diff --git a/container-selinux.tgz b/container-selinux.tgz
index 9960e8d..5bac115 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 93a3a6c..859d32f 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -116956,10 +116956,10 @@ index facdee8b3..2a619ba9e 100644
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')
diff --git a/virt.te b/virt.te
-index f03dcf567..5ce41db0d 100644
+index f03dcf567..529ae6612 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,451 +1,422 @@
+@@ -1,451 +1,424 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -117125,7 +117125,8 @@ index f03dcf567..5ce41db0d 100644
+##
+## +gen_tunable(virt_use_usb, true) -+ + +-attribute svirt_lxc_domain; +##+## Allow confined virtual guests to use smartcards @@ -117154,8 +117155,7 @@ index f03dcf567..5ce41db0d 100644 +##
+##
+## Allow sandbox containers to use mknod system calls
@@ -117194,11 +117194,11 @@ index f03dcf567..5ce41db0d 100644
-virt_domain_template(svirt_prot_exec)
+role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
-+
-+virt_domain_template(svirt_tcg)
-+role system_r types svirt_tcg_t;
-type virt_cache_t alias svirt_cache_t;
++virt_domain_template(svirt_tcg)
++role system_r types svirt_tcg_t;
++
+type qemu_exec_t, virt_file_type;
+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
@@ -117561,10 +117561,13 @@ index f03dcf567..5ce41db0d 100644
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
--
++allow svirt_t self:process ptrace;
+
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
@@ -117573,15 +117576,12 @@ index f03dcf567..5ce41db0d 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-+allow svirt_t self:process ptrace;
-
+-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
@@ -117606,6 +117606,8 @@ index f03dcf567..5ce41db0d 100644
+
+storage_raw_read_fixed_disk(svirt_t)
+
++userdom_read_all_users_state(svirt_t)
++
+#######################################
+#
+# svirt_prot_exec local policy
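Review bot: The added `++userdom_read_all_users_state(svirt_t)` line in this hunk is the only genuinely new access grant in the commit, and it widens what a confined guest can see: in refpolicy that interface, as far as I recall, lets the caller read the /proc state of every user domain, so a compromised qemu process could enumerate details of all logged-in users' processes. Nothing in the hunk records which denial motivated it, while the neighbouring netlink rule in the hunk at @@ -117561 does carry a reason (`# it was a part of auth_use_nsswitch`); this line should carry one too, e.g. `# svirt_t needs this for <reason — TODO fill in from the AVC that prompted it>`. If a narrower interface covers the actual denial (reading only the state of virtd_t or of the guest's own helper domains), prefer it over the all-users variant. The other occurrence of the same interface in the hunk at @@ -117852 is a remove/re-add of the existing virtd_t rule and does not change policy.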
@@ -117692,7 +117694,7 @@ index f03dcf567..5ce41db0d 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +426,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +428,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -117739,22 +117741,22 @@ index f03dcf567..5ce41db0d 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +461,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +463,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
-can_exec(virtd_t, virt_tmp_t)
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
@@ -117773,7 +117775,7 @@ index f03dcf567..5ce41db0d 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +486,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +488,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -117801,7 +117803,7 @@ index f03dcf567..5ce41db0d 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +506,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +508,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -117832,7 +117834,7 @@ index f03dcf567..5ce41db0d 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +558,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +560,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -117852,19 +117854,29 @@ index f03dcf567..5ce41db0d 100644
selinux_validate_context(virtd_t)
-@@ -620,27 +580,35 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +582,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
+-userdom_read_all_users_state(virtd_t)
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
-+
+
+-ifdef(`hide_broken_symptoms',`
+- dontaudit virtd_t self:capability { sys_module sys_ptrace };
+-')
+-
+-tunable_policy(`virt_use_fusefs',`
+- fs_manage_fusefs_dirs(virtd_t)
+- fs_manage_fusefs_files(virtd_t)
+- fs_read_fusefs_symlinks(virtd_t)
+-')
+userdom_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
- userdom_read_all_users_state(virtd_t)
++userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_tmp_files(virtd_t)
+userdom_setattr_user_tmp_files(virtd_t)
@@ -117877,24 +117889,9 @@ index f03dcf567..5ce41db0d 100644
+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+virt_filetrans_home_content(virtd_t)
--ifdef(`hide_broken_symptoms',`
-- dontaudit virtd_t self:capability { sys_module sys_ptrace };
--')
--
--tunable_policy(`virt_use_fusefs',`
-- fs_manage_fusefs_dirs(virtd_t)
-- fs_manage_fusefs_files(virtd_t)
-- fs_read_fusefs_symlinks(virtd_t)
--')
--
--tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs(virtd_t)
-- fs_manage_nfs_files(virtd_t)
-- fs_read_nfs_symlinks(virtd_t)
-+tunable_policy(`virt_use_nfs',`
-+ fs_manage_nfs_dirs(virtd_t)
-+ fs_manage_nfs_files(virtd_t)
-+ fs_read_nfs_symlinks(virtd_t)
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+@@ -640,7 +610,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -117903,7 +117900,7 @@ index f03dcf567..5ce41db0d 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +633,12 @@ optional_policy(`
+@@ -665,20 +635,12 @@ optional_policy(`
')
optional_policy(`
@@ -117924,7 +117921,7 @@ index f03dcf567..5ce41db0d 100644
')
optional_policy(`
-@@ -691,20 +651,26 @@ optional_policy(`
+@@ -691,99 +653,432 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -117952,113 +117949,103 @@ index f03dcf567..5ce41db0d 100644
- kerberos_use(virtd_t)
+ kerberos_read_keytab(virtd_t)
+ kerberos_use(virtd_t)
- ')
-
- optional_policy(`
-@@ -712,11 +678,18 @@ optional_policy(`
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
++ lvm_domtrans(virtd_t)
++')
++
++optional_policy(`
+ # Run mount in the mount_t domain.
- mount_domtrans(virtd_t)
- mount_signal(virtd_t)
- ')
-
- optional_policy(`
++ mount_domtrans(virtd_t)
++ mount_signal(virtd_t)
++')
++
++optional_policy(`
+ numad_domtrans(virtd_t)
+ numad_dbus_chat(virtd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(virtd_t)
- policykit_domtrans_auth(virtd_t)
- policykit_domtrans_resolve(virtd_t)
- policykit_read_lib(virtd_t)
-@@ -727,10 +700,18 @@ optional_policy(`
- ')
-
- optional_policy(`
++ policykit_domtrans_auth(virtd_t)
++ policykit_domtrans_resolve(virtd_t)
++ policykit_read_lib(virtd_t)
++')
++
++optional_policy(`
++ qemu_exec(virtd_t)
++')
++
++optional_policy(`
+ sanlock_stream_connect(virtd_t)
+')
+
+optional_policy(`
- sasl_connect(virtd_t)
- ')
-
- optional_policy(`
++ sasl_connect(virtd_t)
++')
++
++optional_policy(`
+ setrans_manage_pid_files(virtd_t)
+')
+
+optional_policy(`
- kernel_read_xen_state(virtd_t)
- kernel_write_xen_state(virtd_t)
-
-@@ -746,44 +727,356 @@ optional_policy(`
- udev_read_pid_files(virtd_t)
- ')
-
++ kernel_read_xen_state(virtd_t)
++ kernel_write_xen_state(virtd_t)
++
++ xen_exec(virtd_t)
++ xen_stream_connect(virtd_t)
++ xen_stream_connect_xenstore(virtd_t)
++ xen_read_image_files(virtd_t)
++')
++
++optional_policy(`
++ udev_domtrans(virtd_t)
++ udev_read_db(virtd_t)
++ udev_read_pid_files(virtd_t)
++')
++
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
- ########################################
- #
--# Virsh local policy
++########################################
++#
+# virtlogd local policy
- #
-
--allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
--allow virsh_t self:process { getcap getsched setsched setcap signal };
--allow virsh_t self:fifo_file rw_fifo_file_perms;
--allow virsh_t self:unix_stream_socket { accept connectto listen };
--allow virsh_t self:tcp_socket { accept listen };
++#
++
+# virtlogd is allowed to manage files it creates in /var/run/libvirt
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
-
--manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
--manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
--manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++
+# virtlogd needs to read /etc/libvirt/virtlogd.conf only
+allow virtlogd_t virtlogd_etc_t:file read_file_perms;
+files_search_etc(virtlogd_t)
+allow virtlogd_t virt_etc_t:dir search;
-
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++
+# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated
+# context from other stuff in /var/run/libvirt
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file })
+# This lets systemd create the socket itself too
-
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++
+# virtlogd creates a /var/run/virtlogd.pid file
+allow virtlogd_t virtlogd_var_run_t:file manage_file_perms;
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file)
-
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
++
+manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file })
-
--allow virsh_t svirt_lxc_domain:process transition;
++
+kernel_read_network_state(virtlogd_t)
-
--can_exec(virsh_t, virsh_exec_t)
++
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow virtlogd_t to execute itself.
+allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
+
+dev_read_sysfs(virtlogd_t)
-
++
+logging_send_syslog_msg(virtlogd_t)
+
+auth_use_nsswitch(virtlogd_t)
@@ -118264,30 +118251,40 @@ index f03dcf567..5ce41db0d 100644
+ fs_manage_fusefs_files(virt_domain)
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- lvm_domtrans(virtd_t)
+ tunable_policy(`virt_use_glusterd',`
+ glusterd_manage_pid(virt_domain)
+ ')
-+')
-+
+ ')
+
+-optional_policy(`
+- mount_domtrans(virtd_t)
+- mount_signal(virtd_t)
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
+ fs_manage_nfs_named_sockets(virt_domain)
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
-+')
-+
+ ')
+
+-optional_policy(`
+- policykit_domtrans_auth(virtd_t)
+- policykit_domtrans_resolve(virtd_t)
+- policykit_read_lib(virtd_t)
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
+ fs_manage_cifs_named_sockets(virt_domain)
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
-+')
-+
+ ')
+
+-optional_policy(`
+- qemu_exec(virtd_t)
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
@@ -118295,49 +118292,83 @@ index f03dcf567..5ce41db0d 100644
+ fs_manage_dos_dirs(virt_domain)
+ fs_manage_dos_files(virt_domain)
+ udev_read_db(virt_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- sasl_connect(virtd_t)
+ tunable_policy(`virt_use_pcscd',`
+ pcscd_stream_connect(virt_domain)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- kernel_read_xen_state(virtd_t)
+- kernel_write_xen_state(virtd_t)
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(virt_domain)
+ ')
+')
-+
+
+- xen_exec(virtd_t)
+- xen_stream_connect(virtd_t)
+- xen_stream_connect_xenstore(virtd_t)
+- xen_read_image_files(virtd_t)
+tunable_policy(`virt_use_rawip',`
+ allow virt_domain self:rawip_socket create_socket_perms;
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- udev_domtrans(virtd_t)
+- udev_read_db(virtd_t)
+- udev_read_pid_files(virtd_t)
+ tunable_policy(`virt_use_xserver',`
+ xserver_stream_connect(virt_domain)
+ ')
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Virsh local policy
+# xm local policy
-+#
+ #
+type virsh_t, virt_system_domain;
+type virsh_exec_t, virt_file_type;
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-+
+
+-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+-allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:capability { setpcap dac_read_search dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
-+allow virsh_t self:fifo_file rw_fifo_file_perms;
+ allow virsh_t self:fifo_file rw_fifo_file_perms;
+-allow virsh_t self:unix_stream_socket { accept connectto listen };
+-allow virsh_t self:tcp_socket { accept listen };
+-
+-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
-+
+
+-allow virsh_t svirt_lxc_domain:process transition;
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
-+
-+can_exec(virsh_t, virsh_exec_t)
+
+ can_exec(virsh_t, virsh_exec_t)
+-
virt_domtrans(virsh_t)
virt_manage_images(virsh_t)
virt_manage_config(virsh_t)
@@ -118372,7 +118403,7 @@ index f03dcf567..5ce41db0d 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1087,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1089,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -118399,7 +118430,7 @@ index f03dcf567..5ce41db0d 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1107,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1109,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -118416,10 +118447,10 @@ index f03dcf567..5ce41db0d 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -118433,7 +118464,7 @@ index f03dcf567..5ce41db0d 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1144,20 @@ optional_policy(`
+@@ -856,14 +1146,20 @@ optional_policy(`
')
optional_policy(`
@@ -118455,7 +118486,7 @@ index f03dcf567..5ce41db0d 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1182,66 @@ optional_policy(`
+@@ -888,49 +1184,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -118540,7 +118571,7 @@ index f03dcf567..5ce41db0d 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1253,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1255,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -118560,7 +118591,7 @@ index f03dcf567..5ce41db0d 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1274,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1276,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -118584,7 +118615,7 @@ index f03dcf567..5ce41db0d 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1299,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1301,296 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -118611,7 +118642,8 @@ index f03dcf567..5ce41db0d 100644
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
@@ -118623,8 +118655,7 @@ index f03dcf567..5ce41db0d 100644
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -118844,13 +118875,13 @@ index f03dcf567..5ce41db0d 100644
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
++
++optional_policy(`
++ udev_read_pid_files(svirt_sandbox_domain)
++')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
@@ -119000,8 +119031,7 @@ index f03dcf567..5ce41db0d 100644
+fs_manage_cgroup_files(svirt_qemu_net_t)
+
+term_pty(container_file_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+auth_use_nsswitch(svirt_qemu_net_t)
+
+rpm_read_db(svirt_qemu_net_t)
@@ -119011,7 +119041,8 @@ index f03dcf567..5ce41db0d 100644
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(svirt_qemu_net_t)
+')
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+userdom_use_user_ptys(svirt_qemu_net_t)
########################################
@@ -119028,7 +119059,7 @@ index f03dcf567..5ce41db0d 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1601,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1603,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -119043,7 +119074,7 @@ index f03dcf567..5ce41db0d 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1619,7 @@ optional_policy(`
+@@ -1192,7 +1621,7 @@ optional_policy(`
########################################
#
@@ -119052,7 +119083,7 @@ index f03dcf567..5ce41db0d 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1628,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1630,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7509df1..4abaa6d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 284%{?dist}
+Release: 285%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -682,6 +682,9 @@ exit 0
%endif
%changelog
+* Thu Sep 14 2017 Lukas Vrabec