2d255df93 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',`
+@@ -397,19 +424,29 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -33448,7 +33505,7 @@ index 09b791dcc..2d255df93 100644
files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
-@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain)
+@@ -417,15 +454,42 @@ files_read_etc_files(nsswitch_domain)
sysnet_dns_name_resolve(nsswitch_domain)
@@ -33493,7 +33550,7 @@ index 09b791dcc..2d255df93 100644
ldap_stream_connect(nsswitch_domain)
')
')
-@@ -438,6 +501,7 @@ optional_policy(`
+@@ -438,6 +502,7 @@ optional_policy(`
likewise_stream_connect_lsassd(nsswitch_domain)
')
@@ -33501,7 +33558,7 @@ index 09b791dcc..2d255df93 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
-@@ -456,10 +520,159 @@ optional_policy(`
+@@ -456,10 +521,159 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
@@ -38545,7 +38602,7 @@ index c42fbc329..bf211dbee 100644
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
+')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e6c..91d1296b8 100644
+index be8ed1e6c..73e51f7ef 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
@@ -38673,7 +38730,7 @@ index be8ed1e6c..91d1296b8 100644
')
optional_policy(`
-@@ -110,7 +138,15 @@ optional_policy(`
+@@ -110,7 +138,16 @@ optional_policy(`
')
optional_policy(`
@@ -38686,10 +38743,11 @@ index be8ed1e6c..91d1296b8 100644
+optional_policy(`
modutils_run_insmod(iptables_t, iptables_roles)
+ modutils_list_module_config(iptables_t)
++ modutils_read_module_config(iptables_t)
')
optional_policy(`
-@@ -119,11 +155,25 @@ optional_policy(`
+@@ -119,11 +156,25 @@ optional_policy(`
')
optional_policy(`
@@ -38715,7 +38773,7 @@ index be8ed1e6c..91d1296b8 100644
')
optional_policy(`
-@@ -135,9 +185,9 @@ optional_policy(`
+@@ -135,9 +186,9 @@ optional_policy(`
')
optional_policy(`
@@ -50642,7 +50700,7 @@ index db7597682..c54480a1d 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6c0..597fe227f 100644
+index 9dc60c6c0..e41d712ba 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -53952,7 +54010,7 @@ index 9dc60c6c0..597fe227f 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4638,1817 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4638,1835 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -54180,6 +54238,24 @@ index 9dc60c6c0..597fe227f 100644
+
+########################################
+##
++## dontaudit manage files /root
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_manage_admin_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:file manage_file_perms;
++')
++
++########################################
++##
+## RW unpriviledged user SysV sempaphores.
+##
+##
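Review bot: The new `userdom_dontaudit_manage_admin_files` interface silences every permission in `manage_file_perms` (create, write, unlink, rename …) on `admin_home_t`, which is far wider than the read-only suppression system_mail_t receives in the later mta.te hunk via `userdom_dontaudit_read_inherited_admin_home_files`, and no caller of the new interface is visible in this chunk. A dontaudit this broad hides write attempts against /root from the audit log, so if it is kept its summary should say so, e.g. `## Do not audit attempts to create, write or delete files in /root (admin_home_t); this masks write denials, prefer a narrower dontaudit where one suffices.` The name also breaks the surrounding convention, where sibling interfaces end in `admin_home_files`; `userdom_dontaudit_manage_admin_home_files` would be consistent.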
diff --git a/policy-f26-contrib.patch b/policy-f26-contrib.patch
index d2f7f58..20ebea2 100644
--- a/policy-f26-contrib.patch
+++ b/policy-f26-contrib.patch
@@ -5575,7 +5575,7 @@ index f6eb4851f..fe461a3fc 100644
+ ps_process_pattern(httpd_t, $1)
')
diff --git a/apache.te b/apache.te
-index 6649962b6..6dd10dd7d 100644
+index 6649962b6..46b939da2 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -6823,7 +6823,7 @@ index 6649962b6..6dd10dd7d 100644
avahi_dbus_chat(httpd_t)
')
+
-+ tunable_policy(`httpd_dbus_sssd',
++ tunable_policy(`httpd_dbus_sssd',`
+ sssd_dbus_chat(httpd_t)
+ ')
')
@@ -9005,7 +9005,7 @@ index f24e36960..4484a98da 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index 27d2f400b..1297f5bbe 100644
+index 27d2f400b..f74f75f1b 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -9060,7 +9060,7 @@ index 27d2f400b..1297f5bbe 100644
fs_search_all(automount_t)
fs_search_auto_mountpoints(automount_t)
fs_unmount_all_fs(automount_t)
-@@ -135,15 +139,18 @@ auth_use_nsswitch(automount_t)
+@@ -135,15 +139,19 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -9077,13 +9077,14 @@ index 27d2f400b..1297f5bbe 100644
+ mount_domtrans(automount_t)
+ mount_domtrans_showmount(automount_t)
+ mount_signal(automount_t)
++ mount_rw_pid_files(automount_t)
+')
+
+optional_policy(`
fstools_domtrans(automount_t)
')
-@@ -166,3 +173,8 @@ optional_policy(`
+@@ -166,3 +174,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
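Review bot: `mount_rw_pid_files(automount_t)` is added next to `mount_domtrans`/`mount_signal` without a comment explaining why automount itself reads and writes mount's pid file. A one-line note such as `# automount updates the mount pid file around the mount(8) it spawns — confirm against the AVC` keeps the grant reviewable; if only descriptors inherited from the mount child are involved, an inherited-only rule would be the tighter choice.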
@@ -14793,10 +14794,10 @@ index 000000000..55fe0d668
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 000000000..21e6ae757
+index 000000000..73f3eb8a0
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,250 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -14904,6 +14905,7 @@ index 000000000..21e6ae757
+selinux_validate_context(cloud_init_t)
+
+systemd_dbus_chat_hostnamed(cloud_init_t)
++systemd_dbus_chat_timedated(cloud_init_t)
+systemd_exec_systemctl(cloud_init_t)
+systemd_start_all_services(cloud_init_t)
+
@@ -18501,7 +18503,7 @@ index ad0bae948..615a947aa 100644
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
diff --git a/cron.if b/cron.if
-index 1303b3036..f13c53200 100644
+index 1303b3036..f5bd4aee8 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
@@ -18687,6 +18689,15 @@ index 1303b3036..f13c53200 100644
- #
- # Declarations
- #
+-
+- role $1 types { unconfined_cronjob_t crontab_t };
+-
+- ##############################
+- #
+- # Local policy
+- #
+-
+- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ ##############################
+ #
+ # Declarations
@@ -18694,41 +18705,32 @@ index 1303b3036..f13c53200 100644
+
+ role $1 types unconfined_cronjob_t;
-- role $1 types { unconfined_cronjob_t crontab_t };
+- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+- allow $2 crond_t:process sigchld;
+ ##############################
+ #
+ # Local policy
+ #
-- ##############################
-- #
-- # Local policy
-- #
-+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-
-- domtrans_pattern($2, crontab_exec_t, crontab_t)
-+ allow $2 crond_t:process sigchld;
-
-- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-- allow $2 crond_t:process sigchld;
-+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
-
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
-+ # cronjob shows up in user ps
-+ ps_process_pattern($2, unconfined_cronjob_t)
-+ allow $2 unconfined_cronjob_t:process signal_perms;
++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
--
++ allow $2 crond_t:process sigchld;
+
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
--
++ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
--
++ # cronjob shows up in user ps
++ ps_process_pattern($2, unconfined_cronjob_t)
++ allow $2 unconfined_cronjob_t:process signal_perms;
+
- allow $2 user_cron_spool_t:file entrypoint;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 unconfined_cronjob_t:process ptrace;
@@ -18853,25 +18855,23 @@ index 1303b3036..f13c53200 100644
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
--
-- allow $2 user_cron_spool_t:file entrypoint;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
-- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+- allow $2 user_cron_spool_t:file entrypoint;
+ allow $2 user_cron_spool_t:file entrypoint;
+- allow $2 crond_t:fifo_file rw_fifo_file_perms;
++ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
-+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
-- dontaudit $2 user_cron_spool_t:file entrypoint;
+ allow $2 cronjob_t:process { signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
@@ -18879,6 +18879,8 @@ index 1303b3036..f13c53200 100644
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+- dontaudit $2 user_cron_spool_t:file entrypoint;
+-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
@@ -19187,10 +19189,11 @@ index 1303b3036..f13c53200 100644
- allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write crond TCP sockets.
+## Read and write inherited spool files.
+##
+##
@@ -19205,11 +19208,10 @@ index 1303b3036..f13c53200 100644
+ ')
+
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Read and write crond TCP sockets.
++')
++
++########################################
++##
+## Read, and write cron daemon TCP sockets.
##
##
@@ -19437,7 +19439,7 @@ index 1303b3036..f13c53200 100644
##
##
##
-@@ -829,7 +876,97 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -829,7 +876,126 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -19534,9 +19536,38 @@ index 1303b3036..f13c53200 100644
+ ')
+
+ logging_log_filetrans($1, cron_log_t, $2, $3)
++')
++
++#######################################
++##
++## Create specified objects in generic
++## log directories with the cron log file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`cron_generic_log_filetrans_log_insights',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
')
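Review bot: The header of `cron_generic_log_filetrans_log_insights` is copied from the interface above it: it promises to create the specified object class with the cron log type and documents `$2` (class) and `$3` (name), but the body hardcodes `file`, `"redhat-access-insights.log"` and `var_log_t` and only uses `$1`. The summary and parameter block should describe what the body actually does, e.g. `## Create redhat-access-insights.log in generic log directories with the generic var_log_t type.` with a single "Domain allowed access" parameter. Since `var_log_t` is declared in the logging module, a short comment on why this helper lives in cron.if rather than logging.if would also help the next reader.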
diff --git a/cron.te b/cron.te
-index 7de385956..61dcff6a5 100644
+index 7de385956..e4c99bdd4 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
@@ -20203,7 +20234,7 @@ index 7de385956..61dcff6a5 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -539,10 +549,18 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,10 +549,22 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -20219,10 +20250,14 @@ index 7de385956..61dcff6a5 100644
+
+optional_policy(`
+ bind_read_config(system_cronjob_t)
++')
++
++optional_policy(`
++ cron_generic_log_filetrans_log_insights(system_cronjob_t)
')
optional_policy(`
-@@ -551,10 +569,6 @@ optional_policy(`
+@@ -551,10 +573,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -20233,7 +20268,7 @@ index 7de385956..61dcff6a5 100644
')
optional_policy(`
-@@ -567,6 +581,10 @@ optional_policy(`
+@@ -567,6 +585,10 @@ optional_policy(`
')
optional_policy(`
@@ -20244,7 +20279,7 @@ index 7de385956..61dcff6a5 100644
ftp_read_log(system_cronjob_t)
')
-@@ -591,6 +609,8 @@ optional_policy(`
+@@ -591,6 +613,8 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -20253,7 +20288,7 @@ index 7de385956..61dcff6a5 100644
')
optional_policy(`
-@@ -598,7 +618,31 @@ optional_policy(`
+@@ -598,7 +622,31 @@ optional_policy(`
')
optional_policy(`
@@ -20285,7 +20320,7 @@ index 7de385956..61dcff6a5 100644
')
optional_policy(`
-@@ -607,7 +651,12 @@ optional_policy(`
+@@ -607,7 +655,12 @@ optional_policy(`
')
optional_policy(`
@@ -20298,7 +20333,7 @@ index 7de385956..61dcff6a5 100644
')
optional_policy(`
-@@ -615,12 +664,27 @@ optional_policy(`
+@@ -615,12 +668,27 @@ optional_policy(`
')
optional_policy(`
@@ -20328,7 +20363,7 @@ index 7de385956..61dcff6a5 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +692,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +696,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -20362,7 +20397,7 @@ index 7de385956..61dcff6a5 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +725,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +729,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -22471,10 +22506,10 @@ index f55c42082..e9d64ab5f 100644
-
-miscfiles_read_localization(dbskkd_t)
diff --git a/dbus.fc b/dbus.fc
-index dda905b9c..558729530 100644
+index dda905b9c..60806a524 100644
--- a/dbus.fc
+++ b/dbus.fc
-@@ -1,20 +1,29 @@
+@@ -1,20 +1,31 @@
-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
@@ -22490,6 +22525,8 @@ index dda905b9c..558729530 100644
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++/usr/bin/dbus-broker -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++/usr/bin/dbus-broker-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
@@ -23454,7 +23491,7 @@ index 62d22cb46..c0c2ed47d 100644
+ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
')
diff --git a/dbus.te b/dbus.te
-index c9998c80d..d8ef03416 100644
+index c9998c80d..131d809ae 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@@ -23581,7 +23618,7 @@ index c9998c80d..d8ef03416 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +124,176 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -23603,6 +23640,7 @@ index c9998c80d..d8ef03416 100644
+init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
+init_status(system_dbusd_t)
++init_start_system(system_dbusd_t) # needed by dbus-broker
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
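Review bot: The trailing comment on `init_start_system(system_dbusd_t) # needed by dbus-broker` names a component but not the operation, and because the dbus.fc hunk labels `/usr/bin/dbus-broker` and `/usr/bin/dbus-broker-launch` with the same `dbusd_exec_t` as dbus-daemon, the extra permission is granted to the classic daemon as well. Spell out the mechanism so the grant can be re-evaluated later, e.g. `# dbus-broker-launch appears to activate bus services through systemd, hence starting units; also reaches dbus-daemon, which shares dbusd_exec_t — confirm`. If dbus-daemon never needs it, a separate type for the broker launcher would keep the two policies apart.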
@@ -23772,7 +23810,7 @@ index c9998c80d..d8ef03416 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +302,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -23797,7 +23835,7 @@ index c9998c80d..d8ef03416 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +321,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -23805,7 +23843,7 @@ index c9998c80d..d8ef03416 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +330,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -23847,7 +23885,7 @@ index c9998c80d..d8ef03416 100644
')
########################################
-@@ -244,5 +367,9 @@ optional_policy(`
+@@ -244,5 +368,9 @@ optional_policy(`
# Unconfined access to this module
#
@@ -26091,7 +26129,7 @@ index 41c3f6770..653a1ecbb 100644
##
## Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
-index aa0ef6e94..02bdb681d 100644
+index aa0ef6e94..3c52d892c 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t)
@@ -26102,7 +26140,7 @@ index aa0ef6e94..02bdb681d 100644
+userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
-+ rhsmcertd_rw_inherited_lock_files(dmidecode_t)
++ rhsmcertd_rw_lock_files(dmidecode_t)
+')
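Review bot: Replacing `rhsmcertd_rw_inherited_lock_files` with `rhsmcertd_rw_lock_files` moves dmidecode from using a lock descriptor inherited from rhsmcertd to opening `rhsmcertd_lock_t` itself (the new interface in the rhsmcertd.if hunk adds `files_search_locks($1)` and `rw_file_perms`). That is a wider grant than the original, so this block should record why an inherited descriptor was not enough, e.g. `# dmidecode run from rhsmcertd opens the rhsmcertd lock file directly — confirm against the AVC`.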
diff --git a/dnsmasq.fc b/dnsmasq.fc
index 23ab808d8..84735a8cb 100644
@@ -39921,10 +39959,10 @@ index 000000000..2925529a9
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 000000000..28955ddc0
+index 000000000..99cb86250
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,275 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@@ -40121,6 +40159,8 @@ index 000000000..28955ddc0
+
+dev_read_rand(ipa_dnskey_t)
+
++can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)
++
+libs_exec_ldconfig(ipa_dnskey_t)
+
+logging_send_syslog_msg(ipa_dnskey_t)
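Review bot: `can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)` omits the space after the comma that every other macro call in this file uses; write it as `can_exec(ipa_dnskey_t, ipa_dnskey_exec_t)`. A short comment on why the domain needs to execute its own entrypoint in place rather than transition would also help, e.g. `# ipa_dnskey_t re-executes its entrypoint binary without a domain transition — confirm which helper does this`.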
@@ -43237,10 +43277,10 @@ index 000000000..bd7e7fa17
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
-index 000000000..202ac2b59
+index 000000000..e5b8b3bbf
--- /dev/null
+++ b/keepalived.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,100 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@@ -43266,8 +43306,8 @@ index 000000000..202ac2b59
+# keepalived local policy
+#
+
-+allow keepalived_t self:capability { net_admin net_raw kill };
-+allow keepalived_t self:process { signal_perms };
++allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace };
++allow keepalived_t self:process { signal_perms setpgid };
+allow keepalived_t self:netlink_socket create_socket_perms;
+allow keepalived_t self:netlink_generic_socket create_socket_perms;
+allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
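Review bot: The capability line grows to `{ net_admin net_raw kill dac_read_search sys_ptrace }` with no comment; `sys_ptrace` in particular lets the daemon inspect arbitrary processes and, together with the existing `domain_read_all_domains_state` and the `domain_getattr_all_domains` added in the next hunk, makes keepalived_t a wide observer of the whole system. Each of the two new capabilities should carry the denial that motivated it, e.g. `# dac_read_search/sys_ptrace: keepalived reads /proc/<pid> of the services it tracks — confirm which check triggers this`. If only one optional feature needs them, a tunable would let default installs keep the narrower set.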
@@ -43297,6 +43337,7 @@ index 000000000..202ac2b59
+corenet_tcp_connect_squid_port(keepalived_t)
+
+domain_read_all_domains_state(keepalived_t)
++domain_getattr_all_domains(keepalived_t)
+
+dev_read_urand(keepalived_t)
+
@@ -47460,15 +47501,19 @@ index dd8e01af3..9cd6b0b8e 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index be0ab84b3..0129ddb61 100644
+index be0ab84b3..9ca958706 100644
--- a/logrotate.te
+++ b/logrotate.te
-@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
+@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0)
# Declarations
#
-attribute_role logrotate_roles;
-roleattribute system_r logrotate_roles;
++gen_require(`
++ class passwd passwd;
++')
++
+##
+##
+## Allow logrotate to manage nfs files
@@ -47497,7 +47542,7 @@ index be0ab84b3..0129ddb61 100644
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
-@@ -25,21 +38,31 @@ files_tmp_file(logrotate_tmp_t)
+@@ -25,21 +42,33 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
@@ -47520,6 +47565,8 @@ index be0ab84b3..0129ddb61 100644
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
++allow logrotate_t self:passwd { passwd };
++
+# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate;
+
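Review bot: `allow logrotate_t self:passwd { passwd };` gives a log-rotation daemon the userspace `passwd` permission with no comment on which rotation hook needs it; the `gen_require` of `class passwd passwd` in the earlier logrotate.te hunk has the same gap. A rule this unusual should say what produced the denial, e.g. `# passwd class: needed by [which postrotate script] run from logrotate — confirm`, and the braces around a single permission can be dropped to match the neighbouring rules: `allow logrotate_t self:passwd passwd;`.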
@@ -47535,7 +47582,7 @@ index be0ab84b3..0129ddb61 100644
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +77,54 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@@ -47558,6 +47605,7 @@ index be0ab84b3..0129ddb61 100644
+dev_read_urand(logrotate_t)
+dev_read_sysfs(logrotate_t)
++dev_write_kmsg(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_all_fs(logrotate_t)
@@ -47594,7 +47642,7 @@ index be0ab84b3..0129ddb61 100644
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +135,57 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +142,58 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
@@ -47606,6 +47654,7 @@ index be0ab84b3..0129ddb61 100644
init_all_labeled_script_domtrans(logrotate_t)
+init_reload_services(logrotate_t)
++init_reload_transient_unit(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
@@ -47658,7 +47707,7 @@ index be0ab84b3..0129ddb61 100644
')
optional_policy(`
-@@ -135,16 +200,17 @@ optional_policy(`
+@@ -135,16 +208,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@@ -47678,7 +47727,7 @@ index be0ab84b3..0129ddb61 100644
')
optional_policy(`
-@@ -170,6 +236,11 @@ optional_policy(`
+@@ -170,6 +244,11 @@ optional_policy(`
')
optional_policy(`
@@ -47690,7 +47739,7 @@ index be0ab84b3..0129ddb61 100644
fail2ban_stream_connect(logrotate_t)
')
-@@ -178,7 +249,8 @@ optional_policy(`
+@@ -178,7 +257,8 @@ optional_policy(`
')
optional_policy(`
@@ -47700,7 +47749,7 @@ index be0ab84b3..0129ddb61 100644
')
optional_policy(`
-@@ -198,17 +270,18 @@ optional_policy(`
+@@ -198,17 +278,18 @@ optional_policy(`
')
optional_policy(`
@@ -47722,7 +47771,7 @@ index be0ab84b3..0129ddb61 100644
')
optional_policy(`
-@@ -216,6 +289,14 @@ optional_policy(`
+@@ -216,6 +297,14 @@ optional_policy(`
')
optional_policy(`
@@ -47737,7 +47786,7 @@ index be0ab84b3..0129ddb61 100644
samba_exec_log(logrotate_t)
')
-@@ -228,26 +309,50 @@ optional_policy(`
+@@ -228,26 +317,50 @@ optional_policy(`
')
optional_policy(`
@@ -56191,7 +56240,7 @@ index ed81cac5a..cd52baf59 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index ff1d68c6a..94b1dfca7 100644
+index ff1d68c6a..3f662fbef 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -56291,7 +56340,7 @@ index ff1d68c6a..94b1dfca7 100644
procmail_exec(user_mail_domain)
')
-@@ -166,57 +166,76 @@ optional_policy(`
+@@ -166,57 +166,77 @@ optional_policy(`
uucp_manage_spool(user_mail_domain)
')
@@ -56344,6 +56393,7 @@ index ff1d68c6a..94b1dfca7 100644
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+userdom_dontaudit_list_user_tmp(system_mail_t)
++userdom_dontaudit_read_inherited_admin_home_files(system_mail_t)
+
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
@@ -56387,7 +56437,7 @@ index ff1d68c6a..94b1dfca7 100644
')
optional_policy(`
-@@ -225,17 +244,21 @@ optional_policy(`
+@@ -225,17 +245,21 @@ optional_policy(`
')
optional_policy(`
@@ -56411,7 +56461,7 @@ index ff1d68c6a..94b1dfca7 100644
courier_stream_connect_authdaemon(system_mail_t)
')
-@@ -244,9 +267,10 @@ optional_policy(`
+@@ -244,9 +268,10 @@ optional_policy(`
')
optional_policy(`
@@ -56425,7 +56475,7 @@ index ff1d68c6a..94b1dfca7 100644
')
optional_policy(`
-@@ -258,10 +282,17 @@ optional_policy(`
+@@ -258,10 +283,17 @@ optional_policy(`
')
optional_policy(`
@@ -56443,7 +56493,7 @@ index ff1d68c6a..94b1dfca7 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -272,6 +303,19 @@ optional_policy(`
+@@ -272,6 +304,19 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -56463,7 +56513,7 @@ index ff1d68c6a..94b1dfca7 100644
')
optional_policy(`
-@@ -279,6 +323,10 @@ optional_policy(`
+@@ -279,6 +324,10 @@ optional_policy(`
')
optional_policy(`
@@ -56474,7 +56524,7 @@ index ff1d68c6a..94b1dfca7 100644
userdom_dontaudit_use_user_ptys(system_mail_t)
optional_policy(`
-@@ -287,42 +335,36 @@ optional_policy(`
+@@ -287,42 +336,36 @@ optional_policy(`
')
optional_policy(`
@@ -56527,7 +56577,7 @@ index ff1d68c6a..94b1dfca7 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -331,44 +373,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -331,44 +374,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -56597,7 +56647,7 @@ index ff1d68c6a..94b1dfca7 100644
')
optional_policy(`
-@@ -381,24 +427,49 @@ optional_policy(`
+@@ -381,24 +428,49 @@ optional_policy(`
########################################
#
@@ -60652,9 +60702,15 @@ index 86dc29dfa..c7d9376d5 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f20095e..4419e3531 100644
+index 55f20095e..3ed3ed0b3 100644
--- a/networkmanager.te
+++ b/networkmanager.te
+@@ -1,4 +1,4 @@
+-policy_module(networkmanager, 1.15.2)
++policy_module(networkmanager, 1.15.3)
+
+ ########################################
+ #
@@ -9,15 +9,18 @@ type NetworkManager_t;
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -60872,10 +60928,10 @@ index 55f20095e..4419e3531 100644
-# certificates in user home directories (cert_home_t in ~/\.pki)
-userdom_read_user_home_content_files(NetworkManager_t)
+systemd_machined_read_pid_files(NetworkManager_t)
-+
-+term_use_unallocated_ttys(NetworkManager_t)
-userdom_write_user_tmp_sockets(NetworkManager_t)
++term_use_unallocated_ttys(NetworkManager_t)
++
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
@@ -60941,16 +60997,16 @@ index 55f20095e..4419e3531 100644
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
+ dnsmasq_systemctl(NetworkManager_t)
++')
++
++optional_policy(`
++ dnssec_trigger_domtrans(NetworkManager_t)
++ dnssec_trigger_signull(NetworkManager_t)
++ dnssec_trigger_sigkill(NetworkManager_t)
')
optional_policy(`
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
-+ dnssec_trigger_domtrans(NetworkManager_t)
-+ dnssec_trigger_signull(NetworkManager_t)
-+ dnssec_trigger_sigkill(NetworkManager_t)
-+')
-+
-+optional_policy(`
+ fcoe_dgram_send_fcoemon(NetworkManager_t)
')
@@ -61079,7 +61135,7 @@ index 55f20095e..4419e3531 100644
')
optional_policy(`
-@@ -338,12 +431,19 @@ optional_policy(`
+@@ -338,12 +431,23 @@ optional_policy(`
vpn_relabelfrom_tun_socket(NetworkManager_t)
')
@@ -61090,6 +61146,10 @@ index 55f20095e..4419e3531 100644
+ openfortivpn_signull(NetworkManager_t)
+')
+
++optional_policy(`
++ openvswitch_stream_connect(NetworkManager_t)
++')
++
########################################
#
# wpa_cli local policy
@@ -61100,7 +61160,7 @@ index 55f20095e..4419e3531 100644
allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
-@@ -357,6 +457,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +461,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -73247,7 +73307,7 @@ index 000000000..798efb632
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 000000000..afa1ba1f4
+index 000000000..f80377711
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,283 @@
@@ -73363,7 +73423,7 @@ index 000000000..afa1ba1f4
+can_exec(pki_tomcat_t, pki_common_t)
+init_stream_connect_script(pki_tomcat_t)
+
-+auth_read_passwd(pki_tomcat_t)
++auth_use_nsswitch(pki_tomcat_t)
+
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
+
@@ -73535,7 +73595,7 @@ index 000000000..afa1ba1f4
+')
+
diff --git a/plymouthd.fc b/plymouthd.fc
-index 735500fd1..2ba6832cc 100644
+index 735500fd1..7f694728c 100644
--- a/plymouthd.fc
+++ b/plymouthd.fc
@@ -1,15 +1,14 @@
@@ -73553,7 +73613,7 @@ index 735500fd1..2ba6832cc 100644
-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
++/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
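Review bot: The new entry `/var/log/boot\.log.* gen_context(...)` drops the `--` qualifier that the removed line carried, so the pattern now labels any object type whose name starts with boot.log (directories, symlinks), not just regular files. If rotated archives are all regular files, keep the qualifier: `/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)`; otherwise a comment naming the non-file objects that are expected would explain the wider match.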
@@ -87547,7 +87607,7 @@ index 16c8ecbe3..4e021eca7 100644
+ ')
')
diff --git a/redis.te b/redis.te
-index 25cd4175f..61de8277a 100644
+index 25cd4175f..84c02e325 100644
--- a/redis.te
+++ b/redis.te
@@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t)
@@ -87579,7 +87639,7 @@ index 25cd4175f..61de8277a 100644
manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
manage_files_pattern(redis_t, redis_log_t, redis_log_t)
manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
-@@ -42,14 +50,17 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+@@ -42,24 +50,27 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
@@ -87597,7 +87657,12 @@ index 25cd4175f..61de8277a 100644
corenet_sendrecv_redis_server_packets(redis_t)
corenet_tcp_bind_redis_port(redis_t)
-@@ -60,6 +71,4 @@ dev_read_urand(redis_t)
+ corenet_tcp_sendrecv_redis_port(redis_t)
+
++corecmd_exec_shell(redis_t)
++
+ dev_read_sysfs(redis_t)
+ dev_read_urand(redis_t)
logging_send_syslog_msg(redis_t)
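Review bot: `corecmd_exec_shell(redis_t)` lets a network-facing datastore domain execute shells unconditionally, which widens what a compromised redis process can do under this policy. If the shell is only needed for scripts that some deployments configure, gating it behind a new boolean via `tunable_policy` (as other modules do for optional behaviour) keeps the default denial; at minimum add a comment such as `# redis executes configured shell scripts — confirm which feature (e.g. notification scripts) needs this`.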
@@ -90475,7 +90540,7 @@ index 8c0280418..896c8c67f 100644
/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
diff --git a/rhsmcertd.if b/rhsmcertd.if
-index 6dbc905b3..4b17c933e 100644
+index 6dbc905b3..42e4306c8 100644
--- a/rhsmcertd.if
+++ b/rhsmcertd.if
@@ -1,8 +1,8 @@
@@ -90571,23 +90636,21 @@ index 6dbc905b3..4b17c933e 100644
##
##
##
-@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',`
+@@ -196,10 +192,47 @@ interface(`rhsmcertd_read_pid_files',`
allow $1 rhsmcertd_var_run_t:file read_file_perms;
')
-####################################
+########################################
- ##
--## Connect to rhsmcertd with a
--## unix domain stream socket.
++##
+## Read rhsmcertd PID files.
- ##
- ##
- ##
-@@ -207,6 +202,45 @@ interface(`rhsmcertd_read_pid_files',`
- ##
- ##
- #
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`rhsmcertd_manage_pid_files',`
+ gen_require(`
+ type rhsmcertd_var_run_t;
@@ -90616,6 +90679,27 @@ index 6dbc905b3..4b17c933e 100644
+ allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
+')
+
++########################################
+ ##
+-## Connect to rhsmcertd with a
+-## unix domain stream socket.
++## Read/wirte lock files.
+ ##
+ ##
+ ##
+@@ -207,6 +240,26 @@ interface(`rhsmcertd_read_pid_files',`
+ ##
+ ##
+ #
++interface(`rhsmcertd_rw_lock_files',`
++ gen_require(`
++ type rhsmcertd_lock_t;
++ ')
++
++ files_search_locks($1)
++ allow $1 rhsmcertd_lock_t:file rw_file_perms;
++')
++
+####################################
+##
+## Connect to rhsmcertd over a unix domain
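Review bot: The summary of the new `rhsmcertd_rw_lock_files` interface reads `## Read/wirte lock files.` and should be `## Read/write lock files.`; the `rhsmcertd_manage_pid_files` block in the preceding hunk likewise reuses the "Read rhsmcertd PID files." summary although it grants manage permissions. Stating in each summary how the two lock interfaces differ (`rw_inherited_file_perms` only, versus `rw_file_perms` plus `files_search_locks`) would help callers pick the narrower one.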
@@ -90630,7 +90714,7 @@ index 6dbc905b3..4b17c933e 100644
interface(`rhsmcertd_stream_connect',`
gen_require(`
type rhsmcertd_t, rhsmcertd_var_run_t;
-@@ -239,30 +273,29 @@ interface(`rhsmcertd_dbus_chat',`
+@@ -239,30 +292,29 @@ interface(`rhsmcertd_dbus_chat',`
######################################
##
@@ -90674,7 +90758,7 @@ index 6dbc905b3..4b17c933e 100644
##
##
##
-@@ -270,35 +303,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
+@@ -270,35 +322,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
##
##
##
@@ -90706,24 +90790,24 @@ index 6dbc905b3..4b17c933e 100644
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rhsmcertd_t:process ptrace;
+ ')
-+
+
+- logging_search_logs($1)
+- admin_pattern($1, rhsmcertd_log_t)
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ allow $2 system_r;
-- logging_search_logs($1)
-- admin_pattern($1, rhsmcertd_log_t)
-+ logging_search_logs($1)
-+ admin_pattern($1, rhsmcertd_log_t)
-
- files_search_var_lib($1)
- admin_pattern($1, rhsmcertd_var_lib_t)
-+ files_search_var_lib($1)
-+ admin_pattern($1, rhsmcertd_var_lib_t)
++ logging_search_logs($1)
++ admin_pattern($1, rhsmcertd_log_t)
- files_search_pids($1)
- admin_pattern($1, rhsmcertd_var_run_t)
++ files_search_var_lib($1)
++ admin_pattern($1, rhsmcertd_var_lib_t)
++
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+
@@ -90734,7 +90818,7 @@ index 6dbc905b3..4b17c933e 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a279..75b615f81 100644
+index d32e1a279..b79ae3194 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -90747,11 +90831,13 @@ index d32e1a279..75b615f81 100644
type rhsmcertd_var_lib_t;
files_type(rhsmcertd_var_lib_t)
-@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t)
+@@ -29,19 +32,22 @@ files_pid_file(rhsmcertd_var_run_t)
+ # Local policy
#
- allow rhsmcertd_t self:capability sys_nice;
+-allow rhsmcertd_t self:capability sys_nice;
-allow rhsmcertd_t self:process { signal setsched };
++allow rhsmcertd_t self:capability { kill sys_nice };
+allow rhsmcertd_t self:process { signal_perms setsched };
+
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
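Review bot: The new `allow rhsmcertd_t self:capability { kill sys_nice };` carries no comment, and CAP_KILL is only consulted when a process signals a process owned by a different UID, so it is worth confirming from the triggering AVC which target rhsmcertd is signalling before granting it; if the denial came only from the `self:process` rule (also widened here from `signal` to `signal_perms`), the capability is not needed. If it is needed, a one-line comment naming the target, e.g. `# rhsmcertd signals a helper running under another UID (which? verify)`, would save the next reviewer from rediscovering it. The `signal` to `signal_perms` widening on self is low risk, since it only adds sigkill/sigstop/sigchld/signull against its own processes.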
@@ -93981,7 +94067,7 @@ index ef3b22507..a33cae9d6 100644
admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
diff --git a/rpm.te b/rpm.te
-index 6fc360e60..2f24b1e0c 100644
+index 6fc360e60..219964375 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -94324,7 +94410,7 @@ index 6fc360e60..2f24b1e0c 100644
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
-@@ -331,73 +331,129 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,73 +331,130 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -94357,9 +94443,10 @@ index 6fc360e60..2f24b1e0c 100644
+init_manage_transient_unit(rpm_script_t)
init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)
-
-+systemd_config_all_services(rpm_script_t)
++init_dbus_chat(rpm_script_t)
+
++systemd_config_all_services(rpm_script_t)
+
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
-libs_run_ldconfig(rpm_script_t, rpm_roles)
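Review bot: `init_dbus_chat(rpm_script_t)` lands between `init_telinit` and `systemd_config_all_services` with no comment, although it grants bidirectional D-Bus messaging between package scriptlets and init; a why-comment such as `# scriptlets call systemctl, which talks to systemd over D-Bus` would record the intent (presumably %post/%preun systemctl calls — confirm against the denial). rpm_script_t is already a very broad domain, so the exposure change is small, but the reason should still be in the file rather than only in the changelog.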
@@ -94474,7 +94561,7 @@ index 6fc360e60..2f24b1e0c 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +465,6 @@ optional_policy(`
+@@ -409,6 +466,6 @@ optional_policy(`
')
optional_policy(`
@@ -96594,7 +96681,7 @@ index 50d07fb2e..a34db489c 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441e7..c7a475130 100644
+index 2b7c441e7..5d52fba0f 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -97732,9 +97819,12 @@ index 2b7c441e7..c7a475130 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +972,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -871,40 +970,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
+ manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
+ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
- rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+-rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
++manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
-# This needs a file context specification
-allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
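Review bot: Widening `rw_files_pattern` to `manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)` gives winbind create/unlink/rename on smbd's temporary files, but if winbind is itself creating those files under /tmp they will be labelled as generic tmp content unless a transition exists, so check whether the AVC also calls for `files_tmp_filetrans(winbind_t, smbd_tmp_t, file)` (a shared transition may already exist in the samba module; it is not visible from this hunk). If winbind only operates on files smbd created, `manage` is the right pattern, but the unlink/rename half deserves a comment such as `# winbind removes/renames tmp files it shares with smbd`. The winbind_t local-policy block continues on both sides of this hunk.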
@@ -107400,7 +107490,7 @@ index 49dd63ca1..ae2e798f5 100644
+
+/var/log/stunnel.* -- gen_context(system_u:object_r:stunnel_log_t,s0)
diff --git a/stunnel.te b/stunnel.te
-index 27a8480bc..5482c7549 100644
+index 27a8480bc..fc3fca520 100644
--- a/stunnel.te
+++ b/stunnel.te
@@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t)
@@ -107413,15 +107503,18 @@ index 27a8480bc..5482c7549 100644
type stunnel_tmp_t;
files_tmp_file(stunnel_tmp_t)
-@@ -23,7 +26,7 @@ files_pid_file(stunnel_var_run_t)
+@@ -23,9 +26,9 @@ files_pid_file(stunnel_var_run_t)
# Local policy
#
-allow stunnel_t self:capability { setgid setuid sys_chroot };
+allow stunnel_t self:capability { setgid setuid sys_chroot sys_nice };
dontaudit stunnel_t self:capability sys_tty_config;
- allow stunnel_t self:process signal_perms;
+-allow stunnel_t self:process signal_perms;
++allow stunnel_t self:process { setsched signal_perms };
allow stunnel_t self:fifo_file rw_fifo_file_perms;
+ allow stunnel_t self:tcp_socket { accept listen };
+ allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -34,6 +37,9 @@ allow stunnel_t stunnel_etc_t:dir list_dir_perms;
allow stunnel_t stunnel_etc_t:file read_file_perms;
allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
@@ -111083,10 +111176,10 @@ index 000000000..368e18842
+')
diff --git a/tlp.te b/tlp.te
new file mode 100644
-index 000000000..f31ed95d7
+index 000000000..761cc35b0
--- /dev/null
+++ b/tlp.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,80 @@
+policy_module(tlp, 1.0.0)
+
+########################################
@@ -111131,6 +111224,7 @@ index 000000000..f31ed95d7
+kernel_rw_fs_sysctls(tlp_t)
+kernel_rw_kernel_sysctl(tlp_t)
+kernel_rw_vm_sysctls(tlp_t)
++kernel_create_rpc_sysctls(tlp_t)
+
+auth_read_passwd(tlp_t)
+
@@ -111139,12 +111233,16 @@ index 000000000..f31ed95d7
+dev_list_sysfs(tlp_t)
+dev_manage_sysfs(tlp_t)
+dev_rw_cpu_microcode(tlp_t)
++dev_rw_wireless(tlp_t)
+
+files_read_kernel_modules(tlp_t)
++files_load_kernel_modules(tlp_t)
+
+modutils_exec_insmod(tlp_t)
+modutils_read_module_config(tlp_t)
+
++logging_send_syslog_msg(tlp_t)
++
+storage_raw_read_fixed_disk(tlp_t)
+storage_raw_write_removable_device(tlp_t)
+
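Review bot: `files_load_kernel_modules(tlp_t)` together with the existing `modutils_exec_insmod(tlp_t)` means kernel modules are loaded from within tlp_t itself rather than from the dedicated module-loading domain, so a compromise of tlp's shell scripts gains module loading (bounded to module files of the proper label, but still a kernel-level privilege for a power-management tool). If a domain transition fits how tlp invokes modprobe, `modutils_domtrans_insmod(tlp_t)` in place of the exec+load pair keeps that privilege where it belongs; if not, a comment stating which modules tlp loads and why the transition is not used would help, since tlp.te is a new file with no history to consult. `dev_rw_wireless(tlp_t)` and `logging_send_syslog_msg(tlp_t)` look routine for this tool.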
@@ -111152,6 +111250,7 @@ index 000000000..f31ed95d7
+
+optional_policy(`
+ dbus_stream_connect_system_dbusd(tlp_t)
++ dbus_system_bus_client(tlp_t)
+')
+
+optional_policy(`
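Review bot: `dbus_system_bus_client(tlp_t)` normally already covers the stream connect to the system bus socket, so the `dbus_stream_connect_system_dbusd(tlp_t)` line kept directly above it is most likely redundant (confirm against dbus.if in this tree, which I cannot see here); if so the block should shrink to just `dbus_system_bus_client(tlp_t)`. The `optional_policy` block opened at the end of this hunk continues outside it.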
@@ -111733,10 +111832,10 @@ index 000000000..e5cec8fda
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
-index 000000000..029e04e14
+index 000000000..c4a59211f
--- /dev/null
+++ b/tomcat.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,71 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
@@ -111792,6 +111891,7 @@ index 000000000..029e04e14
+corenet_tcp_connect_http_port(tomcat_domain)
+corenet_tcp_connect_mxi_port(tomcat_domain)
+corenet_tcp_connect_http_cache_port(tomcat_domain)
++corenet_tcp_connect_mssql_port(tomcat_domain)
+
+dev_read_rand(tomcat_domain)
+dev_read_urand(tomcat_domain)
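Review bot: `corenet_tcp_connect_mssql_port(tomcat_domain)` is granted on the attribute, so every domain built from the tomcat template gets unconditional outbound MSSQL access, not only the deployment that needed it. The apache module's `httpd_can_network_connect_db` boolean is the precedent for this kind of need; a `tunable_policy` gate for tomcat (for instance a `tomcat_can_network_connect_db` boolean wrapping `corenet_tcp_connect_mssql_port(tomcat_domain)`) would let administrators keep the default closed. If a new boolean is too much for this release, a comment recording which deployment requires MSSQL would at least document the widening.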
@@ -116492,10 +116592,10 @@ index facdee8b3..2a619ba9e 100644
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')
diff --git a/virt.te b/virt.te
-index f03dcf567..5ce41db0d 100644
+index f03dcf567..529ae6612 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,451 +1,422 @@
+@@ -1,451 +1,424 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -116661,7 +116761,8 @@ index f03dcf567..5ce41db0d 100644
+##
+##
+gen_tunable(virt_use_usb, true)
-+
+
+-attribute svirt_lxc_domain;
+##
+##
+## Allow confined virtual guests to use smartcards
@@ -116690,8 +116791,7 @@ index f03dcf567..5ce41db0d 100644
+##
+##
+gen_tunable(virt_sandbox_use_sys_admin, false)
-
--attribute svirt_lxc_domain;
++
+##
+##
+## Allow sandbox containers to use mknod system calls
@@ -116730,11 +116830,11 @@ index f03dcf567..5ce41db0d 100644
-virt_domain_template(svirt_prot_exec)
+role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
-+
-+virt_domain_template(svirt_tcg)
-+role system_r types svirt_tcg_t;
-type virt_cache_t alias svirt_cache_t;
++virt_domain_template(svirt_tcg)
++role system_r types svirt_tcg_t;
++
+type qemu_exec_t, virt_file_type;
+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
@@ -117097,10 +117197,13 @@ index f03dcf567..5ce41db0d 100644
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
--
++allow svirt_t self:process ptrace;
+
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
@@ -117109,15 +117212,12 @@ index f03dcf567..5ce41db0d 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-+allow svirt_t self:process ptrace;
-
+-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
@@ -117142,6 +117242,8 @@ index f03dcf567..5ce41db0d 100644
+
+storage_raw_read_fixed_disk(svirt_t)
+
++userdom_read_all_users_state(svirt_t)
++
+#######################################
+#
+# svirt_prot_exec local policy
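Review bot: `userdom_read_all_users_state(svirt_t)` lets the guest-facing QEMU process read the /proc/<pid> state of every user domain, which is an information exposure from exactly the domain that is meant to stay confined against a compromised guest; the same interface applied to virtd_t elsewhere in this diff is a different risk profile, since that is the management daemon rather than the guest. If the denial behind it is a single read (one /proc/<pid> file, or only a getattr), a narrower interface such as `userdom_getattr_all_users(svirt_t)` or a `dontaudit` is preferable; if the read really is required, a comment stating which path QEMU reads and why should sit next to the rule. The svirt_t local-policy block starts outside this hunk.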
@@ -117228,7 +117330,7 @@ index f03dcf567..5ce41db0d 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +426,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +428,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -117275,22 +117377,22 @@ index f03dcf567..5ce41db0d 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +461,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +463,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
-can_exec(virtd_t, virt_tmp_t)
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
@@ -117309,7 +117411,7 @@ index f03dcf567..5ce41db0d 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +486,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +488,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -117337,7 +117439,7 @@ index f03dcf567..5ce41db0d 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +506,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +508,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -117368,7 +117470,7 @@ index f03dcf567..5ce41db0d 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +558,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +560,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -117388,19 +117490,29 @@ index f03dcf567..5ce41db0d 100644
selinux_validate_context(virtd_t)
-@@ -620,27 +580,35 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +582,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
+-userdom_read_all_users_state(virtd_t)
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
-+
+
+-ifdef(`hide_broken_symptoms',`
+- dontaudit virtd_t self:capability { sys_module sys_ptrace };
+-')
+-
+-tunable_policy(`virt_use_fusefs',`
+- fs_manage_fusefs_dirs(virtd_t)
+- fs_manage_fusefs_files(virtd_t)
+- fs_read_fusefs_symlinks(virtd_t)
+-')
+userdom_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
- userdom_read_all_users_state(virtd_t)
++userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_tmp_files(virtd_t)
+userdom_setattr_user_tmp_files(virtd_t)
@@ -117413,24 +117525,9 @@ index f03dcf567..5ce41db0d 100644
+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+virt_filetrans_home_content(virtd_t)
--ifdef(`hide_broken_symptoms',`
-- dontaudit virtd_t self:capability { sys_module sys_ptrace };
--')
--
--tunable_policy(`virt_use_fusefs',`
-- fs_manage_fusefs_dirs(virtd_t)
-- fs_manage_fusefs_files(virtd_t)
-- fs_read_fusefs_symlinks(virtd_t)
--')
--
--tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs(virtd_t)
-- fs_manage_nfs_files(virtd_t)
-- fs_read_nfs_symlinks(virtd_t)
-+tunable_policy(`virt_use_nfs',`
-+ fs_manage_nfs_dirs(virtd_t)
-+ fs_manage_nfs_files(virtd_t)
-+ fs_read_nfs_symlinks(virtd_t)
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+@@ -640,7 +610,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -117439,7 +117536,7 @@ index f03dcf567..5ce41db0d 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +633,12 @@ optional_policy(`
+@@ -665,20 +635,12 @@ optional_policy(`
')
optional_policy(`
@@ -117460,7 +117557,7 @@ index f03dcf567..5ce41db0d 100644
')
optional_policy(`
-@@ -691,20 +651,26 @@ optional_policy(`
+@@ -691,99 +653,432 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -117488,113 +117585,103 @@ index f03dcf567..5ce41db0d 100644
- kerberos_use(virtd_t)
+ kerberos_read_keytab(virtd_t)
+ kerberos_use(virtd_t)
- ')
-
- optional_policy(`
-@@ -712,11 +678,18 @@ optional_policy(`
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
++ lvm_domtrans(virtd_t)
++')
++
++optional_policy(`
+ # Run mount in the mount_t domain.
- mount_domtrans(virtd_t)
- mount_signal(virtd_t)
- ')
-
- optional_policy(`
++ mount_domtrans(virtd_t)
++ mount_signal(virtd_t)
++')
++
++optional_policy(`
+ numad_domtrans(virtd_t)
+ numad_dbus_chat(virtd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(virtd_t)
- policykit_domtrans_auth(virtd_t)
- policykit_domtrans_resolve(virtd_t)
- policykit_read_lib(virtd_t)
-@@ -727,10 +700,18 @@ optional_policy(`
- ')
-
- optional_policy(`
++ policykit_domtrans_auth(virtd_t)
++ policykit_domtrans_resolve(virtd_t)
++ policykit_read_lib(virtd_t)
++')
++
++optional_policy(`
++ qemu_exec(virtd_t)
++')
++
++optional_policy(`
+ sanlock_stream_connect(virtd_t)
+')
+
+optional_policy(`
- sasl_connect(virtd_t)
- ')
-
- optional_policy(`
++ sasl_connect(virtd_t)
++')
++
++optional_policy(`
+ setrans_manage_pid_files(virtd_t)
+')
+
+optional_policy(`
- kernel_read_xen_state(virtd_t)
- kernel_write_xen_state(virtd_t)
-
-@@ -746,44 +727,356 @@ optional_policy(`
- udev_read_pid_files(virtd_t)
- ')
-
++ kernel_read_xen_state(virtd_t)
++ kernel_write_xen_state(virtd_t)
++
++ xen_exec(virtd_t)
++ xen_stream_connect(virtd_t)
++ xen_stream_connect_xenstore(virtd_t)
++ xen_read_image_files(virtd_t)
++')
++
++optional_policy(`
++ udev_domtrans(virtd_t)
++ udev_read_db(virtd_t)
++ udev_read_pid_files(virtd_t)
++')
++
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
- ########################################
- #
--# Virsh local policy
++########################################
++#
+# virtlogd local policy
- #
-
--allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
--allow virsh_t self:process { getcap getsched setsched setcap signal };
--allow virsh_t self:fifo_file rw_fifo_file_perms;
--allow virsh_t self:unix_stream_socket { accept connectto listen };
--allow virsh_t self:tcp_socket { accept listen };
++#
++
+# virtlogd is allowed to manage files it creates in /var/run/libvirt
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
-
--manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
--manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
--manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++
+# virtlogd needs to read /etc/libvirt/virtlogd.conf only
+allow virtlogd_t virtlogd_etc_t:file read_file_perms;
+files_search_etc(virtlogd_t)
+allow virtlogd_t virt_etc_t:dir search;
-
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++
+# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated
+# context from other stuff in /var/run/libvirt
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file })
+# This lets systemd create the socket itself too
-
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++
+# virtlogd creates a /var/run/virtlogd.pid file
+allow virtlogd_t virtlogd_var_run_t:file manage_file_perms;
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file)
-
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
++
+manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file })
-
--allow virsh_t svirt_lxc_domain:process transition;
++
+kernel_read_network_state(virtlogd_t)
-
--can_exec(virsh_t, virsh_exec_t)
++
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow virtlogd_t to execute itself.
+allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
+
+dev_read_sysfs(virtlogd_t)
-
++
+logging_send_syslog_msg(virtlogd_t)
+
+auth_use_nsswitch(virtlogd_t)
@@ -117800,30 +117887,40 @@ index f03dcf567..5ce41db0d 100644
+ fs_manage_fusefs_files(virt_domain)
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- lvm_domtrans(virtd_t)
+ tunable_policy(`virt_use_glusterd',`
+ glusterd_manage_pid(virt_domain)
+ ')
-+')
-+
+ ')
+
+-optional_policy(`
+- mount_domtrans(virtd_t)
+- mount_signal(virtd_t)
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
+ fs_manage_nfs_named_sockets(virt_domain)
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
-+')
-+
+ ')
+
+-optional_policy(`
+- policykit_domtrans_auth(virtd_t)
+- policykit_domtrans_resolve(virtd_t)
+- policykit_read_lib(virtd_t)
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
+ fs_manage_cifs_named_sockets(virt_domain)
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
-+')
-+
+ ')
+
+-optional_policy(`
+- qemu_exec(virtd_t)
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
@@ -117831,49 +117928,83 @@ index f03dcf567..5ce41db0d 100644
+ fs_manage_dos_dirs(virt_domain)
+ fs_manage_dos_files(virt_domain)
+ udev_read_db(virt_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- sasl_connect(virtd_t)
+ tunable_policy(`virt_use_pcscd',`
+ pcscd_stream_connect(virt_domain)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- kernel_read_xen_state(virtd_t)
+- kernel_write_xen_state(virtd_t)
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(virt_domain)
+ ')
+')
-+
+
+- xen_exec(virtd_t)
+- xen_stream_connect(virtd_t)
+- xen_stream_connect_xenstore(virtd_t)
+- xen_read_image_files(virtd_t)
+tunable_policy(`virt_use_rawip',`
+ allow virt_domain self:rawip_socket create_socket_perms;
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- udev_domtrans(virtd_t)
+- udev_read_db(virtd_t)
+- udev_read_pid_files(virtd_t)
+ tunable_policy(`virt_use_xserver',`
+ xserver_stream_connect(virt_domain)
+ ')
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Virsh local policy
+# xm local policy
-+#
+ #
+type virsh_t, virt_system_domain;
+type virsh_exec_t, virt_file_type;
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-+
+
+-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+-allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:capability { setpcap dac_read_search dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
-+allow virsh_t self:fifo_file rw_fifo_file_perms;
+ allow virsh_t self:fifo_file rw_fifo_file_perms;
+-allow virsh_t self:unix_stream_socket { accept connectto listen };
+-allow virsh_t self:tcp_socket { accept listen };
+-
+-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
-+
+
+-allow virsh_t svirt_lxc_domain:process transition;
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
-+
-+can_exec(virsh_t, virsh_exec_t)
+
+ can_exec(virsh_t, virsh_exec_t)
+-
virt_domtrans(virsh_t)
virt_manage_images(virsh_t)
virt_manage_config(virsh_t)
@@ -117908,7 +118039,7 @@ index f03dcf567..5ce41db0d 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1087,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1089,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -117935,7 +118066,7 @@ index f03dcf567..5ce41db0d 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1107,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1109,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -117952,10 +118083,10 @@ index f03dcf567..5ce41db0d 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -117969,7 +118100,7 @@ index f03dcf567..5ce41db0d 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1144,20 @@ optional_policy(`
+@@ -856,14 +1146,20 @@ optional_policy(`
')
optional_policy(`
@@ -117991,7 +118122,7 @@ index f03dcf567..5ce41db0d 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1182,66 @@ optional_policy(`
+@@ -888,49 +1184,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -118076,7 +118207,7 @@ index f03dcf567..5ce41db0d 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1253,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1255,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -118096,7 +118227,7 @@ index f03dcf567..5ce41db0d 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1274,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1276,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -118120,7 +118251,7 @@ index f03dcf567..5ce41db0d 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1299,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1301,296 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -118147,7 +118278,8 @@ index f03dcf567..5ce41db0d 100644
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
@@ -118159,8 +118291,7 @@ index f03dcf567..5ce41db0d 100644
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -118380,13 +118511,13 @@ index f03dcf567..5ce41db0d 100644
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
++
++optional_policy(`
++ udev_read_pid_files(svirt_sandbox_domain)
++')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
@@ -118536,8 +118667,7 @@ index f03dcf567..5ce41db0d 100644
+fs_manage_cgroup_files(svirt_qemu_net_t)
+
+term_pty(container_file_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+auth_use_nsswitch(svirt_qemu_net_t)
+
+rpm_read_db(svirt_qemu_net_t)
@@ -118547,7 +118677,8 @@ index f03dcf567..5ce41db0d 100644
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(svirt_qemu_net_t)
+')
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+userdom_use_user_ptys(svirt_qemu_net_t)
########################################
@@ -118564,7 +118695,7 @@ index f03dcf567..5ce41db0d 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1601,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1603,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -118579,7 +118710,7 @@ index f03dcf567..5ce41db0d 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1619,7 @@ optional_policy(`
+@@ -1192,7 +1621,7 @@ optional_policy(`
########################################
#
@@ -118588,7 +118719,7 @@ index f03dcf567..5ce41db0d 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1628,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1630,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
@@ -119960,10 +120091,10 @@ index 4815a93f4..24dcf5174 100644
+ rhcs_rw_cluster_tmpfs(wdmd_t)
')
diff --git a/webadm.te b/webadm.te
-index 2a6cae773..6d0a2a1c5 100644
+index 2a6cae773..d2752d9bb 100644
--- a/webadm.te
+++ b/webadm.te
-@@ -25,6 +25,9 @@ role webadm_r;
+@@ -25,12 +25,21 @@ role webadm_r;
userdom_base_user_template(webadm)
@@ -119973,26 +120104,43 @@ index 2a6cae773..6d0a2a1c5 100644
########################################
#
# Local policy
-@@ -32,6 +35,12 @@ userdom_base_user_template(webadm)
-
- allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
+ #
+-allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
++allow webadm_t self:capability { dac_override dac_read_search kill sys_nice sys_resource };
++
+manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })
+can_exec(webadm_t, webadm_tmp_t)
-+
+
files_dontaudit_search_all_dirs(webadm_t)
files_list_var(webadm_t)
+@@ -38,12 +47,26 @@ files_list_var(webadm_t)
+ selinux_get_enforce_mode(webadm_t)
+ seutil_domtrans_setfiles(webadm_t)
-@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t)
++init_rw_pipes(webadm_t)
++init_status(webadm_t)
++
+ logging_send_audit_msgs(webadm_t)
+ logging_send_syslog_msg(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
++userdom_dontaudit_manage_admin_files(webadm_t)
++
++optional_policy(`
++ apache_admin(webadm_t, webadm_r)
++')
++
++optional_policy(`
++ dbus_system_bus_client(webadm_t)
++')
-apache_admin(webadm_t, webadm_r)
+optional_policy(`
-+ apache_admin(webadm_t, webadm_r)
++ policykit_dbus_chat(webadm_t)
+')
tunable_policy(`webadm_manage_user_files',`
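Review bot: `can_exec(webadm_t, webadm_tmp_t)` lets the web-admin role execute anything it has just written into /tmp, dropping the write-xor-execute separation confined user roles normally keep by default; unless the triggering denial was an exec of a temp file webadm legitimately runs, either drop the line or gate it behind a tunable the way the per-role `*_exec_content` booleans do for other user roles in this tree (I cannot see those modules from here), e.g. a `webadm_exec_content` boolean wrapping `can_exec(webadm_t, webadm_tmp_t)`. The new `sys_resource` capability added to `allow webadm_t self:capability { ... }` (override of resource limits and quotas) is also undocumented and deserves a one-line justification. The `tunable_policy(`webadm_manage_user_files'` block at the end of this hunk continues outside it.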
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 554b107..ad08eae 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 260.8%{?dist}
+Release: 260.9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -682,6 +682,50 @@ exit 0
%endif
%changelog
+* Thu Sep 14 2017 Lukas Vrabec - 3.13.1-260.9
+- Allow svirt_t read userdomain state
+- Fix keepalived SELinux module
+- Allow automount domain to manage mount pid files
+- Allow stunnel_t domain setsched
+- Allow svirt_t read userdomain state
+- Fix keepalived SELinux module
+- Allow automount domain to manage mount pid files
+- Allow stunnel_t domain setsched
+- Add keepalived domain setpgid capability
+- dbus: add policy for dbus-broker
+- Revert "Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)"
+- Allow tomcat domain to connect to mssql port
+- Fix typo bug in apache module
+- Dontaudit that system_mail_t is trying to read /root/ files
+- Merge branch 'f26' of github.com:fedora-selinux/selinux-policy-contrib into f26
+- networkmanager: allow talking to openvswitch
+- Merge pull request #27 from lslebodn/pki_tomcat_tf26
+- Make working webadm_t userdomain
+- Allow redis domain to execute shell scripts.
+- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
+- Add couple capabilities to keepalived domain and allow get attributes of all domains
+- Allow dmidecode read rhsmcertd lock files
+- Add new interface rhsmcertd_rw_lock_files()
+- Allow pki_tomcat_t use nsswitch
+- Allow logrotate_t to change passwd and reloead services
+- Label all plymouthd archives as plymouthd_var_log_t
+- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
+- Add few rules to make tlp_t domain working in enforcing mode
+- Allow cloud_init_t to dbus chat with systemd_timedated_t
+- Allow logrotate_t to write to kmsg
+- Add capability kill to rhsmcertd_t
+- Allow winbind to manage smbd_tmp_t files
+- Allow ipa_dnskey_t to exec ipa_dnskey_exec_t files
+- Allow sysctl_irq_t assciate with proc_t
+- Allow sshd_t domain to send signull to xdm_t processes
+- Allow updpwd_t domain auth file name trans
+- Add support labeling for vmci and vsock device
+- Add userdom_dontaudit_manage_admin_files() interface
+- Allow iptables_t domain to read files with modules_conf_t label
+- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)
+- Allow useradd_t domain dbus chat with systemd
+- Dontaudit netutils to write to kdumpctl_tmp_t pipes BZ(1481670)
+
* Thu Aug 31 2017 Lukas Vrabec - 3.13.1-260.8
- Allow ddclient use nsswitch BZ(1456241)
- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)