+## Allow logrotate to manage nfs files @@ -47497,7 +47542,7 @@ index be0ab84b3..0129ddb61 100644 type logrotate_lock_t; files_lock_file(logrotate_lock_t) -@@ -25,21 +38,31 @@ files_tmp_file(logrotate_tmp_t) +@@ -25,21 +42,33 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) @@ -47520,6 +47565,8 @@ index be0ab84b3..0129ddb61 100644 + +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + ++allow logrotate_t self:passwd { passwd }; ++ +# Set a context other than the default one for newly created files. +allow logrotate_t self:process setfscreate; + @@ -47535,7 +47582,7 @@ index be0ab84b3..0129ddb61 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +77,54 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -47558,6 +47605,7 @@ index be0ab84b3..0129ddb61 100644 +dev_read_urand(logrotate_t) +dev_read_sysfs(logrotate_t) ++dev_write_kmsg(logrotate_t) + +fs_search_auto_mountpoints(logrotate_t) +fs_getattr_all_fs(logrotate_t) @@ -47594,7 +47642,7 @@ index be0ab84b3..0129ddb61 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +135,57 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +142,58 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -47606,6 +47654,7 @@ index be0ab84b3..0129ddb61 100644 init_all_labeled_script_domtrans(logrotate_t) +init_reload_services(logrotate_t) ++init_reload_transient_unit(logrotate_t) logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) @@ -47658,7 +47707,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -135,16 +200,17 @@ optional_policy(` +@@ -135,16 +208,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -47678,7 +47727,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -170,6 +236,11 @@ optional_policy(` +@@ -170,6 +244,11 @@ optional_policy(` ') optional_policy(` @@ -47690,7 +47739,7 @@ index be0ab84b3..0129ddb61 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +249,8 @@ optional_policy(` +@@ -178,7 +257,8 @@ optional_policy(` ') optional_policy(` @@ -47700,7 +47749,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -198,17 +270,18 @@ optional_policy(` +@@ -198,17 +278,18 @@ optional_policy(` ') optional_policy(` @@ -47722,7 +47771,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -216,6 +289,14 @@ optional_policy(` +@@ -216,6 +297,14 @@ optional_policy(` ') optional_policy(` @@ -47737,7 +47786,7 @@ index be0ab84b3..0129ddb61 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +309,50 @@ optional_policy(` +@@ -228,26 +317,50 @@ optional_policy(` ') optional_policy(` @@ -56191,7 +56240,7 @@ index ed81cac5a..cd52baf59 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c6a..94b1dfca7 100644 +index ff1d68c6a..3f662fbef 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -56291,7 +56340,7 @@ index ff1d68c6a..94b1dfca7 100644 procmail_exec(user_mail_domain) ') -@@ -166,57 +166,76 @@ optional_policy(` +@@ -166,57 +166,77 @@ optional_policy(` uucp_manage_spool(user_mail_domain) ') @@ -56344,6 +56393,7 @@ index ff1d68c6a..94b1dfca7 100644 +userdom_dontaudit_list_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) +userdom_dontaudit_list_user_tmp(system_mail_t) ++userdom_dontaudit_read_inherited_admin_home_files(system_mail_t) + +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) @@ -56387,7 +56437,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -225,17 +244,21 @@ optional_policy(` +@@ -225,17 +245,21 @@ optional_policy(` ') optional_policy(` @@ -56411,7 +56461,7 @@ index ff1d68c6a..94b1dfca7 100644 courier_stream_connect_authdaemon(system_mail_t) ') -@@ -244,9 +267,10 @@ optional_policy(` +@@ -244,9 +268,10 @@ optional_policy(` ') optional_policy(` @@ -56425,7 +56475,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -258,10 +282,17 @@ optional_policy(` +@@ -258,10 +283,17 @@ optional_policy(` ') optional_policy(` @@ -56443,7 +56493,7 @@ index ff1d68c6a..94b1dfca7 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +303,19 @@ optional_policy(` +@@ -272,6 +304,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -56463,7 +56513,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -279,6 +323,10 @@ optional_policy(` +@@ -279,6 +324,10 @@ optional_policy(` ') optional_policy(` @@ -56474,7 +56524,7 @@ index ff1d68c6a..94b1dfca7 100644 userdom_dontaudit_use_user_ptys(system_mail_t) optional_policy(` -@@ -287,42 +335,36 @@ optional_policy(` +@@ -287,42 +336,36 @@ optional_policy(` ') optional_policy(` @@ -56527,7 +56577,7 @@ index ff1d68c6a..94b1dfca7 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,44 +373,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,44 +374,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -56597,7 +56647,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -381,24 +427,49 @@ optional_policy(` +@@ -381,24 +428,49 @@ optional_policy(` ######################################## # @@ -60652,9 +60702,15 @@ index 86dc29dfa..c7d9376d5 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f20095e..4419e3531 100644 +index 55f20095e..3ed3ed0b3 100644 --- a/networkmanager.te +++ b/networkmanager.te +@@ -1,4 +1,4 @@ +-policy_module(networkmanager, 1.15.2) ++policy_module(networkmanager, 1.15.3) + + ######################################## + # @@ -9,15 +9,18 @@ type NetworkManager_t; type NetworkManager_exec_t; init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -60872,10 +60928,10 @@ index 55f20095e..4419e3531 100644 -# certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) +systemd_machined_read_pid_files(NetworkManager_t) -+ -+term_use_unallocated_ttys(NetworkManager_t) -userdom_write_user_tmp_sockets(NetworkManager_t) ++term_use_unallocated_ttys(NetworkManager_t) ++ +userdom_stream_connect(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) @@ -60941,16 +60997,16 @@ index 55f20095e..4419e3531 100644 dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) + dnsmasq_systemctl(NetworkManager_t) ++') ++ ++optional_policy(` ++ dnssec_trigger_domtrans(NetworkManager_t) ++ dnssec_trigger_signull(NetworkManager_t) ++ dnssec_trigger_sigkill(NetworkManager_t) ') optional_policy(` - gnome_stream_connect_all_gkeyringd(NetworkManager_t) -+ dnssec_trigger_domtrans(NetworkManager_t) -+ dnssec_trigger_signull(NetworkManager_t) -+ dnssec_trigger_sigkill(NetworkManager_t) -+') -+ -+optional_policy(` + fcoe_dgram_send_fcoemon(NetworkManager_t) ') @@ -61079,7 +61135,7 @@ index 55f20095e..4419e3531 100644 ') optional_policy(` -@@ -338,12 +431,19 @@ optional_policy(` +@@ -338,12 +431,23 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') @@ -61090,6 +61146,10 @@ index 55f20095e..4419e3531 100644 + openfortivpn_signull(NetworkManager_t) +') + ++optional_policy(` ++ openvswitch_stream_connect(NetworkManager_t) ++') ++ ######################################## # # wpa_cli local policy @@ -61100,7 +61160,7 @@ index 55f20095e..4419e3531 100644 allow wpa_cli_t self:unix_dgram_socket create_socket_perms; allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; -@@ -357,6 +457,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +461,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -73247,7 +73307,7 @@ index 000000000..798efb632 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 000000000..afa1ba1f4 +index 000000000..f80377711 --- /dev/null +++ b/pki.te @@ -0,0 +1,283 @@ @@ -73363,7 +73423,7 @@ index 000000000..afa1ba1f4 +can_exec(pki_tomcat_t, pki_common_t) +init_stream_connect_script(pki_tomcat_t) + -+auth_read_passwd(pki_tomcat_t) ++auth_use_nsswitch(pki_tomcat_t) + +search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t) + @@ -73535,7 +73595,7 @@ index 000000000..afa1ba1f4 +') + diff --git a/plymouthd.fc b/plymouthd.fc -index 735500fd1..2ba6832cc 100644 +index 735500fd1..7f694728c 100644 --- a/plymouthd.fc +++ b/plymouthd.fc @@ -1,15 +1,14 @@ @@ -73553,7 +73613,7 @@ index 735500fd1..2ba6832cc 100644 -/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) -+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) ++/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) -/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) +/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) @@ -87547,7 +87607,7 @@ index 16c8ecbe3..4e021eca7 100644 + ') ') diff --git a/redis.te b/redis.te -index 25cd4175f..61de8277a 100644 +index 25cd4175f..84c02e325 100644 --- a/redis.te +++ b/redis.te @@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t) @@ -87579,7 +87639,7 @@ index 25cd4175f..61de8277a 100644 manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) manage_files_pattern(redis_t, redis_log_t, redis_log_t) manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) -@@ -42,14 +50,17 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) +@@ -42,24 +50,27 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) @@ -87597,7 +87657,12 @@ index 25cd4175f..61de8277a 100644 corenet_sendrecv_redis_server_packets(redis_t) corenet_tcp_bind_redis_port(redis_t) -@@ -60,6 +71,4 @@ dev_read_urand(redis_t) + corenet_tcp_sendrecv_redis_port(redis_t) + ++corecmd_exec_shell(redis_t) ++ + dev_read_sysfs(redis_t) + dev_read_urand(redis_t) logging_send_syslog_msg(redis_t) @@ -90475,7 +90540,7 @@ index 8c0280418..896c8c67f 100644 /var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) diff --git a/rhsmcertd.if b/rhsmcertd.if -index 6dbc905b3..4b17c933e 100644 +index 6dbc905b3..42e4306c8 100644 --- a/rhsmcertd.if +++ b/rhsmcertd.if @@ -1,8 +1,8 @@ @@ -90571,23 +90636,21 @@ index 6dbc905b3..4b17c933e 100644 ##
+## Allow confined virtual guests to use smartcards @@ -116690,8 +116791,7 @@ index f03dcf567..5ce41db0d 100644 +##
+##
+## Allow sandbox containers to use mknod system calls
@@ -116730,11 +116830,11 @@ index f03dcf567..5ce41db0d 100644
-virt_domain_template(svirt_prot_exec)
+role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
-+
-+virt_domain_template(svirt_tcg)
-+role system_r types svirt_tcg_t;
-type virt_cache_t alias svirt_cache_t;
++virt_domain_template(svirt_tcg)
++role system_r types svirt_tcg_t;
++
+type qemu_exec_t, virt_file_type;
+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
@@ -117097,10 +117197,13 @@ index f03dcf567..5ce41db0d 100644
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
--
++allow svirt_t self:process ptrace;
+
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
@@ -117109,15 +117212,12 @@ index f03dcf567..5ce41db0d 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-+allow svirt_t self:process ptrace;
-
+-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
@@ -117142,6 +117242,8 @@ index f03dcf567..5ce41db0d 100644
+
+storage_raw_read_fixed_disk(svirt_t)
+
++userdom_read_all_users_state(svirt_t)
++
+#######################################
+#
+# svirt_prot_exec local policy
@@ -117228,7 +117330,7 @@ index f03dcf567..5ce41db0d 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +426,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +428,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -117275,22 +117377,22 @@ index f03dcf567..5ce41db0d 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +461,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +463,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
-can_exec(virtd_t, virt_tmp_t)
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
@@ -117309,7 +117411,7 @@ index f03dcf567..5ce41db0d 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +486,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +488,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -117337,7 +117439,7 @@ index f03dcf567..5ce41db0d 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +506,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +508,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -117368,7 +117470,7 @@ index f03dcf567..5ce41db0d 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +558,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +560,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -117388,19 +117490,29 @@ index f03dcf567..5ce41db0d 100644
selinux_validate_context(virtd_t)
-@@ -620,27 +580,35 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +582,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
+-userdom_read_all_users_state(virtd_t)
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
-+
+
+-ifdef(`hide_broken_symptoms',`
+- dontaudit virtd_t self:capability { sys_module sys_ptrace };
+-')
+-
+-tunable_policy(`virt_use_fusefs',`
+- fs_manage_fusefs_dirs(virtd_t)
+- fs_manage_fusefs_files(virtd_t)
+- fs_read_fusefs_symlinks(virtd_t)
+-')
+userdom_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
- userdom_read_all_users_state(virtd_t)
++userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_tmp_files(virtd_t)
+userdom_setattr_user_tmp_files(virtd_t)
@@ -117413,24 +117525,9 @@ index f03dcf567..5ce41db0d 100644
+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+virt_filetrans_home_content(virtd_t)
--ifdef(`hide_broken_symptoms',`
-- dontaudit virtd_t self:capability { sys_module sys_ptrace };
--')
--
--tunable_policy(`virt_use_fusefs',`
-- fs_manage_fusefs_dirs(virtd_t)
-- fs_manage_fusefs_files(virtd_t)
-- fs_read_fusefs_symlinks(virtd_t)
--')
--
--tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs(virtd_t)
-- fs_manage_nfs_files(virtd_t)
-- fs_read_nfs_symlinks(virtd_t)
-+tunable_policy(`virt_use_nfs',`
-+ fs_manage_nfs_dirs(virtd_t)
-+ fs_manage_nfs_files(virtd_t)
-+ fs_read_nfs_symlinks(virtd_t)
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+@@ -640,7 +610,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -117439,7 +117536,7 @@ index f03dcf567..5ce41db0d 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +633,12 @@ optional_policy(`
+@@ -665,20 +635,12 @@ optional_policy(`
')
optional_policy(`
@@ -117460,7 +117557,7 @@ index f03dcf567..5ce41db0d 100644
')
optional_policy(`
-@@ -691,20 +651,26 @@ optional_policy(`
+@@ -691,99 +653,432 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -117488,113 +117585,103 @@ index f03dcf567..5ce41db0d 100644
- kerberos_use(virtd_t)
+ kerberos_read_keytab(virtd_t)
+ kerberos_use(virtd_t)
- ')
-
- optional_policy(`
-@@ -712,11 +678,18 @@ optional_policy(`
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
++ lvm_domtrans(virtd_t)
++')
++
++optional_policy(`
+ # Run mount in the mount_t domain.
- mount_domtrans(virtd_t)
- mount_signal(virtd_t)
- ')
-
- optional_policy(`
++ mount_domtrans(virtd_t)
++ mount_signal(virtd_t)
++')
++
++optional_policy(`
+ numad_domtrans(virtd_t)
+ numad_dbus_chat(virtd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(virtd_t)
- policykit_domtrans_auth(virtd_t)
- policykit_domtrans_resolve(virtd_t)
- policykit_read_lib(virtd_t)
-@@ -727,10 +700,18 @@ optional_policy(`
- ')
-
- optional_policy(`
++ policykit_domtrans_auth(virtd_t)
++ policykit_domtrans_resolve(virtd_t)
++ policykit_read_lib(virtd_t)
++')
++
++optional_policy(`
++ qemu_exec(virtd_t)
++')
++
++optional_policy(`
+ sanlock_stream_connect(virtd_t)
+')
+
+optional_policy(`
- sasl_connect(virtd_t)
- ')
-
- optional_policy(`
++ sasl_connect(virtd_t)
++')
++
++optional_policy(`
+ setrans_manage_pid_files(virtd_t)
+')
+
+optional_policy(`
- kernel_read_xen_state(virtd_t)
- kernel_write_xen_state(virtd_t)
-
-@@ -746,44 +727,356 @@ optional_policy(`
- udev_read_pid_files(virtd_t)
- ')
-
++ kernel_read_xen_state(virtd_t)
++ kernel_write_xen_state(virtd_t)
++
++ xen_exec(virtd_t)
++ xen_stream_connect(virtd_t)
++ xen_stream_connect_xenstore(virtd_t)
++ xen_read_image_files(virtd_t)
++')
++
++optional_policy(`
++ udev_domtrans(virtd_t)
++ udev_read_db(virtd_t)
++ udev_read_pid_files(virtd_t)
++')
++
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
- ########################################
- #
--# Virsh local policy
++########################################
++#
+# virtlogd local policy
- #
-
--allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
--allow virsh_t self:process { getcap getsched setsched setcap signal };
--allow virsh_t self:fifo_file rw_fifo_file_perms;
--allow virsh_t self:unix_stream_socket { accept connectto listen };
--allow virsh_t self:tcp_socket { accept listen };
++#
++
+# virtlogd is allowed to manage files it creates in /var/run/libvirt
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
-
--manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
--manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
--manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++
+# virtlogd needs to read /etc/libvirt/virtlogd.conf only
+allow virtlogd_t virtlogd_etc_t:file read_file_perms;
+files_search_etc(virtlogd_t)
+allow virtlogd_t virt_etc_t:dir search;
-
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++
+# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated
+# context from other stuff in /var/run/libvirt
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file })
+# This lets systemd create the socket itself too
-
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++
+# virtlogd creates a /var/run/virtlogd.pid file
+allow virtlogd_t virtlogd_var_run_t:file manage_file_perms;
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file)
-
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
++
+manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file })
-
--allow virsh_t svirt_lxc_domain:process transition;
++
+kernel_read_network_state(virtlogd_t)
-
--can_exec(virsh_t, virsh_exec_t)
++
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow virtlogd_t to execute itself.
+allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
+
+dev_read_sysfs(virtlogd_t)
-
++
+logging_send_syslog_msg(virtlogd_t)
+
+auth_use_nsswitch(virtlogd_t)
@@ -117800,30 +117887,40 @@ index f03dcf567..5ce41db0d 100644
+ fs_manage_fusefs_files(virt_domain)
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- lvm_domtrans(virtd_t)
+ tunable_policy(`virt_use_glusterd',`
+ glusterd_manage_pid(virt_domain)
+ ')
-+')
-+
+ ')
+
+-optional_policy(`
+- mount_domtrans(virtd_t)
+- mount_signal(virtd_t)
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
+ fs_manage_nfs_named_sockets(virt_domain)
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
-+')
-+
+ ')
+
+-optional_policy(`
+- policykit_domtrans_auth(virtd_t)
+- policykit_domtrans_resolve(virtd_t)
+- policykit_read_lib(virtd_t)
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
+ fs_manage_cifs_named_sockets(virt_domain)
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
-+')
-+
+ ')
+
+-optional_policy(`
+- qemu_exec(virtd_t)
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
@@ -117831,49 +117928,83 @@ index f03dcf567..5ce41db0d 100644
+ fs_manage_dos_dirs(virt_domain)
+ fs_manage_dos_files(virt_domain)
+ udev_read_db(virt_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- sasl_connect(virtd_t)
+ tunable_policy(`virt_use_pcscd',`
+ pcscd_stream_connect(virt_domain)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- kernel_read_xen_state(virtd_t)
+- kernel_write_xen_state(virtd_t)
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(virt_domain)
+ ')
+')
-+
+
+- xen_exec(virtd_t)
+- xen_stream_connect(virtd_t)
+- xen_stream_connect_xenstore(virtd_t)
+- xen_read_image_files(virtd_t)
+tunable_policy(`virt_use_rawip',`
+ allow virt_domain self:rawip_socket create_socket_perms;
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- udev_domtrans(virtd_t)
+- udev_read_db(virtd_t)
+- udev_read_pid_files(virtd_t)
+ tunable_policy(`virt_use_xserver',`
+ xserver_stream_connect(virt_domain)
+ ')
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Virsh local policy
+# xm local policy
-+#
+ #
+type virsh_t, virt_system_domain;
+type virsh_exec_t, virt_file_type;
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-+
+
+-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+-allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:capability { setpcap dac_read_search dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
-+allow virsh_t self:fifo_file rw_fifo_file_perms;
+ allow virsh_t self:fifo_file rw_fifo_file_perms;
+-allow virsh_t self:unix_stream_socket { accept connectto listen };
+-allow virsh_t self:tcp_socket { accept listen };
+-
+-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
-+
+
+-allow virsh_t svirt_lxc_domain:process transition;
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
-+
-+can_exec(virsh_t, virsh_exec_t)
+
+ can_exec(virsh_t, virsh_exec_t)
+-
virt_domtrans(virsh_t)
virt_manage_images(virsh_t)
virt_manage_config(virsh_t)
@@ -117908,7 +118039,7 @@ index f03dcf567..5ce41db0d 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1087,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1089,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -117935,7 +118066,7 @@ index f03dcf567..5ce41db0d 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1107,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1109,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -117952,10 +118083,10 @@ index f03dcf567..5ce41db0d 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -117969,7 +118100,7 @@ index f03dcf567..5ce41db0d 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1144,20 @@ optional_policy(`
+@@ -856,14 +1146,20 @@ optional_policy(`
')
optional_policy(`
@@ -117991,7 +118122,7 @@ index f03dcf567..5ce41db0d 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1182,66 @@ optional_policy(`
+@@ -888,49 +1184,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -118076,7 +118207,7 @@ index f03dcf567..5ce41db0d 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1253,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1255,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -118096,7 +118227,7 @@ index f03dcf567..5ce41db0d 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1274,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1276,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -118120,7 +118251,7 @@ index f03dcf567..5ce41db0d 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1299,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1301,296 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -118147,7 +118278,8 @@ index f03dcf567..5ce41db0d 100644
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
@@ -118159,8 +118291,7 @@ index f03dcf567..5ce41db0d 100644
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -118380,13 +118511,13 @@ index f03dcf567..5ce41db0d 100644
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
++
++optional_policy(`
++ udev_read_pid_files(svirt_sandbox_domain)
++')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
@@ -118536,8 +118667,7 @@ index f03dcf567..5ce41db0d 100644
+fs_manage_cgroup_files(svirt_qemu_net_t)
+
+term_pty(container_file_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+auth_use_nsswitch(svirt_qemu_net_t)
+
+rpm_read_db(svirt_qemu_net_t)
@@ -118547,7 +118677,8 @@ index f03dcf567..5ce41db0d 100644
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(svirt_qemu_net_t)
+')
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+userdom_use_user_ptys(svirt_qemu_net_t)
########################################
@@ -118564,7 +118695,7 @@ index f03dcf567..5ce41db0d 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1601,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1603,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -118579,7 +118710,7 @@ index f03dcf567..5ce41db0d 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1619,7 @@ optional_policy(`
+@@ -1192,7 +1621,7 @@ optional_policy(`
########################################
#
@@ -118588,7 +118719,7 @@ index f03dcf567..5ce41db0d 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1628,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1630,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
@@ -119960,10 +120091,10 @@ index 4815a93f4..24dcf5174 100644
+ rhcs_rw_cluster_tmpfs(wdmd_t)
')
diff --git a/webadm.te b/webadm.te
-index 2a6cae773..6d0a2a1c5 100644
+index 2a6cae773..d2752d9bb 100644
--- a/webadm.te
+++ b/webadm.te
-@@ -25,6 +25,9 @@ role webadm_r;
+@@ -25,12 +25,21 @@ role webadm_r;
userdom_base_user_template(webadm)
@@ -119973,26 +120104,43 @@ index 2a6cae773..6d0a2a1c5 100644
########################################
#
# Local policy
-@@ -32,6 +35,12 @@ userdom_base_user_template(webadm)
-
- allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
+ #
+-allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
++allow webadm_t self:capability { dac_override dac_read_search kill sys_nice sys_resource };
++
+manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })
+can_exec(webadm_t, webadm_tmp_t)
-+
+
files_dontaudit_search_all_dirs(webadm_t)
files_list_var(webadm_t)
+@@ -38,12 +47,26 @@ files_list_var(webadm_t)
+ selinux_get_enforce_mode(webadm_t)
+ seutil_domtrans_setfiles(webadm_t)
-@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t)
++init_rw_pipes(webadm_t)
++init_status(webadm_t)
++
+ logging_send_audit_msgs(webadm_t)
+ logging_send_syslog_msg(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
++userdom_dontaudit_manage_admin_files(webadm_t)
++
++optional_policy(`
++ apache_admin(webadm_t, webadm_r)
++')
++
++optional_policy(`
++ dbus_system_bus_client(webadm_t)
++')
-apache_admin(webadm_t, webadm_r)
+optional_policy(`
-+ apache_admin(webadm_t, webadm_r)
++ policykit_dbus_chat(webadm_t)
+')
tunable_policy(`webadm_manage_user_files',`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 554b107..ad08eae 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 260.8%{?dist}
+Release: 260.9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -682,6 +682,50 @@ exit 0
%endif
%changelog
+* Thu Sep 14 2017 Lukas Vrabec