From 5d15cbb533a285a64f33d76e98aefae1191f96e9 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 08 2014 10:27:09 +0000 Subject: Add neutron fixes --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 9331692..4718a40 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -31691,7 +31691,7 @@ index 4e94884..ae63d78 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..616d6a8 100644 +index 39ea221..e2be79a 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -31712,7 +31712,7 @@ index 39ea221..616d6a8 100644 +## Allow syslogd the ability to read/write terminals +##

+## -+gen_tunable(logging_syslogd_use_tty, false) ++gen_tunable(logging_syslogd_use_tty, true) attribute logfile; diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 31259b3..34c8553 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -17844,7 +17844,7 @@ index 06da9a0..c7834c8 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..d084359 100644 +index 9f34c2e..5997cc2 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -18114,12 +18114,13 @@ index 9f34c2e..d084359 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,21 +278,21 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) -libs_read_lib_files(cupsd_t) libs_exec_lib_files(cupsd_t) ++libs_exec_ldconfig(cupsd_t) logging_send_audit_msgs(cupsd_t) logging_send_syslog_msg(cupsd_t) @@ -18140,7 +18141,7 @@ index 9f34c2e..d084359 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -275,6 +305,8 @@ optional_policy(` +@@ -275,6 +306,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -18149,7 +18150,7 @@ index 9f34c2e..d084359 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +317,10 @@ optional_policy(` +@@ -285,8 +318,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -18160,7 +18161,7 @@ index 9f34c2e..d084359 100644 ') ') -@@ -299,8 +333,8 @@ optional_policy(` +@@ -299,8 +334,8 @@ optional_policy(` ') optional_policy(` @@ -18170,7 +18171,7 @@ index 9f34c2e..d084359 100644 ') optional_policy(` -@@ -309,7 +343,6 @@ optional_policy(` +@@ -309,7 +344,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) 
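Review bot: The default flip `++gen_tunable(logging_syslogd_use_tty, true)` loosens the base policy on every system that has not set the boolean explicitly, and it is unrelated to the commit subject "Add neutron fixes": syslogd gains read/write access to terminals out of the box. The description block the patch adds above it only says what the boolean allows, not why it should be on by default, so a stray edit and an intentional default look identical here. Add a line to that block such as `+## Enabled by default because <reason — TODO fill in>` (or mention the reason in the commit message); if the flip was not intended, keep `false` and let administrators opt in with setsebool.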
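Review bot: `++libs_exec_ldconfig(cupsd_t)` runs ldconfig inside cupsd_t rather than transitioning into the ldconfig domain, so whatever ldconfig touches at run time has to be allowed to the print daemon directly, and every future ldconfig rule widens cupsd_t as well. If the need is only that cupsd (or a filter it spawns) invokes ldconfig, `libs_domtrans_ldconfig(cupsd_t)` would keep that work in ldconfig_t; if the in-domain exec is deliberate, a one-line comment above the rule stating why would stop the next reviewer from asking the same question. The cupsd_t block itself is only visible through the inner context lines of this patch-of-patch, so I cannot tell whether related ldconfig rules already exist elsewhere in it.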
@@ -18178,7 +18179,7 @@ index 9f34c2e..d084359 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +370,11 @@ optional_policy(` +@@ -337,7 +371,11 @@ optional_policy(` ') optional_policy(` @@ -18191,7 +18192,7 @@ index 9f34c2e..d084359 100644 ') ######################################## -@@ -345,12 +382,11 @@ optional_policy(` +@@ -345,12 +383,11 @@ optional_policy(` # Configuration daemon local policy # @@ -18207,7 +18208,7 @@ index 9f34c2e..d084359 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +412,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -18228,7 +18229,7 @@ index 9f34c2e..d084359 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +430,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -18249,7 +18250,7 @@ index 9f34c2e..d084359 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +447,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -18261,7 +18262,7 @@ index 9f34c2e..d084359 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +473,12 @@ optional_policy(` +@@ -452,9 +474,12 @@ optional_policy(` ') optional_policy(` 
@@ -18275,7 +18276,7 @@ index 9f34c2e..d084359 100644 ') optional_policy(` -@@ -490,10 +514,6 @@ optional_policy(` +@@ -490,10 +515,6 @@ optional_policy(` # Lpd local policy # @@ -18286,7 +18287,7 @@ index 9f34c2e..d084359 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +531,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +532,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -18320,7 +18321,7 @@ index 9f34c2e..d084359 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +558,6 @@ optional_policy(` +@@ -546,7 +559,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -18328,7 +18329,7 @@ index 9f34c2e..d084359 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +573,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +574,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -18480,7 +18481,7 @@ index 9f34c2e..d084359 100644 ######################################## # -@@ -731,7 +617,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +618,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -18488,7 +18489,7 @@ index 9f34c2e..d084359 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +626,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +627,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) 
@@ -18502,7 +18503,7 @@ index 9f34c2e..d084359 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +638,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +639,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -18511,7 +18512,7 @@ index 9f34c2e..d084359 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -769,3 +650,4 @@ optional_policy(` +@@ -769,3 +651,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -22832,10 +22833,10 @@ index 0000000..543baf1 +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..68e0556 +index 0000000..b744b8c --- /dev/null +++ b/docker.te -@@ -0,0 +1,148 @@ +@@ -0,0 +1,152 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -22905,6 +22906,7 @@ index 0000000..68e0556 +corecmd_exec_shell(docker_t) + +corenet_tcp_bind_generic_node(docker_t) ++corenet_tcp_connect_http_port(docker_t) + +files_read_etc_files(docker_t) + @@ -22914,6 +22916,9 @@ index 0000000..68e0556 + +auth_use_nsswitch(docker_t) + ++logging_send_audit_msgs(docker_t) ++logging_send_syslog_msg(docker_t) ++ +miscfiles_read_localization(docker_t) + +mount_domtrans(docker_t) 
@@ -31998,6 +32003,82 @@ index 94ec5f8..6cbbf7d 100644 logging_send_syslog_msg(iodined_t) +diff --git a/ipa.fc b/ipa.fc +new file mode 100644 +index 0000000..9278f85 +--- /dev/null ++++ b/ipa.fc +@@ -0,0 +1,4 @@ ++/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) ++ ++/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) ++ +diff --git a/ipa.if b/ipa.if +new file mode 100644 +index 0000000..c6cf456 +--- /dev/null ++++ b/ipa.if +@@ -0,0 +1,21 @@ ++## Policy for IPA services. ++ ++######################################## ++## ++## Execute rtas_errd in the rtas_errd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ipa_domtrans_otpd',` ++ gen_require(` ++ type ipa_otpd_t, ipa_otpd_t_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t) ++') ++ +diff --git a/ipa.te b/ipa.te +new file mode 100644 +index 0000000..02f7cfa +--- /dev/null ++++ b/ipa.te +@@ -0,0 +1,33 @@ ++policy_module(ipa, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute ipa_domain; ++ ++type ipa_otpd_t, ipa_domain; ++type ipa_otpd_exec_t; ++init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t) ++ ++type ipa_otpd_unit_file_t; ++systemd_unit_file(ipa_otpd_unit_file_t) ++ ++######################################## ++# ++# ipa_otpd local policy ++# ++ ++allow ipa_otpd_t self:fifo_file rw_fifo_file_perms; ++allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms; ++ ++corenet_tcp_connect_radius_port(ipa_otpd_t) ++ ++optional_policy(` ++ dirsrv_stream_connect(ipa_otpd_t) ++') ++ ++optional_policy(` ++ kerberos_use(ipa_otpd_t) ++') diff --git a/irc.fc b/irc.fc index 48e7739..c3285c2 100644 --- a/irc.fc @@ -35087,7 +35168,7 @@ index f9de9fc..11e6268 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 3465a9a..353c4ce 100644 +index 3465a9a..15b3d6d 100644 --- a/kerberos.te 
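Review bot: The new `ipa_domtrans_otpd` interface in ipa.if requires a type that the new ipa.te never declares: its gen_require lists `ipa_otpd_t_exec_t`, while ipa.te declares `type ipa_otpd_exec_t;` and the `domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)` call two lines later uses the correct name, so the require will not resolve for any caller. Change it to `type ipa_otpd_t, ipa_otpd_exec_t;`. The interface header is also a copy-paste leftover, `## Execute rtas_errd in the rtas_errd domin.`, and should read `## Execute ipa-otpd in the ipa_otpd domain.` so the generated documentation describes this module.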
+++ b/kerberos.te @@ -1,4 +1,4 @@ @@ -35248,7 +35329,7 @@ index 3465a9a..353c4ce 100644 sysnet_use_ldap(kadmind_t) userdom_dontaudit_use_unpriv_user_fds(kadmind_t) -@@ -154,6 +173,10 @@ optional_policy(` +@@ -154,11 +173,16 @@ optional_policy(` ') optional_policy(` @@ -35259,7 +35340,13 @@ index 3465a9a..353c4ce 100644 nis_use_ypbind(kadmind_t) ') -@@ -174,24 +197,27 @@ optional_policy(` + optional_policy(` + sssd_read_public_files(kadmind_t) ++ sssd_stream_connect(kadmind_t) + ') + + optional_policy(` +@@ -174,24 +198,27 @@ optional_policy(` # Krb5kdc local policy # @@ -35291,7 +35378,7 @@ index 3465a9a..353c4ce 100644 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; -@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) +@@ -203,54 +230,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) @@ -35357,7 +35444,7 @@ index 3465a9a..353c4ce 100644 sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -@@ -261,11 +286,11 @@ optional_policy(` +@@ -261,11 +287,11 @@ optional_policy(` ') optional_policy(` @@ -35371,7 +35458,7 @@ index 3465a9a..353c4ce 100644 ') optional_policy(` -@@ -273,6 +298,10 @@ optional_policy(` +@@ -273,6 +299,10 @@ optional_policy(` ') optional_policy(` @@ -35382,7 +35469,7 @@ index 3465a9a..353c4ce 100644 udev_read_db(krb5kdc_t) ') -@@ -281,10 +310,12 @@ optional_policy(` +@@ -281,10 +311,12 @@ optional_policy(` # kpropd local policy # @@ -35398,7 +35485,7 @@ index 3465a9a..353c4ce 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -303,26 +335,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) 
@@ -48952,7 +49039,7 @@ index 0e8508c..ee2e3de 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..7688ca5 100644 +index 0b48a30..8350f85 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -49107,7 +49194,7 @@ index 0b48a30..7688ca5 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +149,17 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +149,31 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -49125,7 +49212,9 @@ index 0b48a30..7688ca5 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +168,11 @@ init_domtrans_script(NetworkManager_t) + init_dontaudit_write_utmp(NetworkManager_t) + init_domtrans_script(NetworkManager_t) ++init_signull_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -49138,7 +49227,7 @@ index 0b48a30..7688ca5 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +187,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +188,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -49175,7 +49264,7 @@ index 0b48a30..7688ca5 100644 ') optional_policy(` -@@ -196,10 +228,6 @@ optional_policy(` +@@ -196,10 +229,6 @@ optional_policy(` ') optional_policy(` @@ -49186,7 +49275,7 @@ index 0b48a30..7688ca5 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +238,11 @@ optional_policy(` +@@ -210,16 +239,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) 
@@ -49205,7 +49294,7 @@ index 0b48a30..7688ca5 100644 ') ') -@@ -231,18 +254,23 @@ optional_policy(` +@@ -231,18 +255,23 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -49232,7 +49321,7 @@ index 0b48a30..7688ca5 100644 ') optional_policy(` -@@ -250,6 +278,10 @@ optional_policy(` +@@ -250,6 +279,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -49243,7 +49332,7 @@ index 0b48a30..7688ca5 100644 ') optional_policy(` -@@ -257,11 +289,10 @@ optional_policy(` +@@ -257,11 +290,10 @@ optional_policy(` ') optional_policy(` @@ -49259,7 +49348,7 @@ index 0b48a30..7688ca5 100644 ') optional_policy(` -@@ -274,10 +305,17 @@ optional_policy(` +@@ -274,10 +306,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -49277,7 +49366,7 @@ index 0b48a30..7688ca5 100644 ') optional_policy(` -@@ -289,6 +327,7 @@ optional_policy(` +@@ -289,6 +328,7 @@ optional_policy(` ') optional_policy(` @@ -49285,7 +49374,7 @@ index 0b48a30..7688ca5 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +335,7 @@ optional_policy(` +@@ -296,7 +336,7 @@ optional_policy(` ') optional_policy(` @@ -49294,7 +49383,7 @@ index 0b48a30..7688ca5 100644 ') optional_policy(` -@@ -307,6 +346,7 @@ optional_policy(` +@@ -307,6 +347,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -49302,7 +49391,7 @@ index 0b48a30..7688ca5 100644 ') optional_policy(` -@@ -320,13 +360,19 @@ optional_policy(` +@@ -320,13 +361,19 @@ optional_policy(` ') optional_policy(` 
@@ -49326,7 +49415,7 @@ index 0b48a30..7688ca5 100644 ') optional_policy(` -@@ -356,6 +402,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +403,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -57396,10 +57485,10 @@ index 96db654..6d3feb9 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..4694942 100644 +index dfd46e4..fabf59e 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,29 @@ +@@ -1,15 +1,30 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) @@ -57437,6 +57526,7 @@ index dfd46e4..4694942 100644 +/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + +/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) diff --git a/pegasus.if b/pegasus.if index d2fc677..ded726f 100644 --- a/pegasus.if @@ -70161,10 +70251,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..0ef5efc 100644 +index 769d1fd..2cd8df3 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,109 @@ +@@ -1,96 +1,123 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) 
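Review bot: The new file-context entry `++/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)` labels the Hardware provider agent with the Storage provider's exec type, so it will run in the storage provider domain with whatever access that domain carries. In the same hunk the other cmpiLMI_* agents (e.g. `cmpiLMI_Journald-cimprovagt`) get `pegasus_openlmi_admin_exec_t`, and the only other use of the storage type is the pycmpiLMI_Storage line directly above, which makes this read like either a deliberate domain reuse or a copy of the previous line with only the path changed. If it is deliberate, a short comment above the entry saying the hardware agent shares the storage domain on purpose would keep it from being "fixed" later; otherwise a dedicated exec type, or the admin type used by its siblings, keeps the provider domains separated.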
@@ -70214,55 +70304,49 @@ index 769d1fd..0ef5efc 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { setgid setuid sys_resource }; ++allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin }; +allow neutron_t self:process { setsched setrlimit }; +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; +allow neutron_t self:tcp_socket { accept listen }; +allow neutron_t self:unix_stream_socket { accept listen }; - --manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) --append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) --create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) --setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) --logging_log_filetrans(quantum_t, quantum_log_t, dir) ++ +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +logging_log_filetrans(neutron_t, neutron_log_t, dir) - --manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) --files_tmp_filetrans(quantum_t, quantum_tmp_t, file) ++ +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) +files_tmp_filetrans(neutron_t, neutron_tmp_t, file) --manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) --manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) --files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) +-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) +-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-logging_log_filetrans(quantum_t, quantum_log_t, 
dir) +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) --can_exec(quantum_t, quantum_tmp_t) +-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) +-files_tmp_filetrans(quantum_t, quantum_tmp_t, file) +can_exec(neutron_t, neutron_tmp_t) --kernel_read_kernel_sysctls(quantum_t) --kernel_read_system_state(quantum_t) +-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) +-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) +-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) +kernel_read_kernel_sysctls(neutron_t) +kernel_read_system_state(neutron_t) ++kernel_read_network_state(neutron_t) ++kernel_request_load_module(neutron_t) --corecmd_exec_shell(quantum_t) --corecmd_exec_bin(quantum_t) +-can_exec(quantum_t, quantum_tmp_t) +corecmd_exec_shell(neutron_t) +corecmd_exec_bin(neutron_t) --corenet_all_recvfrom_unlabeled(quantum_t) --corenet_all_recvfrom_netlabel(quantum_t) --corenet_tcp_sendrecv_generic_if(quantum_t) --corenet_tcp_sendrecv_generic_node(quantum_t) --corenet_tcp_sendrecv_all_ports(quantum_t) --corenet_tcp_bind_generic_node(quantum_t) +-kernel_read_kernel_sysctls(quantum_t) +-kernel_read_system_state(quantum_t) +corenet_all_recvfrom_unlabeled(neutron_t) +corenet_all_recvfrom_netlabel(neutron_t) +corenet_tcp_sendrecv_generic_if(neutron_t) 
@@ -70270,65 +70354,85 @@ index 769d1fd..0ef5efc 100644 +corenet_tcp_sendrecv_all_ports(neutron_t) +corenet_tcp_bind_generic_node(neutron_t) --dev_list_sysfs(quantum_t) --dev_read_urand(quantum_t) +-corecmd_exec_shell(quantum_t) +-corecmd_exec_bin(quantum_t) +corenet_tcp_bind_neutron_port(neutron_t) +corenet_tcp_connect_keystone_port(neutron_t) +corenet_tcp_connect_amqp_port(neutron_t) +corenet_tcp_connect_mysqld_port(neutron_t) --files_read_usr_files(quantum_t) -+dev_list_sysfs(neutron_t) +-corenet_all_recvfrom_unlabeled(quantum_t) +-corenet_all_recvfrom_netlabel(quantum_t) +-corenet_tcp_sendrecv_generic_if(quantum_t) +-corenet_tcp_sendrecv_generic_node(quantum_t) +-corenet_tcp_sendrecv_all_ports(quantum_t) +-corenet_tcp_bind_generic_node(quantum_t) ++domain_named_filetrans(neutron_t) + +-dev_list_sysfs(quantum_t) +-dev_read_urand(quantum_t) ++dev_read_sysfs(neutron_t) +dev_read_urand(neutron_t) ++dev_mounton_sysfs(neutron_t) ++dev_mount_sysfs_fs(neutron_t) --auth_use_nsswitch(quantum_t) +-files_read_usr_files(quantum_t) +auth_use_nsswitch(neutron_t) --libs_exec_ldconfig(quantum_t) +-auth_use_nsswitch(quantum_t) +libs_exec_ldconfig(neutron_t) --logging_send_audit_msgs(quantum_t) --logging_send_syslog_msg(quantum_t) +-libs_exec_ldconfig(quantum_t) +logging_send_audit_msgs(neutron_t) +logging_send_syslog_msg(neutron_t) --miscfiles_read_localization(quantum_t) +-logging_send_audit_msgs(quantum_t) +-logging_send_syslog_msg(quantum_t) +sysnet_exec_ifconfig(neutron_t) --sysnet_domtrans_ifconfig(quantum_t) +-miscfiles_read_localization(quantum_t) +optional_policy(` + brctl_domtrans(neutron_t) +') +-sysnet_domtrans_ifconfig(quantum_t) ++optional_policy(` ++ dnsmasq_domtrans(neutron_t) ++') + optional_policy(` - brctl_domtrans(quantum_t) -+ mysql_stream_connect(neutron_t) -+ mysql_read_config(neutron_t) -+ -+ mysql_tcp_connect(neutron_t) ++ iptables_domtrans(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ 
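Review bot: `++allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin };` adds `sys_admin`, the broadest capability there is, and the hunk carries no comment saying which operation required it; the sysfs mount rules (`dev_mounton_sysfs`, `dev_mount_sysfs_fs`) added in the following hunk are presumably the driver, but that is an inference. Add a one-line comment above the rule naming the operation, e.g. `+# sys_admin: needed for <operation seen in the AVC denial — TODO confirm>`, so a later audit can drop it once the need is gone; `net_admin` is self-explanatory for a networking agent and needs no note. `++kernel_request_load_module(neutron_t)` in the same hunk lets the domain trigger kernel module autoloading and deserves the same one-line justification.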
postgresql_stream_connect(neutron_t) -+ postgresql_unpriv_client(neutron_t) ++ mysql_stream_connect(neutron_t) ++ mysql_read_config(neutron_t) - mysql_tcp_connect(quantum_t) -+ postgresql_tcp_connect(neutron_t) ++ mysql_tcp_connect(neutron_t) ') optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) -+ openvswitch_domtrans(neutron_t) -+ openvswitch_stream_connect(neutron_t) ++ postgresql_stream_connect(neutron_t) ++ postgresql_unpriv_client(neutron_t) ++ ++ postgresql_tcp_connect(neutron_t) +') - postgresql_tcp_connect(quantum_t) +optional_policy(` -+ sudo_exec(neutron_t) ++ openvswitch_domtrans(neutron_t) ++ openvswitch_stream_connect(neutron_t) ') ++ ++optional_policy(` ++ sudo_exec(neutron_t) ++') diff --git a/quota.fc b/quota.fc index cadabe3..54ba01d 100644 --- a/quota.fc @@ -93953,7 +94057,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..9f596dc 100644 +index 7116181..92703c0 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -93966,7 +94070,7 @@ index 7116181..9f596dc 100644 type tuned_var_run_t; files_pid_file(tuned_var_run_t) -@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t) +@@ -29,10 +32,14 @@ files_pid_file(tuned_var_run_t) # Local policy # 
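Review bot: `++ sudo_exec(neutron_t)` executes sudo inside neutron_t with no domain transition, so whatever sudo launches also runs as neutron_t and relies on the `setuid`/`setgid` capabilities plus the `iptables_domtrans`, `dnsmasq_domtrans` and `openvswitch_domtrans` rules added in this and the previous hunk. That is a workable design for a root-wrapper style helper, but it means the neutron domain's rule set becomes the union of everything sudo runs on its behalf, which is worth stating explicitly. A comment above the optional_policy block naming the helper that needs sudo, e.g. `+# sudo_exec: used by <helper — TODO confirm>`, would make the intent clear; keeping it inside optional_policy is correct since the interface comes from the sudo module.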
@@ -93979,10 +94083,11 @@ index 7116181..9f596dc 100644 +allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms; +allow tuned_t self:netlink_socket create_socket_perms; +allow tuned_t self:udp_socket create_socket_perms; ++allow tuned_t self:socket create_socket_perms; read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) -@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) +@@ -41,14 +48,19 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) @@ -94001,11 +94106,12 @@ index 7116181..9f596dc 100644 manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) ++allow tuned_t tuned_var_run_t:file relabel_file_perms; +can_exec(tuned_t, tuned_var_run_t) kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) -@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t) +@@ -57,6 +69,8 @@ kernel_request_load_module(tuned_t) kernel_rw_kernel_sysctl(tuned_t) kernel_rw_hotplug_sysctls(tuned_t) kernel_rw_vm_sysctls(tuned_t) @@ -94014,7 +94120,7 @@ index 7116181..9f596dc 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +76,57 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +78,57 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t)
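Review bot: `++allow tuned_t self:socket create_socket_perms;` grants the generic `socket` class, which covers any socket family that has no dedicated object class, so it is wider than the netlink and udp rules beside it and does not record which family tuned actually opens. A comment stating the family observed in the denial, e.g. `+# self:socket: <family seen in the AVC denial — TODO confirm>`, would let a later policy replace it with the specific class. The `++allow tuned_t tuned_var_run_t:file relabel_file_perms;` rule in the next hunk only permits relabelling tuned's own pid files to their existing type, which is harmless but again worth a one-line why-comment; the enclosing tuned_t block continues past the end of the visible hunks.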