From 8610886f2e68980121f177ece17ca5d7fe9edeac Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Oct 10 2016 15:16:44 +0000 Subject: * Mon Oct 10 2016 Lukas Vrabec - 3.13.1-219 - Dontaudit leaked file descriptors for thumb. BZ(1383071) - Fix typo in cobbler SELinux module - Merge pull request #165 from rhatdan/container - Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156) - Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t - Rename svirt_lxc_net_t to container_t - Rename docker.pp to container.pp, causes change in interface name - Allow httpd_t domain to list inotify filesystem. - Fix couple AVC to start roundup properly - Allow dovecot_t send signull to dovecot_deliver_t - Add sys_ptrace capability to pegasus domain - Allow firewalld to stream connect to NetworkManager. BZ(1380954) - rename docker intefaces to container - Merge pull request #164 from rhatdan/docker-base - Rename docker.pp to container.pp, causes change in interface name - Allow gvfs to read /dev/nvme* devices BZ(1380951) --- diff --git a/container-selinux.tgz b/container-selinux.tgz index b151925..930b000 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index dfc836d..800ac4a 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -10185,7 +10185,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..9e9400f 100644 +index cf04cb5..990ecf3 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -10373,7 +10373,7 @@ index cf04cb5..9e9400f 100644 +') + +optional_policy(` -+ docker_filetrans_named_content(named_filetrans_domain) ++ container_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` 
@@ -10717,7 +10717,7 @@ index cf04cb5..9e9400f 100644 +') + +optional_policy(` -+ docker_spc_stream_connect(domain) ++ container_spc_stream_connect(domain) +') + +optional_policy(` @@ -25403,7 +25403,7 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..59d8b87 100644 +index 0fef1fc..c3b8b13 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) @@ -25509,8 +25509,8 @@ index 0fef1fc..59d8b87 100644 optional_policy(` - git_role(staff_r, staff_t) -+ docker_stream_connect(staff_t) -+ docker_exec(staff_t) ++ container_stream_connect(staff_t) ++ container_runtime_exec(staff_t) +') + +optional_policy(` @@ -25802,7 +25802,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..d389826 100644 +index 2522ca6..47b6d44 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,92 @@ policy_module(sysadm, 2.6.1) @@ -25898,7 +25898,7 @@ index 2522ca6..d389826 100644 +') + +optional_policy(` -+ docker_stream_connect(sysadm_t) ++ container_stream_connect(sysadm_t) +') + +optional_policy(` @@ -27237,7 +27237,7 @@ index 0000000..15b42ae + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..79f40da +index 0000000..60c3f9d --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,358 @@ @@ -27436,7 +27436,7 @@ index 0000000..79f40da +') + +optional_policy(` -+ docker_entrypoint(unconfined_t) ++ container_runtime_entrypoint(unconfined_t) +') + +optional_policy(` @@ -31791,7 +31791,7 @@ index 6bf0ecc..e6be63a 100644 +') + 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..010654c 100644 +index 8b40377..b4908dd 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32301,7 +32301,7 @@ index 8b40377..010654c 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +559,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -32346,6 +32346,7 @@ index 8b40377..010654c 100644 dev_setattr_power_mgmt_dev(xdm_t) +dev_getattr_null_dev(xdm_t) +dev_setattr_null_dev(xdm_t) ++dev_read_nvme(xdm_t) domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. @@ -32355,7 +32356,7 @@ index 8b40377..010654c 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +612,30 @@ files_list_mnt(xdm_t) +@@ -431,9 +613,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -32386,7 +32387,7 @@ index 8b40377..010654c 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +644,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +645,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
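Review bot: `dev_read_nvme(xdm_t)` grants the display-manager domain read access to NVMe devices, yet the only changelog entry it can correspond to reads "Allow gvfs to read /dev/nvme* devices BZ(1380951)", so the domain named in the rule and the domain named in the summary disagree. If gvfs in that report was running in xdm_t, record that above the rule, e.g. `# BZ(1380951): gvfs running as xdm_t reads /dev/nvme* devices`; if it was not, the grant belongs on the gvfs domain rather than the login manager. Read access to raw block devices is a wide grant for xdm_t, so the justification is worth keeping next to the rule rather than only in the spec changelog.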
@@ -32437,7 +32438,7 @@ index 8b40377..010654c 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +692,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +693,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -32607,7 +32608,7 @@ index 8b40377..010654c 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +861,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +862,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -32639,7 +32640,7 @@ index 8b40377..010654c 100644 ') optional_policy(` -@@ -518,8 +896,36 @@ optional_policy(` +@@ -518,8 +897,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -32677,7 +32678,7 @@ index 8b40377..010654c 100644 ') ') -@@ -530,6 +936,20 @@ optional_policy(` +@@ -530,6 +937,20 @@ optional_policy(` ') optional_policy(` @@ -32698,7 +32699,7 @@ index 8b40377..010654c 100644 hostname_exec(xdm_t) ') -@@ -547,28 +967,78 @@ optional_policy(` +@@ -547,28 +968,78 @@ optional_policy(` ') optional_policy(` @@ -32786,7 +32787,7 @@ index 8b40377..010654c 100644 ') optional_policy(` -@@ -580,6 +1050,14 @@ optional_policy(` +@@ -580,6 +1051,14 @@ optional_policy(` ') optional_policy(` @@ -32801,7 +32802,7 @@ index 8b40377..010654c 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1072,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1073,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; 
@@ -32810,7 +32811,7 @@ index 8b40377..010654c 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1082,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1083,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -32823,7 +32824,7 @@ index 8b40377..010654c 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1099,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1100,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -32839,7 +32840,7 @@ index 8b40377..010654c 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1115,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1116,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -32850,7 +32851,7 @@ index 8b40377..010654c 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1130,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1131,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -32892,7 +32893,7 @@ index 8b40377..010654c 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1181,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1182,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -32924,7 +32925,7 @@ index 8b40377..010654c 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1214,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1215,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -32939,7 +32940,7 @@ index 8b40377..010654c 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1235,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1236,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -32963,7 +32964,7 @@ index 8b40377..010654c 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1254,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1255,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -32972,7 +32973,7 @@ index 8b40377..010654c 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1298,54 @@ optional_policy(` +@@ -785,17 +1299,54 @@ optional_policy(` ') optional_policy(` @@ -33029,7 +33030,7 @@ index 8b40377..010654c 100644 ') optional_policy(` -@@ -803,6 +1353,10 @@ optional_policy(` +@@ -803,6 +1354,10 @@ optional_policy(` ') optional_policy(` @@ -33040,7 +33041,7 @@ index 8b40377..010654c 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1372,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1373,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -33065,7 +33066,7 @@ index 8b40377..010654c 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1395,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1396,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -33100,7 +33101,7 @@ index 8b40377..010654c 100644 ') optional_policy(` -@@ -912,7 +1460,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1461,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -33109,7 +33110,7 @@ index 8b40377..010654c 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1514,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1515,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -33141,7 +33142,7 @@ index 8b40377..010654c 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1560,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1561,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -42422,7 +42423,7 @@ index 58bc27f..9e86fce 100644 + + diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 79048c4..a6a1d12 100644 +index 79048c4..262c9ec 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -42658,7 +42659,7 @@ index 79048c4..a6a1d12 100644 ') optional_policy(` -+ docker_rw_sem(lvm_t) ++ container_rw_sem(lvm_t) +') + +optional_policy(` @@ -49099,7 +49100,7 @@ index 0000000..16cd1ac +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f2c6d14 +index 0000000..bd6672d --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,971 @@ @@ -49446,8 +49447,8 @@ index 0000000..f2c6d14 +') + +optional_policy(` -+ docker_read_share_files(systemd_machined_t) -+ docker_spc_read_state(systemd_machined_t) ++ container_read_share_files(systemd_machined_t) ++ container_spc_read_state(systemd_machined_t) +') + +optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c0c7d57..48b201d 100644 --- a/policy-rawhide-contrib.patch 
+++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..5f57515 100644 +index eb50f07..a308065 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -873,7 +873,7 @@ index eb50f07..5f57515 100644 ') optional_policy(` -+ docker_stream_connect(abrt_t) ++ container_stream_connect(abrt_t) +') + +optional_policy(` @@ -1070,7 +1070,7 @@ index eb50f07..5f57515 100644 -allow abrt_dump_oops_t self:capability dac_override; +allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid }; -+allow abrt_dump_oops_t self:cap_userns { kill }; ++allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace }; +allow abrt_dump_oops_t self:process setfscreate; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; -allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; @@ -5492,7 +5492,7 @@ index f6eb485..757b864 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..4cb64e5 100644 +index 6649962..248b38c 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6210,7 +6210,7 @@ index 6649962..4cb64e5 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +575,176 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +575,177 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6277,6 +6277,7 @@ index 6649962..4cb64e5 100644 -fs_search_auto_mountpoints(httpd_t) +fs_rw_anon_inodefs_files(httpd_t) +fs_rw_hugetlbfs_files(httpd_t) ++fs_list_inotifyfs(httpd_t) + +auth_use_nsswitch(httpd_t) + 
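Review bot: `allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace };` adds a new capability to the oops dumper, and neither the hunk nor the changelog in the commit message mentions it (the changelog only lists the pegasus sys_ptrace addition). A capability that lifts the ptrace and /proc access restrictions on other processes inside a user namespace should carry a one-line justification so it can be re-checked later, e.g. `# sys_ptrace in cap_userns: <operation that produced the AVC> (BZ <id>)` with the real bug id filled in, plus a changelog line. The abrt.te hunk is a top-level rule block, so no enclosing definition is cut here.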
@@ -6451,7 +6452,7 @@ index 6649962..4cb64e5 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +756,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6511,7 +6512,7 @@ index 6649962..4cb64e5 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +808,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6614,7 +6615,7 @@ index 6649962..4cb64e5 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +867,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6695,7 +6696,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -749,24 +919,32 @@ optional_policy(` +@@ -749,24 +920,32 @@ optional_policy(` ') optional_policy(` @@ -6734,7 +6735,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -775,6 +953,10 @@ optional_policy(` +@@ -775,6 +954,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6745,7 +6746,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -786,35 +968,60 @@ optional_policy(` +@@ -786,35 +969,60 @@ optional_policy(` ') optional_policy(` @@ -6819,7 +6820,7 @@ index 6649962..4cb64e5 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1029,30 @@ optional_policy(` +@@ -822,8 +1030,30 @@ optional_policy(` ') optional_policy(` @@ -6850,7 +6851,7 @@ index 6649962..4cb64e5 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1061,8 @@ optional_policy(` +@@ -832,6 +1062,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) 
@@ -6859,7 +6860,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -842,20 +1073,44 @@ optional_policy(` +@@ -842,20 +1074,44 @@ optional_policy(` ') optional_policy(` @@ -6910,7 +6911,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -863,16 +1118,31 @@ optional_policy(` +@@ -863,16 +1119,31 @@ optional_policy(` ') optional_policy(` @@ -6944,7 +6945,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -883,65 +1153,189 @@ optional_policy(` +@@ -883,65 +1154,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7156,7 +7157,7 @@ index 6649962..4cb64e5 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1344,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1345,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7310,7 +7311,7 @@ index 6649962..4cb64e5 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1429,107 @@ optional_policy(` +@@ -1083,172 +1430,107 @@ optional_policy(` ') ') @@ -7548,7 +7549,7 @@ index 6649962..4cb64e5 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1537,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1538,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7645,7 +7646,7 @@ index 6649962..4cb64e5 100644 ######################################## # -@@ -1321,8 +1612,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1613,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7662,7 +7663,7 @@ index 6649962..4cb64e5 100644 ') ######################################## -@@ -1330,49 +1628,40 @@ optional_policy(` +@@ -1330,49 +1629,40 @@ optional_policy(` # User content local policy # 
@@ -7728,7 +7729,7 @@ index 6649962..4cb64e5 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1671,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1672,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -14958,7 +14959,7 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 5f306dd..e01156f 100644 +index 5f306dd..578b615 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) @@ -15042,7 +15043,7 @@ index 5f306dd..e01156f 100644 ') optional_policy(` -@@ -192,13 +206,13 @@ optional_policy(` +@@ -192,13 +206,14 @@ optional_policy(` ') optional_policy(` @@ -15057,6 +15058,7 @@ index 5f306dd..e01156f 100644 - tftp_manage_config_files(cobblerd_t) - tftp_etc_filetrans_config(cobblerd_t, file, "tftp") + tftp_manage_config(cobblerd_t) ++ tftp_delete_content_dirs(cobblerd_t) tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) ') diff --git a/cockpit.fc b/cockpit.fc @@ -15273,7 +15275,7 @@ index 0000000..d5920c0 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..23ebc59 +index 0000000..e7b8c7e --- /dev/null +++ b/cockpit.te @@ -0,0 +1,115 @@ @@ -15336,8 +15338,8 @@ index 0000000..23ebc59 +manage_sock_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t) +files_pid_filetrans(cockpit_ws_t, cockpit_var_run_t, { file dir sock_file }) + -+read_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) -+list_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) ++manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) ++manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) + +auth_use_nsswitch(cockpit_ws_t) + 
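Review bot: Replacing `read_files_pattern`/`list_dirs_pattern` with `manage_files_pattern`/`manage_dirs_pattern` on cockpit_var_lib_t gives cockpit_ws_t create, rename and unlink on top of write, and the hunk gives no hint which of those BZ(1375156) actually required. If the bug only involved writing existing files, `rw_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)` is the narrower grant; if full manage is genuinely needed, record why above the two rules, e.g. `# BZ(1375156): cockpit-ws needs full manage of cockpit_var_lib_t for <reason>`. The cobbler.te hunk on this line (`tftp_delete_content_dirs(cobblerd_t)`) is fine as a call but see the naming note on the tftp.if hunk that defines it.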
@@ -26631,7 +26633,7 @@ index d5badb7..c2431fc 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e..315aa2f 100644 +index 0aabc7e..3d8233b 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -26702,7 +26704,7 @@ index 0aabc7e..315aa2f 100644 corecmd_exec_bin(dovecot_domain) corecmd_exec_shell(dovecot_domain) -@@ -81,26 +79,34 @@ dev_read_sysfs(dovecot_domain) +@@ -81,26 +79,36 @@ dev_read_sysfs(dovecot_domain) dev_read_rand(dovecot_domain) dev_read_urand(dovecot_domain) @@ -26731,6 +26733,8 @@ index 0aabc7e..315aa2f 100644 +domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) + +allow dovecot_t dovecot_auth_t:process signal; ++ ++allow dovecot_t dovecot_deliver_t:process signull; allow dovecot_t dovecot_cert_t:dir list_dir_perms; -allow dovecot_t dovecot_cert_t:file read_file_perms; @@ -26747,7 +26751,7 @@ index 0aabc7e..315aa2f 100644 allow dovecot_t dovecot_keytab_t:file read_file_perms; -@@ -108,12 +114,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) +@@ -108,12 +116,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) 
@@ -26764,19 +26768,19 @@ index 0aabc7e..315aa2f 100644 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -@@ -125,45 +132,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +@@ -125,45 +134,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) -- ++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file }) + -can_exec(dovecot_t, dovecot_exec_t) - -allow dovecot_t dovecot_auth_t:process signal; - -domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) -+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file }) - +- -corenet_all_recvfrom_unlabeled(dovecot_t) corenet_all_recvfrom_netlabel(dovecot_t) corenet_tcp_sendrecv_generic_if(dovecot_t) @@ -26821,7 +26825,7 @@ index 0aabc7e..315aa2f 100644 init_getattr_utmp(dovecot_t) -@@ -171,45 +168,44 @@ auth_use_nsswitch(dovecot_t) +@@ -171,45 +170,44 @@ auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) @@ -26885,7 +26889,7 @@ index 0aabc7e..315aa2f 100644 sendmail_domtrans(dovecot_t) ') -@@ -227,46 +223,69 @@ optional_policy(` +@@ -227,46 +225,69 @@ optional_policy(` ######################################## # @@ -26964,7 +26968,7 @@ index 0aabc7e..315aa2f 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -277,53 +296,79 @@ optional_policy(` +@@ -277,53 +298,79 @@ optional_policy(` ') optional_policy(` 
@@ -27063,7 +27067,7 @@ index 0aabc7e..315aa2f 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -332,5 +377,6 @@ optional_policy(` +@@ -332,5 +379,6 @@ optional_policy(` ') optional_policy(` @@ -29024,7 +29028,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..a30b953 100644 +index 98072a3..ee152e2 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -29102,7 +29106,12 @@ index 98072a3..a30b953 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +115,10 @@ optional_policy(` +@@ -91,10 +111,15 @@ optional_policy(` + + optional_policy(` + networkmanager_dbus_chat(firewalld_t) ++ networkmanager_stream_connect(firewalld_t) + ') ') optional_policy(` @@ -69076,7 +69085,7 @@ index 0000000..fa4cfaa Binary files /dev/null and b/pcp.pp differ diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..f302fd8 +index 0000000..d6fdef6 --- /dev/null +++ b/pcp.te @@ -0,0 +1,297 @@ @@ -69238,7 +69247,7 @@ index 0000000..f302fd8 +') + +optional_policy(` -+ docker_manage_lib_files(pcp_pmcd_t) ++ container_manage_lib_files(pcp_pmcd_t) +') + +optional_policy(` @@ -69814,7 +69823,7 @@ index d2fc677..86dce34 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..bc31081 100644 +index 608f454..270648d 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) 
@@ -70157,7 +70166,8 @@ index 608f454..bc31081 100644 +# pegasus local policy # - allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; +-allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; ++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service sys_ptrace }; dontaudit pegasus_t self:capability sys_tty_config; -allow pegasus_t self:process signal; +allow pegasus_t self:process { setsched signal }; @@ -90304,6 +90314,16 @@ index 0000000..da94453 + #unconfined_domain(rolekit_t) + domain_named_filetrans(rolekit_t) +') +diff --git a/roundup.fc b/roundup.fc +index 6f05cd0..dc2a9aa 100644 +--- a/roundup.fc ++++ b/roundup.fc +@@ -2,4 +2,4 @@ + + /usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0) + +-/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0) ++/var/lib/roundup(/.*)? gen_context(system_u:object_r:roundup_var_lib_t,s0) diff --git a/roundup.if b/roundup.if index 975bb6a..ce4f5ea 100644 --- a/roundup.if @@ -90322,10 +90342,14 @@ index 975bb6a..ce4f5ea 100644 init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) diff --git a/roundup.te b/roundup.te -index ccb5991..189ac01 100644 +index ccb5991..fa10c5a 100644 --- a/roundup.te +++ b/roundup.te -@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t) +@@ -38,10 +38,10 @@ files_pid_filetrans(roundup_t, roundup_var_run_t, file) + kernel_read_kernel_sysctls(roundup_t) + kernel_list_proc(roundup_t) + kernel_read_proc_symlinks(roundup_t) ++kernel_read_system_state(roundup_t) corecmd_exec_bin(roundup_t) 
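Review bot: The rewritten `allow pegasus_t self:capability { ... sys_ptrace };` line grants the CIM server sys_ptrace without a comment naming the operation that was denied, and the matching changelog entry ("Add sys_ptrace capability to pegasus domain") carries no bug reference. sys_ptrace is the Linux capability that bypasses ptrace and /proc access restrictions on other users' processes, so it is one a reviewer will want to revisit; a note such as `# sys_ptrace: <operation that produced the AVC>, BZ <id>` above the rule makes that possible. The same page adds sys_ptrace to abrt_dump_oops_t in the abrt.te hunk, likewise without justification.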
@@ -90333,7 +90357,7 @@ index ccb5991..189ac01 100644 corenet_all_recvfrom_netlabel(roundup_t) corenet_tcp_sendrecv_generic_if(roundup_t) corenet_tcp_sendrecv_generic_node(roundup_t) -@@ -60,16 +59,11 @@ dev_read_urand(roundup_t) +@@ -60,19 +60,19 @@ dev_read_urand(roundup_t) domain_use_interactive_fds(roundup_t) @@ -90350,11 +90374,19 @@ index ccb5991..189ac01 100644 sysnet_dns_name_resolve(roundup_t) userdom_dontaudit_use_unpriv_user_fds(roundup_t) ++ ++optional_policy(` ++ apache_search_config(roundup_t) ++') ++ + userdom_dontaudit_search_user_home_dirs(roundup_t) + + optional_policy(` diff --git a/rpc.fc b/rpc.fc -index a6fb30c..38a2f09 100644 +index a6fb30c..3148280 100644 --- a/rpc.fc +++ b/rpc.fc -@@ -1,12 +1,23 @@ +@@ -1,12 +1,25 @@ -/etc/exports -- gen_context(system_u:object_r:exports_t,s0) +# +# /etc @@ -90372,19 +90404,21 @@ index a6fb30c..38a2f09 100644 -/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) ++/usr/lib/systemd/system-generators/nfs.* -- gen_context(system_u:object_r:nfsd_exec_t,s0) + +# +# /sbin +# +/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) +/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - ++ +# +# /usr +# /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -@@ -16,7 +27,12 @@ +@@ -16,7 +29,12 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) @@ -107737,7 +107771,7 @@ index 3dd87da..0d13384 100644 -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff --git a/tftp.if b/tftp.if -index 9957e30..cd21321 100644 +index 9957e30..51af586 100644 --- a/tftp.if +++ b/tftp.if @@ -1,8 +1,8 @@ 
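Review bot: The new `optional_policy(` block calling `apache_search_config(roundup_t)` is inserted between `userdom_dontaudit_use_unpriv_user_fds(roundup_t)` and `userdom_dontaudit_search_user_home_dirs(roundup_t)`, splitting the run of unconditional userdom_ rules, whereas refpolicy convention keeps optional_policy blocks together after the unconditional rules. Move the three lines `optional_policy(` / `	apache_search_config(roundup_t)` / `')` below `userdom_dontaudit_search_user_home_dirs(roundup_t)`, adjacent to the existing `optional_policy(` that follows it. That existing block's body lies past the end of this hunk and is not visible here.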
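Review bot: `/usr/lib/systemd/system-generators/nfs.* -- gen_context(system_u:object_r:nfsd_exec_t,s0)` labels systemd generators with a daemon's entrypoint type, and this change appears nowhere in the commit's changelog. Generators are run by systemd itself early in boot; if nfsd_t is declared with init_daemon_domain (its .te file is not on this page), init will transition into nfsd_t when it executes the generator, which is plausibly intended but should be stated, e.g. `# NFS systemd generators run in nfsd_t (<reason>)`. Note also that the unescaped `.` in `nfs.*` matches any character, unlike the `rpc\..*` style used on the neighbouring lines; if only names beginning with `nfs-` are meant, `nfs-.*` is the more precise pattern.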
@@ -107751,17 +107785,13 @@ index 9957e30..cd21321 100644 ## ## ## -@@ -13,18 +13,21 @@ +@@ -13,18 +13,40 @@ interface(`tftp_read_content',` gen_require(` type tftpdir_t; + type tftpdir_rw_t; - ') - -- files_search_var_lib($1) -- allow $1 tftpdir_t:dir list_dir_perms; -- allow $1 tftpdir_t:file read_file_perms; -- allow $1 tftpdir_t:lnk_file read_lnk_file_perms; ++ ') ++ + list_dirs_pattern($1, tftpdir_t, tftpdir_t) + read_files_pattern($1, tftpdir_t, tftpdir_t) + read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) 
@@ -107769,46 +107799,68 @@ index 9957e30..cd21321 100644 + list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++') ++ ++######################################## ++## ++## Search tftp /var/lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tftp_search_rw_content',` ++ gen_require(` ++ type tftpdir_rw_t; + ') + ++ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + files_search_var_lib($1) +- allow $1 tftpdir_t:dir list_dir_perms; +- allow $1 tftpdir_t:file read_file_perms; +- allow $1 tftpdir_t:lnk_file read_lnk_file_perms; ') ######################################## ## -## Create, read, write, and delete -## tftp rw content. -+## Search tftp /var/lib directories. ++## Allow read tftp /var/lib files. ## ## ## -@@ -32,20 +35,18 @@ interface(`tftp_read_content',` +@@ -32,20 +54,18 @@ interface(`tftp_read_content',` ## ## # -interface(`tftp_manage_rw_content',` -+interface(`tftp_search_rw_content',` ++interface(`tftp_read_rw_content',` gen_require(` type tftpdir_rw_t; ') -+ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) files_search_var_lib($1) - allow $1 tftpdir_rw_t:dir manage_dir_perms; - allow $1 tftpdir_rw_t:file manage_file_perms; - allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms; ++ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ') ######################################## ## -## Read tftpd configuration files. -+## Allow read tftp /var/lib files. ++## Allow write tftp /var/lib files. ## ## ## -@@ -53,19 +54,18 @@ interface(`tftp_manage_rw_content',` +@@ -53,19 +73,18 @@ interface(`tftp_manage_rw_content',` ## ## # -interface(`tftp_read_config_files',` -+interface(`tftp_read_rw_content',` ++interface(`tftp_write_rw_content',` gen_require(` - type tftpd_conf_t; + type tftpdir_rw_t; 
@@ -107817,23 +107869,23 @@ index 9957e30..cd21321 100644 - files_search_etc($1) - allow $1 tftpd_conf_t:file read_file_perms; + files_search_var_lib($1) -+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ') ######################################## ## -## Create, read, write, and delete -## tftpd configuration files. -+## Allow write tftp /var/lib files. ++## Manage tftp /var/lib files. ## ## ## -@@ -73,55 +73,83 @@ interface(`tftp_read_config_files',` +@@ -73,55 +92,83 @@ interface(`tftp_read_config_files',` ## ## # -interface(`tftp_manage_config_files',` -+interface(`tftp_write_rw_content',` ++interface(`tftp_manage_rw_content',` gen_require(` - type tftpd_conf_t; + type tftpdir_rw_t; @@ -107842,7 +107894,8 @@ index 9957e30..cd21321 100644 - files_search_etc($1) - allow $1 tftpd_conf_t:file manage_file_perms; + files_search_var_lib($1) -+ write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ') ######################################## @@ -107859,14 +107912,13 @@ index 9957e30..cd21321 100644 ## -## +# -+interface(`tftp_manage_rw_content',` ++interface(`tftp_delete_content_dirs',` + gen_require(` + type tftpdir_rw_t; + ') + + files_search_var_lib($1) -+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ delete_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) +') + +######################################## @@ -107928,7 +107980,7 @@ index 9957e30..cd21321 100644 ## ## Private file type. ## -@@ -131,25 +159,38 @@ interface(`tftp_etc_filetrans_config',` +@@ -131,25 +178,38 @@ interface(`tftp_etc_filetrans_config',` ## Class of the object being created. ## ## 
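Review bot: The new interface `tftp_delete_content_dirs` acts only on `tftpdir_rw_t` (`delete_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)`), yet its name lacks the `_rw_content` qualifier that every sibling interface in this hunk uses for that type (`tftp_search_rw_content`, `tftp_read_rw_content`, `tftp_write_rw_content`, `tftp_manage_rw_content`), so a caller could read it as also covering `tftpdir_t` content. Because the interface is introduced by this commit, renaming it to `tftp_delete_rw_content_dirs` costs nothing now; otherwise its summary block should name the type explicitly. The summary text for that interface is not visible in this excerpt, and the hunk's line breaks are collapsed, so the exact header position is inferred.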
@@ -107975,7 +108027,7 @@ index 9957e30..cd21321 100644 ## ## ## -@@ -161,18 +202,22 @@ interface(`tftp_filetrans_tftpdir',` +@@ -161,18 +221,22 @@ interface(`tftp_filetrans_tftpdir',` interface(`tftp_admin',` gen_require(` type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; @@ -108625,10 +108677,10 @@ index 0000000..9524b50 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..e80cde4 +index 0000000..3f3a239 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,162 @@ +@@ -0,0 +1,165 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -108730,6 +108782,9 @@ index 0000000..e80cde4 + +sysnet_read_config(thumb_t) + ++ ++term_dontaudit_use_unallocated_ttys(thumb_t) ++ +userdom_dontaudit_setattr_user_tmp(thumb_t) +userdom_read_user_tmp_files(thumb_t) +userdom_read_user_home_content_files(thumb_t) @@ -111903,10 +111958,10 @@ index a4f20bc..d8b1fd1 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..58c4c51 100644 +index facdee8..31f7fd1 100644 --- a/virt.if +++ b/virt.if -@@ -1,120 +1,104 @@ +@@ -1,120 +1,110 @@ -## Libvirt virtualization API. +## Libvirt virtualization API @@ -111930,8 +111985,10 @@ index facdee8..58c4c51 100644 - attribute_role virt_domain_roles; - attribute virt_image_type, virt_domain, virt_tmpfs_type; - attribute virt_ptynode, virt_tmp_type; -- ') -- ++ type virtd_lxc_t; + ') ++') + - ######################################## - # - # Declarations 
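Review bot: The new `term_dontaudit_use_unallocated_ttys(thumb_t)` in thumb.te is added together with an extra `++` blank line, leaving two consecutive blank lines before it; drop one to match the rest of the file. Since a dontaudit removes the denial from the audit log for good, a short why-comment next to it would help whoever later wonders why tty access by the thumbnailer is silent, e.g. `# tty fds inherited from the caller are not needed; silence rather than allow` — hedged, as the rule alone does not say which leak is being suppressed. The other hunks on this physical line only renumber hunk headers and need no review.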
@@ -111956,7 +112013,19 @@ index facdee8..58c4c51 100644 - - optional_policy(` - pulseaudio_tmpfs_content($1_tmpfs_t) -+ type virtd_lxc_t; ++######################################## ++## ++## svirt_sandbox_domain attribute stub interface. No access allowed. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_stub_svirt_sandbox_domain',` ++ gen_require(` ++ attribute svirt_sandbox_domain; ') +') @@ -111996,7 +112065,7 @@ index facdee8..58c4c51 100644 - pulseaudio_run($1_t, virt_domain_roles) +######################################## +## -+## svirt_sandbox_domain attribute stub interface. No access allowed. ++## container_image_t stub interface. No access allowed. +## +## +## @@ -112004,27 +112073,17 @@ index facdee8..58c4c51 100644 +## +## +# -+interface(`virt_stub_svirt_sandbox_domain',` ++interface(`virt_stub_container_image',` + gen_require(` -+ attribute svirt_sandbox_domain; ++ type container_image_t; ') +') - optional_policy(` - xserver_rw_shm($1_t) -+######################################## -+## -+## svirt_sandbox_file_t stub interface. No access allowed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# +interface(`virt_stub_svirt_sandbox_file',` + gen_require(` -+ type svirt_sandbox_file_t; ++ type container_image_t; ') ') @@ -112094,7 +112153,7 @@ index facdee8..58c4c51 100644 ## ## # -@@ -125,31 +109,32 @@ interface(`virt_image',` +@@ -125,31 +115,32 @@ interface(`virt_image',` typeattribute $1 virt_image_type; files_type($1) @@ -112139,7 +112198,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -157,95 +142,71 @@ interface(`virt_domtrans',` +@@ -157,95 +148,71 @@ interface(`virt_domtrans',` ## ## # @@ -112259,7 +112318,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -253,17 +214,18 @@ interface(`virt_run_virt_domain',` +@@ -253,17 +220,18 @@ interface(`virt_run_virt_domain',` ## ## # 
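Review bot: The header block for `virt_stub_svirt_sandbox_file` appears to be dropped by this hunk — the `-+##` lines that carried its summary and parameter description are removed while the `interface(`virt_stub_svirt_sandbox_file',`` definition stays — so the resulting virt.if has an undocumented interface immediately after `virt_stub_container_image`'s closing `')`. Both stubs now `gen_require` the same `container_image_t`, so the old-named one reads as a duplicate kept for callers of the previous type name; a restored header saying so would make that intent explicit, e.g. `## svirt_sandbox_file_t stub interface, kept for compatibility with container_image_t callers. No access allowed.` followed by the usual `## Domain allowed access.` parameter block. If the stub exists only for old callers, stating that in the summary lets it be retired later. Line breaks in this hunk are collapsed, so the position is inferred from marker order.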
@@ -112283,7 +112342,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -271,48 +233,36 @@ interface(`virt_signal_all_virt_domains',` +@@ -271,48 +239,36 @@ interface(`virt_signal_all_virt_domains',` ## ## # @@ -112343,7 +112402,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -320,18 +270,18 @@ interface(`virt_run_svirt_lxc_domain',` +@@ -320,18 +276,18 @@ interface(`virt_run_svirt_lxc_domain',` ## ## # @@ -112368,7 +112427,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -339,18 +289,18 @@ interface(`virt_getattr_virtd_exec_files',` +@@ -339,18 +295,18 @@ interface(`virt_getattr_virtd_exec_files',` ## ## # @@ -112392,7 +112451,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -358,18 +308,20 @@ interface(`virt_stream_connect',` +@@ -358,18 +314,20 @@ interface(`virt_stream_connect',` ## ## # @@ -112418,7 +112477,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -377,22 +329,20 @@ interface(`virt_attach_tun_iface',` +@@ -377,22 +335,20 @@ interface(`virt_attach_tun_iface',` ## ## # @@ -112446,7 +112505,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -400,22 +350,17 @@ interface(`virt_read_config',` +@@ -400,22 +356,17 @@ interface(`virt_read_config',` ## ## # @@ -112473,7 +112532,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -434,6 +379,7 @@ interface(`virt_read_content',` +@@ -434,6 +385,7 @@ interface(`virt_read_content',` read_files_pattern($1, virt_content_t, virt_content_t) read_lnk_files_pattern($1, virt_content_t, virt_content_t) read_blk_files_pattern($1, virt_content_t, virt_content_t) @@ -112481,7 +112540,7 @@ index facdee8..58c4c51 100644 tunable_policy(`virt_use_nfs',` fs_list_nfs($1) -@@ -450,8 +396,7 @@ interface(`virt_read_content',` +@@ -450,8 +402,7 @@ interface(`virt_read_content',` ######################################## ## @@ -112491,7 +112550,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -459,35 +404,17 @@ interface(`virt_read_content',` +@@ -459,35 +410,17 @@ interface(`virt_read_content',` ## ## # 
@@ -112530,7 +112589,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -495,53 +422,38 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +428,38 @@ interface(`virt_manage_virt_content',` ## ## # @@ -112595,7 +112654,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -549,34 +461,21 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,34 +467,21 @@ interface(`virt_home_filetrans_virt_content',` ## ## # @@ -112638,7 +112697,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -584,32 +483,36 @@ interface(`virt_manage_svirt_home_content',` +@@ -584,32 +489,36 @@ interface(`virt_manage_svirt_home_content',` ## ## # @@ -112687,7 +112746,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -618,54 +521,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +527,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # @@ -112751,7 +112810,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -673,107 +558,607 @@ interface(`virt_home_filetrans',` +@@ -673,107 +564,607 @@ interface(`virt_home_filetrans',` ## ## # @@ -113106,15 +113165,15 @@ index facdee8..58c4c51 100644 +# +interface(`virt_exec_sandbox_files',` + gen_require(` -+ type svirt_sandbox_file_t; ++ type container_image_t; + ') + -+ can_exec($1, svirt_sandbox_file_t) ++ can_exec($1, container_image_t) +') + +######################################## +## -+## Allow any svirt_sandbox_file_t to be an entrypoint of this domain ++## Allow any container_image_t to be an entrypoint of this domain +## +## +## @@ -113125,9 +113184,9 @@ index facdee8..58c4c51 100644 +# +interface(`virt_sandbox_entrypoint',` + gen_require(` -+ type svirt_sandbox_file_t; ++ type container_image_t; + ') -+ allow $1 svirt_sandbox_file_t:file entrypoint; ++ allow $1 container_image_t:file entrypoint; +') + +####################################### 
@@ -113142,12 +113201,12 @@ index facdee8..58c4c51 100644 +# +interface(`virt_read_sandbox_files',` + gen_require(` -+ type svirt_sandbox_file_t; ++ type container_image_t; + ') + -+ list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) -+ read_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) -+ read_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ list_dirs_pattern($1, container_image_t, container_image_t) ++ read_files_pattern($1, container_image_t, container_image_t) ++ read_lnk_files_pattern($1, container_image_t, container_image_t) +') + +####################################### @@ -113162,15 +113221,15 @@ index facdee8..58c4c51 100644 +# +interface(`virt_manage_sandbox_files',` + gen_require(` -+ type svirt_sandbox_file_t; ++ type container_image_t; + ') + -+ manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) -+ manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) -+ manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) -+ manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) -+ manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) -+ allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto }; ++ manage_dirs_pattern($1, container_image_t, container_image_t) ++ manage_files_pattern($1, container_image_t, container_image_t) ++ manage_fifo_files_pattern($1, container_image_t, container_image_t) ++ manage_chr_files_pattern($1, container_image_t, container_image_t) ++ manage_lnk_files_pattern($1, container_image_t, container_image_t) ++ allow $1 container_image_t:dir_file_class_set { relabelfrom relabelto }; +') + +####################################### 
@@ -113185,10 +113244,10 @@ index facdee8..58c4c51 100644 +# +interface(`virt_getattr_sandbox_filesystem',` + gen_require(` -+ type svirt_sandbox_file_t; ++ type container_image_t; + ') + -+ allow $1 svirt_sandbox_file_t:filesystem getattr; ++ allow $1 container_image_t:filesystem getattr; +') + +####################################### @@ -113203,10 +113262,10 @@ index facdee8..58c4c51 100644 +# +interface(`virt_relabel_sandbox_filesystem',` + gen_require(` -+ type svirt_sandbox_file_t; ++ type container_image_t; + ') + -+ allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto }; ++ allow $1 container_image_t:filesystem { relabelfrom relabelto }; +') + +####################################### @@ -113221,10 +113280,10 @@ index facdee8..58c4c51 100644 +# +interface(`virt_mounton_sandbox_file',` + gen_require(` -+ type svirt_sandbox_file_t; ++ type container_image_t; + ') + -+ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton; ++ allow $1 container_image_t:dir_file_class_set mounton; +') + +####################################### @@ -113240,11 +113299,11 @@ index facdee8..58c4c51 100644 +interface(`virt_stream_connect_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; -+ type svirt_sandbox_file_t; ++ type container_image_t; + ') + + files_search_pids($1) -+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) ++ stream_connect_pattern($1, container_image_t, container_image_t, svirt_sandbox_domain) + ps_process_pattern(svirt_sandbox_domain, $1) +') + @@ -113404,7 +113463,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -781,19 +1166,17 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +1172,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # @@ -113428,7 +113487,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -801,18 +1184,17 @@ interface(`virt_read_pid_files',` +@@ -801,18 +1190,17 @@ interface(`virt_read_pid_files',` ## ## # 
@@ -113451,7 +113510,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -820,18 +1202,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +1208,17 @@ interface(`virt_manage_pid_files',` ## ## # @@ -113474,7 +113533,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -839,192 +1220,243 @@ interface(`virt_search_lib',` +@@ -839,192 +1226,243 @@ interface(`virt_search_lib',` ## ## # @@ -113798,7 +113857,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -1032,20 +1464,17 @@ interface(`virt_read_images',` +@@ -1032,20 +1470,17 @@ interface(`virt_read_images',` ## ## # @@ -113823,7 +113882,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -1053,15 +1482,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1488,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -113846,7 +113905,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -1069,21 +1500,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1506,17 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -113872,7 +113931,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -1091,36 +1518,18 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1524,18 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -113914,7 +113973,7 @@ index facdee8..58c4c51 100644 ## ## ## -@@ -1136,50 +1545,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1551,76 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -114024,10 +114083,10 @@ index facdee8..58c4c51 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..36bc283 100644 +index f03dcf5..d369e60 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,402 @@ +@@ -1,451 +1,400 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) 
@@ -114583,28 +114642,27 @@ index f03dcf5..36bc283 100644 -optional_policy(` - dbus_read_lib_files(virt_domain) -') +- +-optional_policy(` +- nscd_use(virt_domain) +-') +type virtd_lxc_t, virt_system_domain; +type virtd_lxc_exec_t, virt_file_type; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) -optional_policy(` -- nscd_use(virt_domain) +- samba_domtrans_smbd(virt_domain) -') +type virt_lxc_var_run_t, virt_file_type; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; -optional_policy(` -- samba_domtrans_smbd(virt_domain) --') -+# virt lxc container files -+type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; -+files_mountpoint(svirt_sandbox_file_t) - --optional_policy(` - xen_rw_image_files(virt_domain) -') -+type container_image_t; ++# virt lxc container files ++type container_image_t, svirt_file_type; ++typealias container_image_t alias { svirt_sandbox_file_t svirt_lxc_file_t }; +files_mountpoint(container_image_t) ######################################## @@ -114617,17 +114675,17 @@ index f03dcf5..36bc283 100644 - -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; -- ++allow svirt_t self:process ptrace; + -append_files_pattern(svirt_t, virt_home_t, virt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -+allow svirt_t self:process ptrace; - --filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +- -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) 
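Review bot: Folding `svirt_sandbox_file_t` into `container_image_t` via `typealias container_image_t alias { svirt_sandbox_file_t svirt_lxc_file_t }` merges two types the previous version declared separately (`type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type;` versus a bare `type container_image_t;`) and gave different access: the svirt_sandbox_domain hunks later on this page (L37–L38) grant manage, relabelfrom/relabelto, mounton and `filesystem { getattr remount }` on the former `svirt_sandbox_file_t`, while the former `container_image_t` had only list/read/exec/execmod. Content already labeled `container_image_t` on deployed systems therefore becomes fully writable and relabelable by sandboxed domains after this update, and the type also newly carries the `svirt_file_type` attribute. If that widening is intended, a comment at the declaration would save the next reviewer the same analysis, e.g. `# container_image_t is the single type for container rootfs content; svirt_sandbox_file_t and svirt_lxc_file_t are compatibility aliases.`; if not, the read/exec-only image type should stay a distinct type. This is read from a collapsed hunk, so please confirm against the full virt.te.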
@@ -114740,7 +114798,7 @@ index f03dcf5..36bc283 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +406,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +404,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -114787,7 +114845,7 @@ index f03dcf5..36bc283 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +441,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +439,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -114820,7 +114878,7 @@ index f03dcf5..36bc283 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +466,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +464,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -114848,7 +114906,7 @@ index f03dcf5..36bc283 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +486,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +484,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -114879,7 +114937,7 @@ index f03dcf5..36bc283 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +538,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +536,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -114899,7 +114957,7 @@ index f03dcf5..36bc283 100644 selinux_validate_context(virtd_t) -@@ -620,18 +560,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +558,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -114936,7 +114994,7 @@ index f03dcf5..36bc283 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +588,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +586,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -114945,7 +115003,7 @@ index f03dcf5..36bc283 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +613,12 @@ optional_policy(` +@@ -665,20 +611,12 @@ optional_policy(` ') optional_policy(` @@ -114966,7 +115024,7 @@ index f03dcf5..36bc283 100644 ') optional_policy(` -@@ -691,20 +631,26 @@ optional_policy(` +@@ -691,20 +629,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -114977,12 +115035,11 @@ index f03dcf5..36bc283 100644 ') optional_policy(` -- iptables_domtrans(virtd_t) + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` -+ iptables_domtrans(virtd_t) + iptables_domtrans(virtd_t) iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + @@ -114998,7 +115055,7 @@ index f03dcf5..36bc283 100644 ') optional_policy(` -@@ -712,11 +658,18 @@ optional_policy(` +@@ -712,11 +656,18 @@ optional_policy(` ') optional_policy(` @@ -115017,7 +115074,7 @@ index f03dcf5..36bc283 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +680,18 @@ optional_policy(` +@@ -727,10 +678,18 @@ optional_policy(` ') optional_policy(` @@ -115036,7 +115093,7 @@ index f03dcf5..36bc283 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +707,336 @@ optional_policy(` +@@ -746,44 +705,336 @@ optional_policy(` udev_read_pid_files(virtd_t) ') 
@@ -115234,7 +115291,7 @@ index f03dcf5..36bc283 100644 +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) -+ + +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) @@ -115351,7 +115408,7 @@ index f03dcf5..36bc283 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; - ++ +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -115376,12 +115433,12 @@ index f03dcf5..36bc283 100644 +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) + -+manage_dirs_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_chr_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_lnk_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_sock_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_fifo_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_dirs_pattern(virsh_t, container_image_t, container_image_t) ++manage_files_pattern(virsh_t, container_image_t, container_image_t) ++manage_chr_files_pattern(virsh_t, container_image_t, container_image_t) ++manage_lnk_files_pattern(virsh_t, container_image_t, container_image_t) ++manage_sock_files_pattern(virsh_t, container_image_t, container_image_t) ++manage_fifo_files_pattern(virsh_t, container_image_t, container_image_t) +virt_transition_svirt_sandbox(virsh_t, system_r) + +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) 
@@ -115395,7 +115452,7 @@ index f03dcf5..36bc283 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1047,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1045,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -115422,7 +115479,7 @@ index f03dcf5..36bc283 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1067,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1065,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -115439,10 +115496,10 @@ index f03dcf5..36bc283 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -115456,7 +115513,7 @@ index f03dcf5..36bc283 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1104,20 @@ optional_policy(` +@@ -856,14 +1102,20 @@ optional_policy(` ') optional_policy(` @@ -115478,7 +115535,7 @@ index f03dcf5..36bc283 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1142,66 @@ optional_policy(` +@@ -888,49 +1140,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
@@ -115541,15 +115598,15 @@ index f03dcf5..36bc283 100644 +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + -+manage_dirs_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_chr_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_lnk_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_sock_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_fifo_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow virtd_lxc_t svirt_sandbox_file_t:dir_file_class_set { relabelto relabelfrom }; -+allow virtd_lxc_t svirt_sandbox_file_t:filesystem { relabelto relabelfrom }; -+files_associate_rootfs(svirt_sandbox_file_t) ++manage_dirs_pattern(virtd_lxc_t, container_image_t, container_image_t) ++manage_files_pattern(virtd_lxc_t, container_image_t, container_image_t) ++manage_chr_files_pattern(virtd_lxc_t, container_image_t, container_image_t) ++manage_lnk_files_pattern(virtd_lxc_t, container_image_t, container_image_t) ++manage_sock_files_pattern(virtd_lxc_t, container_image_t, container_image_t) ++manage_fifo_files_pattern(virtd_lxc_t, container_image_t, container_image_t) ++allow virtd_lxc_t container_image_t:dir_file_class_set { relabelto relabelfrom }; ++allow virtd_lxc_t container_image_t:filesystem { relabelto relabelfrom }; ++files_associate_rootfs(container_image_t) + +seutil_read_file_contexts(virtd_lxc_t) @@ -115563,7 +115620,7 @@ index f03dcf5..36bc283 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1213,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1211,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) 
@@ -115577,13 +115634,13 @@ index f03dcf5..36bc283 100644 files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) -files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) -+files_root_filetrans(virtd_lxc_t, svirt_sandbox_file_t, dir_file_class_set) ++files_root_filetrans(virtd_lxc_t, container_image_t, dir_file_class_set) +fs_read_fusefs_files(virtd_lxc_t) fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1234,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1232,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -115607,7 +115664,7 @@ index f03dcf5..36bc283 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1259,359 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1257,360 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115634,12 +115691,12 @@ index f03dcf5..36bc283 100644 + hal_dbus_chat(virtd_lxc_t) + ') +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` -+ docker_exec_lib(virtd_lxc_t) ++ container_exec_lib(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') 
@@ -115680,89 +115737,7 @@ index f03dcf5..36bc283 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') - --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- --manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, 
svirt_lxc_file_t) -- --kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- --auth_dontaudit_read_login_records(svirt_lxc_domain) --auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- --clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++ +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow 
virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; @@ -115771,13 +115746,13 @@ index f03dcf5..36bc283 100644 +allow svirt_sandbox_domain virtd_lxc_t:fd use; +allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; + -+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto }; -+allow svirt_sandbox_domain svirt_sandbox_file_t:dir { execmod relabelfrom relabelto }; ++manage_dirs_pattern(svirt_sandbox_domain, container_image_t, container_image_t) ++manage_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) ++manage_lnk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) ++manage_sock_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) ++manage_fifo_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) ++allow svirt_sandbox_domain container_image_t:file { execmod relabelfrom relabelto }; ++allow svirt_sandbox_domain container_image_t:dir { execmod relabelfrom relabelto }; +virt_mounton_sandbox_file(svirt_sandbox_domain) + +list_dirs_pattern(svirt_sandbox_domain, container_image_t, container_image_t) 
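Review bot: After the rename, the `svirt_sandbox_domain` rules on `container_image_t` in this hunk and the next one (L38) duplicate each other: `manage_dirs_pattern`/`manage_files_pattern` here are supersets of the `list_dirs_pattern` line that follows, `allow svirt_sandbox_domain container_image_t:file { execmod relabelfrom relabelto };` already covers the separate `allow svirt_sandbox_domain container_image_t:file execmod;`, and `can_exec(svirt_sandbox_domain, container_image_t)` now appears twice. The policy compiler merges duplicate AV rules, so this is not a functional bug, but keeping both blocks suggests two distinct types still exist and obscures that the manage rules now apply to everything formerly labeled `container_image_t`. I would drop the redundant read-only lines and keep one consolidated set of `container_image_t` rules. The svirt_sandbox_domain section continues past the end of this hunk.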
@@ -115786,11 +115761,11 @@ index f03dcf5..36bc283 100644
 +allow svirt_sandbox_domain container_image_t:file execmod;
 +can_exec(svirt_sandbox_domain, container_image_t)
 +
-+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
-+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
-+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem { getattr remount };
++allow svirt_sandbox_domain container_image_t:blk_file setattr;
++rw_blk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
++can_exec(svirt_sandbox_domain, container_image_t)
++allow svirt_sandbox_domain container_image_t:dir mounton;
++allow svirt_sandbox_domain container_image_t:filesystem { getattr remount };
 +
 +kernel_getattr_proc(svirt_sandbox_domain)
 +kernel_list_all_proc(svirt_sandbox_domain)
@@ -115861,8 +115836,89 @@ index f03dcf5..36bc283 100644 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t 
svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- +-can_exec(svirt_lxc_domain, svirt_lxc_file_t) +- +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- +-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++optional_policy(` + 
apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) +') @@ -115882,8 +115938,9 @@ index f03dcf5..36bc283 100644 +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + @@ -115910,11 +115967,11 @@ index f03dcf5..36bc283 100644 optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) -+ docker_read_share_files(svirt_sandbox_domain) -+ docker_exec_share_files(svirt_sandbox_domain) -+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) -+ docker_use_ptys(svirt_sandbox_domain) -+ docker_spc_stream_connect(svirt_sandbox_domain) ++ container_read_share_files(svirt_sandbox_domain) ++ container_exec_share_files(svirt_sandbox_domain) ++ container_lib_filetrans(svirt_sandbox_domain,container_image_t, sock_file) ++ container_use_ptys(svirt_sandbox_domain) ++ container_spc_stream_connect(svirt_sandbox_domain) + fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) + dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) ') 
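Review bot: `container_lib_filetrans(svirt_sandbox_domain,container_image_t, sock_file)` in the @@ -115910 hunk lacks the space after the first comma that every other interface call in this optional_policy block has; `container_lib_filetrans(svirt_sandbox_domain, container_image_t, sock_file)` keeps the style consistent. The spacing was inherited from the docker_lib_filetrans line it replaces, so the rename is a convenient moment to fix it. Note that the transition target also moves from svirt_sandbox_file_t to container_image_t here, which only makes sense together with the type merge done elsewhere in this diff.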
@@ -115922,40 +115979,21 @@ index f03dcf5..36bc283 100644 ######################################## # -# Lxc net local policy -+# svirt_lxc_net_t local policy - # -+virt_sandbox_domain_template(svirt_lxc_net) -+virt_default_capabilities(svirt_lxc_net_t) -+typeattribute svirt_lxc_net_t sandbox_net_domain; -+dontaudit svirt_lxc_net_t self:capability fsetid; -+dontaudit svirt_lxc_net_t self:capability2 block_suspend ; -+allow svirt_lxc_net_t self:process { execstack execmem }; -+manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+kernel_load_module(svirt_lxc_net_t) ++# container_t local policy + # ++virt_sandbox_domain_template(container) ++typealias container_t alias svirt_lxc_net_t; ++virt_default_capabilities(container_t) ++typeattribute container_t sandbox_net_domain; ++dontaudit container_t self:capability fsetid; ++dontaudit container_t self:capability2 block_suspend ; ++allow container_t self:process { execstack execmem }; ++manage_chr_files_pattern(container_t, container_image_t, container_image_t) ++kernel_load_module(container_t) + +tunable_policy(`virt_sandbox_use_sys_admin',` -+ allow svirt_lxc_net_t self:capability sys_admin; -+') -+ -+tunable_policy(`virt_sandbox_use_mknod',` -+ allow svirt_lxc_net_t self:capability mknod; -+') -+ -+tunable_policy(`virt_sandbox_use_all_caps',` -+ allow svirt_lxc_net_t self:capability all_capability_perms; -+ allow svirt_lxc_net_t self:capability2 all_capability2_perms; -+') -+ -+tunable_policy(`virt_sandbox_use_netlink',` -+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -+ allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; -+', ` -+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) ++ allow container_t self:capability sys_admin; +') -+ -+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; -+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; 
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -dontaudit svirt_lxc_net_t self:capability2 block_suspend; @@ -115968,10 +116006,16 @@ index f03dcf5..36bc283 100644 -allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; -- ++tunable_policy(`virt_sandbox_use_mknod',` ++ allow container_t self:capability mknod; ++') + -kernel_read_network_state(svirt_lxc_net_t) - kernel_read_irq_sysctls(svirt_lxc_net_t) -+kernel_read_messages(svirt_lxc_net_t) +-kernel_read_irq_sysctls(svirt_lxc_net_t) ++tunable_policy(`virt_sandbox_use_all_caps',` ++ allow container_t self:capability all_capability_perms; ++ allow container_t self:capability2 all_capability2_perms; ++') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) 
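Review bot: `typealias container_t alias svirt_lxc_net_t;` keeps running processes and other modules that still name the old domain working, but no matching `typealias container_image_t alias svirt_sandbox_file_t;` is visible anywhere in this diff even though every svirt_sandbox_file_t reference is rewritten to container_image_t. Unless the alias is declared in the container module (this diff shows container-selinux.tgz only as a binary change), files already labelled svirt_sandbox_file_t on disk would, as far as I understand the kernel's handling of a type that disappears from the loaded policy, be treated as unlabeled_t after the upgrade, so existing container filesystems would stop working until relabelled; either the alias itself next to the container_t one, or a comment naming where it lives, would settle this. Minor style point in the same block: `dontaudit container_t self:capability2 block_suspend ;` carries a stray space before the semicolon that the sibling fsetid line does not.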
@@ -115983,55 +116027,72 @@ index f03dcf5..36bc283 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) -- ++tunable_policy(`virt_sandbox_use_netlink',` ++ allow container_t self:netlink_socket create_socket_perms; ++ allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++ allow container_t self:netlink_kobject_uevent_socket create_socket_perms; ++', ` ++ logging_dontaudit_send_audit_msgs(container_t) ++') + -corenet_sendrecv_all_server_packets(svirt_lxc_net_t) -corenet_udp_bind_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_all_ports(svirt_lxc_net_t) -- ++allow container_t virt_lxc_var_run_t:dir list_dir_perms; ++allow container_t virt_lxc_var_run_t:file read_file_perms; + -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) -- ++kernel_read_irq_sysctls(container_t) ++kernel_read_messages(container_t) + -dev_getattr_mtrr_dev(svirt_lxc_net_t) -dev_read_rand(svirt_lxc_net_t) - dev_read_sysfs(svirt_lxc_net_t) -+dev_read_mtrr(svirt_lxc_net_t) -+dev_read_rand(svirt_lxc_net_t) - dev_read_urand(svirt_lxc_net_t) - - files_read_kernel_modules(svirt_lxc_net_t) - -+fs_noxattr_type(svirt_sandbox_file_t) -+# Do we actually need these? - fs_mount_cgroup(svirt_lxc_net_t) - fs_manage_cgroup_dirs(svirt_lxc_net_t) +-dev_read_sysfs(svirt_lxc_net_t) +-dev_read_urand(svirt_lxc_net_t) ++dev_read_sysfs(container_t) ++dev_read_mtrr(container_t) ++dev_read_rand(container_t) ++dev_read_urand(container_t) + +-files_read_kernel_modules(svirt_lxc_net_t) ++files_read_kernel_modules(container_t) + +-fs_mount_cgroup(svirt_lxc_net_t) +-fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) -+fs_manage_cgroup_files(svirt_lxc_net_t) ++fs_noxattr_type(container_image_t) ++# Do we actually need these? 
++fs_mount_cgroup(container_t) ++fs_manage_cgroup_dirs(container_t) ++fs_manage_cgroup_files(container_t) +# Needed for docker -+fs_unmount_xattr_fs(svirt_lxc_net_t) -+ -+term_pty(svirt_sandbox_file_t) ++fs_unmount_xattr_fs(container_t) - auth_use_nsswitch(svirt_lxc_net_t) +-auth_use_nsswitch(svirt_lxc_net_t) ++term_pty(container_image_t) -logging_send_audit_msgs(svirt_lxc_net_t) -+rpm_read_db(svirt_lxc_net_t) ++auth_use_nsswitch(container_t) -userdom_use_user_ptys(svirt_lxc_net_t) -+logging_send_syslog_msg(svirt_lxc_net_t) ++rpm_read_db(container_t) -optional_policy(` - rpm_read_db(svirt_lxc_net_t) ++logging_send_syslog_msg(container_t) ++ +tunable_policy(`virt_sandbox_use_audit',` -+ logging_send_audit_msgs(svirt_lxc_net_t) ++ logging_send_audit_msgs(container_t) ') -####################################### -+userdom_use_user_ptys(svirt_lxc_net_t) ++userdom_use_user_ptys(container_t) + +######################################## # -# Prot exec local policy -+# svirt_lxc_net_t local policy ++# container_t local policy # +virt_sandbox_domain_template(svirt_qemu_net) +typeattribute svirt_qemu_net_t sandbox_net_domain; @@ -116055,12 +116116,12 @@ index f03dcf5..36bc283 100644 + +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) + 
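Review bot: The section header rewritten near the end of this hunk, `+# container_t local policy`, sits directly above `virt_sandbox_domain_template(svirt_qemu_net)`, so it labels the svirt_qemu_net_t block with the wrong domain; it should read `# svirt_qemu_net_t local policy`. The same copy-paste header appears in hunk @@ -116306 above `virt_sandbox_domain_template(svirt_kvm_net)`, where `# svirt_kvm_net_t local policy` is meant. The `# Do we actually need these?` comment above the cgroup rules is carried through the rename unanswered while fs_mount_cgroup and fs_manage_cgroup_dirs/files are re-stated for container_t; either the question should be resolved or the comment dropped so the next reader does not assume the rules are still under review.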
@@ -116075,12 +116136,12 @@ index f03dcf5..36bc283 100644 + +files_read_kernel_modules(svirt_qemu_net_t) + -+fs_noxattr_type(svirt_sandbox_file_t) ++fs_noxattr_type(container_image_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) + -+term_pty(svirt_sandbox_file_t) ++term_pty(container_image_t) + +auth_use_nsswitch(svirt_qemu_net_t) + @@ -116108,7 +116169,7 @@ index f03dcf5..36bc283 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1624,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1623,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116123,7 +116184,7 @@ index f03dcf5..36bc283 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1642,7 @@ optional_policy(` +@@ -1192,7 +1641,7 @@ optional_policy(` ######################################## # @@ -116132,7 +116193,7 @@ index f03dcf5..36bc283 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1651,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1650,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -116306,7 +116367,7 @@ index f03dcf5..36bc283 100644 + +######################################## +# -+# svirt_lxc_net_t local policy ++# container_t local policy +# +virt_sandbox_domain_template(svirt_kvm_net) +typeattribute svirt_kvm_net_t sandbox_net_domain; 
@@ -116342,12 +116403,12 @@ index f03dcf5..36bc283 100644 + +files_read_kernel_modules(svirt_kvm_net_t) + -+fs_noxattr_type(svirt_sandbox_file_t) ++fs_noxattr_type(container_image_t) +fs_mount_cgroup(svirt_kvm_net_t) +fs_manage_cgroup_dirs(svirt_kvm_net_t) +fs_manage_cgroup_files(svirt_kvm_net_t) + -+term_pty(svirt_sandbox_file_t) ++term_pty(container_image_t) + +auth_use_nsswitch(svirt_kvm_net_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 456c3d4..4a40174 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 218%{?dist} +Release: 219%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,24 @@ exit 0 %endif %changelog +* Mon Oct 10 2016 Lukas Vrabec - 3.13.1-219 +- Dontaudit leaked file descriptors for thumb. BZ(1383071) +- Fix typo in cobbler SELinux module +- Merge pull request #165 from rhatdan/container +- Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156) +- Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t +- Rename svirt_lxc_net_t to container_t +- Rename docker.pp to container.pp, causes change in interface name +- Allow httpd_t domain to list inotify filesystem. +- Fix couple AVC to start roundup properly +- Allow dovecot_t send signull to dovecot_deliver_t +- Add sys_ptrace capability to pegasus domain +- Allow firewalld to stream connect to NetworkManager. BZ(1380954) +- rename docker intefaces to container +- Merge pull request #164 from rhatdan/docker-base +- Rename docker.pp to container.pp, causes change in interface name +- Allow gvfs to read /dev/nvme* devices BZ(1380951) + * Wed Oct 05 2016 Colin Walters - 3.13.1-218 - Revert addition of systemd service for factory reset, since it is basically worse than what we had before. BZ(1290659)