Hello community,

here is the log from the commit of package container-selinux for 
openSUSE:Factory checked in at 2021-11-20 02:38:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "container-selinux"

Sat Nov 20 02:38:03 2021 rev:9 rq:931472 version:2.171.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes      
2021-08-12 09:01:48.066138103 +0200
+++ 
/work/SRC/openSUSE:Factory/.container-selinux.new.1895/container-selinux.changes
    2021-11-20 02:38:09.404974862 +0100
@@ -1,0 +2,10 @@
+Fri Nov 12 16:21:06 UTC 2021 - Richard Brown <rbr...@suse.com>
+
+- Update to version 2.171.0
+  * Define kubernetes_file_t as a config_type
+  * Allow containers to be socket activated by user domains and by systemd.
+  * Allow iptables to use fifo files of a container runtime
+  * Allow container_runtime create all tmpfs content as 
container_runtime_tmpfs_t
+  * Allow containers to create lnk_file on tmpfs_t directories.
+
+-------------------------------------------------------------------
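Review bot: the changelog entry is incomplete relative to the diff: the removal of fs_noxattr_type(container_file_t), the new admin_pattern($1, container_file_t) in container.if, the container_logreader_t lnk_file workaround and the new udica-templates/*.cil files are all absent from the bullet list. Please add bullets for them, and fix the grammar in "Allow container_runtime create all tmpfs content" (it should read "to create").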

Old:
----
  container-selinux-2.164.2.tar.gz

New:
----
  container-selinux-2.171.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.HOCAm8/_old  2021-11-20 02:38:09.884973278 +0100
+++ /var/tmp/diff_new_pack.HOCAm8/_new  2021-11-20 02:38:09.888973265 +0100
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.164.2
+Version:        2.171.0
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only
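Review bot: only the Version line changes in the openSUSE spec, yet the new tarball adds udica-templates/*.cil and upstream's contrib spec (further down in this diff) installs them to %{_datadir}/udica/templates. Confirm whether the openSUSE package should ship them as well; if it should, the spec needs the install step and a %files entry (plus ownership of the directory or a Requires on udica), otherwise the templates silently drop out of the package.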

++++++ container-selinux-2.164.2.tar.gz -> container-selinux-2.171.0.tar.gz 
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.164.2/README.md 
new/container-selinux-2.171.0/README.md
--- old/container-selinux-2.164.2/README.md     2021-08-02 19:18:31.000000000 
+0200
+++ new/container-selinux-2.171.0/README.md     2021-11-10 23:21:41.000000000 
+0100
@@ -2,29 +2,8 @@
 
 ## Blogs on SELinux Policy
 
-**[Docker and 
SELinux](https://www.projectatomic.io/docs/docker-and-selinux/)**  
-Interaction between SELinux policy and Docker
-
-**[Issues with Docker Volumes and 
SELinux](https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
  )**  
-Use of volume mounted content with SELinux
-
-**[Docker SELinux 
Flag](https://www.projectatomic.io/blog/2016/07/docker-selinux-flag/)**  
-Information on `???selinux-enabled` flag in Docker daemon
-
-**[SELinux Policy for 
Containers](https://www.projectatomic.io/blog/2017/02/selinux-policy-containers/)**
  
-Tightening of SELinux policy to prevent information leaks
-
-**[Extending SELinux Policy for 
Containers](https://www.projectatomic.io/blog/2016/03/selinux-and-docker-part-2/)**
  
-Policy module for running containers as securely as possible
-
-**[Practical SELinux and 
Containers](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)**
  
-How to make SELinux and containers work well together with best security 
separation
-
-**[`no-new-privileges` Security Flag in Docker 
](https://www.projectatomic.io/blog/2016/03/no-new-privs-docker/)**  
-Explains `--no-new-privileges` flag usage
-
 **[Container Labeling](https://danwalsh.livejournal.com/81269.html)**  
-Explains `container_t` vs c`ontainer_var_lib_t`
+Explains `container_t` vs `container_var_lib_t`
 
 **[`container_t` versus 
`svirt_lxc_net_t`](https://danwalsh.livejournal.com/79191.html)**  
 Clarifys `container_t` versus `svirt_lxc_net_t` aliases
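Review bot: the trailing context line "Clarifys `container_t` versus `svirt_lxc_net_t` aliases" keeps a typo (Clarifies) directly below the backtick fix this hunk makes; worth correcting while touching the file. The six removed projectatomic.io entries are dropped without replacement, so the section is down to two links; if the intent is to retire dead links, say so in the commit message rather than leaving it implicit.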
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.164.2/container.fc 
new/container-selinux-2.171.0/container.fc
--- old/container-selinux-2.164.2/container.fc  2021-08-02 19:18:31.000000000 
+0200
+++ new/container-selinux-2.171.0/container.fc  2021-11-10 23:21:41.000000000 
+0100
@@ -116,6 +116,8 @@
 /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*            -d      
gen_context(system_u:object_r:container_share_t,s0)
 /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*                 
<<none>>
 /var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?                    
gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/k3s/data/.lock                                     
gen_context(system_u:object_r:container_lock_t,s0)
+/var/lib/rancher/k3s/data/[^/]*/etc(/.*)?                           
gen_context(system_u:object_r:container_config_t,s0)
 /var/run/flannel(/.*)?                                                         
gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/k3s(/.*)?                                                             
gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?                        
        gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
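Review bot: the new entry `/var/lib/rancher/k3s/data/.lock` leaves the dot unescaped, so the regex matches any single character before `lock`; `\.lock` expresses what is meant. Separately, both new contexts only take effect for files created after the policy is loaded unless the package's %post relabels existing content (restorecon -R /var/lib/rancher/k3s/data); existing k3s installs will otherwise keep the old labels on the lock file and the etc directories after the upgrade.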
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.164.2/container.if 
new/container-selinux-2.171.0/container.if
--- old/container-selinux-2.164.2/container.if  2021-08-02 19:18:31.000000000 
+0200
+++ new/container-selinux-2.171.0/container.if  2021-11-10 23:21:41.000000000 
+0100
@@ -608,6 +608,7 @@
                type container_lock_t;
                type container_log_t;
                type container_config_t;
+               type container_file_t;
        ')
 
        allow $1 container_runtime_t:process { ptrace signal_perms };
@@ -631,6 +632,8 @@
        admin_pattern($1, container_unit_file_t)
        allow $1 container_unit_file_t:service all_service_perms;
 
+       admin_pattern($1, container_file_t)
+
        optional_policy(`
                systemd_passwd_agent_exec($1)
                systemd_read_fifo_file_passwd_run($1)
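Review bot: admin_pattern($1, container_file_t) gives the admin domain full manage plus relabelfrom/relabelto on everything labelled container_file_t, i.e. all container-writable volume content regardless of which container it belongs to. That is reasonable for an admin interface, but the interface's documentation comment should state it explicitly, and the matching `type container_file_t;` added to the gen_require block in the preceding hunk needs to stay in sync with this rule.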
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.164.2/container.te 
new/container-selinux-2.171.0/container.te
--- old/container-selinux-2.164.2/container.te  2021-08-02 19:18:31.000000000 
+0200
+++ new/container-selinux-2.171.0/container.te  2021-11-10 23:21:41.000000000 
+0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.164.2)
+policy_module(container, 2.171.0)
 
 gen_require(`
        class passwd rootok;
@@ -57,7 +57,7 @@
 files_pid_file(spc_var_run_t)
 
 type kubernetes_file_t;
-files_type(kubernetes_file_t)
+files_config_file(kubernetes_file_t)
 
 type container_var_lib_t alias docker_var_lib_t;
 files_type(container_var_lib_t)
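Review bot: switching kubernetes_file_t from files_type to files_config_file adds it to the configfile attribute, so every domain that already has attribute-wide config access (the files_*_all_config style interfaces), and every container built from the new udica config_container templates (which allow on `configfile`), now reaches Kubernetes config files without any rule naming kubernetes_file_t. If that widening is intended, say so in the changelog; if only udica-generated containers should reach these files, a type-specific allow in the template would be the narrower choice.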
@@ -199,7 +199,7 @@
 manage_blk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, 
container_runtime_tmpfs_t)
 allow container_runtime_domain container_runtime_tmpfs_t:dir relabelfrom;
 can_exec(container_runtime_domain, container_runtime_tmpfs_t)
-fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t, { dir 
file })
+fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t, 
dir_file_class_set)
 allow container_runtime_domain container_runtime_tmpfs_t:chr_file mounton;
 
 manage_dirs_pattern(container_runtime_domain, container_ro_file_t, 
container_ro_file_t)
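Review bot: replacing `{ dir file }` with dir_file_class_set in the tmpfs filetrans widens the transition to lnk_file, sock_file, fifo_file, chr_file and blk_file, so every object the runtime creates on tmpfs now defaults to container_runtime_tmpfs_t instead of tmpfs_t. The chr_file/blk_file part is consistent with the manage_blk_files_pattern and chr_file mounton rules above it, but any domain that previously reached runtime-created sockets or fifos on tmpfs through tmpfs_t access will now need container_runtime_tmpfs_t access instead; test a socket-activated container against this before merging.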
@@ -802,7 +802,7 @@
 manage_sock_files_pattern(container_domain, container_file_t, container_file_t)
 allow container_domain container_file_t:{file dir} mounton;
 allow container_domain container_file_t:filesystem { mount remount unmount };
-fs_tmpfs_filetrans(container_domain, container_file_t, { dir file })
+fs_tmpfs_filetrans(container_domain, container_file_t, { dir file lnk_file })
 allow container_domain container_file_t:dir_file_class_set { relabelfrom 
relabelto map };
 container_read_share_files(container_domain)
 container_exec_share_files(container_domain)
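Review bot: the container_domain filetrans gains only lnk_file here while the runtime hunk above switched to dir_file_class_set; manage_sock_files_pattern(container_domain, container_file_t, container_file_t) a few lines up lets containers manage sockets labelled container_file_t, but a socket a container creates on tmpfs will still be born as tmpfs_t. If that asymmetry is deliberate (containers should not get to label sockets on the host tmpfs), a comment would help; otherwise sock_file belongs in this set too.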
@@ -875,7 +875,6 @@
 gen_require(`
        type container_file_t;
 ')
-fs_noxattr_type(container_file_t)
 # fs_associate_cgroupfs(container_file_t)
 gen_require(`
        type cgroup_t;
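Review bot: dropping fs_noxattr_type(container_file_t) is not mentioned in the changelog. It removes container_file_t from the noxattrfs attribute (and, since fs_noxattr_type also applies fs_type, from the fs_type attribute), so any domain that reached container_file_t content through the fs_*_noxattr_fs_* interfaces loses that access. Please state the intent in the changelog and confirm nothing relied on the attribute.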
@@ -1033,6 +1032,7 @@
 container_read_pid_files(iptables_t)
 container_read_state(iptables_t)
 container_append_file(iptables_t)
+allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
 
 optional_policy(`
        gen_require(`
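Review bot: `allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms` covers pipes inherited from any container runtime when it execs iptables. If iptables only needs to write its output back to the runtime, write_fifo_file_perms is the least-privilege choice; and since the three container_* interfaces directly above it already wrap iptables_t's access in interfaces, this rule belongs in a container.if interface rather than as a raw allow in the iptables block.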
@@ -1112,6 +1112,8 @@
 container_domain_template(container_logreader)
 typeattribute container_logreader_t container_net_domain;
 logging_read_all_logs(container_logreader_t)
+# Remove once https://github.com/fedora-selinux/selinux-policy/pull/898 merges
+allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
 logging_read_audit_log(container_logreader_t)
 logging_list_logs(container_logreader_t)
 
@@ -1126,6 +1128,7 @@
        gen_require(`
                type sysadm_t, staff_t, user_t;
                role sysadm_r, staff_r, user_r;
+               attribute userdomain;
        ')
 
        container_runtime_run(sysadm_t, sysadm_r)
@@ -1139,6 +1142,10 @@
        role user_r types container_user_domain;
 
        staff_role_change_to(system_r)
+
+       allow staff_t container_runtime_t:process signal_perms;
+       allow staff_t container_domain:process signal_perms;
+       allow container_domain userdomain:unix_stream_socket { accept ioctl 
read getattr lock write append getopt };
 ')
 
 gen_require(`
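Review bot: `allow container_domain userdomain:unix_stream_socket { accept ioctl read getattr lock write append getopt }` is keyed on the whole userdomain attribute, so every container domain gets these permissions on sockets labelled with any user domain (user_t, staff_t, sysadm_t and any others), not only the domains the role rules above actually allow to start containers. The socket-activation case in the changelog only needs the descriptor a user domain passes on exec, and these permissions apply only to descriptors the container already holds, so the exposure is limited to leaked descriptors; even so, scoping the rule to the user domains listed here (or to an attribute only they carry) and restricting `ioctl` with an extended-permission rule would make the intent clear. The two staff_t signal_perms rules look right alongside the existing sysadm_t/user_t run rules.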
@@ -1157,6 +1164,7 @@
 ')
 dontaudit container_domain device_node:chr_file setattr;
 dontaudit container_domain sysctl_type:file write;
+allow container_domain init_t:unix_stream_socket { accept ioctl read getattr 
lock write append getopt };
 
 allow container_t proc_t:filesystem remount;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/container-selinux-2.164.2/contrib/container-selinux.spec 
new/container-selinux-2.171.0/contrib/container-selinux.spec
--- old/container-selinux-2.164.2/contrib/container-selinux.spec        
2021-08-02 19:18:31.000000000 +0200
+++ new/container-selinux-2.171.0/contrib/container-selinux.spec        
2021-11-10 23:21:41.000000000 +0100
@@ -78,6 +78,8 @@
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
 install -p -m 644 container.if 
%{buildroot}%{_datadir}/selinux/devel/include/services
 install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/udica/templates
+install -m 0644 udica-templates/*.cil %{buildroot}%{_datadir}/udica/templates
 
 # remove spec file
 rm -rf container-selinux.spec
@@ -112,6 +114,7 @@
 %files
 %doc README.md
 %{_datadir}/selinux/*
+%{_datadir}/udica/templates/*
 
 %changelog
 * Fri Jan 06 2017 Dan Walsh <dwa...@redhat.com> - 2:2.1-1
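Review bot: `%{_datadir}/udica/templates/*` lists the files but owns neither %{_datadir}/udica nor %{_datadir}/udica/templates, and the spec adds no Requires on udica, so unless udica is guaranteed to be installed both directories end up unowned. Add `%dir %{_datadir}/udica/templates` (and `%dir %{_datadir}/udica` if the udica package does not provide it) or a Requires: udica, matching the `install -d` in the preceding hunk.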
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/container-selinux-2.164.2/udica-templates/base_container.cil 
new/container-selinux-2.171.0/udica-templates/base_container.cil
--- old/container-selinux-2.164.2/udica-templates/base_container.cil    
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/base_container.cil    
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,14 @@
+(block container
+(type process)
+(type socket)
+(roletype system_r process)
+(typeattributeset domain (process ))
+(typeattributeset container_domain (process ))
+(typeattributeset svirt_sandbox_domain (process ))
+(typeattributeset mcs_constrained_type (process ))
+(typeattributeset file_type (socket ))
+(allow process socket (sock_file (create open getattr setattr read write 
rename link unlink ioctl lock append)))
+(allow process proc_type (file (getattr open read)))
+(allow process cpu_online_t (file (getattr open read)))
+(allow container_runtime_t process (key (create link read search setattr view 
write)))
+)
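Review bot: the file has no header comment, and since udica emits this block into every generated policy, each rule deserves a one-line explanation: in particular why container_runtime_t needs full keyring permissions (create link read search setattr view write) on the container's process type, and why the per-container `socket` type is made a generic file_type (which is what lets it sit on host filesystems). The mcs_constrained_type and svirt_sandbox_domain memberships are the important containment properties and should be called out as such.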
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/container-selinux-2.164.2/udica-templates/config_container.cil 
new/container-selinux-2.171.0/udica-templates/config_container.cil
--- old/container-selinux-2.164.2/udica-templates/config_container.cil  
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/config_container.cil  
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,24 @@
+(block config_container
+       (optional config_container_optional
+               (allow process configfile (dir (ioctl read getattr lock search 
open)))
+               (allow process configfile (file (ioctl read getattr lock open)))
+               (allow process configfile (lnk_file (read getattr)))
+       )
+)
+
+(block config_rw_container
+       (blockinherit config_container)
+       (optional config_rw_container_optional
+               (allow process configfile (dir (ioctl read write getattr lock 
append open)))
+               (allow process configfile (file (ioctl read write getattr lock 
append open)))
+               (allow process configfile (lnk_file (ioctl read write getattr 
lock append open)))
+       )
+)
+
+(block config_manage_container
+       (optional config_manage_container_optional
+               (allow process configfile (dir (ioctl read write create getattr 
setattr lock unlink link rename add_name remove_name reparent search rmdir 
open)))
+               (allow process configfile (file (ioctl read write create 
getattr setattr lock append unlink link rename open)))
+               (allow process configfile (lnk_file (ioctl read write create 
getattr setattr lock append unlink link rename open)))
+       )
+)
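Review bot: config_manage_container does not `blockinherit` config_rw_container the way home_manage_container and log_manage_container inherit their _rw siblings; its own rules do restate the read/write permissions, but inheriting keeps the three blocks consistent. Also, config_rw_container's `(allow process configfile (lnk_file (ioctl read write getattr lock append open)))` grants write/append/open on symlinks, which no syscall can exercise; trim lnk_file to `read getattr` (plus create/unlink/rename in the _manage block).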
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/container-selinux-2.164.2/udica-templates/home_container.cil 
new/container-selinux-2.171.0/udica-templates/home_container.cil
--- old/container-selinux-2.164.2/udica-templates/home_container.cil    
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/home_container.cil    
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,37 @@
+(block home_container
+       (optional home_container_optional
+               (allow process process (capability (dac_override )))
+
+               (allow process user_home_dir_t (dir (getattr search open read 
lock ioctl)))
+               (allow process home_root_t (dir (getattr search open read lock 
ioctl)))
+               (allow process user_home_t (dir (getattr search open read lock 
ioctl)))
+
+               (allow process user_home_dir_t (file (getattr ioctl lock open 
read)))
+               (allow process user_home_t (file (getattr ioctl lock open 
read)))
+       )
+)
+
+
+(block home_rw_container
+       (blockinherit home_container)
+       (optional home_rw_container_optional
+               (allow process user_home_dir_t (dir (open getattr setattr read 
write link search add_name remove_name reparent lock ioctl)))
+               (allow process home_root_t (dir (open getattr setattr read 
write link search add_name remove_name reparent lock ioctl)))
+               (allow process user_home_t (dir (open getattr setattr read 
write link search add_name remove_name reparent lock ioctl)))
+
+               (allow process user_home_t (file (open getattr read write 
append ioctl lock)))
+               (allow process user_home_dir_t (file (open getattr read write 
append ioctl lock)))
+       )
+)
+
+(block home_manage_container
+       (blockinherit home_rw_container)
+       (optional home_manage_container_optional
+               (allow process user_home_dir_t (dir (create unlink rename rmdir 
)))
+               (allow process home_root_t (dir (create unlink rename rmdir )))
+               (allow process user_home_t (dir (create unlink rename rmdir )))
+
+               (allow process user_home_t (file (create rename link unlink )))
+               (allow process user_home_dir_t (file (create rename link unlink 
)))
+       )
+)
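Review bot: `(allow process process (capability (dac_override)))` sits in the read-only home_container block, and dac_override bypasses owner/group/mode checks on every file the container's SELinux rules otherwise reach, not just $HOME; a container that merely needs to read its user's home directory should not get it. Move it to home_rw_container / home_manage_container, or better drop it and let the operator map UIDs, and add a comment if it really is required for the read-only case. home_root_t correctly gets only directory traversal in every block.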
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/container-selinux-2.164.2/udica-templates/log_container.cil 
new/container-selinux-2.171.0/udica-templates/log_container.cil
--- old/container-selinux-2.164.2/udica-templates/log_container.cil     
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/log_container.cil     
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,35 @@
+(block log_container
+       (optional log_container_optional
+               (allow process var_t (dir (getattr search open)))
+               (allow process logfile (dir (ioctl read getattr lock search 
open)))
+               (allow process logfile (file (ioctl read getattr lock open 
map)))
+               (allow process auditd_log_t (dir (ioctl read getattr lock 
search open)))
+               (allow process auditd_log_t (file (ioctl read getattr lock 
open)))
+       )
+)
+
+
+(block log_rw_container
+       (blockinherit log_container)
+
+       (optional log_rw_container_optional
+               (allow process logfile (dir (ioctl read write create getattr 
setattr lock add_name search open)))
+               (allow process logfile (file (ioctl read write create getattr 
setattr lock append open)))
+               (allow process logfile (lnk_file (ioctl read write getattr lock 
append open)))
+               (allow process var_t (dir (getattr search open)))
+               (allow process auditd_log_t (dir (ioctl read getattr lock 
search open)))
+               (allow process auditd_log_t (file (ioctl read getattr lock 
open)))
+       )
+)
+
+(block log_manage_container
+       (blockinherit log_rw_container)
+
+       (optional log_manage_container_optional
+               (allow process logfile (dir (ioctl read write create getattr 
setattr lock unlink link rename add_name remove_name reparent search rmdir 
open)))
+               (allow process logfile (file (ioctl read write create getattr 
setattr lock append unlink link rename open)))
+               (allow process logfile (lnk_file (ioctl read write create 
getattr setattr lock append unlink link rename)))
+               (allow process auditd_log_t (dir (ioctl read write getattr lock 
search open)))
+               (allow process auditd_log_t (file (ioctl read write getattr 
lock open)))
+       )
+)
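Review bot: the read-only log_container block already includes auditd_log_t, and log_rw_container and log_manage_container add write on auditd_log_t files; a container that can append to or rewrite /var/log/audit can cover its tracks, so audit-log write (and arguably read) should be a separate optional block rather than bundled with ordinary logfile access. Also, as in config_container, the lnk_file rules carry write/append/open on symlinks, which cannot be exercised, and the _manage lnk_file rule lacks `open` while the _rw one has it; trim both to read/getattr plus create/unlink/rename.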
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/container-selinux-2.164.2/udica-templates/net_container.cil 
new/container-selinux-2.171.0/udica-templates/net_container.cil
--- old/container-selinux-2.164.2/udica-templates/net_container.cil     
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/net_container.cil     
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,25 @@
+(block net_container
+       (optional net_container_optional
+               (typeattributeset sandbox_net_domain (process))
+       )
+)
+
+(block restricted_net_container
+       (optional restricted_net_container_optional
+               (allow process process (tcp_socket (ioctl read getattr lock 
write setattr append bind connect getopt setopt shutdown create listen accept)))
+               (allow process process (udp_socket (ioctl read getattr lock 
write setattr append bind connect getopt setopt shutdown create)))
+               (allow process process (sctp_socket (ioctl read getattr lock 
write setattr append bind connect getopt setopt shutdown create)))
+
+               (allow process proc_t (lnk_file (read)))
+
+               (allow process node_t (node (tcp_recv tcp_send recvfrom 
sendto)))
+               (allow process node_t (node (udp_recv recvfrom)))
+               (allow process node_t (node (udp_send sendto)))
+
+               (allow process node_t (udp_socket (node_bind)))
+               (allow process node_t (tcp_socket (node_bind)))
+
+               (allow process http_port_t (tcp_socket (name_connect)))
+               (allow process http_port_t (tcp_socket (recv_msg send_msg)))
+       )
+)
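Review bot: restricted_net_container hard-codes http_port_t as the only name_connect target, and grants node_bind but no name_bind on any port type, so the container can only bind ports in the ephemeral range and can only connect out to ports labelled http_port_t; anything else fails silently at the SELinux layer. A header comment stating "outbound HTTP(S) plus ephemeral-port listeners only" would save users a round of audit-log debugging, and the sctp_socket rule has no matching node/port rules, so it is inert as written.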
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/container-selinux-2.164.2/udica-templates/tmp_container.cil 
new/container-selinux-2.171.0/udica-templates/tmp_container.cil
--- old/container-selinux-2.164.2/udica-templates/tmp_container.cil     
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/tmp_container.cil     
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,15 @@
+(block tmp_container
+       (optional tmp_container_optional
+               (allow process tmpfile (dir (getattr search open)))
+               (allow process tmpfile (file (ioctl read getattr lock open)))
+       )
+)
+
+(block tmp_rw_container
+       (blockinherit tmp_container)
+
+       (optional tmp_rw_container_optional
+               (allow process tmpfile (file (ioctl read write getattr lock 
append open)))
+               (allow process tmpfile (dir (ioctl read write getattr lock 
append open)))
+       )
+)
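Review bot: tmp_rw_container grants dir (ioctl read write getattr lock append open) on tmpfile but no add_name/remove_name, and file permissions with no create/unlink, so a "rw" tmp container can modify existing temp files but cannot create a new one, which is what nearly every program does with /tmp; compare home_rw_container, which grants add_name/remove_name on directories. Either add create/add_name/remove_name/unlink here or document that the block covers pre-created files only. Note also that the read-only block's dir rule grants getattr/search/open but not read, so listing /tmp is denied.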
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/container-selinux-2.164.2/udica-templates/tty_container.cil 
new/container-selinux-2.171.0/udica-templates/tty_container.cil
--- old/container-selinux-2.164.2/udica-templates/tty_container.cil     
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/tty_container.cil     
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,9 @@
+(block tty_container
+       (optional tty_container_optional
+               (allow process device_t (dir (getattr search open)))
+               (allow process device_t (dir (ioctl read getattr lock search 
open)))
+               (allow process device_t (lnk_file (read getattr)))
+
+               (allow process devtty_t (chr_file (ioctl read write getattr 
lock append open)))
+       )
+)
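Review bot: the two device_t dir rules overlap: `(dir (getattr search open))` is a strict subset of `(dir (ioctl read getattr lock search open))` on the next line, so the first can be dropped. The devtty_t chr_file rule is the one that matters and its permission set is what terminal I/O needs.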
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/container-selinux-2.164.2/udica-templates/virt_container.cil 
new/container-selinux-2.171.0/udica-templates/virt_container.cil
--- old/container-selinux-2.164.2/udica-templates/virt_container.cil    
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/virt_container.cil    
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,14 @@
+(block virt_container
+       (optional virt_container_optional
+               (allow process var_t (dir (getattr search open)))
+               (allow process var_t (lnk_file (read getattr)))
+
+               (allow process var_run_t (dir (getattr search open)))
+               (allow process var_run_t (lnk_file (read getattr)))
+
+               (allow process virt_var_run_t (dir (getattr search open)))
+               (allow process virt_var_run_t (sock_file (write getattr append 
open)))
+
+               (allow process virtd_t (unix_stream_socket (connectto)))
+       )
+)
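Review bot: `(allow process virtd_t (unix_stream_socket (connectto)))` together with write on virt_var_run_t sock_file lets the container talk to libvirtd's socket, and libvirt hands full VM management to any client the socket's DAC permissions admit. The template name does not convey that this is host-level virtualization control; a header comment should say so and point out that the DAC mode on the libvirt socket is the only remaining barrier.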
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/container-selinux-2.164.2/udica-templates/x_container.cil 
new/container-selinux-2.171.0/udica-templates/x_container.cil
--- old/container-selinux-2.164.2/udica-templates/x_container.cil       
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/x_container.cil       
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,25 @@
+(block x_container
+       (optional x_container_optional
+               (allow xserver_t process (shm (getattr read write associate 
unix_read unix_write lock)))
+
+               (allow process xserver_t (unix_stream_socket (connectto)))
+
+               (allow process device_t (dir (getattr search open)))
+
+               (allow process dri_device_t (chr_file (ioctl read write getattr 
lock append open map)))
+
+               (allow process xserver_misc_device_t (chr_file (ioctl read 
write getattr lock append open map)))
+
+               (allow process urandom_device_t (chr_file (open read)))
+
+               (allow process tmpfs_t (dir (getattr search open)))
+
+               (allow process tmp_t (dir (getattr search open)))
+               (allow process tmp_t (lnk_file (read getattr)))
+
+               (allow process xserver_tmp_t (dir (getattr search open)))
+               (allow process xserver_tmp_t (sock_file (write getattr append 
open)))
+
+               (allow process xserver_exec_t (file (ioctl read getattr lock 
map execute execute_no_trans open)))
+       )
+)
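Review bot: `execute execute_no_trans` on xserver_exec_t lets the container run the X server binary in its own domain, which an X client (the apparent purpose, given connectto on xserver_t, shm with xserver_t and the dri device access) does not need; if something in the container only needs to inspect the file, read/getattr/open suffice, and otherwise the rule can go. `(allow xserver_t process (shm ...))` is the one rule in these templates where the container is the object, granting the X server access to the container's shared memory for MIT-SHM; that direction is correct but deserves a comment so it is not "fixed" later.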
