diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 544c986..ac42d8a 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 5bca7f4..73cc8a7 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -17844,10 +17844,10 @@ index 1a03abd..3221f80 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index d7c11a0..6b3331d 100644 +index d7c11a0..efcd377 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc -@@ -1,23 +1,26 @@ +@@ -1,23 +1,29 @@ -/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -/cgroup/.* <> +# ecryptfs does not support xattr @@ -17866,6 +17866,9 @@ index d7c11a0..6b3331d 100644 +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh) +/dev/shm/.* <> ++/dev/oracleasm -d gen_context(system_u:object_r:oracleasmfs_t,s0) ++/dev/oracleasm/.* <> ++ +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/usr/lib/udev/devices/hugepages/.* <> +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) @@ -17885,7 +17888,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..c17a25a 100644 +index 8416beb..737bfbc 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18949,7 +18952,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -2214,19 +2588,567 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +2588,642 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # 
@@ -19093,6 +19096,81 @@ index 8416beb..c17a25a 100644 + +######################################## +## ++## List oracleasmfs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_list_oracleasmfs',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ allow $1 oracleasmfs_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Get the attributes of an oracleasmfs ++## filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_oracleasmfs',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ allow $1 oracleasmfs_t:file getattr; ++') ++ ++######################################## ++## ++## Get the attributes of an oracleasmfs ++## filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_setattr_oracleasmfs',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ allow $1 oracleasmfs_t:file setattr; ++') ++ ++######################################## ++## ++## Get the attributes of an oracleasmfs ++## filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_setattr_oracleasmfs_dirs',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ allow $1 oracleasmfs_t:dir setattr; ++') ++ ++######################################## ++## +## Search inotifyfs filesystem. +## +## @@ -19523,7 +19601,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -2234,18 +3156,19 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3231,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # @@ -19548,7 +19626,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -2253,38 +3176,41 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3251,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # @@ -19602,7 +19680,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -2292,19 +3218,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3293,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # 
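Review bot: The summaries of `fs_setattr_oracleasmfs` and `fs_setattr_oracleasmfs_dirs` in the `@@ -19093,6 +19096,81 @@` hunk were copied from `fs_getattr_oracleasmfs` and still say "Get the attributes of an oracleasmfs filesystem", so the generated interface documentation describes the opposite permission of the `setattr` rules they carry. Change them to `## Set the attributes of files on an oracleasmfs filesystem.` and `## Set the attributes of directories on an oracleasmfs filesystem.`. The getattr summary could likewise say it covers files, since its rule is `allow $1 oracleasmfs_t:file getattr;` rather than the filesystem class.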
@@ -19630,7 +19708,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -2312,16 +3240,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3315,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -19651,7 +19729,7 @@ index 8416beb..c17a25a 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3325,24 @@ interface(`fs_getattr_nfs',` +@@ -2398,6 +3400,24 @@ interface(`fs_getattr_nfs',` ######################################## ## @@ -19676,7 +19754,7 @@ index 8416beb..c17a25a 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3505,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -19684,7 +19762,7 @@ index 8416beb..c17a25a 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3469,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3544,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -19692,7 +19770,7 @@ index 8416beb..c17a25a 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3496,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3571,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -19737,7 +19815,7 @@ index 8416beb..c17a25a 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3554,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3629,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -19746,7 +19824,7 @@ index 8416beb..c17a25a 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3574,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3649,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## 
@@ -19789,7 +19867,7 @@ index 8416beb..c17a25a 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3624,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3699,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -19798,7 +19876,7 @@ index 8416beb..c17a25a 100644 ') ######################################## -@@ -2627,7 +3648,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3723,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -19807,7 +19885,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -2719,6 +3740,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3815,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -19873,7 +19951,7 @@ index 8416beb..c17a25a 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3821,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3896,7 @@ interface(`fs_search_removable',` ## ## ## @@ -19882,7 +19960,7 @@ index 8416beb..c17a25a 100644 ## ## # -@@ -2777,7 +3857,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3932,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -19891,7 +19969,7 @@ index 8416beb..c17a25a 100644 ## ## # -@@ -2970,6 +4050,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4125,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -19899,7 +19977,7 @@ index 8416beb..c17a25a 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4091,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4166,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -19907,7 +19985,7 @@ index 8416beb..c17a25a 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4132,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4207,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') 
@@ -19915,7 +19993,7 @@ index 8416beb..c17a25a 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4220,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4295,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -19940,7 +20018,7 @@ index 8416beb..c17a25a 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3190,28 +4291,100 @@ interface(`fs_unmount_nfsd_fs',` +@@ -3190,28 +4366,100 @@ interface(`fs_unmount_nfsd_fs',` allow $1 nfsd_fs_t:filesystem unmount; ') @@ -20054,7 +20132,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -3219,17 +4392,17 @@ interface(`fs_getattr_nfsd_fs',` +@@ -3219,17 +4467,17 @@ interface(`fs_getattr_nfsd_fs',` ## ## # @@ -20075,7 +20153,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -3237,35 +4410,34 @@ interface(`fs_search_nfsd_fs',` +@@ -3237,35 +4485,34 @@ interface(`fs_search_nfsd_fs',` ## ## # @@ -20124,7 +20202,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -3273,12 +4445,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +4520,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # @@ -20139,7 +20217,7 @@ index 8416beb..c17a25a 100644 ') ######################################## -@@ -3392,7 +4564,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4639,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20148,7 +20226,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -3429,7 +4601,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4676,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20157,7 +20235,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -3447,7 +4619,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4694,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## 
@@ -20166,7 +20244,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -3779,6 +4951,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5026,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20191,7 +20269,7 @@ index 8416beb..c17a25a 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5005,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5080,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20216,7 +20294,7 @@ index 8416beb..c17a25a 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5116,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5191,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20225,7 +20303,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -3916,17 +5124,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5199,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20246,7 +20324,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -3934,17 +5142,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5217,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20267,7 +20345,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -3952,17 +5160,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5235,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20307,7 +20385,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -3970,31 +5197,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5272,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20363,7 +20441,7 @@ index 8416beb..c17a25a 100644 ') ######################################## -@@ -4066,33 +5310,161 @@ interface(`fs_tmpfs_filetrans',` +@@ -4066,33 +5385,161 @@ interface(`fs_tmpfs_filetrans',` type tmpfs_t; ') @@ -20534,7 +20612,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -4100,72 +5472,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,72 +5547,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # 
@@ -20624,7 +20702,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -4173,17 +5545,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5620,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -20646,7 +20724,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -4191,37 +5564,37 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5639,37 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -20692,7 +20770,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -4229,18 +5602,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5677,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -20714,7 +20792,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -4248,18 +5621,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5696,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -20738,7 +20816,7 @@ index 8416beb..c17a25a 100644 ## ## ## -@@ -4267,32 +5641,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5716,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -20777,7 +20855,7 @@ index 8416beb..c17a25a 100644 ') ######################################## -@@ -4407,6 +5780,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5855,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20803,7 +20881,7 @@ index 8416beb..c17a25a 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5895,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5970,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -20812,7 +20890,7 @@ index 8416beb..c17a25a 100644 ') ######################################## -@@ -4549,7 +5943,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6018,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -20821,7 +20899,7 @@ index 8416beb..c17a25a 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5990,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6065,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -20848,7 +20926,7 @@ index 8416beb..c17a25a 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6085,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6160,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -20874,7 +20952,7 @@ index 8416beb..c17a25a 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6345,173 @@ interface(`fs_unconfined',` +@@ -4912,3 +6420,173 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -29669,7 +29747,7 @@ index cc877c7..b8e6e98 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..53f66a4 100644 +index 8274418..df2df52 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,38 @@ @@ -29734,7 +29812,7 @@ index 8274418..53f66a4 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +79,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +79,37 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # 
@@ -29773,10 +29851,12 @@ index 8274418..53f66a4 100644 + +/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) ++ ++/usr/libexec/gsd-backlight-helper -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -91,19 +133,34 @@ ifndef(`distro_debian',` +@@ -91,19 +135,34 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -29815,7 +29895,7 @@ index 8274418..53f66a4 100644 /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -111,7 +168,18 @@ ifndef(`distro_debian',` +@@ -111,7 +170,18 @@ ifndef(`distro_debian',` /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -46500,7 +46580,7 @@ index 2cea692..bf86a31 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..155d5ce 100644 +index a392fc4..8a3cec2 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -46625,7 +46705,7 @@ index a392fc4..155d5ce 100644 fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -137,11 +157,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -137,11 +157,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) 
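Review bot: Labeling `/usr/libexec/gsd-backlight-helper` as `xserver_exec_t` in the xserver.fc hunk ending here makes that helper an entrypoint into the full `xserver_t` domain, which carries far more access than a backlight helper plausibly needs; if the helper only writes sysfs backlight nodes, a dedicated type or an existing narrower type would keep the X server's privileges out of it. At minimum the entry should carry a comment saying which caller transitions through it and why `xserver_t` was chosen, e.g. `# gsd-backlight-helper: runs as xserver_t, presumably for backlight sysfs access — confirm`.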
@@ -46634,6 +46714,8 @@ index a392fc4..155d5ce 100644 init_rw_utmp(dhcpc_t) +init_stream_connect(dhcpc_t) +init_stream_send(dhcpc_t) ++ ++libs_exec_ldconfig(dhcpc_t) logging_send_syslog_msg(dhcpc_t) @@ -46642,7 +46724,7 @@ index a392fc4..155d5ce 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -161,7 +185,15 @@ ifdef(`distro_ubuntu',` +@@ -161,7 +187,21 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -46654,12 +46736,18 @@ index a392fc4..155d5ce 100644 +') + +optional_policy(` ++ cloudform_init_domtrans(dhcpc_t) ++ cloudform_read_lib_files(dhcpc_t) ++ cloudform_read_lib_lnk_files(dhcpc_t) ++') ++ ++optional_policy(` + devicekit_dontaudit_rw_log(dhcpc_t) + devicekit_dontaudit_read_pid_files(dhcpc_t) ') optional_policy(` -@@ -179,10 +211,6 @@ optional_policy(` +@@ -179,10 +219,6 @@ optional_policy(` ') optional_policy(` @@ -46670,7 +46758,7 @@ index a392fc4..155d5ce 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -195,23 +223,31 @@ optional_policy(` +@@ -195,23 +231,31 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -46705,7 +46793,7 @@ index a392fc4..155d5ce 100644 ') optional_policy(` -@@ -221,7 +257,16 @@ optional_policy(` +@@ -221,7 +265,16 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -46723,7 +46811,7 @@ index a392fc4..155d5ce 100644 ') optional_policy(` -@@ -233,6 +278,10 @@ optional_policy(` +@@ -233,6 +286,10 @@ optional_policy(` ') optional_policy(` @@ -46734,7 +46822,7 @@ index a392fc4..155d5ce 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +313,26 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +321,26 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
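Review bot: `dhcpc_t` gains `libs_exec_ldconfig` in the hunk that begins on the previous line and, in the `@@ -161,7 +187,21 @@` hunk, a domain transition into `cloud_init_t` plus read access to `cloud_var_lib_t`; the DHCP client parses attacker-reachable network input, so every new executable it may launch widens what a compromised client can do. Neither grant explains which dhclient hook needs it; add a comment above the optional block, e.g. `# dhclient hook scripts start cloud-init on lease change; domtrans keeps that work out of dhcpc_t — confirm hook`, and check whether `libs_exec_ldconfig` is a real requirement or a stray exec that should be a dontaudit instead.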
@@ -46761,7 +46849,7 @@ index a392fc4..155d5ce 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +342,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +350,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -46794,7 +46882,7 @@ index a392fc4..155d5ce 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +380,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +388,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -46852,7 +46940,7 @@ index a392fc4..155d5ce 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +435,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +443,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -46865,7 +46953,7 @@ index a392fc4..155d5ce 100644 ') optional_policy(` -@@ -350,7 +453,16 @@ optional_policy(` +@@ -350,7 +461,16 @@ optional_policy(` ') optional_policy(` @@ -46883,7 +46971,7 @@ index a392fc4..155d5ce 100644 ') optional_policy(` -@@ -371,3 +483,13 @@ optional_policy(` +@@ -371,3 +491,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -51124,7 +51212,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..beadc1e 100644 +index 9dc60c6..af8711d 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -54426,7 +54514,7 @@ index 9dc60c6..beadc1e 100644 ## Create keys for all user domains. ##
## -@@ -3435,4 +4628,1799 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4628,1817 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -54636,6 +54724,24 @@ index 9dc60c6..beadc1e 100644 + +######################################## +## ++## dontaudit manage dirs /root ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_manage_admin_dir',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:dir manage_dir_perms; ++') ++ ++######################################## ++## +## RW unpriviledged user SysV sempaphores. +## +## diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index a876cfd..5af0e41 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -1275,7 +1275,7 @@ index bd5ec9a..554177c 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 3593510..b6a0f70 100644 +index 3593510..9617b13 100644 --- a/accountsd.te +++ b/accountsd.te @@ -4,6 +4,10 @@ gen_require(` @@ -1314,7 +1314,7 @@ index 3593510..b6a0f70 100644 fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) -@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t) +@@ -48,12 +55,15 @@ auth_use_nsswitch(accountsd_t) auth_read_login_records(accountsd_t) auth_read_shadow(accountsd_t) @@ -1323,7 +1323,15 @@ index 3593510..b6a0f70 100644 logging_list_logs(accountsd_t) logging_send_syslog_msg(accountsd_t) -@@ -66,9 +73,16 @@ optional_policy(` + logging_set_loginuid(accountsd_t) + ++userdom_dontaudit_create_admin_dir(accountsd_t) ++userdom_dontaudit_manage_admin_dir(accountsd_t) ++ + userdom_read_user_tmp_files(accountsd_t) + userdom_read_user_home_content_files(accountsd_t) + +@@ -66,9 +76,16 @@ optional_policy(` ') optional_policy(` @@ -12278,7 +12286,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') 
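Review bot: `userdom_dontaudit_manage_admin_dir`, added in the `@@ -3435,4 +4628,1817 @@` hunk, silences `manage_dir_perms` on `admin_home_t`, and the accountsd.te hunk on this line (plus the firewalld.te hunk two lines down) apply it to `accountsd_t` and `firewalld_t`; that removes the audit record for a system daemon creating, writing or deleting directories under /root, which is exactly the denial an analyst would want to see. If these daemons merely stat or search the admin home, a narrower dontaudit (`search_dir_perms` or `getattr`) is preferable to the full manage set. The interface summary `dontaudit manage dirs /root` should also name the type it covers, e.g. `## Do not audit attempts to create, write, or delete directories labeled admin_home_t (/root).`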
diff --git a/certmonger.te b/certmonger.te -index 550b287..b824421 100644 +index 550b287..1401e7b 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t) @@ -12345,7 +12353,7 @@ index 550b287..b824421 100644 fs_search_cgroup_dirs(certmonger_t) -@@ -68,18 +83,21 @@ auth_rw_cache(certmonger_t) +@@ -68,18 +83,22 @@ auth_rw_cache(certmonger_t) init_getattr_all_script_files(certmonger_t) @@ -12358,6 +12366,7 @@ index 550b287..b824421 100644 +miscfiles_manage_all_certs(certmonger_t) + +systemd_exec_systemctl(certmonger_t) ++systemd_manage_all_unit_files(certmonger_t) userdom_search_user_home_content(certmonger_t) @@ -12370,7 +12379,7 @@ index 550b287..b824421 100644 ') optional_policy(` -@@ -92,11 +110,60 @@ optional_policy(` +@@ -92,11 +111,60 @@ optional_policy(` ') optional_policy(` @@ -14386,10 +14395,10 @@ index 0000000..3849f13 +/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) diff --git a/cloudform.if b/cloudform.if new file mode 100644 -index 0000000..a06f04b +index 0000000..55fe0d6 --- /dev/null +++ b/cloudform.if -@@ -0,0 +1,60 @@ +@@ -0,0 +1,116 @@ +## cloudform policy + +####################################### @@ -14415,6 +14424,24 @@ index 0000000..a06f04b + kernel_read_system_state($1_t) +') + ++######################################## ++## ++## Execute a domain transition to run cloud_init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cloudform_init_domtrans',` ++ gen_require(` ++ type cloud_init_t, cloud_init_exec_t; ++ ') ++ ++ domtrans_pattern($1, cloud_init_exec_t, cloud_init_t) ++') ++ +###################################### +## +## Execute mongod in the caller domain. 
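Review bot: `systemd_manage_all_unit_files(certmonger_t)` in the `@@ -68,18 +83,22 @@` hunk lets the certmonger domain create, modify and delete every systemd unit file, so a flaw in certmonger becomes a path to running arbitrary code as any service on its next start; that is far broader than reloading services after a renewal, which the `systemd_exec_systemctl` line directly above already supports. Prefer a per-service interface or read/getattr on unit files, and add a comment naming the unit certmonger actually writes, e.g. `# certmonger rewrites <UNIT>.service after renewal — confirm which unit`.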
@@ -14433,6 +14460,44 @@ index 0000000..a06f04b + can_exec($1, mongod_exec_t) +') + ++####################################### ++## ++## Allow read to cloud lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cloudform_read_lib_files',` ++ gen_require(` ++ type cloud_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t) ++') ++ ++####################################### ++## ++## Allow read to cloud lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cloudform_read_lib_lnk_files',` ++ gen_require(` ++ type cloud_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t) ++') ++ +###################################### +## +## Execute mongod in the caller domain. @@ -28831,7 +28896,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..e42654a 100644 +index 98072a3..a30b953 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -28875,7 +28940,7 @@ index 98072a3..e42654a 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,25 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +77,26 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -28905,10 +28970,11 @@ index 98072a3..e42654a 100644 +sysnet_relabelto_net_conf(firewalld_t) + +userdom_dontaudit_create_admin_dir(firewalld_t) ++userdom_dontaudit_manage_admin_dir(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +114,10 @@ optional_policy(` +@@ -95,6 +115,10 @@ optional_policy(` ') optional_policy(` @@ -38337,16 +38403,20 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..1131ca0 +index 0000000..419d280 --- /dev/null 
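Review bot: The summary of `cloudform_read_lib_lnk_files` in the cloudform.if hunk ending here is a copy of the one on `cloudform_read_lib_files` ("Allow read to cloud lib files.") although the interface grants `read_lnk_files_pattern`, so the two interfaces are indistinguishable in the generated documentation. Change it to `## Read symbolic links in the cloud-init library directories.` and tidy the first to `## Read cloud-init library files.`. The `cloudform_init_domtrans` summary in the part of this hunk on the previous line is fine as written.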
+++ b/ipa.fc -@@ -0,0 +1,21 @@ +@@ -0,0 +1,25 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0) + ++/usr/lib/systemd/system/ipa-ods-exporter.* -- gen_context(system_u:object_r:ipa_ods_exporter_unit_file_t,s0) ++ +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) + ++/usr/libexec/ipa/ipa-ods-exporter -- gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0) ++ +/usr/libexec/ipa/ipa-dnskeysyncd -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0) +/usr/libexec/ipa/ipa-dnskeysync-replica -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0) + @@ -38605,10 +38675,10 @@ index 0000000..1a30961 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..81f38fe +index 0000000..e4c5d89 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,202 @@ +@@ -0,0 +1,260 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -38629,12 +38699,19 @@ index 0000000..81f38fe +type ipa_dnskey_exec_t; +init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t) + ++type ipa_ods_exporter_t, ipa_domain; ++type ipa_ods_exporter_exec_t; ++init_daemon_domain(ipa_ods_exporter_t, ipa_ods_exporter_exec_t) ++ +type ipa_otpd_unit_file_t; +systemd_unit_file(ipa_otpd_unit_file_t) + +type ipa_dnskey_unit_file_t; +systemd_unit_file(ipa_dnskey_unit_file_t) + ++type ipa_ods_exporter_unit_file_t; ++systemd_unit_file(ipa_ods_exporter_unit_file_t) ++ +type ipa_log_t; +logging_log_file(ipa_log_t) + @@ -38724,6 +38801,10 @@ index 0000000..81f38fe +logging_send_syslog_msg(ipa_helper_t) + +optional_policy(` ++ dirsrv_stream_connect(ipa_helper_t) ++') ++ ++optional_policy(` + ldap_stream_connect(ipa_helper_t) +') + 
@@ -38811,6 +38892,53 @@ index 0000000..81f38fe + opendnssec_manage_var_files(ipa_dnskey_t) + opendnssec_filetrans_etc_content(ipa_dnskey_t) +') ++ ++######################################## ++# ++# ipa-ods-exporter local policy ++# ++allow ipa_ods_exporter_t self:netlink_route_socket { bind create getattr nlmsg_read }; ++allow ipa_ods_exporter_t self:udp_socket { connect create getattr }; ++allow ipa_ods_exporter_t self:unix_dgram_socket { create getopt setopt }; ++ ++manage_files_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t) ++list_dirs_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t) ++ ++manage_files_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t) ++manage_dirs_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t) ++files_tmp_filetrans(ipa_ods_exporter_t, ipa_tmp_t, { dir file }) ++ ++kernel_dgram_send(ipa_ods_exporter_t) ++ ++auth_use_nsswitch(ipa_ods_exporter_t) ++ ++corecmd_exec_bin(ipa_ods_exporter_t) ++corecmd_exec_shell(ipa_ods_exporter_t) ++ ++libs_exec_ldconfig(ipa_ods_exporter_t) ++ ++logging_send_syslog_msg(ipa_ods_exporter_t) ++ ++miscfiles_read_certs(ipa_ods_exporter_t) ++ ++sysnet_read_config(ipa_ods_exporter_t) ++ ++optional_policy(` ++ bind_search_cache(ipa_ods_exporter_t) ++') ++ ++optional_policy(` ++ dirsrv_stream_connect(ipa_ods_exporter_t) ++') ++ ++optional_policy(` ++ opendnssec_manage_var_files(ipa_ods_exporter_t) ++ opendnssec_stream_connect(ipa_ods_exporter_t) ++') ++ ++optional_policy(` ++ ldap_stream_connect(ipa_ods_exporter_t) ++') diff --git a/ipmievd.fc b/ipmievd.fc new file mode 100644 index 0000000..0f598ca @@ -64025,10 +64153,10 @@ index 0000000..08d0e79 +/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0) diff --git a/opendnssec.if b/opendnssec.if new file mode 100644 -index 0000000..eac3932 +index 0000000..7c08157 --- /dev/null +++ b/opendnssec.if -@@ -0,0 +1,208 @@ +@@ -0,0 +1,228 @@ + +## policy for opendnssec + 
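Review bot: The new `ipa_ods_exporter_t` domain in the `@@ -38811,6 +38892,53 @@` hunk is granted `corecmd_exec_shell`, `corecmd_exec_bin` and `libs_exec_ldconfig` with no comment on why an exporter daemon needs a shell; each of these is a common way for a confined daemon to do more than intended once compromised. If the shell only runs a helper script, a comment naming it (e.g. `# ipa-ods-exporter spawns <SCRIPT> via /bin/sh — confirm`) would let a later reviewer tighten the grant, and `libs_exec_ldconfig` is often a symptom of a stray exec that should be a dontaudit instead. The type declarations for this domain sit in the `@@ -0,0 +1,260 @@` hunk starting on the previous line.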
@@ -64237,6 +64365,26 @@ index 0000000..eac3932 + + files_etc_filetrans($1, opendnssec_conf_t, file) +') ++ ++######################################## ++## ++## Connect to opendnssec over an unix ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opendnssec_stream_connect',` ++ gen_require(` ++ type opendnssec_t, opendnssec_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t, opendnssec_t) ++') diff --git a/opendnssec.te b/opendnssec.te new file mode 100644 index 0000000..e246d45 @@ -67503,10 +67651,10 @@ index 0000000..6ae382c + diff --git a/oracleasm.te b/oracleasm.te new file mode 100644 -index 0000000..0493b99 +index 0000000..14d642b --- /dev/null +++ b/oracleasm.te -@@ -0,0 +1,34 @@ +@@ -0,0 +1,57 @@ +policy_module(oracleasm, 1.0.0) + +######################################## 
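Review bot: The summary of `opendnssec_stream_connect` in the hunk ending here reads "Connect to opendnssec over an unix stream socket."; change it to `## Connect to opendnssec over a unix stream socket.`. The rule itself, `stream_connect_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t, opendnssec_t)` preceded by `files_search_pids($1)`, is what callers such as the `ipa_ods_exporter_t` block on the previous line rely on, so nothing else in this interface needs changing.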
@@ -67521,19 +67669,42 @@ index 0000000..0493b99
+type oracleasm_initrc_exec_t;
+init_script_file(oracleasm_initrc_exec_t)
+
++type oracleasm_tmp_t;
++files_tmp_file(oracleasm_tmp_t)
++
+########################################
+#
+# oracleasm local policy
+#
+
++allow oracleasm_t self:capability { fsetid fowner chown };
+allow oracleasm_t self:fifo_file rw_fifo_file_perms;
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
++manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
++files_tmp_filetrans(oracleasm_t, oracleasm_tmp_t, { file dir })
++
++kernel_read_system_state(oracleasm_t)
++
++auth_read_passwd(oracleasm_t)
++
++dev_rw_sysfs(oracleasm_t)
++
+domain_use_interactive_fds(oracleasm_t)
+
+corecmd_exec_shell(oracleasm_t)
+corecmd_exec_bin(oracleasm_t)
+
++fs_getattr_xattr_fs(oracleasm_t)
++fs_list_oracleasmfs(oracleasm_t)
++fs_getattr_oracleasmfs(oracleasm_t)
++fs_setattr_oracleasmfs(oracleasm_t)
++fs_setattr_oracleasmfs_dirs(oracleasm_t)
++
++storage_raw_read_fixed_disk(oracleasm_t)
++storage_raw_read_removable_device(oracleasm_t)
++
+optional_policy(`
+ mount_domtrans(oracleasm_t)
+')
@@ -71061,11 +71232,12 @@ index 0000000..a2cb118
+
diff --git a/pki.fc b/pki.fc
new file mode 100644
-index 0000000..e6592ea
+index 0000000..b2b20f0
--- /dev/null
+++ b/pki.fc
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,57 @@
+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/etc/pki/pki-tomcat/ca/(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
@@ -113268,7 +113440,7 @@ index facdee8..816d860 100644
+ ps_process_pattern(virtd_t, $1)
')
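Review bot: The added `storage_raw_read_fixed_disk` and `storage_raw_read_removable_device` rules give oracleasm_t read access to every raw block device on the host — and so to the contents of any filesystem on them — and `dev_rw_sysfs` lets it write sysfs attributes, yet the hunk carries no comment or denial explaining either grant. If the need is only reading ASM disk headers during a scan (my guess from the tool's purpose, not from the hunk), the removable-device rule is probably unnecessary, and if sysfs is only read to enumerate block devices then `dev_read_sysfs(oracleasm_t)` is the narrower interface. Whatever is kept, a one-line comment such as `# oracleasm scans raw block devices for ASM disk headers` above the storage rules would let the next maintainer judge them. The `{ fsetid fowner chown }` capability set is consistent with the new fs_setattr_oracleasmfs rules and looks fine.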
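Review bot: The new pki.fc entry `/etc/pki/pki-tomcat/ca/(/.*)?` cannot match any real path: because of the slash after `ca` it only matches `/etc/pki/pki-tomcat/ca/` with a trailing slash or a child with a doubled slash, so neither the directory nor anything under it is labeled pki_tomcat_cert_t and the preceding `/etc/pki/pki-tomcat(/.*)?` entry keeps them as pki_tomcat_etc_rw_t. The changelog in this commit says the directory is meant to be pki_tomcat_cert_t, so the line should read `/etc/pki/pki-tomcat/ca(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)`. If pki_tomcat_cert_t is meant to keep CA key and certificate material apart from the writable config type, the dead pattern leaves that separation unenforced, which is easy to confirm with `matchpathcon /etc/pki/pki-tomcat/ca` before and after the fix.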
diff --git a/virt.te b/virt.te -index f03dcf5..da66f68 100644 +index f03dcf5..ef46070 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ @@ -114850,7 +115022,7 @@ index f03dcf5..da66f68 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1258,354 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1258,356 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -114860,22 +115032,24 @@ index f03dcf5..da66f68 100644 +sysnet_exec_ifconfig(virtd_lxc_t) -auth_use_nsswitch(virtd_lxc_t) -+userdom_read_admin_home_files(virtd_lxc_t) ++systemd_dbus_chat_machined(virtd_lxc_t) -logging_send_syslog_msg(virtd_lxc_t) ++userdom_read_admin_home_files(virtd_lxc_t) + +-miscfiles_read_localization(virtd_lxc_t) +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) --miscfiles_read_localization(virtd_lxc_t) +-seutil_domtrans_setfiles(virtd_lxc_t) +-seutil_read_config(virtd_lxc_t) +-seutil_read_default_contexts(virtd_lxc_t) + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') - --seutil_domtrans_setfiles(virtd_lxc_t) --seutil_read_config(virtd_lxc_t) --seutil_read_default_contexts(virtd_lxc_t) ++ +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') 
@@ -115098,20 +115272,18 @@ index f03dcf5..da66f68 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) -+ gear_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` ++ gear_read_pid_files(svirt_sandbox_domain) ++') + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + @@ -115145,9 +115317,11 @@ index f03dcf5..da66f68 100644 + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + docker_read_share_files(svirt_sandbox_domain) + docker_exec_share_files(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) @@ -115346,7 +115520,7 @@ index f03dcf5..da66f68 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1618,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1620,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115361,7 +115535,7 @@ index f03dcf5..da66f68 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1636,7 @@ optional_policy(` +@@ -1192,7 +1638,7 @@ optional_policy(` ######################################## # 
@@ -115370,7 +115544,7 @@ index f03dcf5..da66f68 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1645,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1647,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 86f5f5f..dd60480 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 191.13%{?dist}
+Release: 191.14%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -645,6 +645,19 @@ exit 0
%endif
%changelog
+* Thu Aug 25 2016 Lukas Vrabec 3.13.1-191.14
+- Add new domain ipa_ods_exporter_t BZ(1366640)
+- Create new interface opendnssec_stream_connect()
+- Dontaudit accountsd domain creating dirs in /root
+- Dontaudit firewalld wants write to /root
+- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
+- Allow certmonger to manage all systemd unit files
+- Allow ipa_helper_t stream connect to dirsrv_t domain
+- Update oracleasm SELinux module
+- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness
+- Add new userdom_dontaudit_manage_admin_dir() interface
+- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type
+
* Tue Aug 23 2016 Lukas Vrabec 3.13.1-191.13
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module
- Allow krb5kdc_t to read krb4kdc_conf_t dirs.