diff --git a/certmonger.te b/certmonger.te
index 0803529e4a..0585431e14 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -144,6 +144,7 @@ optional_policy(`
 optional_policy(`
 	pki_rw_tomcat_cert(certmonger_t)
 	pki_read_tomcat_lib_files(certmonger_t)
+	pki_tomcat_systemctl(certmonger_t)
 ')
 
 optional_policy(`
diff --git a/keepalived.te b/keepalived.te
index c4f0c3237b..4b5c0e4ecf 100644
--- a/keepalived.te
+++ b/keepalived.te
@@ -24,7 +24,7 @@ application_executable_file(keepalived_unconfined_script_exec_t)
 #
 
 allow keepalived_t self:capability { net_admin net_raw kill };
-allow keepalived_t self:process { signal_perms };
+allow keepalived_t self:process { signal_perms setpgid };
 allow keepalived_t self:netlink_socket create_socket_perms;
 allow keepalived_t self:netlink_generic_socket create_socket_perms;
 allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
diff --git a/lldpad.te b/lldpad.te
index 42e5578f22..3399d597a8 100644
--- a/lldpad.te
+++ b/lldpad.te
@@ -64,3 +64,7 @@ optional_policy(`
 optional_policy(`
 	networkmanager_dgram_send(lldpad_t)
 ')
+
+optional_policy(`
+	virt_dgram_send(lldpad_t)
+')
diff --git a/openvswitch.te b/openvswitch.te
index d37f970208..1dc8a63a6b 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t)
 # openvswitch local policy
 #
 
-allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
+allow openvswitch_t self:capability { dac_override net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
 allow openvswitch_t self:capability2 block_suspend;
 allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
 allow openvswitch_t self:fifo_file rw_fifo_file_perms;
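Review bot: `dac_override` is added to the openvswitch_t self:capability rule in the -32 hunk with no comment saying which access triggers it, and the tomcat.te -51 hunk adds the same capability to tomcat_t. dac_override lets the domain bypass discretionary permission checks on every file it can otherwise reach, so an AVC for it usually points at a file or directory the daemon does not own rather than at a missing policy rule. A why-comment above the rule, e.g. `# dac_override: <constructed: path or denial that needs it>`, or a note confirming that a file-ownership fix in the package does not remove the need, would keep the grant auditable later. The same applies to `kill`, which is added in the same rule.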
@@ -41,6 +41,7 @@ allow openvswitch_t self:tcp_socket create_stream_socket_perms;
 allow openvswitch_t self:netlink_socket create_socket_perms;
 allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
 allow openvswitch_t self:netlink_generic_socket create_socket_perms;
+allow openvswitch_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 
 can_exec(openvswitch_t, openvswitch_exec_t)
 
@@ -69,6 +70,7 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
 manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file })
 
+kernel_load_module(openvswitch_t)
 kernel_read_network_state(openvswitch_t)
 kernel_read_system_state(openvswitch_t)
 kernel_request_load_module(openvswitch_t)
@@ -87,6 +89,8 @@ corecmd_exec_shell(openvswitch_t)
 dev_read_rand(openvswitch_t)
 dev_read_urand(openvswitch_t)
 dev_read_sysfs(openvswitch_t)
+dev_rw_vfio_dev(openvswitch_t)
+corenet_rw_tun_tap_dev(openvswitch_t)
 
 domain_use_interactive_fds(openvswitch_t)
 
@@ -111,6 +115,10 @@ modutils_read_module_deps(openvswitch_t)
 
 sysnet_dns_name_resolve(openvswitch_t)
 
+logging_send_audit_msgs(openvswitch_t)
+
+write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t)
+
 optional_policy(`
 	hostname_exec(openvswitch_t)
 ')
diff --git a/pki.if b/pki.if
index f18fcc68fc..f69ae02984 100644
--- a/pki.if
+++ b/pki.if
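Review bot: `kernel_load_module(openvswitch_t)` in the -69 hunk grants the domain direct module loading, while two lines below it already has `kernel_request_load_module(openvswitch_t)`, which lets the kernel load modules on the daemon's behalf through the modprobe path. Direct loading is a considerably wider grant than the request path, so it is worth a comment naming the use case that needs it, e.g. `# openvswitch loads kernel modules itself: <constructed: reason or denial reference>`, or a check whether the existing request interface already covers the observed denial.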
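Review bot: `write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t)` in the -111 hunk writes a rule for init_t inside openvswitch.te, whereas every other rule in this file grants to openvswitch_t. Refpolicy convention is that a module exposes access to its own types through an interface in its .if file (an `openvswitch_*` interface called from the init policy) rather than naming another module's domain directly, and a bare init_t reference here may also need a `gen_require` for the type depending on how this tree is built. Putting the rule behind an interface keeps the cross-module dependency visible and reviewable; a short comment explaining why init needs to write these sockets would help in either form.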
@@ -477,3 +477,27 @@ interface(`pki_stream_connect',`
 	files_search_pids($1)
 	stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
 ')
+
+########################################
+##
+##	Execute pki in the pkit_tomcat_t domain.
+##
+##
+##
+##	Domain allowed to transition.
+##
+##
+#
+interface(`pki_tomcat_systemctl',`
+	gen_require(`
+		type pki_tomcat_t;
+		type pki_tomcat_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 pki_tomcat_unit_file_t:file read_file_perms;
+	allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, pki_tomcat_t)
+')
diff --git a/rhcs.if b/rhcs.if
index 59e5d7e3b7..145d67f2a0 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -957,3 +957,22 @@ interface(`rhcs_start_haproxy_services',`
 	systemd_exec_systemctl($1)
 	allow $1 haproxy_unit_file_t:service {status start};
 ')
+
+########################################
+##
+##	Create log files with a named file
+##	type transition.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`rhcs_named_filetrans_log_dir',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	logging_log_named_filetrans($1, var_log_t, dir, "bundles")
+')
diff --git a/rhcs.te b/rhcs.te
index a95c73dc7e..a5aec03a82 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -319,6 +319,10 @@ optional_policy(`
 	ricci_dontaudit_rw_modcluster_pipes(cluster_t)
 ')
 
+optional_policy(`
+	rhcs_named_filetrans_log_dir(cluster_t)
+')
+
 optional_policy(`
 	rpc_systemctl_nfsd(cluster_t)
 	rpc_systemctl_rpcd(cluster_t)
diff --git a/tomcat.te b/tomcat.te
index 97bdd60c90..e35ae6b3d9 100644
--- a/tomcat.te
+++ b/tomcat.te
@@ -51,6 +51,9 @@ optional_policy(`
 # tomcat domain policy
 #
 
+allow tomcat_t self:capability { dac_override setuid kill };
+
+allow tomcat_t self:process { setcap signal signull };
 allow tomcat_domain self:fifo_file rw_fifo_file_perms;
 allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
 
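Review bot: The doc block of the new `pki_tomcat_systemctl` interface in pki.if does not describe what it grants: the summary says "Execute pki in the pkit_tomcat_t domain" (also a typo for pki_tomcat_t) and the parameter reads "Domain allowed to transition", but the body grants systemctl execution, `manage_service_perms` on pki_tomcat_unit_file_t and `ps_process_pattern` on pki_tomcat_t, with no domain transition. Suggested summary line: `##	Manage the pki-tomcat systemd service via systemctl and read pki_tomcat_t process state.` with the parameter summary `##	Domain allowed access.`. Separately, `manage_service_perms` is wider than the `{status start}` used by `rhcs_start_haproxy_services` in the rhcs.if hunk; if the only caller, certmonger_t in the certmonger.te hunk, needs to restart the service after a renewal, a narrower permission set would follow the same pattern.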
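Review bot: `rhcs_named_filetrans_log_dir` passes var_log_t as the target type of `logging_log_named_filetrans($1, var_log_t, dir, "bundles")`, which is the type of the parent log directory itself, so the named transition appears to change no label and the interface would effectively only grant the caller directory access on var_log_t. If the intent was to give the bundles directory a cluster-specific log type, that type belongs in the third argument; please confirm what is intended. The summary also says "Create log files" while the rule transitions a `dir`; `##	Create the bundles log directory with a named file type transition.` would match the body. The rhcs.te hunk wraps the call in `optional_policy`, which is only needed for interfaces from other modules.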
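Review bot: The two rules added in the tomcat.te -51 hunk are written against `tomcat_t`, while every neighbouring rule in this block uses the `tomcat_domain` attribute; if these capabilities are needed only by the base tomcat_t domain that is a deliberate narrowing, but a one-line comment such as `# tomcat_t only: <constructed: reason>` would stop the next reader from "fixing" it to tomcat_domain. There is also a blank line between the two new rules but none between the new process rule and the existing fifo_file rule, which splits the self rules oddly; grouping the new rules together with one blank line before the tomcat_domain rules reads better.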
@@ -82,6 +85,7 @@ corenet_tcp_connect_amqp_port(tomcat_domain)
 corenet_tcp_connect_oracle_port(tomcat_domain)
 corenet_tcp_connect_ibm_dt_2_port(tomcat_domain)
 corenet_tcp_connect_unreserved_ports(tomcat_domain)
+corenet_tcp_connect_mssql_port(tomcat_domain)
 
 dev_read_rand(tomcat_domain)
 dev_read_urand(tomcat_domain)
diff --git a/virt.if b/virt.if
index 1d17889f38..c6792a5a37 100644
--- a/virt.if
+++ b/virt.if
@@ -1618,4 +1618,23 @@ interface(`virt_dontaudit_read_state',`
 	dontaudit $1 virtd_t:dir search_dir_perms;
 	dontaudit $1 virtd_t:file read_file_perms;
 	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+##
+##	Send to libvirt with a unix dgram socket.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`virt_dgram_send',`
+	gen_require(`
+		type virtd_t, virt_var_run_t;
+	')
+
+	files_search_pids($1)
+	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
\ No newline at end of file
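Review bot: virt.if still ends without a trailing newline after this hunk (`\ No newline at end of file`), because the closing `')` of the new `virt_dgram_send` interface reuses the old final line; adding the newline now would avoid a noisy diff the next time the end of the file is touched. The banner of the new interface also appears one `#` shorter than the 40-character banners used in the pki.if and rhcs.if hunks of this same diff, so it is worth aligning while the block is fresh.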