++##
++## Allow tor to run onion services
++##
++##
++gen_tunable(tor_can_onion_services, false)
++
type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)
-@@ -25,13 +32,19 @@ init_script_file(tor_initrc_exec_t)
+@@ -25,13 +39,19 @@ init_script_file(tor_initrc_exec_t)
type tor_var_lib_t;
files_type(tor_var_lib_t)
@@ -110578,7 +110601,7 @@ index 5ceacde..c919a2d 100644
########################################
#
-@@ -48,6 +61,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+@@ -48,6 +68,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
allow tor_t tor_etc_t:file read_file_perms;
allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
@@ -110587,7 +110610,7 @@ index 5ceacde..c919a2d 100644
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-@@ -77,7 +92,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -77,7 +99,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
corenet_udp_sendrecv_generic_node(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
@@ -110595,7 +110618,7 @@ index 5ceacde..c919a2d 100644
corenet_sendrecv_dns_server_packets(tor_t)
corenet_udp_bind_dns_port(tor_t)
corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +99,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +106,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_tcp_sendrecv_tor_port(tor_t)
@@ -110603,7 +110626,7 @@ index 5ceacde..c919a2d 100644
corenet_sendrecv_all_client_packets(tor_t)
corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +113,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +120,26 @@ dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)
@@ -110626,6 +110649,10 @@ index 5ceacde..c919a2d 100644
+ corenet_tcp_bind_http_port(tor_t)
+')
+
++tunable_policy(`tor_can_onion_services',`
++ allow tor_t self:capability { dac_read_search dac_override };
++')
++
optional_policy(`
seutil_sigchld_newrole(tor_t)
')
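Review bot: The new `tunable_policy(`tor_can_onion_services', …)` block grants tor_t `dac_override` together with `dac_read_search`, and `dac_override` bypasses owner/mode checks for writes as well as reads; if the onion-service case only needs to read a HiddenServiceDir owned by another uid, `dac_read_search` alone may be enough — worth confirming against the audit denials that motivated the rule. The block carries no comment explaining which onion-service file layout needs a DAC bypass, so a reviewer cannot tell whether the wider capability is intentional; something like `# Onion services: HiddenServiceDir may be owned by a different uid than tor runs as (TODO confirm), so allow DAC bypass when the tunable is on.` would make it reviewable. The tunable is declared with a default of false in the earlier hunk, which is the right default for a capability that bypasses DAC; SELinux type enforcement on tor_t still bounds what files it can reach.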
@@ -115057,7 +115084,7 @@ index facdee8..487857a 100644
+ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..2ed3d3a 100644
+index f03dcf5..71afe45 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,414 @@
@@ -116082,7 +116109,7 @@ index f03dcf5..2ed3d3a 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +719,344 @@ optional_policy(`
+@@ -746,44 +719,347 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -116143,6 +116170,9 @@ index f03dcf5..2ed3d3a 100644
-can_exec(virsh_t, virsh_exec_t)
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
+
++# Allow virtlogd_t to execute itself.
++allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
++
+dev_read_sysfs(virtlogd_t)
+
+logging_send_syslog_msg(virtlogd_t)
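Review bot: The new `allow virtlogd_t virtlogd_exec_t:file execute_no_trans;` is the raw form of what this file expresses elsewhere with the `can_exec()` interface (the same hunk removes `can_exec(virsh_t, virsh_exec_t)`); `can_exec(virtlogd_t, virtlogd_exec_t)` would also carry the read/open/map permissions an in-domain exec needs and keep house style. The comment only says virtlogd executes itself, not why; stating the reason (presumably a self re-exec to keep open log descriptors across a restart — confirm against virtlogd) would let the next reader judge whether the rule is still needed, e.g. `# virtlogd re-execs its own binary (e.g. on reload) and must stay in virtlogd_t.`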
@@ -116293,7 +116323,7 @@ index f03dcf5..2ed3d3a 100644
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
-
++
+tunable_policy(`virt_use_execmem',`
+ allow virt_domain self:process { execmem execstack };
+')
@@ -116385,7 +116415,7 @@ index f03dcf5..2ed3d3a 100644
+ sanlock_stream_connect(virt_domain)
+ ')
+')
-+
+
+tunable_policy(`virt_use_rawip',`
+ allow virt_domain self:rawip_socket create_socket_perms;
+')
@@ -116449,7 +116479,7 @@ index f03dcf5..2ed3d3a 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1067,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1070,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -116476,7 +116506,7 @@ index f03dcf5..2ed3d3a 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1087,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1090,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -116510,7 +116540,7 @@ index f03dcf5..2ed3d3a 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1124,20 @@ optional_policy(`
+@@ -856,14 +1127,20 @@ optional_policy(`
')
optional_policy(`
@@ -116532,7 +116562,7 @@ index f03dcf5..2ed3d3a 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1162,66 @@ optional_policy(`
+@@ -888,49 +1165,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -116617,7 +116647,7 @@ index f03dcf5..2ed3d3a 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1233,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1236,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -116637,7 +116667,7 @@ index f03dcf5..2ed3d3a 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1254,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1257,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -116661,7 +116691,7 @@ index f03dcf5..2ed3d3a 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1279,355 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1282,355 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -117162,7 +117192,7 @@ index f03dcf5..2ed3d3a 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1640,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -117177,7 +117207,7 @@ index f03dcf5..2ed3d3a 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1658,7 @@ optional_policy(`
+@@ -1192,7 +1661,7 @@ optional_policy(`
########################################
#
@@ -117186,7 +117216,7 @@ index f03dcf5..2ed3d3a 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1667,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1670,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
@@ -117418,6 +117448,7 @@ index f03dcf5..2ed3d3a 100644
+kernel_read_network_state(sandbox_net_domain)
+
+allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
++allow sandbox_net_domain self:cap_userns { net_raw net_admin net_bind_service };
+
+allow sandbox_net_domain self:udp_socket create_socket_perms;
+allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
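Review bot: The added `cap_userns { net_raw net_admin net_bind_service }` line repeats the `capability` set on the line above it verbatim with no comment, so the two lists will silently drift if one is later edited. A one-line comment tying them together would help, e.g. `# cap_userns mirrors the capability set above so containers that create a user namespace get the same network rights; keep both lists identical.` Granting net_admin inside a user namespace is namespace-scoped by the kernel, but it is unconditional here rather than behind a tunable, which is worth stating as a deliberate choice. The sandbox_net_domain rules continue past the end of this hunk.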
@@ -117445,6 +117476,7 @@ index f03dcf5..2ed3d3a 100644
+')
+
+allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
++allow sandbox_caps_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
+
+list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
+read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
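Review bot: Same concern as for sandbox_net_domain: the new `cap_userns` line copies the full `capability` list above it — including dac_override, setfcap, mknod and sys_chroot — with no comment, and keeping two long identical lists in sync by hand is fragile. Either a comment such as `# cap_userns mirrors the capability set above; keep both lists identical.` or defining the list once with `define()` and using it in both rules would make the intent explicit. Whether every capability in the set is actually exercised inside a user namespace (mknod and setfcap are the usual ones to question) is not visible from the hunk, so it is worth confirming against the denials that prompted the change.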
@@ -120806,7 +120838,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..aab4f86 100644
+index 7f496c6..bf2ae51 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@@ -121056,7 +121088,7 @@ index 7f496c6..aab4f86 100644
corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
corenet_tcp_connect_zabbix_port(zabbix_agent_t)
corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
-@@ -177,21 +218,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +218,50 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
@@ -121100,6 +121132,7 @@ index 7f496c6..aab4f86 100644
+allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;
+allow zabbix_t zabbix_script_exec_t:dir read_file_perms;
+allow zabbix_t zabbix_script_exec_t:file ioctl;
++allow zabbix_t zabbix_script_t:process signal;
+
+init_domtrans_script(zabbix_script_t)
+
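Review bot: The new `allow zabbix_t zabbix_script_t:process signal;` has no comment saying which path sends the signal (presumably the server terminating or notifying an external script it spawned, e.g. on timeout — confirm); `# Server may signal external scripts it spawned (e.g. kill on timeout).` above the rule would document it. Separately, the pre-existing context line `allow zabbix_t zabbix_script_exec_t:dir read_file_perms;` applies a file permission set to the dir class; `list_dir_perms` is the conventional set for directories, though that line is not part of this change.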
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b98add2..3bf9127 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 225.17%{?dist}
+Release: 225.18%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -682,6 +682,20 @@ exit 0
%endif
%changelog
+* Thu Jun 08 2017 Lukas Vrabec