From 6f3a0574747642149d1016825e98e4955fae6870 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jun 08 2017 11:03:18 +0000 Subject: * Thu Jun 08 2017 Lukas Vrabec - 3.13.1-225.18 - Add a boolean to enable the use of dac_override - Add support for userns for sandbox domains - Allow zabbix_t to kill zabbix_script_t processes - Allow kdumpgui to read removable disk device - Allow virtlogd_t to execute itself - Allow keepalived to read/write usermodehelper state - Allow named_t to bind on udp 4321 port - Fix interface tlp_manage_pid_files() - Allow collectd domain read lvm config files. BZ(1459097) - Allow abrt_dump_oops_t to execute bin_t - udev wants this when unconfined disabled - Hide broken symptoms when machine is configured with network bounding. --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 4e273eb..f64ff4a 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index d34ae73..62b762d 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -10227,7 +10227,7 @@ index 6a1e4d1..08fd8e4 100644 + allow $1 domain:process rlimitinh; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..31ebde7 100644 +index cf04cb5..8d3d65b 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,49 @@ policy_module(domain, 1.11.0) @@ -10395,7 +10395,7 @@ index cf04cb5..31ebde7 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -160,11 +249,386 @@ allow unconfined_domain_type domain:msg { send receive }; +@@ -160,11 +249,387 @@ allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; 
@@ -10702,6 +10702,7 @@ index cf04cb5..31ebde7 100644 +') + +ifdef(`hide_broken_symptoms',` ++ dontaudit domain self:capability { net_admin }; + dontaudit domain self:udp_socket listen; + allow domain domain:key { link search }; + dontaudit domain domain:socket_class_set { read write }; @@ -48990,7 +48991,7 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..b41b341 100644 +index 39f185f..a313a7d 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -49020,7 +49021,7 @@ index 39f185f..b41b341 100644 -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; -+allow udev_t self:capability2 { block_suspend }; ++allow udev_t self:capability2 { block_suspend wake_alarm }; dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:capability2 block_suspend; -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 5113ce0..01537b3 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..a6d7fa7 100644 +index eb50f07..963ccdc 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) 
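Review bot: The new `dontaudit domain self:capability { net_admin };` inside the `hide_broken_symptoms` block silences CAP_NET_ADMIN denials for every domain in the policy, and that is exactly the denial a defender wants to see when a confined service starts reconfiguring interfaces, routes or firewall rules. The changelog attributes the noise to hosts configured with network bonding, so the rule should presumably be scoped to the domains that actually trip it there rather than to `domain`, or at least carry a comment naming the trigger, e.g. `# bonding setups make unrelated daemons probe net_admin; hidden here, not granted`. The braces around a single permission are also unneeded and the sibling line uses the bare form: `dontaudit domain self:capability net_admin;`. Since `hide_broken_symptoms` is an m4 build-time conditional, this cannot be switched off with a boolean once the policy is built.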
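Review bot: `allow udev_t self:capability2 { block_suspend wake_alarm };` adds a second capability with no explanation in the policy; the only rationale is the changelog line "udev wants this when unconfined disabled", which nobody reading udev.te will see. A one-line comment above the rule, e.g. `# wake_alarm: denied to udevd once the unconfined module is disabled`, keeps the reason with the rule. CAP_WAKE_ALARM is a low-impact capability for udev, so the grant itself looks acceptable.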
@@ -1058,7 +1058,7 @@ index eb50f07..a6d7fa7 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +474,79 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +474,80 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1110,6 +1110,7 @@ index eb50f07..a6d7fa7 100644 +auth_read_passwd(abrt_dump_oops_t) + +corecmd_getattr_all_executables(abrt_dump_oops_t) ++corecmd_exec_bin(abrt_dump_oops_t) + +dev_read_urand(abrt_dump_oops_t) +dev_read_rand(abrt_dump_oops_t) @@ -1142,7 +1143,7 @@ index eb50f07..a6d7fa7 100644 ####################################### # -@@ -404,25 +554,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +555,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1205,7 +1206,7 @@ index eb50f07..a6d7fa7 100644 ') ####################################### -@@ -430,10 +615,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +616,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -9813,7 +9814,7 @@ index 531a8f2..3fcf187 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..f726b13 100644 +index 1241123..bec431b 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9875,6 +9876,15 @@ index 1241123..f726b13 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) +@@ -129,7 +132,7 @@ corenet_tcp_bind_dns_port(named_t) + corenet_udp_bind_dns_port(named_t) + corenet_tcp_sendrecv_dns_port(named_t) + corenet_udp_sendrecv_dns_port(named_t) +- ++corenet_udp_bind_whois_port(named_t) + corenet_tcp_bind_rndc_port(named_t) + corenet_tcp_sendrecv_rndc_port(named_t) + 
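Review bot: `corecmd_exec_bin(abrt_dump_oops_t)` lets the oops dumper run any `bin_t` program without a domain transition, in a domain whose input is kernel log text the daemon does not control. If the denial came from one specific helper, a comment naming it and the bug would let a later reviewer narrow this to that executable's own type, e.g. `# abrt-dump-oops runs <helper> to post-process the oops; see rhbz#...`. As written, whatever it executes inherits every permission of abrt_dump_oops_t, including the `auth_read_passwd` grant three lines above and the generic log access granted elsewhere in this block.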
@@ -141,9 +144,13 @@ corenet_sendrecv_all_client_packets(named_t) corenet_tcp_connect_all_ports(named_t) corenet_tcp_sendrecv_all_ports(named_t) @@ -15688,7 +15698,7 @@ index 954309e..6780142 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..cb6a356 100644 +index 6471fa8..228b603 100644 --- a/collectd.te +++ b/collectd.te @@ -26,43 +26,61 @@ files_type(collectd_var_lib_t) @@ -15763,10 +15773,12 @@ index 6471fa8..cb6a356 100644 logging_send_syslog_msg(collectd_t) -@@ -74,17 +92,45 @@ tunable_policy(`collectd_tcp_network_connect',` - corenet_tcp_sendrecv_all_ports(collectd_t) +@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',` ') + optional_policy(` ++ lvm_read_config(collectd_t) ++') + +optional_policy(` + pdns_stream_connect(collectd_t) @@ -15788,7 +15800,7 @@ index 6471fa8..cb6a356 100644 + snmp_read_snmp_var_lib_dirs(collectd_t) +') + - optional_policy(` ++optional_policy(` virt_read_config(collectd_t) + virt_stream_connect(collectd_t) ') @@ -42205,10 +42217,10 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index 2990962..abd217f 100644 +index 2990962..6629aaf 100644 --- a/kdumpgui.te +++ b/kdumpgui.te -@@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0) +@@ -5,79 +5,90 @@ policy_module(kdumpgui, 1.2.0) # Declarations # @@ -42272,8 +42284,10 @@ index 2990962..abd217f 100644 fs_list_hugetlbfs(kdumpgui_t) -fs_read_dos_files(kdumpgui_t) - storage_raw_read_fixed_disk(kdumpgui_t) +-storage_raw_read_fixed_disk(kdumpgui_t) storage_raw_write_fixed_disk(kdumpgui_t) ++storage_raw_read_removable_device(kdumpgui_t) ++storage_raw_read_fixed_disk(kdumpgui_t) +storage_getattr_removable_dev(kdumpgui_t) auth_use_nsswitch(kdumpgui_t) @@ -42317,7 +42331,7 @@ index 2990962..abd217f 100644 ') optional_policy(` -@@ -87,4 +97,10 @@ optional_policy(` +@@ -87,4 +98,10 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -42429,10 +42443,10 @@ index 0000000..bd7e7fa +') 
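Review bot: `corenet_udp_bind_whois_port(named_t)` is added unconditionally and without a comment; the changelog says named needs UDP 4321, but the interface covers the whole `whois_port_t` set (in Fedora's corenetwork that is both 43 and 4321, to be confirmed), so this grants more than the stated port. A comment with the reason and bug would help, e.g. `# rhbz#...: named binds udp/4321 (rwhois) for ...`, and if only some deployments need it a tunable would be the usual shape. The nested hunk also drops the blank line that separated the DNS-port rules from the rndc rules; keeping it avoids a cosmetic change in the generated bind.te.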
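Review bot: The kdumpgui hunk removes `storage_raw_read_fixed_disk(kdumpgui_t)` from its original position and re-adds it after `storage_raw_write_fixed_disk(kdumpgui_t)`, which is pure reordering and makes the nested diff larger than the actual change. Keeping the existing line in place and adding only `storage_raw_read_removable_device(kdumpgui_t)` yields the same policy with a one-line hunk. On the permission itself, raw read of removable block devices exposes whatever media is plugged into the host to this GUI domain, so a comment stating which kdump target needs it (presumably a dump target on removable storage, to be confirmed) would justify the broadened access.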
diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..5187a62 +index 0000000..04c46e7 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,93 @@ +@@ -0,0 +1,95 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -42473,6 +42487,7 @@ index 0000000..5187a62 +kernel_read_system_state(keepalived_t) +kernel_read_network_state(keepalived_t) +kernel_request_load_module(keepalived_t) ++kernel_rw_usermodehelper_state(keepalived_t) + +auth_use_nsswitch(keepalived_t) + @@ -42485,6 +42500,7 @@ index 0000000..5187a62 +corenet_tcp_connect_smtp_port(keepalived_t) +corenet_tcp_connect_snmp_port(keepalived_t) +corenet_tcp_connect_agentx_port(keepalived_t) ++corenet_tcp_connect_squid_port(keepalived_t) + +domain_read_all_domains_state(keepalived_t) + @@ -109545,7 +109561,7 @@ index 0000000..eef708d +/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0) diff --git a/tlp.if b/tlp.if new file mode 100644 -index 0000000..46f12a4 +index 0000000..368e188 --- /dev/null +++ b/tlp.if @@ -0,0 +1,184 @@ @@ -109688,7 +109704,7 @@ index 0000000..46f12a4 + ') + + files_search_pids($1) -+ read_files_pattern($1, tlp_var_run_t, tlp_var_run_t) ++ manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t) +') + +######################################## @@ -110541,10 +110557,10 @@ index 61c2e07..3b86095 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde..c919a2d 100644 +index 5ceacde..a395940 100644 --- a/tor.te +++ b/tor.te -@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) +@@ -13,6 +13,20 @@ policy_module(tor, 1.9.0) ## gen_tunable(tor_bind_all_unreserved_ports, false) @@ -110555,10 +110571,17 @@ index 5ceacde..c919a2d 100644 +## +gen_tunable(tor_can_network_relay, false) + ++## ++##
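Review bot: `kernel_rw_usermodehelper_state(keepalived_t)` grants write access to the `usermodehelper_t` entries under /proc/sys/kernel, which in refpolicy include the modprobe and hotplug helper paths (to be confirmed against kernel.fc); writing those lets a compromised keepalived point the kernel at a binary it will run as root. keepalived typically executes configured check and notify scripts, so this is a strong privilege for a daemon that most likely only needs to read those files. Unless the recorded denial shows a write, `kernel_read_usermodehelper_state(keepalived_t)` is the safer choice; either way a comment quoting the denial would document why the write side is required.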

++## Allow tor to run onion services ++##

++##
++gen_tunable(tor_can_onion_services, false) ++ type tor_t; type tor_exec_t; init_daemon_domain(tor_t, tor_exec_t) -@@ -25,13 +32,19 @@ init_script_file(tor_initrc_exec_t) +@@ -25,13 +39,19 @@ init_script_file(tor_initrc_exec_t) type tor_var_lib_t; files_type(tor_var_lib_t) @@ -110578,7 +110601,7 @@ index 5ceacde..c919a2d 100644 ######################################## # -@@ -48,6 +61,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; +@@ -48,6 +68,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; allow tor_t tor_etc_t:file read_file_perms; allow tor_t tor_etc_t:lnk_file read_lnk_file_perms; @@ -110587,7 +110610,7 @@ index 5ceacde..c919a2d 100644 manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -@@ -77,7 +92,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) +@@ -77,7 +99,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) corenet_udp_sendrecv_generic_node(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) @@ -110595,7 +110618,7 @@ index 5ceacde..c919a2d 100644 corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) corenet_udp_sendrecv_dns_port(tor_t) -@@ -85,6 +99,7 @@ corenet_udp_sendrecv_dns_port(tor_t) +@@ -85,6 +106,7 @@ corenet_udp_sendrecv_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_tcp_bind_tor_port(tor_t) corenet_tcp_sendrecv_tor_port(tor_t) @@ -110603,7 +110626,7 @@ index 5ceacde..c919a2d 100644 corenet_sendrecv_all_client_packets(tor_t) corenet_tcp_connect_all_ports(tor_t) -@@ -98,19 +113,22 @@ dev_read_urand(tor_t) +@@ -98,19 +120,26 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) 
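Review bot: The description of the new `tor_can_onion_services` tunable only says "Allow tor to run onion services", while the rule it controls (the tunable_policy block added further down in tor.te) grants `dac_read_search dac_override` to tor_t; an administrator listing booleans cannot tell that enabling it lets tor bypass file permission checks. The description should name the effect, e.g. `## Allow tor to bypass DAC permission checks (dac_override, dac_read_search), typically needed when an onion service directory is owned by another user.` The tunable name could also say what it grants rather than what it is for, but renaming is a larger change than this commit needs.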
@@ -110626,6 +110649,10 @@ index 5ceacde..c919a2d 100644 + corenet_tcp_bind_http_port(tor_t) +') + ++tunable_policy(`tor_can_onion_services',` ++ allow tor_t self:capability { dac_read_search dac_override }; ++') ++ optional_policy(` seutil_sigchld_newrole(tor_t) ') @@ -115057,7 +115084,7 @@ index facdee8..487857a 100644 + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..2ed3d3a 100644 +index f03dcf5..71afe45 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,414 @@ @@ -116082,7 +116109,7 @@ index f03dcf5..2ed3d3a 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +719,344 @@ optional_policy(` +@@ -746,44 +719,347 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -116143,6 +116170,9 @@ index f03dcf5..2ed3d3a 100644 -can_exec(virsh_t, virsh_exec_t) +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; + ++# Allow virtlogd_t to execute itself. ++allow virtlogd_t virtlogd_exec_t:file execute_no_trans; ++ +dev_read_sysfs(virtlogd_t) + +logging_send_syslog_msg(virtlogd_t) @@ -116293,7 +116323,7 @@ index f03dcf5..2ed3d3a 100644 +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) - ++ +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') @@ -116385,7 +116415,7 @@ index f03dcf5..2ed3d3a 100644 + sanlock_stream_connect(virt_domain) + ') +') -+ + +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; +') @@ -116449,7 +116479,7 @@ index f03dcf5..2ed3d3a 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1067,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1070,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) 
@@ -116476,7 +116506,7 @@ index f03dcf5..2ed3d3a 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1087,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1090,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -116510,7 +116540,7 @@ index f03dcf5..2ed3d3a 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1124,20 @@ optional_policy(` +@@ -856,14 +1127,20 @@ optional_policy(` ') optional_policy(` @@ -116532,7 +116562,7 @@ index f03dcf5..2ed3d3a 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1162,66 @@ optional_policy(` +@@ -888,49 +1165,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116617,7 +116647,7 @@ index f03dcf5..2ed3d3a 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1233,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1236,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116637,7 +116667,7 @@ index f03dcf5..2ed3d3a 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1254,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1257,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -116661,7 +116691,7 @@ index f03dcf5..2ed3d3a 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1279,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1282,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -117162,7 +117192,7 @@ index f03dcf5..2ed3d3a 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1640,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -117177,7 +117207,7 @@ index f03dcf5..2ed3d3a 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1658,7 @@ optional_policy(` +@@ -1192,7 +1661,7 @@ optional_policy(` ######################################## # @@ -117186,7 +117216,7 @@ index f03dcf5..2ed3d3a 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1667,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1670,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -117418,6 +117448,7 @@ index f03dcf5..2ed3d3a 100644 +kernel_read_network_state(sandbox_net_domain) + +allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service }; ++allow sandbox_net_domain self:cap_userns { net_raw net_admin net_bind_service }; + +allow sandbox_net_domain self:udp_socket create_socket_perms; +allow sandbox_net_domain self:tcp_socket create_stream_socket_perms; @@ -117445,6 +117476,7 @@ index f03dcf5..2ed3d3a 100644 +') + +allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; ++allow sandbox_caps_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; + +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) 
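Review bot: The two new `cap_userns` rules copy the `capability` sets verbatim, so `sandbox_caps_domain` now gets the full list (`dac_override`, `setfcap`, `mknod`, `sys_chroot`, ...) inside any user namespace a sandboxed process creates, and the duplicated lists will drift the next time one of them is edited. Defining each set once (an m4 `define`) and using it for both `self:capability` and `self:cap_userns` keeps them in sync; a short comment such as `# same set as self:capability above; cap_userns applies inside user namespaces the sandbox creates` makes the intent explicit. The grant is consistent with the existing host-namespace set, so no widening beyond the user namespace is introduced.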
@@ -120806,7 +120838,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..aab4f86 100644 +index 7f496c6..bf2ae51 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -121056,7 +121088,7 @@ index 7f496c6..aab4f86 100644 corenet_sendrecv_zabbix_client_packets(zabbix_agent_t) corenet_tcp_connect_zabbix_port(zabbix_agent_t) corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) -@@ -177,21 +218,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +218,50 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) @@ -121100,6 +121132,7 @@ index 7f496c6..aab4f86 100644 +allow zabbix_t zabbix_script_exec_t:dir search_dir_perms; +allow zabbix_t zabbix_script_exec_t:dir read_file_perms; +allow zabbix_t zabbix_script_exec_t:file ioctl; ++allow zabbix_t zabbix_script_t:process signal; + +init_domtrans_script(zabbix_script_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index b98add2..3bf9127 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.17%{?dist} +Release: 225.18%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
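Review bot: `allow zabbix_t zabbix_script_t:process signal;` does not match the changelog entry "Allow zabbix_t to kill zabbix_script_t processes": in SELinux the `signal` permission covers ordinary signals such as SIGTERM, while SIGKILL is checked as the separate `sigkill` permission (and SIGSTOP as `sigstop`). If zabbix sends SIGKILL to scripts that exceed their timeout, the rule needs to be `allow zabbix_t zabbix_script_t:process { signal sigkill };`; otherwise the changelog should say signal rather than kill. A comment noting that this is for terminating timed-out external scripts would also help the next reader.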
@@ -682,6 +682,20 @@ exit 0 %endif %changelog +* Thu Jun 08 2017 Lukas Vrabec - 3.13.1-225.18 +- Add a boolean to enable the use of dac_override +- Add support for userns for sandbox domains +- Allow zabbix_t to kill zabbix_script_t processes +- Allow kdumpgui to read removable disk device +- Allow virtlogd_t to execute itself +- Allow keepalived to read/write usermodehelper state +- Allow named_t to bind on udp 4321 port +- Fix interface tlp_manage_pid_files() +- Allow collectd domain read lvm config files. BZ(1459097) +- Allow abrt_dump_oops_t to execute bin_t +- udev wants this when unconfined disabled +- Hide broken symptoms when machine is configured with network bounding. + * Mon Jun 05 2017 Lukas Vrabec - 3.13.1-225.17 - Allow dnsmasq_t domain to read systemd-resolved pid files. - Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.