Blame SOURCES/policy-rhel-7.4.z-contrib.patch

4e9cfe
diff --git a/certmonger.te b/certmonger.te
4e9cfe
index 0803529e4..0585431e1 100644
4e9cfe
--- a/certmonger.te
4e9cfe
+++ b/certmonger.te
4e9cfe
@@ -144,6 +144,7 @@ optional_policy(`
4e9cfe
 optional_policy(`
4e9cfe
 	pki_rw_tomcat_cert(certmonger_t)
4e9cfe
 	pki_read_tomcat_lib_files(certmonger_t)
4e9cfe
+    pki_tomcat_systemctl(certmonger_t)
4e9cfe
 ')
4e9cfe
 
4e9cfe
 optional_policy(`
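Review bot: The added `pki_tomcat_systemctl(certmonger_t)` line is indented with four spaces while the two neighbouring calls in the same optional_policy block use a tab, so the block now mixes indentation; change it to a single tab, `	pki_tomcat_systemctl(certmonger_t)`, to match. The same tab/space mix appears in the new pki.if interface on its `systemd_read_fifo_file_passwd_run($1)` line. Both are whitespace only, but consistent indentation keeps the policy easy to diff and review.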
a3dbbd
diff --git a/lldpad.te b/lldpad.te
a3dbbd
index 42e5578f2..3399d597a 100644
a3dbbd
--- a/lldpad.te
a3dbbd
+++ b/lldpad.te
a3dbbd
@@ -64,3 +64,7 @@ optional_policy(`
a3dbbd
 optional_policy(`
a3dbbd
     networkmanager_dgram_send(lldpad_t)
a3dbbd
 ')
a3dbbd
+
a3dbbd
+optional_policy(`
a3dbbd
+    virt_dgram_send(lldpad_t)
a3dbbd
+')
4e9cfe
diff --git a/pki.if b/pki.if
4e9cfe
index f18fcc68f..f69ae0298 100644
4e9cfe
--- a/pki.if
4e9cfe
+++ b/pki.if
4e9cfe
@@ -477,3 +477,27 @@ interface(`pki_stream_connect',`
4e9cfe
 	files_search_pids($1)
4e9cfe
 	stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
4e9cfe
 ')
4e9cfe
+
4e9cfe
+########################################
4e9cfe
+## <summary>
4e9cfe
+##	Execute pki in the pkit_tomcat_t domain.
4e9cfe
+## </summary>
4e9cfe
+## <param name="domain">
4e9cfe
+##	<summary>
4e9cfe
+##	Domain allowed to transition.
4e9cfe
+##	</summary>
4e9cfe
+## </param>
4e9cfe
+#
4e9cfe
+interface(`pki_tomcat_systemctl',`
4e9cfe
+	gen_require(`
4e9cfe
+		type pki_tomcat_t;
4e9cfe
+		type pki_tomcat_unit_file_t;
4e9cfe
+	')
4e9cfe
+
4e9cfe
+	systemd_exec_systemctl($1)
4e9cfe
+    systemd_read_fifo_file_passwd_run($1)
4e9cfe
+	allow $1 pki_tomcat_unit_file_t:file read_file_perms;
4e9cfe
+	allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
4e9cfe
+
4e9cfe
+	ps_process_pattern($1, pki_tomcat_t)
4e9cfe
+')
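Review bot: The summary of the new `pki_tomcat_systemctl` interface misnames the type as `pkit_tomcat_t` and describes a domain transition ("Execute pki in the ... domain", "Domain allowed to transition") that the body never grants; what it actually allows is executing systemctl, read and manage access on `pki_tomcat_unit_file_t`, and reading pki_tomcat_t process state via ps_process_pattern. I would replace the summary with `##	Allow the caller to manage the pki-tomcat service via systemctl.` and the param summary with `##	Domain allowed access.`. Note also that `manage_service_perms` covers enable/disable and reload as well as start/stop/status; if the caller (presumably certmonger restarting the service after a certificate renewal) only needs start/stop/status, a narrower permission set, or a short comment explaining why the full set is required, would help later reviewers. The `systemd_read_fifo_file_passwd_run($1)` line also uses spaces where the rest of the body uses tabs.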
a3dbbd
diff --git a/tomcat.te b/tomcat.te
a3dbbd
index 97bdd60c9..386c4b7ac 100644
a3dbbd
--- a/tomcat.te
a3dbbd
+++ b/tomcat.te
a3dbbd
@@ -51,6 +51,9 @@ optional_policy(`
a3dbbd
 # tomcat domain policy
a3dbbd
 #
a3dbbd
 
a3dbbd
+allow tomcat_t self:capability { dac_override setuid kill };
a3dbbd
+
a3dbbd
+allow tomcat_t self:process { setcap signal signull };
a3dbbd
 allow tomcat_domain self:fifo_file rw_fifo_file_perms;
a3dbbd
 allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
a3dbbd
 
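Review bot: The new `allow tomcat_t self:capability { dac_override setuid kill };` line grants dac_override without any comment saying which access it was added for; dac_override lets tomcat_t bypass DAC permission bits on every file its SELinux rules already permit, so it is much broader than the single denial that usually prompts it. If the denial came from one file or directory owned by another user, fixing that object's ownership or labeling avoids the capability entirely; if it really is needed, add a one-line comment above the rule naming the access that requires it, e.g. `# dac_override: needed for <access/bug reference placeholder>`. The `setuid` capability together with `process setcap` suggests the daemon drops privileges at startup, which is worth stating in the same comment. The surrounding rules use the tomcat_domain attribute while these target tomcat_t only; that is the narrower choice and fine, but a reader will wonder whether it was deliberate.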
a3dbbd
diff --git a/virt.if b/virt.if
a3dbbd
index 1d17889f3..c6792a5a3 100644
a3dbbd
--- a/virt.if
a3dbbd
+++ b/virt.if
a3dbbd
@@ -1618,4 +1618,23 @@ interface(`virt_dontaudit_read_state',`
a3dbbd
 	dontaudit $1 virtd_t:dir search_dir_perms;
a3dbbd
 	dontaudit $1 virtd_t:file read_file_perms;
a3dbbd
 	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
a3dbbd
+')
a3dbbd
+
a3dbbd
+#######################################
a3dbbd
+## <summary>
a3dbbd
+##	Send to libvirt with a unix dgram socket.
a3dbbd
+## </summary>
a3dbbd
+## <param name="domain">
a3dbbd
+##	<summary>
a3dbbd
+##	Domain allowed access.
a3dbbd
+##	</summary>
a3dbbd
+## </param>
a3dbbd
+#
a3dbbd
+interface(`virt_dgram_send',`
a3dbbd
+	gen_require(`
a3dbbd
+		type virtd_t, virt_var_run_t;
a3dbbd
+	')
a3dbbd
+
a3dbbd
+	files_search_pids($1)
a3dbbd
+	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
a3dbbd
 ')
a3dbbd
\ No newline at end of file