Merge pull request #258 from bauen1/misc-fixes-1

policy/modules/admin/quota.te

@@ -33,7 +33,7 @@ files_pid_file(quota_nld_runtime_t)
 # Local policy
 #
 
-allow quota_t self:capability { dac_override sys_admin };
+allow quota_t self:capability { dac_override sys_admin linux_immutable };
 dontaudit quota_t self:capability sys_tty_config;
 allow quota_t self:process signal_perms;
 

policy/modules/kernel/corecommands.fc

@@ -166,6 +166,7 @@ ifdef(`distro_gentoo',`
 /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
+/usr/lib/atril/atrild		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/at-spi2-core(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth/.*		--	gen_context(system_u:object_r:bin_t,s0)

policy/modules/services/dnsmasq.te

@@ -85,6 +85,7 @@ dev_read_urand(dnsmasq_t)
 domain_use_interactive_fds(dnsmasq_t)
 
 files_read_etc_runtime_files(dnsmasq_t)
+files_watch_etc_dirs(dnsmasq_t)
 
 fs_getattr_all_fs(dnsmasq_t)
 fs_search_auto_mountpoints(dnsmasq_t)

policy/modules/system/init.te

@@ -218,6 +218,7 @@ logging_rw_generic_logs(init_t)
 logging_create_devlog(init_t)
 
 seutil_read_config(init_t)
+seutil_read_default_contexts(init_t)
 
 miscfiles_read_localization(init_t)
 

policy/modules/system/lvm.te

@@ -212,6 +212,8 @@ read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
 allow lvm_t lvm_etc_t:file map;
 
 read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+# create /etc/lvm/archive
+allow lvm_t lvm_etc_t:dir create_dir_perms;
 # Map for vgchange on /etc/lvm/backup/ files
 allow lvm_t lvm_metadata_t:file map;
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d

policy/modules/system/selinuxutil.te

@@ -527,6 +527,7 @@ miscfiles_read_localization(semanage_t)
 seutil_libselinux_linked(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_config(semanage_t)
+seutil_manage_config_dirs(semanage_t)
 seutil_run_setfiles(semanage_t, semanage_roles)
 seutil_run_loadpolicy(semanage_t, semanage_roles)
 seutil_manage_bin_policy(semanage_t)

policy/modules/system/systemd.if

@@ -24,7 +24,7 @@ template(`systemd_role_template',`
 	gen_require(`
 		attribute systemd_user_session_type, systemd_log_parse_env_type;
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
-		type systemd_run_exec_t;
+		type systemd_run_exec_t, systemd_analyze_exec_t;
 	')
 
 	#################################
@@ -60,7 +60,7 @@ template(`systemd_role_template',`
 	# Allow using file descriptors for user environment generators
 	allow $3 $1_systemd_t:fd use;
 
-	can_exec($3, systemd_run_exec_t)
+	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 ')
 
 ######################################

policy/modules/system/systemd.te

@@ -339,6 +339,8 @@ fs_list_efivars(systemd_efi_generator_t)
 
 dev_write_sysfs_dirs(systemd_fstab_generator_t)
 
+files_search_all_mountpoints(systemd_fstab_generator_t)
+
 fstools_exec(systemd_fstab_generator_t)
 
 systemd_log_parse_environment(systemd_fstab_generator_t)