From ae2eb0c592f4cfc6b04f750fabac022f2620f340 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 21 2014 20:57:19 +0000 Subject: * Tue Jan 21 2014 Miroslav Grepl 3.12.1-120 - Allow apache to write to the owncloud data directory in /var/www/html... - Allow consolekit to create log dir - Add support for icinga CGI scripts - Add support for icinga - Allow kdumpctl_t to create kdump lock file - Allow kdump to create lnk lock file - Allow nscd_t block_suspen capability - Allow unconfined domain types to manage own transient unit file - Allow systemd domains to handle transient init unit files - Add interfaces to handle transient --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 4a3079c..cb0663f 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -8888,7 +8888,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..8f294d2 100644 +index cf04cb5..61b53bc 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -9006,7 +9006,7 @@ index cf04cb5..8f294d2 100644 ') ######################################## -@@ -147,12 +207,18 @@ optional_policy(` +@@ -147,12 +207,21 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -9017,6 +9017,9 @@ index cf04cb5..8f294d2 100644 +allow unconfined_domain_type unconfined_domain_type:dbus send_msg; + ++# Allow manage transient unit files ++allow unconfined_domain_type self:service manage_service_perms; ++ # Act upon any other process. -allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; +allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap }; 
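Review bot: The new rule `allow unconfined_domain_type self:service manage_service_perms;` in the domain.te hunk targets the caller's own type, while the transient-unit interfaces this same commit adds to init.if check `init_t:service`; if systemd consults its own label for transient units (they have no unit file to carry a label), the `self` target may never be the type that is evaluated, so it is worth confirming which label systemd uses before relying on this rule. The comment above it is also a fragment; I would change it to `# Allow unconfined domains to manage their own transient units (checked against self:service)` so the choice of `self` is recorded for the next reader. The surrounding `# Use/sendto/connectto` and `# Act upon any other process` lines are pre-existing context, not part of this change.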
@@ -9026,7 +9029,7 @@ index cf04cb5..8f294d2 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +232,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +235,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -26925,7 +26928,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..197d939 100644 +index 24e7804..45d0b37 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -27907,7 +27910,7 @@ index 24e7804..197d939 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2338,360 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2338,432 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -28249,6 +28252,78 @@ index 24e7804..197d939 100644 + +######################################## +## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_start_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service start; ++') ++ ++######################################## ++## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_stop_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service stop; ++') ++ ++######################################## ++## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_reload_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service reload; ++') ++ ++######################################## ++## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_status_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service status; ++') ++ ++######################################## ++## +## Transition to init named content +## +## @@ -38113,10 +38188,10 @@ index 0000000..1d9bdfd +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..2109915 +index 0000000..0ad142f --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,653 @@ +@@ -0,0 +1,657 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -38758,6 +38833,10 @@ index 0000000..2109915 +files_read_usr_files(systemd_domain) + +init_search_pid_dirs(systemd_domain) ++init_start_transient_unit(systemd_domain) ++init_stop_transient_unit(systemd_domain) ++init_status_transient_unit(systemd_domain) ++init_reload_transient_unit(systemd_domain) + +logging_stream_connect_syslog(systemd_domain) + 
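Review bot: All four interfaces added in the init.if hunk (`init_start_transient_unit`, `init_stop_transient_unit`, `init_reload_transient_unit`, `init_status_transient_unit`) carry the template text `Tell init to do an unknown access.`, so the generated interface documentation will not say what they grant. Each needs a one-line summary naming its permission, e.g. `## Allow the specified domain to start transient systemd units.` for the first, with the other three worded for stop, reload and status. Because the permission is checked against `init_t:service` rather than a per-unit file type, the summary should also say that it covers every transient unit rather than a particular one; the callers added to systemd.te further down (`init_start_transient_unit(systemd_domain)` and its three siblings) hand this to the whole systemd_domain attribute, which that wording would make easier to audit.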
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 497806f..fe214bb 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -3067,10 +3067,10 @@ index 0000000..8ba9c95 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..fc53125 100644 +index 550a69e..908ec3b 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,161 +1,206 @@ +@@ -1,161 +1,207 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3391,6 +3391,7 @@ index 550a69e..fc53125 100644 + +/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -14334,7 +14335,7 @@ index 5b830ec..0647a3b 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/consolekit.te b/consolekit.te -index 5f0c793..d11e25b 100644 +index 5f0c793..62ae9b2 100644 --- a/consolekit.te +++ b/consolekit.te @@ -19,12 +19,16 @@ type consolekit_var_run_t; 
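Review bot: The new entry `/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` in the apache.fc hunk is pinned to one install path, whereas the neighbouring `wp-content` and `uploads` entries use `/var/www/html(/.*)?/...` to match at any depth below the document root. If ownCloud can be installed in a subdirectory, this entry will not relabel its data directory; if the fixed path is deliberate, a short comment such as `# ownCloud data directory (default install path only)` would record that. Either way, the label makes the directory writable by httpd, so the comment should also note that it must not contain executable content.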
@@ -14354,6 +14355,15 @@ index 5f0c793..d11e25b 100644 allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket { accept listen }; +@@ -33,7 +37,7 @@ create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) + append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) + read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) + setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) +-logging_log_filetrans(consolekit_t, consolekit_log_t, file) ++logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file }) + + manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) + manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) @@ -54,37 +58,36 @@ dev_read_sysfs(consolekit_t) domain_read_all_domains_state(consolekit_t) @@ -34325,7 +34335,7 @@ index 3a00b3a..21efcc4 100644 + allow $1 kdump_unit_file_t:service all_service_perms; ') diff --git a/kdump.te b/kdump.te -index 70f3007..f8b68bf 100644 +index 70f3007..58bd992 100644 --- a/kdump.te +++ b/kdump.te @@ -1,4 +1,4 @@ @@ -34334,7 +34344,7 @@ index 70f3007..f8b68bf 100644 ####################################### # -@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t) +@@ -12,35 +12,56 @@ init_system_domain(kdump_t, kdump_exec_t) type kdump_etc_t; files_config_file(kdump_etc_t) 
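Review bot: The consolekit.te hunk widens `logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })` so a directory created under /var/log gets consolekit_log_t, but the only consolekit_log_t rules visible in the hunk are file patterns (`create_files_pattern`, `append_files_pattern`, `read_files_pattern`, `setattr_files_pattern`), and a type transition does not by itself grant `dir create`. Unless a directory rule exists above the hunk, the mkdir will still be denied, so I would add `create_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` (or `manage_dirs_pattern` if ConsoleKit also removes it) next to those lines. The unnamed transition also labels every directory consolekit creates in /var/log; if it only creates `ConsoleKit`, the named form `logging_log_filetrans(consolekit_t, consolekit_log_t, dir, "ConsoleKit")` would narrow it.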
@@ -34372,13 +34382,14 @@ index 70f3007..f8b68bf 100644 +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash") -+ -+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) -allow kdump_t kdump_etc_t:file read_file_perms; ++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) ++ +manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t) +manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) -+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file }) ++manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) ++files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file }) -files_read_etc_files(kdump_t) files_read_etc_runtime_files(kdump_t) @@ -34395,7 +34406,7 @@ index 70f3007..f8b68bf 100644 dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) -@@ -48,22 +68,32 @@ term_use_console(kdump_t) +@@ -48,22 +69,35 @@ term_use_console(kdump_t) ####################################### # @@ -34409,12 +34420,14 @@ index 70f3007..f8b68bf 100644 + allow kdumpctl_t self:capability { dac_override sys_chroot }; allow kdumpctl_t self:process setfscreate; --allow kdumpctl_t self:fifo_file rw_fifo_file_perms; ++ + allow kdumpctl_t self:fifo_file rw_fifo_file_perms; -allow kdumpctl_t self:unix_stream_socket { accept listen }; ++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms; -allow kdumpctl_t kdump_etc_t:file read_file_perms; -+allow kdumpctl_t self:fifo_file rw_fifo_file_perms; -+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms; ++manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t) ++files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump") manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) +manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) 
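Review bot: In the two kdump.te hunks the domains sharing kdump_lock_t get inconsistent transitions: kdump_t receives the unnamed `files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file })`, which relabels everything it creates under the lock directory, while kdumpctl_t in the following hunk receives the named `files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump")`. If kdump_t likewise only creates the `kdump` lock, the same name filter should be used there; if it genuinely creates directories and symlinks of varying names under /var/lock, a comment saying which ones would help, since `manage_lnk_files_pattern` on a lock type is uncommon. Both hunks sit inside the kdump_t and kdumpctl_t policy sections, whose starts are outside the hunks.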
@@ -34433,7 +34446,7 @@ index 70f3007..f8b68bf 100644 kernel_read_system_state(kdumpctl_t) -@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t) +@@ -71,46 +105,56 @@ corecmd_exec_bin(kdumpctl_t) corecmd_exec_shell(kdumpctl_t) dev_read_sysfs(kdumpctl_t) @@ -47959,41 +47972,51 @@ index 0000000..395c2fd + mysql_tcp_connect(httpd_mythtv_script_t) +') diff --git a/nagios.fc b/nagios.fc -index d78dfc3..a00cc2d 100644 +index d78dfc3..1c81436 100644 --- a/nagios.fc 
+++ b/nagios.fc -@@ -1,88 +1,97 @@ +@@ -1,88 +1,109 @@ -/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) -/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) ++/etc/icinga(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) +/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/bin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/sbin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib/cgi-bin/netsaint(/.*)? 
gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) ++/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/icinga/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++/var/log/icinga(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) ++/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) ++ ++/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++ +ifdef(`distro_debian',` +/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +') @@ -48013,9 +48036,9 @@ index d78dfc3..a00cc2d 100644 -/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) +# mail plugins +/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) -+ -+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) ++/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) ++ +# system plugins /usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) 
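Review bot: The nagios.fc hunk adds Icinga's config, binaries, CGI, log and spool paths under the Nagios types, but the moved `/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)` gets no Icinga counterpart, and the `/usr/lib/pnp4nagios(/.*)?` nagios_var_lib_t entry in the next hunk has none either. If icinga writes its pid or command files under `/var/run/icinga`, they would fall back to the generic run label; a matching `/var/run/icinga.* gen_context(system_u:object_r:nagios_var_run_t,s0)` line next to the nagios one appears to be missing, unless it is covered elsewhere in the file. A comment grouping the new entries, e.g. `# Icinga is a Nagios fork and shares its types`, would also explain why the labels are reused.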
@@ -48106,10 +48129,11 @@ index d78dfc3..a00cc2d 100644 -/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) -/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) -- --/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) +# eventhandlers +/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) ++/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) + +-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) diff --git a/nagios.if b/nagios.if index 0641e97..d7d9a79 100644 --- a/nagios.if @@ -51233,7 +51257,7 @@ index 8f2ab09..6ab4ea1 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index df4c10f..8c09c68 100644 +index df4c10f..fb50d4a 100644 --- a/nscd.te +++ b/nscd.te @@ -1,36 +1,37 @@ @@ -51285,7 +51309,11 @@ index df4c10f..8c09c68 100644 type nscd_log_t; logging_log_file(nscd_log_t) -@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid }; +@@ -40,56 +41,58 @@ logging_log_file(nscd_log_t) + # + + allow nscd_t self:capability { kill setgid setuid }; ++allow nscd_t self:capability2 block_suspend; dontaudit nscd_t self:capability sys_tty_config; allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; allow nscd_t self:fifo_file read_fifo_file_perms; @@ -51358,7 +51386,7 @@ index df4c10f..8c09c68 100644 corenet_rw_tun_tap_dev(nscd_t) selinux_get_fs_mount(nscd_t) -@@ -98,16 +100,23 @@ selinux_compute_access_vector(nscd_t) +@@ -98,16 +101,23 @@ selinux_compute_access_vector(nscd_t) selinux_compute_create_context(nscd_t) selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) 
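Review bot: The new entry `/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)` copies the `(/.*)` suffix of the nagios line above it, which has no trailing `?`, so the eventhandlers directory itself is not matched, only entries below it. If that is intended (the directory keeps the surrounding lib label), a comment should say so; otherwise `(/.*)?` is the form the other directory entries in this file use. The same pattern on the nagios line is pre-existing context, not part of this change.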
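Review bot: `allow nscd_t self:capability2 block_suspend;` in the nscd.te hunk grants a capability with no comment saying which operation needs it, and the matching changelog entry (`block_suspen`) is misspelled. I would add `# block_suspend: presumably for EPOLLWAKEUP use in nscd — confirm against the audit denial` above the rule so the trigger is recorded. The rule sits in the nscd_t local policy section, which starts outside the hunk.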
@@ -51383,7 +51411,7 @@ index df4c10f..8c09c68 100644 userdom_dontaudit_use_user_terminals(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) -@@ -121,20 +130,31 @@ optional_policy(` +@@ -121,20 +131,31 @@ optional_policy(` ') optional_policy(` @@ -82793,7 +82821,7 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..e45c73a +index 0000000..e30b346 --- /dev/null +++ b/sandboxX.if @@ -0,0 +1,393 @@ @@ -82841,7 +82869,7 @@ index 0000000..e45c73a + dontaudit sandbox_x_domain $1:fifo_file { read write }; + dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; -+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; ++ dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:process { signal sigkill }; + + allow $1 sandbox_tmpfs_type:file manage_file_perms; @@ -83192,7 +83220,7 @@ index 0000000..e45c73a +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..4566e9b +index 0000000..0161658 --- /dev/null +++ b/sandboxX.te @@ -0,0 +1,498 @@ @@ -83479,6 +83507,10 @@ index 0000000..4566e9b + fs_exec_fusefs_files(sandbox_x_domain) +') + ++optional_policy(` ++ networkmanager_dontaudit_dbus_chat(sandbox_x_domain) ++') ++ +files_search_home(sandbox_x_t) +userdom_use_user_ptys(sandbox_x_t) + @@ -83635,10 +83667,6 @@ index 0000000..4566e9b +') + +optional_policy(` -+ networkmanager_dontaudit_dbus_chat(sandbox_web_type) -+') -+ -+optional_policy(` + nsplugin_manage_rw(sandbox_web_type) + nsplugin_read_rw_files(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) diff --git a/selinux-policy.spec b/selinux-policy.spec index b842728..cd8b928 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
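Review bot: The sandboxX.if hunk widens `dontaudit sandbox_x_domain $1:unix_stream_socket { read write };` to `rw_socket_perms`, which also silences denials for `connect`, `bind`, `ioctl`, `setopt` and the other socket permissions on the caller's unix sockets. A dontaudit grants nothing, but hiding connect or bind attempts from a sandboxed X domain removes the audit trail an operator would use to notice a sandbox reaching for the parent's sockets; keeping `{ read write }` plus only the permission that was actually noisy would be the narrower change. If the broad set is kept, a comment such as `# inherited fds from the caller: silence all socket ops, not only read/write` would record why. The interface containing this line starts outside the hunk.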
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 119%{?dist} +Release: 120%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,9 +579,20 @@ SELinux Reference policy mls base module. %endif %changelog -* Mon Jan 20 2014 Miroslav Grepl 3.12.1-118 +* Tue Jan 21 2014 Miroslav Grepl 3.12.1-120 +- Allow apache to write to the owncloud data directory in /var/www/html... +- Allow consolekit to create log dir +- Add support for icinga CGI scripts +- Add support for icinga +- Allow kdumpctl_t to create kdump lock file +- Allow kdump to create lnk lock file +- Allow nscd_t block_suspen capability +- Allow unconfined domain types to manage own transient unit file +- Allow systemd domains to handle transient init unit files +- Add interfaces to handle transient + +* Mon Jan 20 2014 Miroslav Grepl 3.12.1-119 - Add cron unconfined role support for uncofined SELinux user -- Call kernel_rw_usermodehelper_state() in init.te - Call corenet_udp_bind_all_ports() in milter.te - Allow fence_virtd to connect to zented port - Fix header for mirrormanager_admin() @@ -594,11 +605,9 @@ SELinux Reference policy mls base module. - Allow bumblebee to stream connect to xserver - Allow bumblebee to send a signal to xserver - gnome-thumbnail to stream connect to bumblebee -- Fix calling usermodehelper to use _state in interface name - Allow xkbcomp running as bumblebee_t to execute bin_t - Allow logrotate to read squid.conf - Additional rules to get docker and lxc to play well with SELinux -- Call kernel_read_usermodhelper/kernel_rw_usermodhelper - Allow bumbleed to connect to xserver port - Allow pegasus_openlmi_storage_t to read hwdata