From dacdd7fae3989b52ea07cb885233c76f00fea67c Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 12 2014 12:19:44 +0000 Subject: * Tue Aug 12 2014 Lukas Vrabec 3.12.1-180 - label /usr/libexec/cockpit-agent as shell_exec_t - sysadm_t should be allowed to communicate with networkmanager - Allow sysadm_t to create netlink_tcpdiag socket - Label also /var/run/glusterd.socket file as gluster_var_run_t - Label conmans pid file as conman_var_run_t - Allow certmonger to stream connect to dirsrv to make ipa-server-install working. - Allow sensord to send a signal. - Dontaudit attempts to access check cert dirs/files for sssd. - Label keystone var run dir (#1123013) - Label neutron var run dir (#1123013) - Allow bacula manage bacula_log_t dirs - Fix typo in bacula.te and add filetrans also for bacula log files. - docker needs more access, need back port to RHEL7 - Allow alsa to create lock file to see if it fixes #1123423. - Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports - Dontaudit write access on generic cert files. We don't audit also access check. - Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t. - Back port modemmanager for F21. - docker does a getattr on all file systems - Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port. - shell_exec_t should not be in cockip.fc - Allow smokeping cgi script to send syslog messages (#1122163) - Allow cachefilesd_t to send itself signals - Allow svirt domains to manage chr files and blk files for mknod commands - docker needs setfcap --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 99ed4bf..4ceed02 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -3452,7 +3452,7 @@ index 7590165..85186a9 100644 + fs_mounton_fusefs(seunshare_domain) ') 
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..6f006ec 100644 +index 644d4d7..c8ab679 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3649,7 +3649,7 @@ index 644d4d7..6f006ec 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -241,10 +285,15 @@ ifdef(`distro_gentoo',` +@@ -241,26 +285,39 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3665,7 +3665,15 @@ index 644d4d7..6f006ec 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -257,10 +306,17 @@ ifdef(`distro_gentoo',` + + /usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +- + /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ + /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) +-/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
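Review bot: Labeling `/usr/libexec/cockpit-agent` as `shell_exec_t` (the new entry next to `sesh` in the corecommands.fc hunk) makes it executable in-domain by every domain that has `corecmd_exec_shell`, with no domain transition, so the agent inherits whatever privileges its caller holds rather than getting a type of its own. That is presumably intended because cockpit-session runs it as the user's shell, but nothing in the hunk says so; a one-line comment above the entry, `# cockpit-agent is spawned as the login shell by cockpit-session, hence shell_exec_t`, would stop the next maintainer from "fixing" it back to bin_t, especially now that the cockpit.fc copy of this line is removed elsewhere in the commit. If the agent ever needs to be confined differently from a generic shell, a dedicated exec type with a transition from the session domain would be the cleaner route.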
@@ -3673,20 +3681,20 @@ index 644d4d7..6f006ec 100644 -/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0) - ++ +/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) +/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0) +/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) -+ + +/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -269,6 +325,7 @@ ifdef(`distro_gentoo',` +@@ -269,6 +326,7 @@ ifdef(`distro_gentoo',` /usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) @@ -3694,7 +3702,7 @@ index 644d4d7..6f006ec 100644 /usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -276,10 +333,15 @@ ifdef(`distro_gentoo',` +@@ -276,10 +334,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3710,7 +3718,7 @@ index 644d4d7..6f006ec 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -294,16 +356,22 @@ ifdef(`distro_gentoo',` +@@ -294,16 +357,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3735,7 +3743,7 @@ index 644d4d7..6f006ec 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -321,20 +389,27 @@ ifdef(`distro_redhat', ` +@@ -321,20 +390,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3764,7 +3772,7 @@ index 644d4d7..6f006ec 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -342,6 +417,7 @@ ifdef(`distro_redhat', ` +@@ -342,6 +418,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3772,7 +3780,7 @@ index 644d4d7..6f006ec 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +459,16 @@ ifdef(`distro_suse', ` +@@ -383,11 +460,16 @@ ifdef(`distro_suse', ` # # /var # @@ -3790,7 +3798,7 @@ index 644d4d7..6f006ec 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +478,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +479,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -20880,10 +20888,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..4a77968 100644 +index 88d0028..e49b8da 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) +@@ -5,39 +5,87 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -20897,11 +20905,12 @@ index 88d0028..4a77968 100644 role sysadm_r; userdom_admin_user_template(sysadm) ++allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -ifndef(`enable_mls',` - userdom_security_admin_template(sysadm_t, sysadm_r) -') -- + ######################################## # # Local policy @@ -20980,7 +20989,7 @@ index 88d0028..4a77968 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +101,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +103,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -20995,7 +21004,7 @@ index 88d0028..4a77968 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +111,9 @@ optional_policy(` +@@ -71,9 +113,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) 
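Review bot: The new `allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;` in sysadm.te is placed in the Declarations section, between `userdom_admin_user_template(sysadm)` and the `# Local policy` banner, where the rest of the file keeps only type and role declarations; it belongs below the banner with the other `allow` rules. As far as I recall, `create_netlink_socket_perms` in refpolicy's permission sets includes `nlmsg_write` as well as `nlmsg_read` (worth confirming against obj_perm_sets.spt in this tree); if the goal is `ss`-style socket listing, read-only diagnostics is all that is needed and `allow sysadm_t self:netlink_tcpdiag_socket r_netlink_socket_perms;` keeps the admin role's netlink footprint minimal.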
@@ -21006,7 +21015,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -87,6 +127,7 @@ optional_policy(` +@@ -87,6 +129,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -21014,7 +21023,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -110,11 +151,17 @@ optional_policy(` +@@ -110,11 +153,17 @@ optional_policy(` ') optional_policy(` @@ -21032,20 +21041,20 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -122,11 +169,19 @@ optional_policy(` +@@ -122,11 +171,19 @@ optional_policy(` ') optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) ++') ++ ++optional_policy(` ++ consoletype_exec(sysadm_t) ') optional_policy(` - cvs_exec(sysadm_t) -+ consoletype_exec(sysadm_t) -+') -+ -+optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + @@ -21054,7 +21063,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -140,6 +195,10 @@ optional_policy(` +@@ -140,6 +197,10 @@ optional_policy(` ') optional_policy(` @@ -21065,7 +21074,7 @@ index 88d0028..4a77968 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +215,11 @@ optional_policy(` +@@ -156,11 +217,11 @@ optional_policy(` ') optional_policy(` @@ -21079,7 +21088,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -179,6 +238,13 @@ optional_policy(` +@@ -179,6 +240,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -21093,7 +21102,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -186,15 +252,20 @@ optional_policy(` +@@ -186,15 +254,20 @@ optional_policy(` ') optional_policy(` 
@@ -21105,19 +21114,19 @@ index 88d0028..4a77968 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) -+ kudzu_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') optional_policy(` -@@ -214,22 +285,20 @@ optional_policy(` +@@ -214,22 +287,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -21146,7 +21155,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -241,14 +310,27 @@ optional_policy(` +@@ -241,14 +312,28 @@ optional_policy(` ') optional_policy(` @@ -21161,6 +21170,7 @@ index 88d0028..4a77968 100644 optional_policy(` + networkmanager_filetrans_named_content(sysadm_t) ++ networkmanager_stream_connect(sysadm_t) +') + +optional_policy(` @@ -21174,7 +21184,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -256,10 +338,20 @@ optional_policy(` +@@ -256,10 +341,20 @@ optional_policy(` ') optional_policy(` @@ -21195,7 +21205,7 @@ index 88d0028..4a77968 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,35 +362,41 @@ optional_policy(` +@@ -270,35 +365,41 @@ optional_policy(` ') optional_policy(` @@ -21244,7 +21254,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -312,6 +410,7 @@ optional_policy(` +@@ -312,6 +413,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -21252,7 +21262,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -319,12 +418,20 @@ optional_policy(` +@@ -319,12 +421,20 @@ optional_policy(` ') optional_policy(` 
@@ -21274,7 +21284,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -349,7 +456,18 @@ optional_policy(` +@@ -349,7 +459,18 @@ optional_policy(` ') optional_policy(` @@ -21294,7 +21304,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -360,19 +478,15 @@ optional_policy(` +@@ -360,19 +481,15 @@ optional_policy(` ') optional_policy(` @@ -21316,7 +21326,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -384,10 +498,6 @@ optional_policy(` +@@ -384,10 +501,6 @@ optional_policy(` ') optional_policy(` @@ -21327,7 +21337,7 @@ index 88d0028..4a77968 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +505,9 @@ optional_policy(` +@@ -395,6 +508,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -21337,7 +21347,7 @@ index 88d0028..4a77968 100644 ') optional_policy(` -@@ -402,31 +515,34 @@ optional_policy(` +@@ -402,31 +518,34 @@ optional_policy(` ') optional_policy(` @@ -21378,7 +21388,7 @@ index 88d0028..4a77968 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +555,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +558,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21389,7 +21399,7 @@ index 88d0028..4a77968 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +575,79 @@ ifndef(`distro_redhat',` +@@ -463,15 +578,79 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 9efc54b..3cc1787 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -566,7 +566,7 @@ index 058d908..cf17e67 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..721bfee 100644 +index cc43d25..9b01e12 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ 
@@ -802,7 +802,7 @@ index cc43d25..721bfee 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +193,42 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +193,43 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -842,13 +842,14 @@ index cc43d25..721bfee 100644 +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) +miscfiles_dontaudit_access_check_cert(abrt_t) ++miscfiles_dontaudit_write_generic_cert_files(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +236,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +237,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -865,7 +866,7 @@ index cc43d25..721bfee 100644 ') optional_policy(` -@@ -209,6 +248,20 @@ optional_policy(` +@@ -209,6 +249,20 @@ optional_policy(` ') optional_policy(` @@ -886,7 +887,7 @@ index cc43d25..721bfee 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -221,6 +274,11 @@ optional_policy(` +@@ -221,6 +275,11 @@ optional_policy(` ') optional_policy(` @@ -898,7 +899,7 @@ index cc43d25..721bfee 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -230,6 +288,7 @@ optional_policy(` +@@ -230,6 +289,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -906,7 +907,7 @@ index cc43d25..721bfee 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +299,17 @@ optional_policy(` +@@ -240,9 +300,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') 
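Review bot: `miscfiles_dontaudit_write_generic_cert_files(abrt_t)` silences the audit record for a root daemon attempting to write the system certificate store, which is exactly the denial an operator would want to see if it ever happened for real; the denial stays enforced, only the log line is lost. If the writes come from a library opening the cert database read-write by default (libcurl/NSS is the usual culprit, but the hunk does not show the cause), say so next to the rule, e.g. `# cert db is opened O_RDWR by the library; write is never needed, so hide the noise rather than allow it`, and check whether the access-check dontaudit on the line above already covers the observed AVCs without hiding writes. Without such a comment the pair of dontaudits reads as a blanket suppression of CA-store tampering attempts.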
@@ -925,7 +926,7 @@ index cc43d25..721bfee 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +320,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +321,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -940,7 +941,7 @@ index cc43d25..721bfee 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +339,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +340,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -948,7 +949,7 @@ index cc43d25..721bfee 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +348,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +349,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -969,7 +970,7 @@ index cc43d25..721bfee 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +369,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +370,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -996,7 +997,7 @@ index cc43d25..721bfee 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +405,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +406,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) 
@@ -1010,7 +1011,7 @@ index cc43d25..721bfee 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +423,11 @@ optional_policy(` +@@ -330,10 +424,11 @@ optional_policy(` ####################################### # @@ -1024,7 +1025,7 @@ index cc43d25..721bfee 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +446,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +447,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1086,7 +1087,7 @@ index cc43d25..721bfee 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +504,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +505,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1933,16 +1934,18 @@ index 0000000..a95a4ad +') + diff --git a/alsa.fc b/alsa.fc -index 5de1e01..e5ab7ff 100644 +index 5de1e01..6620b08 100644 --- a/alsa.fc +++ b/alsa.fc -@@ -19,4 +19,8 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) +@@ -19,4 +19,10 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) + ++/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_lock_t,s0) ++ +/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0) + +/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0) 
@@ -2060,10 +2063,19 @@ index 708b743..cc78465 100644 + ps_process_pattern($1, alsa_t) ') diff --git a/alsa.te b/alsa.te -index cda6d20..a80ddb9 100644 +index cda6d20..e1c91b5 100644 --- a/alsa.te +++ b/alsa.te -@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t) +@@ -15,22 +15,32 @@ role alsa_roles types alsa_t; + type alsa_etc_rw_t; + files_config_file(alsa_etc_rw_t) + ++type alsa_lock_t; ++files_lock_file(alsa_lock_t) ++ + type alsa_tmp_t; + files_tmp_file(alsa_tmp_t) + type alsa_var_lib_t; files_type(alsa_var_lib_t) @@ -2089,7 +2101,17 @@ index cda6d20..a80ddb9 100644 allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket { accept listen }; -@@ -51,7 +58,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) +@@ -43,6 +53,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) + + can_exec(alsa_t, alsa_exec_t) + ++manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t) ++files_lock_filetrans(alsa_t, alsa_lock_t, file) ++ + manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) + manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) + files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) +@@ -51,7 +64,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) @@ -2103,7 +2125,7 @@ index cda6d20..a80ddb9 100644 corecmd_exec_bin(alsa_t) -@@ -59,7 +72,6 @@ dev_read_sound(alsa_t) +@@ -59,7 +78,6 @@ dev_read_sound(alsa_t) dev_read_sysfs(alsa_t) dev_write_sound(alsa_t) @@ -2111,7 +2133,7 @@ index cda6d20..a80ddb9 100644 files_search_var_lib(alsa_t) term_dontaudit_use_console(alsa_t) -@@ -72,8 +84,6 @@ init_use_fds(alsa_t) +@@ -72,8 +90,6 @@ init_use_fds(alsa_t) logging_send_syslog_msg(alsa_t) @@ -8504,10 +8526,10 @@ index dcd774e..c240ffa 100644 allow $1 bacula_t:process { ptrace signal_perms }; 
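Review bot: `files_lock_filetrans(alsa_t, alsa_lock_t, file)` in alsa.te is an unnamed transition, so every regular file alsa_t creates directly under /var/lock becomes alsa_lock_t, while the matching alsa.fc entry is the single file `/var/lock/asound\.state\.lock`; restorecon and runtime labeling would then disagree for any other file alsa_t drops there. If this tree's `files_lock_filetrans` accepts the optional name argument (the patch series uses named transitions elsewhere), pin it: `files_lock_filetrans(alsa_t, alsa_lock_t, file, "asound.state.lock")`. `manage_files_pattern` on the lock type is broader than a lock file strictly needs, but it matches how the other alsa_t file types in this file are written.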
diff --git a/bacula.te b/bacula.te -index 3beba2f..12cd4f6 100644 +index 3beba2f..a6d4fb0 100644 --- a/bacula.te +++ b/bacula.te -@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t; +@@ -43,16 +43,18 @@ role bacula_admin_roles types bacula_admin_t; # Local policy # @@ -8516,7 +8538,18 @@ index 3beba2f..12cd4f6 100644 allow bacula_t self:process signal; allow bacula_t self:fifo_file rw_fifo_file_perms; allow bacula_t self:tcp_socket { accept listen }; -@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t) + + read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t) + ++manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t) + append_files_pattern(bacula_t, bacula_log_t, bacula_log_t) + create_files_pattern(bacula_t, bacula_log_t, bacula_log_t) + setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t) ++logging_log_filetrans(bacula_t, bacula_log_t, { file dir }) + + manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t) + manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t) +@@ -88,6 +90,10 @@ corenet_udp_bind_generic_node(bacula_t) corenet_sendrecv_generic_server_packets(bacula_t) corenet_udp_bind_generic_port(bacula_t) @@ -8527,7 +8560,7 @@ index 3beba2f..12cd4f6 100644 corenet_sendrecv_hplip_server_packets(bacula_t) corenet_tcp_bind_hplip_port(bacula_t) corenet_udp_bind_hplip_port(bacula_t) -@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t) +@@ -105,6 +111,7 @@ files_read_all_symlinks(bacula_t) fs_getattr_xattr_fs(bacula_t) fs_list_all(bacula_t) @@ -8535,7 +8568,7 @@ index 3beba2f..12cd4f6 100644 auth_read_shadow(bacula_t) logging_send_syslog_msg(bacula_t) -@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) +@@ -148,9 +155,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) domain_use_interactive_fds(bacula_admin_t) @@ -10460,10 +10493,10 @@ index 8de2ab9..3b41945 100644 + domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) ') 
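Review bot: `manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)` in bacula.te is missing the space after the first argument, unlike every other pattern call in the hunk; make it `manage_dirs_pattern(bacula_t, bacula_log_t, bacula_log_t)`. The file rules directly below it stay at append/create/setattr rather than manage, which is the right least-privilege shape for a log type, so only the new dir rule and `logging_log_filetrans(bacula_t, bacula_log_t, { file dir })` widen access here.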
diff --git a/cachefilesd.te b/cachefilesd.te -index 581c8ef..2c71b1d 100644 +index 581c8ef..2d9508e 100644 --- a/cachefilesd.te +++ b/cachefilesd.te -@@ -1,52 +1,143 @@ +@@ -1,52 +1,144 @@ -policy_module(cachefilesd, 1.0.1) +############################################################################### +# @@ -10556,6 +10589,7 @@ index 581c8ef..2c71b1d 100644 +# rules. +# allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; ++allow cachefilesd_t self:process signal_perms; +# Allow manipulation of pid file +allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; @@ -10949,7 +10983,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 2354e21..cc0fe4f 100644 +index 2354e21..3a07ee5 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -11038,7 +11072,7 @@ index 2354e21..cc0fe4f 100644 ') optional_policy(` -@@ -92,11 +109,51 @@ optional_policy(` +@@ -92,11 +109,52 @@ optional_policy(` ') optional_policy(` @@ -11046,6 +11080,7 @@ index 2354e21..cc0fe4f 100644 + dirsrv_manage_config(certmonger_t) + dirsrv_signal(certmonger_t) + dirsrv_signull(certmonger_t) ++ dirsrv_stream_connect(certmonger_t) +') + +optional_policy(` @@ -11539,7 +11574,7 @@ index 0000000..7beaafe +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..b4f29e9 +index 0000000..654098e --- /dev/null +++ b/chrome.te @@ -0,0 +1,249 @@ 
@@ -11751,7 +11786,7 @@ index 0000000..b4f29e9 + +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; -+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share }; ++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal sigchld share }; + +manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) +fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file) @@ -13424,10 +13459,10 @@ index 2a71346..3a38b11 100644 ') diff --git a/cockpit.fc b/cockpit.fc new file mode 100644 -index 0000000..276ea8a +index 0000000..b71de28 --- /dev/null +++ b/cockpit.fc -@@ -0,0 +1,10 @@ +@@ -0,0 +1,8 @@ +# cockpit stuff + +/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) @@ -13436,8 +13471,6 @@ index 0000000..276ea8a +/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) -+ -+/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0) diff --git a/cockpit.if b/cockpit.if new file mode 100644 index 0000000..573dcae @@ -14894,10 +14927,10 @@ index 3f2b672..8fb887d 100644 +') diff --git a/conman.fc b/conman.fc new file mode 100644 -index 0000000..5f97ba9 +index 0000000..d2f5c80 --- /dev/null +++ b/conman.fc -@@ -0,0 +1,7 @@ +@@ -0,0 +1,8 @@ +/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0) + +/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0) @@ -14905,6 +14938,7 @@ index 0000000..5f97ba9 +/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0) +/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0) + ++/var/run/conmand.* -- gen_context(system_u:object_r:conman_var_run_t,s0) 
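Review bot: `/var/run/conmand.* -- gen_context(system_u:object_r:conman_var_run_t,s0)` in conman.fc matches any regular file in /var/run whose name starts with `conmand`, not just the daemon's pid file, which is wider than the other entries in that file. If the pid file is `conmand.pid`, escape the dot and name it: `/var/run/conmand\.pid -- gen_context(system_u:object_r:conman_var_run_t,s0)`. If conmand also creates a socket there, that needs a separate `-s` entry, since `--` only matches regular files.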
diff --git a/conman.if b/conman.if new file mode 100644 index 0000000..54b4b04 @@ -15055,10 +15089,10 @@ index 0000000..54b4b04 +') diff --git a/conman.te b/conman.te new file mode 100644 -index 0000000..d6b0314 +index 0000000..ccff09f --- /dev/null +++ b/conman.te -@@ -0,0 +1,49 @@ +@@ -0,0 +1,55 @@ +policy_module(conman, 1.0.0) + +######################################## @@ -15073,6 +15107,9 @@ index 0000000..d6b0314 +type conman_log_t; +logging_log_file(conman_log_t) + ++type conman_var_run_t; ++files_pid_file(conman_var_run_t) ++ +type conman_unit_file_t; +systemd_unit_file(conman_unit_file_t) + @@ -15092,13 +15129,16 @@ index 0000000..d6b0314 +manage_files_pattern(conman_t, conman_log_t, conman_log_t) +logging_log_filetrans(conman_t, conman_log_t, { dir }) + ++manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t) ++files_pid_filetrans(conman_t, conman_var_run_t, file) ++ ++auth_read_passwd(conman_t) ++ +corenet_tcp_bind_generic_node(conman_t) +corenet_tcp_bind_conman_port(conman_t) + +corecmd_exec_bin(conman_t) + -+auth_read_passwd(conman_t) -+ +logging_send_syslog_msg(conman_t) + +sysnet_dns_name_resolve(conman_t) @@ -21596,7 +21636,7 @@ index a7326da..c87b5b7 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/denyhosts.te b/denyhosts.te -index bcb9770..b53e611 100644 +index bcb9770..7f0c21f 100644 --- a/denyhosts.te +++ b/denyhosts.te @@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) 
@@ -21617,8 +21657,14 @@ index bcb9770..b53e611 100644 corenet_all_recvfrom_netlabel(denyhosts_t) corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) -@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t) +@@ -57,13 +59,17 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t) + corenet_tcp_connect_smtp_port(denyhosts_t) + corenet_tcp_sendrecv_smtp_port(denyhosts_t) ++corenet_sendrecv_sype_transport_client_packets(denyhosts_t) ++corenet_tcp_connect_sype_transport_port(denyhosts_t) ++corenet_tcp_sendrecv_sype_transport_port(denyhosts_t) ++ dev_read_urand(denyhosts_t) +auth_use_nsswitch(denyhosts_t) @@ -21631,7 +21677,7 @@ index bcb9770..b53e611 100644 sysnet_dns_name_resolve(denyhosts_t) sysnet_manage_config(denyhosts_t) sysnet_etc_filetrans_config(denyhosts_t) -@@ -71,3 +73,7 @@ sysnet_etc_filetrans_config(denyhosts_t) +@@ -71,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t) optional_policy(` cron_system_entry(denyhosts_t, denyhosts_exec_t) ') @@ -24216,10 +24262,10 @@ index 0000000..683dfdc +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..73e71c1 +index 0000000..342d8bf --- /dev/null +++ b/docker.te -@@ -0,0 +1,274 @@ +@@ -0,0 +1,277 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -24279,7 +24325,7 @@ index 0000000..73e71c1 +# +# docker local policy +# -+allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service }; ++allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service setfcap }; +allow docker_t self:process { getattr signal_perms }; +allow docker_t self:fifo_file rw_fifo_file_perms; +allow docker_t self:unix_stream_socket create_stream_socket_perms; @@ -24335,6 +24381,7 @@ index 0000000..73e71c1 +kernel_read_network_state(docker_t) +kernel_read_all_sysctls(docker_t) +kernel_rw_net_sysctls(docker_t) ++kernel_setsched(docker_t) + +domain_use_interactive_fds(docker_t) + 
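Review bot: Adding `setfcap` to the `allow docker_t self:capability` line lets the daemon set file capabilities on anything it can write, and docker_t already carries chown/fowner/fsetid/mknod plus raw fixed-disk access, so this is another root-equivalent knob with no hint in the hunk as to why. Presumably it is for restoring file capabilities when unpacking image layers, but that should be stated, e.g. `# setfcap: image layer extraction restores file capabilities on unpacked binaries`, so a later audit does not drop it as unused. The same file's new `kernel_setsched(docker_t)` is also uncommented; docker.te is a new file and the rule block continues past this hunk.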
@@ -24358,6 +24405,7 @@ index 0000000..73e71c1 + +fs_read_cgroup_files(docker_t) +fs_read_tmpfs_symlinks(docker_t) ++fs_search_all(docker_t) +fs_getattr_all_fs(docker_t) + +storage_raw_rw_fixed_disk(docker_t) @@ -24375,6 +24423,7 @@ index 0000000..73e71c1 +mount_domtrans(docker_t) + +seutil_read_default_contexts(docker_t) ++seutil_read_config(docker_t) + +sysnet_dns_name_resolve(docker_t) +sysnet_exec_ifconfig(docker_t) @@ -29321,7 +29370,7 @@ index e0a4f46..2d17fe6 100644 +') diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..9614520 +index 0000000..d9ea45b --- /dev/null +++ b/glusterd.fc @@ -0,0 +1,16 @@ @@ -29340,7 +29389,7 @@ index 0000000..9614520 +/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) + +/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) -+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) ++/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterd.if b/glusterd.if new file mode 100644 index 0000000..1ed97fe @@ -38553,7 +38602,7 @@ index adfe3dc..a60b664 100644 - -miscfiles_read_localization(keyboardd_t) diff --git a/keystone.fc b/keystone.fc -index b273d80..186cd86 100644 +index b273d80..6a07210 100644 --- a/keystone.fc +++ b/keystone.fc @@ -1,3 +1,5 @@ @@ -38562,6 +38611,12 @@ index b273d80..186cd86 100644 /etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0) /usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0) +@@ -5,3 +7,5 @@ + /var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0) + + /var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0) ++ ++/var/run/keystone(/.*)? gen_context(system_u:object_r:keystone_var_run_t,s0) diff --git a/keystone.if b/keystone.if index d3e7fc9..f20248c 100644 --- a/keystone.if @@ -38802,10 +38857,16 @@ index d3e7fc9..f20248c 100644 + ') ') 
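Review bot: In the glusterd.fc hunk the replacement line `/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)` keeps the `--` file-type field, which restricts the match to regular files, so a socket at /var/run/glusterd.socket still does not receive glusterd_var_run_t from this entry; the unescaped `.*` also widens the match to any regular file whose name starts with `glusterd`. If the socket is the target, label it with the socket specifier, `/var/run/glusterd\.socket -s gen_context(system_u:object_r:glusterd_var_run_t,s0)`, and keep the escaped `/var/run/glusterd\.pid --` line that this hunk removes for the pid file.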
diff --git a/keystone.te b/keystone.te -index 3494d9b..477d7b6 100644 +index 3494d9b..6009a94 100644 --- a/keystone.te +++ b/keystone.te -@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t) +@@ -18,13 +18,20 @@ logging_log_file(keystone_log_t) + type keystone_var_lib_t; + files_type(keystone_var_lib_t) + ++type keystone_var_run_t; ++files_pid_file(keystone_var_run_t) ++ type keystone_tmp_t; files_tmp_file(keystone_tmp_t) @@ -38820,7 +38881,18 @@ index 3494d9b..477d7b6 100644 allow keystone_t self:fifo_file rw_fifo_file_perms; allow keystone_t self:unix_stream_socket { accept listen }; -@@ -57,20 +61,36 @@ corenet_all_recvfrom_netlabel(keystone_t) +@@ -45,6 +52,10 @@ manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t) + manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t) + files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir) + ++manage_dirs_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t) ++manage_files_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t) ++files_pid_filetrans(keystone_t, keystone_var_run_t, { dir }) ++ + can_exec(keystone_t, keystone_tmp_t) + + kernel_read_system_state(keystone_t) +@@ -57,20 +68,36 @@ corenet_all_recvfrom_netlabel(keystone_t) corenet_tcp_sendrecv_generic_if(keystone_t) corenet_tcp_sendrecv_generic_node(keystone_t) corenet_tcp_bind_generic_node(keystone_t) @@ -44512,9 +44584,15 @@ index b1ac8b5..9b22bea 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index cb4c13d..9342be3 100644 +index cb4c13d..6af07aa 100644 --- a/modemmanager.te +++ b/modemmanager.te +@@ -1,4 +1,4 @@ +-policy_module(modemmanager, 1.1.1) ++policy_module(modemmanager, 1.2.1) + + ######################################## + # @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) typealias modemmanager_t alias ModemManager_t; typealias modemmanager_exec_t alias ModemManager_exec_t; 
@@ -44525,9 +44603,12 @@ index cb4c13d..9342be3 100644 ######################################## # # Local policy -@@ -25,14 +28,14 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -24,15 +27,17 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; + kernel_read_system_state(modemmanager_t) ++corecmd_exec_bin(modemmanager_t) ++ dev_read_sysfs(modemmanager_t) +dev_read_urand(modemmanager_t) dev_rw_modem(modemmanager_t) @@ -44543,6 +44624,12 @@ index cb4c13d..9342be3 100644 logging_send_syslog_msg(modemmanager_t) +@@ -54,4 +59,5 @@ optional_policy(` + + optional_policy(` + udev_read_db(modemmanager_t) ++ udev_manage_pid_files(modemmanager_t) + ') diff --git a/mojomojo.if b/mojomojo.if index 73952f4..b19a6ee 100644 --- a/mojomojo.if @@ -45876,7 +45963,7 @@ index 6194b80..7490fe3 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..7e2d4fc 100644 +index 6a306ee..80996ad 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -45885,7 +45972,7 @@ index 6a306ee..7e2d4fc 100644 ######################################## # -@@ -6,17 +6,48 @@ policy_module(mozilla, 2.7.4) +@@ -6,17 +6,56 @@ policy_module(mozilla, 2.7.4) # ## @@ -45902,6 +45989,14 @@ index 6a306ee..7e2d4fc 100644 + +## +##
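Review bot: `corecmd_exec_bin(modemmanager_t)` in the first modemmanager.te hunk and `udev_manage_pid_files(modemmanager_t)` in the later one are both broad grants (execution of every bin_t program; presumably create/write/delete of udev's runtime files) and neither says what ModemManager actually does with them. A one-line comment above each naming the helper it executes or the udev file it touches would let the next reviewer check whether a narrower interface fits, e.g. `# ModemManager execs <helper-binary> -- confirm` above the corecmd line. The modemmanager.te body continues outside both hunks.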

++## Allow mozilla plugin domain to bind unreserved tcp/udp ports. ++##

++##
++ ++gen_tunable(mozilla_plugin_bind_unreserved_ports, false) ++ ++## ++##

+## Allow mozilla plugin to support spice protocols. +##

+##
@@ -45939,7 +46034,7 @@ index 6a306ee..7e2d4fc 100644 type mozilla_t; type mozilla_exec_t; typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; -@@ -24,6 +55,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; +@@ -24,6 +63,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; userdom_user_application_domain(mozilla_t, mozilla_exec_t) role mozilla_roles types mozilla_t; @@ -45949,7 +46044,7 @@ index 6a306ee..7e2d4fc 100644 type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -@@ -31,28 +65,24 @@ userdom_user_home_content(mozilla_home_t) +@@ -31,28 +73,24 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; @@ -45983,7 +46078,7 @@ index 6a306ee..7e2d4fc 100644 role mozilla_plugin_config_roles types mozilla_plugin_config_t; type mozilla_tmp_t; -@@ -63,10 +93,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys +@@ -63,10 +101,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; userdom_user_tmpfs_file(mozilla_tmpfs_t) @@ -45994,7 +46089,7 @@ index 6a306ee..7e2d4fc 100644 ######################################## # # Local policy -@@ -75,27 +101,30 @@ optional_policy(` +@@ -75,27 +109,30 @@ optional_policy(` allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; 
@@ -46038,7 +46133,7 @@ index 6a306ee..7e2d4fc 100644 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -@@ -103,76 +132,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +@@ -103,76 +140,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -46146,7 +46241,7 @@ index 6a306ee..7e2d4fc 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,57 +203,76 @@ auth_use_nsswitch(mozilla_t) +@@ -181,57 +211,76 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -46154,8 +46249,7 @@ index 6a306ee..7e2d4fc 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) - @@ -46164,7 +46258,8 @@ index 6a306ee..7e2d4fc 100644 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) - -userdom_write_user_tmp_sockets(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -mozilla_run_plugin(mozilla_t, mozilla_roles) -mozilla_run_plugin_config(mozilla_t, mozilla_roles) +#mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -46259,7 +46354,7 @@ index 6a306ee..7e2d4fc 100644 optional_policy(` apache_read_user_scripts(mozilla_t) -@@ -244,19 +285,12 @@ optional_policy(` +@@ -244,19 +293,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -46281,7 +46376,7 @@ index 6a306ee..7e2d4fc 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +299,32 @@ optional_policy(` +@@ -265,33 +307,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) 
@@ -46294,34 +46389,34 @@ index 6a306ee..7e2d4fc 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) ++') ++ ++optional_policy(` ++ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ java_domtrans(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ lpd_domtrans_lpr(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ nscd_socket_use(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) -+ nscd_socket_use(mozilla_t) -+') -+ -+optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -46329,7 +46424,7 @@ index 6a306ee..7e2d4fc 100644 ') optional_policy(` -@@ -300,259 +333,256 @@ optional_policy(` +@@ -300,259 +341,256 @@ optional_policy(` ######################################## # 
@@ -46413,12 +46508,12 @@ index 6a306ee..7e2d4fc 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) @@ -46596,12 +46691,12 @@ index 6a306ee..7e2d4fc 100644 -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) -+systemd_read_logind_sessions_files(mozilla_plugin_t) - +- -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) @@ -46732,7 +46827,7 @@ index 6a306ee..7e2d4fc 100644 ') optional_policy(` -@@ -560,7 +590,11 @@ optional_policy(` +@@ -560,7 +598,11 @@ optional_policy(` ') optional_policy(` @@ -46745,7 +46840,7 @@ index 6a306ee..7e2d4fc 100644 ') optional_policy(` -@@ -568,108 +602,137 @@ optional_policy(` +@@ -568,108 +610,142 @@ optional_policy(` ') optional_policy(` 
@@ -46774,7 +46869,8 @@ index 6a306ee..7e2d4fc 100644 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -- ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; @@ -46782,8 +46878,7 @@ index 6a306ee..7e2d4fc 100644 -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - +- -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") 
@@ -46884,14 +46979,18 @@ index 6a306ee..7e2d4fc 100644 - allow mozilla_plugin_config_t self:process execmem; +optional_policy(` + gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) -+') -+ -+optional_policy(` -+ xserver_use_user_fonts(mozilla_plugin_config_t) ') -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_config_t self:process { execmem execstack }; ++optional_policy(` ++ xserver_use_user_fonts(mozilla_plugin_config_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_plugin_config_t) +- fs_manage_nfs_files(mozilla_plugin_config_t) +- fs_manage_nfs_symlinks(mozilla_plugin_config_t) +ifdef(`distro_redhat',` + typealias mozilla_plugin_t alias nsplugin_t; + typealias mozilla_plugin_exec_t alias nsplugin_exec_t; @@ -46902,10 +47001,10 @@ index 6a306ee..7e2d4fc 100644 + typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t; ') --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mozilla_plugin_config_t) -- fs_manage_nfs_files(mozilla_plugin_config_t) -- fs_manage_nfs_symlinks(mozilla_plugin_config_t) +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_plugin_config_t) +- fs_manage_cifs_files(mozilla_plugin_config_t) +- fs_manage_cifs_symlinks(mozilla_plugin_config_t) +#tunable_policy(`mozilla_plugin_enable_homedirs',` +# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) +#', ` @@ -46918,10 +47017,8 @@ index 6a306ee..7e2d4fc 100644 + userdom_execmod_user_home_files(mozilla_plugin_t) ') --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_plugin_config_t) -- fs_manage_cifs_files(mozilla_plugin_config_t) -- fs_manage_cifs_symlinks(mozilla_plugin_config_t) +-optional_policy(` +- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_spice',` + dev_rw_generic_usb_dev(mozilla_plugin_t) + dev_setattr_generic_usb_dev(mozilla_plugin_t) 
@@ -46929,18 +47026,21 @@ index 6a306ee..7e2d4fc 100644 ') -optional_policy(` -- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +- xserver_use_user_fonts(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_gps',` + fs_manage_dos_dirs(mozilla_plugin_t) + fs_manage_dos_files(mozilla_plugin_t) - ') - --optional_policy(` -- xserver_use_user_fonts(mozilla_plugin_config_t) ++') ++ +tunable_policy(`mozilla_plugin_use_bluejeans',` + corenet_tcp_bind_unreserved_ports(mozilla_plugin_t) + corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t) + corenet_tcp_connect_commplex_main_port(mozilla_plugin_t) ++') ++ ++tunable_policy(`mozilla_plugin_bind_unreserved_ports',` ++ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t) ++ corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t) ') diff --git a/mpd.fc b/mpd.fc index 313ce52..ae93e07 100644 @@ -74225,10 +74325,10 @@ index 76f5b39..8bb80a2 100644 +') + diff --git a/quantum.fc b/quantum.fc -index 70ab68b..2a8e41b 100644 +index 70ab68b..b985b65 100644 --- a/quantum.fc +++ b/quantum.fc -@@ -1,10 +1,31 @@ +@@ -1,10 +1,34 @@ -/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0) +/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0) +/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0) @@ -74267,6 +74367,9 @@ index 70ab68b..2a8e41b 100644 + +/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0) +/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0) ++ ++/var/run/neutron(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0) ++/var/run/quantum(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0) diff --git a/quantum.if b/quantum.if index afc0068..3105104 100644 --- a/quantum.if @@ -74583,10 +74686,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..daaaf4f 100644 +index 769d1fd..de82e12 100644 --- a/quantum.te 
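Review bot: The new `mozilla_plugin_bind_unreserved_ports` block is asymmetric: `corenet_tcp_bind_unreserved_ports` binds only the generic unreserved TCP port type, while `corenet_udp_bind_all_unreserved_ports`, going by the corenetwork naming, covers every UDP port type above 1024 including ports labeled for specific services. If that is intended, say so above the block, `# udp side is deliberately wider: plugins pick arbitrary high UDP ports`; otherwise prefer the UDP counterpart of the narrower interface if corenetwork provides one. The `corenet_tcp_bind_unreserved_ports` grant is already present in the `mozilla_plugin_use_bluejeans` block above, so with both booleans on the rule is simply duplicated, which is harmless.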
+++ b/quantum.te -@@ -1,96 +1,169 @@ +@@ -1,96 +1,176 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) @@ -74630,6 +74733,9 @@ index 769d1fd..daaaf4f 100644 +type neutron_var_lib_t alias quantum_var_lib_t; +files_type(neutron_var_lib_t) + ++type neutron_var_run_t alias quantum_var_run_t; ++files_pid_file(neutron_var_run_t) ++ +type neutron_unit_file_t alias quantum_unit_file_t; +systemd_unit_file(neutron_unit_file_t) @@ -74703,6 +74809,10 @@ index 769d1fd..daaaf4f 100644 +manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) +files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir }) + ++manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t) ++manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t) ++files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir }) ++ +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) @@ -90001,10 +90111,10 @@ index d204752..31cc6e6 100644 + ') ') diff --git a/sensord.te b/sensord.te -index 5e82fd6..f3e5808 100644 +index 5e82fd6..64e130f 100644 --- a/sensord.te +++ b/sensord.te -@@ -9,12 +9,18 @@ type sensord_t; +@@ -9,27 +9,35 @@ type sensord_t; type sensord_exec_t; init_daemon_domain(sensord_t, sensord_exec_t) @@ -90023,7 +90133,10 @@ index 5e82fd6..f3e5808 100644 ######################################## # # Local policy -@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t) + # + ++allow sensord_t self:process signal; ++ allow sensord_t self:fifo_file rw_fifo_file_perms; allow sensord_t self:unix_stream_socket create_stream_socket_perms; @@ -91375,7 +91488,7 @@ index 1fa51c1..82e111c 100644 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/smokeping.te b/smokeping.te -index a8b1aaf..fc0a2be 100644 +index a8b1aaf..4689a59 100644 --- a/smokeping.te +++ b/smokeping.te 
@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t) @@ -91403,12 +91516,14 @@ index a8b1aaf..fc0a2be 100644 mta_send_mail(smokeping_t) netutils_domtrans_ping(smokeping_t) -@@ -70,6 +68,8 @@ optional_policy(` +@@ -70,6 +68,10 @@ optional_policy(` files_search_tmp(httpd_smokeping_cgi_script_t) files_search_var_lib(httpd_smokeping_cgi_script_t) + auth_read_passwd(httpd_smokeping_cgi_script_t) + ++ logging_send_syslog_msg(httpd_smokeping_cgi_script_t) ++ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) netutils_domtrans_ping(httpd_smokeping_cgi_script_t) @@ -94827,7 +94942,7 @@ index a240455..3dd6f00 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 8b537aa..eb8bb88 100644 +index 8b537aa..b400fb6 100644 --- a/sssd.te +++ b/sssd.te @@ -1,4 +1,4 @@ @@ -94919,11 +95034,12 @@ index 8b537aa..eb8bb88 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +107,34 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +107,35 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) -miscfiles_read_localization(sssd_t) ++miscfiles_dontaudit_access_check_cert(sssd_t) sysnet_dns_name_resolve(sssd_t) sysnet_use_ldap(sssd_t) @@ -101053,7 +101169,7 @@ index c30da4c..9ccc90c 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..88dcafb 100644 +index 9dec06c..d179539 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -102362,11 +102478,10 @@ index 9dec06c..88dcafb 100644 + optional_policy(` + ptchown_run(virt_domain, $2) + ') - ') - - ######################################## - ## --## Append virt log files. ++') ++ ++######################################## ++## +## Do not audit attempts to write virt daemon unnamed pipes. +## +## 
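Review bot: `miscfiles_dontaudit_access_check_cert(sssd_t)` in the sssd.te hunk is added without a comment and sits directly under `miscfiles_read_generic_certs(sssd_t)`, which already allows reading; a dontaudit on access checks only hides denials, so the rule should record what sssd probes so it can be dropped if the probe goes away, e.g. `# sssd access()-checks cert dirs/files it never opens; silence the noise -- confirm`. The sssd.te body continues outside this hunk.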
@@ -102382,10 +102497,11 @@ index 9dec06c..88dcafb 100644 + + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Append virt log files. +## Send a sigkill to virtual machines ## ## @@ -102797,7 +102913,7 @@ index 9dec06c..88dcafb 100644 ## ## ## -@@ -1136,50 +1299,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1299,53 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` 
@@ -102836,44 +102952,60 @@ index 9dec06c..88dcafb 100644 - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) -- ++ allow $1 virt_domain:process signal_perms; + - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -- ++ admin_pattern($1, virt_file_type) ++ admin_pattern($1, svirt_file_type) + - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t }) -- ++ virt_systemctl($1) ++ allow $1 virtd_unit_file_t:service all_service_perms; + - logging_search_logs($1) - admin_pattern($1, virt_log_t) - - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) -+ allow $1 virt_domain:process signal_perms; - +- - files_search_var($1) - admin_pattern($1, svirt_cache_t) - - files_search_var_lib($1) - admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) -+ admin_pattern($1, virt_file_type) -+ admin_pattern($1, svirt_file_type) - +- - files_search_locks($1) - admin_pattern($1, virt_lock_t) -+ virt_systemctl($1) -+ allow $1 virtd_unit_file_t:service all_service_perms; - -- dev_list_all_dev_nodes($1) -- allow $1 virt_ptynode:chr_file rw_term_perms; + virt_stream_connect_sandbox($1) + virt_stream_connect_svirt($1) + virt_stream_connect($1) ++') ++####################################### ++## ++## Getattr on virt executable. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`virt_default_capabilities',` ++ gen_require(` ++ attribute sandbox_caps_domain; ++ ') + +- dev_list_all_dev_nodes($1) +- allow $1 virt_ptynode:chr_file rw_term_perms; ++ typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index 1f22fba..50bb3f1 100644 +index 1f22fba..b3121c0 100644 --- a/virt.te +++ b/virt.te -@@ -1,147 +1,209 @@ +@@ -1,147 +1,224 @@ -policy_module(virt, 1.6.10) +policy_module(virt, 1.5.0) 
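Review bot: The new interface `virt_default_capabilities` in the virt.if hunk carries a description copied from elsewhere: its summary reads `Getattr on virt executable.` and its parameter text `Domain allowed to transition.`, while the body only does `typeattribute $1 sandbox_caps_domain;`. Replace the summary with `Give the domain the default sandbox capability set (sandbox_caps_domain).` and the parameter text with `Domain to add to the attribute.`. Also, `sandbox_caps_domain` is declared in the next virt.te hunk but no rule with it as source is visible in this chunk, so the interface grants nothing unless such rules exist elsewhere in the commit; worth confirming.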
@@ -102896,6 +103028,7 @@ index 1f22fba..50bb3f1 100644 +attribute svirt_file_type; +attribute virt_file_type; +attribute sandbox_net_domain; ++attribute sandbox_caps_domain; + +type svirt_tmp_t, svirt_file_type; +files_tmp_file(svirt_tmp_t) @@ -103031,35 +103164,49 @@ index 1f22fba..50bb3f1 100644 +##

+## +gen_tunable(virt_sandbox_use_samba, false) ++ ++## ++##

++## Allow sandbox containers to send audit messages ++ ++##

++##
++gen_tunable(virt_sandbox_use_audit, true) -attribute svirt_lxc_domain; +## +##

-+## Allow sandbox containers to send audit messages ++## Allow sandbox containers to use netlink system calls ++##

++##
++gen_tunable(virt_sandbox_use_netlink, false) -attribute_role virt_domain_roles; -roleattribute system_r virt_domain_roles; ++## ++##

++## Allow sandbox containers to use sys_admin system calls, for example mount +##

+##
-+gen_tunable(virt_sandbox_use_audit, true) ++gen_tunable(virt_sandbox_use_sys_admin, false) -attribute_role virt_bridgehelper_roles; -roleattribute system_r virt_bridgehelper_roles; +## +##

-+## Allow sandbox containers to use netlink system calls ++## Allow sandbox containers to use mknod system calls +##

+##
-+gen_tunable(virt_sandbox_use_netlink, false) ++gen_tunable(virt_sandbox_use_mknod, false) -attribute_role svirt_lxc_domain_roles; -roleattribute system_r svirt_lxc_domain_roles; +## +##

-+## Allow sandbox containers to use sys_admin system calls, for example mount ++## Allow sandbox containers to use all capabilities +##

+##
-+gen_tunable(virt_sandbox_use_sys_admin, false) ++gen_tunable(virt_sandbox_use_all_caps, false) virt_domain_template(svirt) -virt_domain_template(svirt_prot_exec) @@ -103153,7 +103300,7 @@ index 1f22fba..50bb3f1 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -150,295 +212,130 @@ ifdef(`enable_mls',` +@@ -150,295 +227,130 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -103524,7 +103671,7 @@ index 1f22fba..50bb3f1 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +345,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +360,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -103571,29 +103718,29 @@ index 1f22fba..50bb3f1 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +380,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +395,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) -- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +393,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +408,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) 
@@ -103601,7 +103748,7 @@ index 1f22fba..50bb3f1 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +401,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +416,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -103629,7 +103776,7 @@ index 1f22fba..50bb3f1 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +421,27 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +436,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -103662,7 +103809,7 @@ index 1f22fba..50bb3f1 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +472,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +487,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -103682,7 +103829,7 @@ index 1f22fba..50bb3f1 100644 selinux_validate_context(virtd_t) -@@ -613,18 +494,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +509,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -103719,7 +103866,7 @@ index 1f22fba..50bb3f1 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +522,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +537,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -103728,7 +103875,7 @@ index 1f22fba..50bb3f1 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +547,12 @@ optional_policy(` +@@ -658,20 +562,12 @@ optional_policy(` ') optional_policy(` @@ -103749,7 +103896,7 @@ index 1f22fba..50bb3f1 100644 ') optional_policy(` -@@ -684,14 +565,20 @@ optional_policy(` +@@ -684,14 +580,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) 
@@ -103772,7 +103919,7 @@ index 1f22fba..50bb3f1 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +591,13 @@ optional_policy(` +@@ -704,11 +606,13 @@ optional_policy(` ') optional_policy(` @@ -103786,7 +103933,7 @@ index 1f22fba..50bb3f1 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +608,18 @@ optional_policy(` +@@ -719,10 +623,18 @@ optional_policy(` ') optional_policy(` @@ -103805,17 +103952,19 @@ index 1f22fba..50bb3f1 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +634,277 @@ optional_policy(` +@@ -737,44 +649,277 @@ optional_policy(` udev_read_db(virtd_t) ') +-######################################## +-# +-# Virsh local policy +optional_policy(` + unconfined_domain(virtd_t) +') + - ######################################## - # --# Virsh local policy ++######################################## ++# +# virtual domains common policy # +allow virt_domain self:capability2 compromise_kernel; @@ -104027,7 +104176,7 @@ index 1f22fba..50bb3f1 100644 + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') -+ + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) @@ -104069,7 +104218,7 @@ index 1f22fba..50bb3f1 100644 +allow virsh_t self:tcp_socket create_stream_socket_perms; + +ps_process_pattern(virsh_t, svirt_sandbox_domain) - ++ +can_exec(virsh_t, virsh_exec_t) virt_domtrans(virsh_t) virt_manage_images(virsh_t) @@ -104105,7 +104254,7 @@ index 1f22fba..50bb3f1 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +915,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +930,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) 
@@ -104132,7 +104281,7 @@ index 1f22fba..50bb3f1 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,23 +935,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,23 +950,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -104149,10 +104298,10 @@ index 1f22fba..50bb3f1 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -104166,7 +104315,7 @@ index 1f22fba..50bb3f1 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -847,14 +972,20 @@ optional_policy(` +@@ -847,14 +987,20 @@ optional_policy(` ') optional_policy(` @@ -104188,7 +104337,7 @@ index 1f22fba..50bb3f1 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +1010,65 @@ optional_policy(` +@@ -879,49 +1025,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -104272,7 +104421,7 @@ index 1f22fba..50bb3f1 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1080,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1095,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -104292,7 +104441,7 @@ index 1f22fba..50bb3f1 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1101,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1116,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -104316,7 +104465,7 @@ index 1f22fba..50bb3f1 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1126,304 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1141,314 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -104345,12 +104494,12 @@ index 1f22fba..50bb3f1 100644 +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') @@ -104474,8 +104623,7 @@ index 1f22fba..50bb3f1 100644 +manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr; -+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) + +allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; +rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) @@ -104593,6 +104741,7 @@ index 1f22fba..50bb3f1 100644 +# svirt_lxc_net_t local policy # +virt_sandbox_domain_template(svirt_lxc_net) ++virt_default_capabilities(svirt_lxc_net_t) +typeattribute svirt_lxc_net_t sandbox_net_domain; -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; 
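Review bot: In hunk `@@ -104474,8 +104623,7 @@` the new `manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)` lets every sandbox domain create, unlink and rename character device nodes unconditionally, while the `mknod` capability that such a create needs is only granted under the `virt_sandbox_use_mknod` tunable on the following line; gating the file-side rule behind the same tunable would keep the two in step and leave a denied mknod in a default configuration visible in the audit log. The blk_file rules right below it are untouched context and stay at `allow ... blk_file setattr;` plus `rw_blk_files_pattern(...)`, so the changelog entry "manage chr files and blk files" claims more than the patch does — either extend blk_file the same way or correct the entry. A one-line comment above the new rule would help the next reader, e.g. `# device nodes inside svirt_sandbox_file_t only; host device types are not covered`.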
@@ -104611,6 +104760,7 @@ index 1f22fba..50bb3f1 100644 -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; ++manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) @@ -104629,6 +104779,17 @@ index 1f22fba..50bb3f1 100644 -corenet_sendrecv_all_server_packets(svirt_lxc_net_t) -corenet_udp_bind_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_all_ports(svirt_lxc_net_t) ++tunable_policy(`virt_sandbox_use_mknod',` ++ allow svirt_lxc_net_t self:capability mknod; ++') + +-corenet_sendrecv_all_client_packets(svirt_lxc_net_t) +-corenet_tcp_connect_all_ports(svirt_lxc_net_t) ++tunable_policy(`virt_sandbox_use_all_caps',` ++ allow svirt_lxc_net_t self:capability all_capability_perms; ++ allow svirt_lxc_net_t self:capability2 all_capability2_perms; ++') + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; @@ -104636,15 +104797,13 @@ index 1f22fba..50bb3f1 100644 +', ` + logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) +') - --corenet_sendrecv_all_client_packets(svirt_lxc_net_t) --corenet_tcp_connect_all_ports(svirt_lxc_net_t) ++ +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; + +kernel_read_irq_sysctls(svirt_lxc_net_t) +kernel_read_messages(svirt_lxc_net_t) - ++ +dev_read_sysfs(svirt_lxc_net_t) dev_getattr_mtrr_dev(svirt_lxc_net_t) dev_read_rand(svirt_lxc_net_t) 
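Review bot: In hunk `@@ -104629,6 +104779,17 @@` the new `virt_sandbox_use_all_caps` tunable hands svirt_lxc_net_t `all_capability_perms` and `all_capability2_perms`, i.e. every capability permission the policy knows, so flipping that boolean removes capability confinement for every container running in that domain. The `gen_tunable` declarations for `virt_sandbox_use_all_caps` and `virt_sandbox_use_mknod` are outside this hunk; please confirm both default to false and that their description comments say plainly what is being switched off, since the boolean name alone reads as harmless. The `manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)` line in hunk `@@ -104611,6 +104760,7 @@` appears redundant with the svirt_sandbox_domain rule added on the previous line if `virt_sandbox_domain_template(svirt_lxc_net)` gives the type that attribute (the template body is not visible here) — confirm and keep only one.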
@@ -104714,7 +104873,8 @@ index 1f22fba..50bb3f1 100644 +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) + +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +kernel_read_irq_sysctls(svirt_qemu_net_t) + +dev_read_sysfs(svirt_qemu_net_t) @@ -104723,8 +104883,7 @@ index 1f22fba..50bb3f1 100644 +dev_read_urand(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +fs_noxattr_type(svirt_sandbox_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) @@ -104758,7 +104917,7 @@ index 1f22fba..50bb3f1 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1436,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1461,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -104773,7 +104932,7 @@ index 1f22fba..50bb3f1 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1454,8 @@ optional_policy(` +@@ -1183,9 +1479,8 @@ optional_policy(` ######################################## # @@ -104784,7 +104943,7 @@ index 1f22fba..50bb3f1 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1468,216 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1493,218 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -105003,6 +105162,8 @@ index 1f22fba..50bb3f1 100644 +optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) +') ++ ++allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; 
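Review bot: The line `allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };` appended in hunk `@@ -105003,6 +105162,8 @@` grants `mknod` unconditionally to every domain carrying sandbox_caps_domain, which would make the `virt_sandbox_use_mknod` boolean added for svirt_lxc_net_t on the preceding line ineffective if `virt_default_capabilities()` assigns that attribute to it (the interface body is not in this diff; verify). If mknod is meant to be opt-in, drop it from this list and rely on the tunable; if the list is meant to be the fixed default set, a comment above it stating that, e.g. `# capability set every sandbox_caps_domain container keeps; widening this widens all containers at once`, would stop the next "X needs Y" fix from landing here by default. The rule also sits after the `systemd_dbus_chat_logind(sandbox_net_domain)` block rather than next to the other sandbox_caps_domain rules, which makes it easy to miss when auditing what the attribute grants.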
diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te @@ -108038,10 +108199,14 @@ index d837e88..910aeec 100644 userdom_search_user_home_dirs(yam_t) diff --git a/zabbix.fc b/zabbix.fc -index ce10cb1..38b143f 100644 +index ce10cb1..14dc7c6 100644 --- a/zabbix.fc +++ b/zabbix.fc -@@ -4,12 +4,17 @@ +@@ -1,15 +1,23 @@ + /etc/rc\.d/init\.d/((zabbix)|(zabbix-server)) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) + /etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) + /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) /usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) @@ -108055,9 +108220,12 @@ index ce10cb1..38b143f 100644 +/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) - ++ +/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0) - /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) ++/var/lib/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0) + +-/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) ++/var/log/zabbix.* gen_context(system_u:object_r:zabbix_log_t,s0) /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/zabbix.if b/zabbix.if diff --git a/selinux-policy.spec b/selinux-policy.spec index 4702921..c83599c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 179%{?dist} +Release: 180%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -579,6 +579,33 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Aug 12 2014 Lukas Vrabec 3.12.1-180 +- label /usr/libexec/cockpit-agent as shell_exec_t +- sysadm_t should be allowed to communicate with networkmanager +- Allow sysadm_t to create netlink_tcpdiag socket +- Label also /var/run/glusterd.socket file as gluster_var_run_t +- Label conmans pid file as conman_var_run_t +- Allow certmonger to stream connect to dirsrv to make ipa-server-install working. +- Allow sensord to send a signal. +- Dontaudit attempts to access check cert dirs/files for sssd. +- Label keystone var run dir (#1123013) +- Label neutron var run dir (#1123013) +- Allow bacula manage bacula_log_t dirs +- Fix typo in bacula.te and add filetrans also for bacula log files. +- docker needs more access, need back port to RHEL7 +- Allow alsa to create lock file to see if it fixes #1123423. +- Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports +- Dontaudit write access on generic cert files. We don't audit also access check. +- Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t. +- Back port modemmanager for F21. +- docker does a getattr on all file systems +- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port. +- shell_exec_t should not be in cockip.fc +- Allow smokeping cgi script to send syslog messages (#1122163) +- Allow cachefilesd_t to send itself signals +- Allow svirt domains to manage chr files and blk files for mknod commands +- docker needs setfcap + * Wed Jul 23 2014 Lukas Vrabec 3.12.1-179 - Bluejeans wants to connect to port 5000 - Allow zabbix domains to access /proc//net/dev