@@ -5088,7 +5186,7 @@ index f6eb485..438bc20 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1171,8 +1423,31 @@ interface(`apache_cgi_domain',`
+@@ -1171,8 +1528,31 @@ interface(`apache_cgi_domain',`
########################################
##
-@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
+@@ -66,14 +73,6 @@ gen_tunable(ftpd_connect_all_unreserved, false)
+
+ ##
+-## Determine whether ftpd can read and write
+-## files in user home directories.
+-##
+ ## Determine whether sftpd can modify
+ ## public files used for public file
+ ## transfer services. Directories/Files must
+@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
@@ -29527,7 +29641,7 @@ index 36838c2..8bfc879 100644
type ftpd_keytab_t;
files_type(ftpd_keytab_t)
-@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
+@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@@ -29537,7 +29651,7 @@ index 36838c2..8bfc879 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -198,22 +211,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
@@ -29564,7 +29678,7 @@ index 36838c2..8bfc879 100644
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -229,9 +239,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -29578,7 +29692,7 @@ index 36838c2..8bfc879 100644
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
-@@ -250,7 +263,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
@@ -29586,7 +29700,7 @@ index 36838c2..8bfc879 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -259,32 +271,50 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,32 +263,50 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -29644,35 +29758,57 @@ index 36838c2..8bfc879 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -304,22 +334,19 @@ tunable_policy(`ftpd_connect_db',`
+@@ -304,44 +326,24 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
- corenet_sendrecv_oracledb_client_packets(ftpd_t)
- corenet_tcp_connect_oracledb_port(ftpd_t)
- corenet_tcp_sendrecv_oracledb_port(ftpd_t)
+-')
+-
+-tunable_policy(`ftp_home_dir',`
+- allow ftpd_t self:capability { dac_override dac_read_search };
+-
+- userdom_manage_user_home_content_dirs(ftpd_t)
+- userdom_manage_user_home_content_files(ftpd_t)
+- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
+- userdom_manage_user_tmp_dirs(ftpd_t)
+- userdom_manage_user_tmp_files(ftpd_t)
+- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+-',`
+- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
+- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ corenet_sendrecv_oracle_client_packets(ftpd_t)
+ corenet_tcp_connect_oracle_port(ftpd_t)
+ corenet_tcp_sendrecv_oracle_port(ftpd_t)
')
- tunable_policy(`ftp_home_dir',`
- allow ftpd_t self:capability { dac_override dac_read_search };
+-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
++tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(ftpd_t)
+ fs_manage_nfs_files(ftpd_t)
+ fs_manage_nfs_symlinks(ftpd_t)
+ ')
-- userdom_manage_user_home_content_dirs(ftpd_t)
-- userdom_manage_user_home_content_files(ftpd_t)
-- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
-+ userdom_manage_all_user_home_type_dirs(ftpd_t)
-+ userdom_manage_all_user_home_type_files(ftpd_t)
- userdom_manage_user_tmp_dirs(ftpd_t)
- userdom_manage_user_tmp_files(ftpd_t)
-- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
- ',`
-- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+-tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
++tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(ftpd_t)
+ fs_manage_cifs_files(ftpd_t)
+ fs_manage_cifs_symlinks(ftpd_t)
')
-@@ -363,9 +390,8 @@ optional_policy(`
+ optional_policy(`
+- tunable_policy(`ftp_home_dir',`
+- apache_search_sys_content(ftpd_t)
+- ')
+-')
+-
+-optional_policy(`
+ corecmd_exec_shell(ftpd_t)
+
+ files_read_usr_files(ftpd_t)
+@@ -363,9 +365,8 @@ optional_policy(`
optional_policy(`
selinux_validate_context(ftpd_t)
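Review bot: The NFS and CIFS home-directory grants now open with `tunable_policy(`use_nfs_home_dirs',`` and `tunable_policy(`use_samba_home_dirs',``, so ftpd_t can manage every user's NFS/CIFS home content whenever those system-wide booleans are on, even on a host where FTP access to home directories is not wanted; the dropped `ftp_home_dir &&` conjunct was the ftpd-specific switch. The first hunk of this file also removes the local `ftp_home_dir` declaration, so if that boolean still exists elsewhere the conjunct should be kept (`tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`` and the samba twin), and if it was removed on purpose a comment above the two blocks should say what gates ftpd's home-directory access now. The `dac_override dac_read_search` capability grant that lived in the removed ftp_home_dir block is gone with it, which is fine as long as nothing still relies on it; that is not visible here.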
@@ -29683,7 +29819,7 @@ index 36838c2..8bfc879 100644
kerberos_use(ftpd_t)
')
-@@ -416,21 +442,20 @@ optional_policy(`
+@@ -416,21 +417,20 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -29707,7 +29843,7 @@ index 36838c2..8bfc879 100644
miscfiles_read_public_files(anon_sftpd_t)
-@@ -443,23 +468,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -443,23 +443,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy
#
@@ -29748,7 +29884,7 @@ index 36838c2..8bfc879 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -481,21 +517,8 @@ tunable_policy(`sftpd_anon_write',`
+@@ -481,21 +492,8 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -49519,7 +49655,7 @@ index b1ac8b5..24782b3 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..6e2a403 100644
+index d15eb5b..7f3c31d 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -49561,6 +49697,14 @@ index d15eb5b..6e2a403 100644
logging_send_syslog_msg(modemmanager_t)
+@@ -56,3 +63,7 @@ optional_policy(`
+ udev_read_db(modemmanager_t)
+ udev_manage_pid_files(modemmanager_t)
+ ')
++
++optional_policy(`
++ systemd_dbus_chat_logind(modemmanager_t)
++')
diff --git a/mojomojo.fc b/mojomojo.fc
index 7b827ca..5ee8a0f 100644
--- a/mojomojo.fc
@@ -49807,7 +49951,7 @@ index 6fcfc31..e9e6bc5 100644
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/mongodb.te b/mongodb.te
-index 169f236..f19680b 100644
+index 169f236..eaaeb0d 100644
--- a/mongodb.te
+++ b/mongodb.te
@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
@@ -49853,7 +49997,7 @@ index 169f236..f19680b 100644
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-@@ -41,21 +51,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+@@ -41,21 +51,46 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
@@ -49890,6 +50034,8 @@ index 169f236..f19680b 100644
-miscfiles_read_localization(mongod_t)
+auth_use_nsswitch(mongod_t)
+
++logging_send_syslog_msg(mongod_t)
++
+optional_policy(`
+ mysql_stream_connect(mongod_t)
+')
@@ -52622,10 +52768,10 @@ index 65a246a..fa86320 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index f42896c..bd1eb52 100644
+index f42896c..2cf0c23 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -1,34 +1,44 @@
+@@ -1,34 +1,41 @@
-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
@@ -52637,10 +52783,8 @@ index f42896c..bd1eb52 100644
+HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
+-
-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
-+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
@@ -60208,10 +60352,10 @@ index bcd7d0a..0188086 100644
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
diff --git a/nsd.fc b/nsd.fc
-index 4f2b1b6..adea830 100644
+index 4f2b1b6..6b300d5 100644
--- a/nsd.fc
+++ b/nsd.fc
-@@ -1,16 +1,17 @@
+@@ -1,16 +1,19 @@
-/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
-/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
@@ -60239,6 +60383,8 @@ index 4f2b1b6..adea830 100644
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
++
++/var/log/nsd\.log -- gen_context(system_u:object_r:nsd_log_t,s0)
diff --git a/nsd.if b/nsd.if
index a9c60ff..ad4f14a 100644
--- a/nsd.if
@@ -60329,7 +60475,7 @@ index a9c60ff..ad4f14a 100644
+ refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/nsd.te b/nsd.te
-index 47bb1d2..17db1a1 100644
+index 47bb1d2..5cc2b26 100644
--- a/nsd.te
+++ b/nsd.te
@@ -9,9 +9,7 @@ type nsd_t;
@@ -60343,13 +60489,15 @@ index 47bb1d2..17db1a1 100644
type nsd_conf_t;
files_type(nsd_conf_t)
-@@ -20,32 +18,31 @@ domain_type(nsd_crond_t)
+@@ -20,41 +18,50 @@ domain_type(nsd_crond_t)
domain_entry_file(nsd_crond_t, nsd_exec_t)
role system_r types nsd_crond_t;
-type nsd_db_t;
-files_type(nsd_db_t)
--
++type nsd_log_t;
++logging_log_file(nsd_log_t)
+
type nsd_var_run_t;
files_pid_file(nsd_var_run_t)
@@ -60387,7 +60535,12 @@ index 47bb1d2..17db1a1 100644
manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
files_pid_filetrans(nsd_t, nsd_var_run_t, file)
-@@ -55,6 +52,10 @@ manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+
++manage_files_pattern(nsd_t, nsd_log_t, nsd_log_t)
++logging_log_filetrans(nsd_t, nsd_log_t, file)
++
+ manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+ manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
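Review bot: `manage_files_pattern(nsd_t, nsd_log_t, nsd_log_t)` lets the daemon unlink and rename its own log under /var/log, which is more than a log writer needs and lets a compromised nsd_t remove the record of its own activity. If nsd only opens and appends (rotation being logrotate's job), `create_files_pattern(nsd_t, nsd_log_t, nsd_log_t)` and `append_files_pattern(nsd_t, nsd_log_t, nsd_log_t)` beside the existing `logging_log_filetrans(nsd_t, nsd_log_t, file)` are enough; whether nsd truncates or reopens the log itself is not shown here, so confirm against the denials that prompted the change. The nsd.fc hunk labels only `/var/log/nsd\.log`, which matches the file-only transition.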
@@ -60398,7 +60551,7 @@ index 47bb1d2..17db1a1 100644
can_exec(nsd_t, nsd_exec_t)
kernel_read_system_state(nsd_t)
-@@ -62,7 +63,6 @@ kernel_read_kernel_sysctls(nsd_t)
+@@ -62,7 +69,6 @@ kernel_read_kernel_sysctls(nsd_t)
corecmd_exec_bin(nsd_t)
@@ -60406,7 +60559,7 @@ index 47bb1d2..17db1a1 100644
corenet_all_recvfrom_netlabel(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
-@@ -72,16 +72,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
+@@ -72,16 +78,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
corenet_udp_sendrecv_all_ports(nsd_t)
corenet_tcp_bind_generic_node(nsd_t)
corenet_udp_bind_generic_node(nsd_t)
@@ -60429,7 +60582,7 @@ index 47bb1d2..17db1a1 100644
fs_getattr_all_fs(nsd_t)
fs_search_auto_mountpoints(nsd_t)
-@@ -90,8 +94,6 @@ auth_use_nsswitch(nsd_t)
+@@ -90,8 +100,6 @@ auth_use_nsswitch(nsd_t)
logging_send_syslog_msg(nsd_t)
@@ -60438,7 +60591,7 @@ index 47bb1d2..17db1a1 100644
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
userdom_dontaudit_search_user_home_dirs(nsd_t)
-@@ -105,23 +107,24 @@ optional_policy(`
+@@ -105,23 +113,24 @@ optional_policy(`
########################################
#
@@ -60471,7 +60624,7 @@ index 47bb1d2..17db1a1 100644
manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
-@@ -133,29 +136,33 @@ kernel_read_system_state(nsd_crond_t)
+@@ -133,29 +142,33 @@ kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
@@ -65918,7 +66071,7 @@ index 9b15730..cb00f20 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..ede6e1c 100644
+index 44dbc99..370dd38 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
@@ -65950,9 +66103,9 @@ index 44dbc99..ede6e1c 100644
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
-allow openvswitch_t self:process { setrlimit setsched signal };
-+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource };
++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
+allow openvswitch_t self:capability2 block_suspend;
-+allow openvswitch_t self:process { fork setsched setrlimit signal };
++allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
-allow openvswitch_t self:rawip_socket create_socket_perms;
-allow openvswitch_t self:unix_stream_socket { accept connectto listen };
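Review bot: The capability line grows to `{ net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid }` and the process line gains `setcap`, with no comment saying which daemon operation needs them; setuid/setgid/setpcap/setcap together are the privilege-switching set, and next to the sys_module and sys_rawio already on the line they leave openvswitch_t with very little the kernel will refuse. Presumably the ovs daemons are dropping to a service user at start-up, but that is inferred rather than shown by the hunk. A one-line comment above the allow, such as `# chown/setgid/setuid/setpcap + setcap: daemons switch to a service user at start-up (denials: <ticket placeholder>)`, would let the next reviewer check that each of the four is still required instead of carrying them forward. Style: refpolicy keeps permission sets alphabetical, `{ chown ipc_lock net_admin setgid setpcap setuid sys_module sys_nice sys_rawio sys_resource }`.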
@@ -65984,12 +66137,15 @@ index 44dbc99..ede6e1c 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -65,33 +69,49 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -63,35 +67,51 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
-
--can_exec(openvswitch_t, openvswitch_exec_t)
+-files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
-
+-can_exec(openvswitch_t, openvswitch_exec_t)
++files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file })
+
+kernel_load_module(openvswitch_t)
kernel_read_network_state(openvswitch_t)
kernel_read_system_state(openvswitch_t)
@@ -107583,7 +107739,7 @@ index 61c2e07..3b86095 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index 5ceacde..40e9303 100644
+index 5ceacde..9353adb 100644
--- a/tor.te
+++ b/tor.te
@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
@@ -107610,7 +107766,16 @@ index 5ceacde..40e9303 100644
########################################
#
# Local policy
-@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -48,6 +58,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+ allow tor_t tor_etc_t:file read_file_perms;
+ allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
+
++dontaudit tor_t self:capability { net_admin };
++
+ manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+ manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+ manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
corenet_udp_sendrecv_generic_node(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
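Review bot: `dontaudit tor_t self:capability { net_admin };` silences a privileged-capability request without recording why tor asks for it, so a later configuration that genuinely needs CAP_NET_ADMIN would fail with no AVC message to point at. A dontaudit on a capability should carry a comment naming the trigger, e.g. `# dontaudit CAP_NET_ADMIN: <what tor does at start-up that probes it> — not required for operation`, and if the denial was only seen during a start-up probe that should be stated so the rule is not mistaken for a deliberate restriction. Style: refpolicy writes a single permission without braces, `dontaudit tor_t self:capability net_admin;`.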
@@ -107618,7 +107783,7 @@ index 5ceacde..40e9303 100644
corenet_sendrecv_dns_server_packets(tor_t)
corenet_udp_bind_dns_port(tor_t)
corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +96,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_tcp_sendrecv_tor_port(tor_t)
@@ -107626,7 +107791,7 @@ index 5ceacde..40e9303 100644
corenet_sendrecv_all_client_packets(tor_t)
corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +108,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +110,22 @@ dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)
@@ -111673,10 +111838,10 @@ index facdee8..816d860 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..5e41cd6 100644
+index f03dcf5..5b78d90 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,451 +1,395 @@
+@@ -1,451 +1,402 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -111831,6 +111996,13 @@ index f03dcf5..5e41cd6 100644
+
+##
++## Allow confined virtual guests to use smartcards
++##
+## Allow sandbox containers to send audit messages
+
+##
+## Allow sandbox containers to use sys_admin system calls, for example mount
+##
+## Allow sandbox containers to use mknod system calls
@@ -111890,11 +112062,11 @@ index f03dcf5..5e41cd6 100644
-virt_domain_template(svirt_prot_exec)
+role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
-
--type virt_cache_t alias svirt_cache_t;
++
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
-+
+
+-type virt_cache_t alias svirt_cache_t;
+type qemu_exec_t, virt_file_type;
+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
@@ -112259,24 +112431,24 @@ index f03dcf5..5e41cd6 100644
-
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
-+allow svirt_t self:process ptrace;
-
+-
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
--
++allow svirt_t self:process ptrace;
+
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
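Review bot: `allow svirt_t self:process ptrace;` is re-placed here unconditionally, while the sandbox domains in a later virt.te hunk gate the same permission behind the `deny_ptrace` boolean (`tunable_policy(`deny_ptrace',`',` allow svirt_sandbox_domain self:process ptrace; ')`). That leaves the qemu guest domain outside the switch that deny_ptrace provides on the sandbox side, and the inconsistency is easy to miss because the line is only moved in this commit. Wrapping it the same way, `tunable_policy(`deny_ptrace',`',`` / `allow svirt_t self:process ptrace;` / `')`, keeps both domains under one control; if svirt_t needs self-ptrace unconditionally (qemu's use of it is not shown here), a comment on the line should say so.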
@@ -112382,7 +112554,7 @@ index f03dcf5..5e41cd6 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +399,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +406,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -112429,7 +112601,7 @@ index f03dcf5..5e41cd6 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +434,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +441,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -112462,7 +112634,7 @@ index f03dcf5..5e41cd6 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +459,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +466,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -112490,7 +112662,7 @@ index f03dcf5..5e41cd6 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +479,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +486,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -112521,7 +112693,7 @@ index f03dcf5..5e41cd6 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +531,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +538,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -112541,7 +112713,7 @@ index f03dcf5..5e41cd6 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +553,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +560,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -112578,7 +112750,7 @@ index f03dcf5..5e41cd6 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +581,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +588,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -112587,7 +112759,7 @@ index f03dcf5..5e41cd6 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +606,12 @@ optional_policy(`
+@@ -665,20 +613,12 @@ optional_policy(`
')
optional_policy(`
@@ -112608,7 +112780,7 @@ index f03dcf5..5e41cd6 100644
')
optional_policy(`
-@@ -691,20 +624,26 @@ optional_policy(`
+@@ -691,20 +631,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -112619,11 +112791,12 @@ index f03dcf5..5e41cd6 100644
')
optional_policy(`
+- iptables_domtrans(virtd_t)
+ firewalld_dbus_chat(virtd_t)
+')
+
+optional_policy(`
- iptables_domtrans(virtd_t)
++ iptables_domtrans(virtd_t)
iptables_initrc_domtrans(virtd_t)
+ iptables_systemctl(virtd_t)
+
@@ -112639,7 +112812,7 @@ index f03dcf5..5e41cd6 100644
')
optional_policy(`
-@@ -712,11 +651,18 @@ optional_policy(`
+@@ -712,11 +658,18 @@ optional_policy(`
')
optional_policy(`
@@ -112658,7 +112831,7 @@ index f03dcf5..5e41cd6 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +673,18 @@ optional_policy(`
+@@ -727,10 +680,18 @@ optional_policy(`
')
optional_policy(`
@@ -112677,7 +112850,7 @@ index f03dcf5..5e41cd6 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +700,321 @@ optional_policy(`
+@@ -746,44 +707,327 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -112767,7 +112940,7 @@ index f03dcf5..5e41cd6 100644
+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+dontaudit virt_domain virt_content_t:file write_file_perms;
+dontaudit virt_domain virt_content_t:dir write;
-
++
+kernel_read_net_sysctls(virt_domain)
+kernel_read_network_state(virt_domain)
+
@@ -112822,7 +112995,7 @@ index f03dcf5..5e41cd6 100644
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-+
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -112953,6 +113126,12 @@ index f03dcf5..5e41cd6 100644
+')
+
+optional_policy(`
++ tunable_policy(`virt_use_pcscd',`
++ pcscd_stream_connect(virt_domain)
++ ')
++')
++
++optional_policy(`
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(virt_domain)
+ ')
@@ -113021,7 +113200,7 @@ index f03dcf5..5e41cd6 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1025,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1038,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -113048,7 +113227,7 @@ index f03dcf5..5e41cd6 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1045,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1058,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -113065,10 +113244,10 @@ index f03dcf5..5e41cd6 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -113082,7 +113261,7 @@ index f03dcf5..5e41cd6 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1082,20 @@ optional_policy(`
+@@ -856,14 +1095,20 @@ optional_policy(`
')
optional_policy(`
@@ -113104,7 +113283,7 @@ index f03dcf5..5e41cd6 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1120,66 @@ optional_policy(`
+@@ -888,49 +1133,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -113189,7 +113368,7 @@ index f03dcf5..5e41cd6 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1191,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1204,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -113209,7 +113388,7 @@ index f03dcf5..5e41cd6 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1212,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1225,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -113233,7 +113412,7 @@ index f03dcf5..5e41cd6 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1237,354 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1250,354 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -113302,7 +113481,89 @@ index f03dcf5..5e41cd6 100644
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
-+
+
+-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
+-allow svirt_lxc_domain virtd_lxc_t:fd use;
+-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+-
+-allow svirt_lxc_domain virsh_t:fd use;
+-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virsh_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+-
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
+-kernel_read_kernel_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_read_system_state(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-# files_entrypoint_all_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
+-files_read_usr_files(svirt_lxc_domain)
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
+-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+-
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
+-miscfiles_read_localization(svirt_lxc_domain)
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@@ -113399,8 +113660,9 @@ index f03dcf5..5e41cd6 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
+
+ optional_policy(`
+- udev_read_pid_files(svirt_lxc_domain)
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
@@ -113416,95 +113678,12 @@ index f03dcf5..5e41cd6 100644
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
-
--allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
--allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
--allow svirt_lxc_domain self:fifo_file manage_file_perms;
--allow svirt_lxc_domain self:sem create_sem_perms;
--allow svirt_lxc_domain self:shm create_shm_perms;
--allow svirt_lxc_domain self:msgq create_msgq_perms;
--allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
--allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
--
--allow svirt_lxc_domain virtd_lxc_t:fd use;
--allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virtd_lxc_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
--allow svirt_lxc_domain virsh_t:fd use;
--allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virsh_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
--allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
--manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
--allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
--allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
--
--can_exec(svirt_lxc_domain, svirt_lxc_file_t)
--
--kernel_getattr_proc(svirt_lxc_domain)
--kernel_list_all_proc(svirt_lxc_domain)
--kernel_read_kernel_sysctls(svirt_lxc_domain)
--kernel_rw_net_sysctls(svirt_lxc_domain)
--kernel_read_system_state(svirt_lxc_domain)
--kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
--
--corecmd_exec_all_executables(svirt_lxc_domain)
--
--files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
--files_dontaudit_getattr_all_files(svirt_lxc_domain)
--files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
--files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
--files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
--files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
--files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
--# files_entrypoint_all_files(svirt_lxc_domain)
--files_list_var(svirt_lxc_domain)
--files_list_var_lib(svirt_lxc_domain)
--files_search_all(svirt_lxc_domain)
--files_read_config_files(svirt_lxc_domain)
--files_read_usr_files(svirt_lxc_domain)
--files_read_usr_symlinks(svirt_lxc_domain)
--
--fs_getattr_all_fs(svirt_lxc_domain)
--fs_list_inotifyfs(svirt_lxc_domain)
--
--# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
--# fs_rw_inherited_cifs_files(svirt_lxc_domain)
--# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
--
--auth_dontaudit_read_login_records(svirt_lxc_domain)
--auth_dontaudit_write_login_records(svirt_lxc_domain)
--auth_search_pam_console_data(svirt_lxc_domain)
--
--clock_read_adjtime(svirt_lxc_domain)
--
--init_read_utmp(svirt_lxc_domain)
--init_dontaudit_write_utmp(svirt_lxc_domain)
--
--libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
--
--miscfiles_read_localization(svirt_lxc_domain)
--miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
--miscfiles_read_fonts(svirt_lxc_domain)
--
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
+optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
-
- optional_policy(`
-- udev_read_pid_files(svirt_lxc_domain)
++
++optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
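Review bot: The block of outer removals from `--allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };` down to `--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)` cannot be reconciled inside this hunk with whatever replaces it for the renamed svirt_sandbox_domain. The tail of that same list reappears as `+-` lines at the top of the preceding hunk (files_dontaudit_getattr_all_pipes … mta_dontaudit_read_spool_symlinks), which suggests the inner removals merely moved to a new offset, but the capability/process/IPC rules and the virtd_lxc_t/virsh_t/svirt_lxc_file_t rules are not visible as re-added anywhere in this chunk. Because a patch-of-a-patch hides the net effect, the rename should be checked semantically rather than textually, e.g. by running sediff between the policy built from Release 182 and from 183 and confirming that svirt_sandbox_domain receives exactly the intended rules and that no rule is left referencing the old svirt_lxc_domain attribute. The two new `optional_policy` blocks at the end (udev_read_pid_files, userhelper_dontaudit_write_config) read as intended and need no further change.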
@@ -113676,15 +113855,15 @@ index f03dcf5..5e41cd6 100644
+
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
+
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
@@ -113729,7 +113908,7 @@ index f03dcf5..5e41cd6 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1597,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1610,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -113744,7 +113923,7 @@ index f03dcf5..5e41cd6 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1615,7 @@ optional_policy(`
+@@ -1192,7 +1628,7 @@ optional_policy(`
########################################
#
@@ -113753,7 +113932,7 @@ index f03dcf5..5e41cd6 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1624,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1637,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
@@ -116835,7 +117014,7 @@ index 0928c5d..d270a72 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index a64aad3..fe078eb 100644
+index a64aad3..d923154 100644
--- a/xguest.te
+++ b/xguest.te
@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0)
@@ -116904,7 +117083,7 @@ index a64aad3..fe078eb 100644
storage_raw_read_removable_device(xguest_t)
storage_raw_write_removable_device(xguest_t)
',`
-@@ -54,9 +55,22 @@ ifndef(`enable_mls',`
+@@ -54,9 +55,25 @@ ifndef(`enable_mls',`
')
optional_policy(`
@@ -116915,6 +117094,9 @@ index a64aad3..fe078eb 100644
+kernel_dontaudit_request_load_module(xguest_t)
+kernel_read_software_raid_state(xguest_t)
+
++#GDM runs the X server as the unprivileged user.
++dev_rw_input_dev(xguest_t)
++
+tunable_policy(`selinuxuser_execstack',`
+ allow xguest_t self:process execstack;
+')
@@ -116928,7 +117110,7 @@ index a64aad3..fe078eb 100644
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -65,10 +79,9 @@ optional_policy(`
+@@ -65,10 +82,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
@@ -116940,7 +117122,7 @@ index a64aad3..fe078eb 100644
')
')
-@@ -84,12 +97,25 @@ optional_policy(`
+@@ -84,12 +100,25 @@ optional_policy(`
')
')
@@ -116952,23 +117134,23 @@ index a64aad3..fe078eb 100644
+
+optional_policy(`
+ colord_dbus_chat(xguest_t)
+ ')
+
+ optional_policy(`
+- gnomeclock_dontaudit_dbus_chat(xguest_t)
++ chrome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
-+ chrome_role(xguest_r, xguest_t)
++ thumb_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
-+ thumb_role(xguest_r, xguest_t)
- ')
-
- optional_policy(`
-- gnomeclock_dontaudit_dbus_chat(xguest_t)
+ dbus_dontaudit_chat_system_bus(xguest_t)
')
optional_policy(`
-@@ -97,75 +123,78 @@ optional_policy(`
+@@ -97,75 +126,78 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e75a885..b6182f9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 182%{?dist}
+Release: 183%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -651,6 +651,23 @@ exit 0
%endif
%changelog
+* Wed Apr 27 2016 Lukas Vrabec