Release 7.2.2

policy/modules/admin/brctl.if

@@ -19,6 +19,26 @@ interface(`brctl_domtrans',`
 	domtrans_pattern($1, brctl_exec_t, brctl_t)
 ')
 
+########################################
+## <summary>
+##  Allow a specified domain to execute, execute without transition,
+##  get attributes, map, open, and read the brctl_exec_t file type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain being granted permissions on brctl_exec_t file type.
+##  </summary>
+## </param>
+#
+interface(`brctl_exec_permissions',`
+    gen_require(`
+        type brctl_exec_t;
+    ')
+
+    allow $1 brctl_exec_t:file exec_file_perms;
+')
+
+
 ########################################
 ## <summary>
 ##	Execute brctl in the brctl domain, and

policy/modules/kernel/files.if

@@ -6978,6 +6978,27 @@ interface(`files_rw_runtime_files',`
 	rw_files_pattern($1, var_run_t, var_run_t)
 ')
 
+########################################
+## <summary>
+##  Allow a specified domain to create, lock, open, read, and write
+##  files labeled with var_run_t. This is a generic interface that can be
+##  applied to any domain passed as a parameter.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain being granted file operation permissions on var_run_t file type.
+##  </summary>
+## </param>
+#
+interface(`var_run_file_operations',`
+    gen_require(`
+        type var_run_t;
+    ')
+
+    allow $1 var_run_t:file manage_file_perms;
+')
+
+
 ########################################
 ## <summary>
 ##	Delete generic runtime symlinks.

policy/modules/services/container.te

@@ -742,6 +742,14 @@ userdom_search_user_runtime_root(container_engine_t)
 userdom_manage_user_runtime_root_dirs(container_engine_t)
 files_map_etc_files(container_engine_t)
 fs_read_cgroup_lnk_file(container_engine_t)
+files_manage_quota_aos(container_engine_t)
+files_manage_overlay_aos(container_engine_t)
+
+corenet_tcp_connect_all_unreserved_ports(container_engine_t)
+
+kernel_read_vm_overcommit_sysctl(container_engine_t)
+
+kernel_search_vm_sysctl(container_engine_t)
 
 ifdef(`init_systemd',`
 	# needed by runc, which is also invoked by other engines

policy/modules/system/aos.if

@@ -164,9 +164,28 @@ interface(`files_manage_quota_aos',`
 
 	allow $1 aos_var_run_t:dir manage_dir_perms;
 	allow $1 aos_var_run_t:file { manage_file_perms quotaon exec_file_perms };
-	allow $1 aos_var_run_t:filesystem { quotaget quotamod };
+	allow $1 aos_var_run_t:filesystem { quotaget quotamod remount getattr };
 ')
 
+########################################
+## <summary>
+##	Manage overlay files in /var/aos directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_overlay_aos',`
+	gen_require(`
+		type aos_var_run_t;
+	')
+
+	allow $1 aos_var_run_t:lnk_file { read };
+')	
+
+
 ########################################
 ## <summary>
 ##	Allow relabeled /var/aos directory.

policy/modules/system/iptables.te

@@ -103,7 +103,9 @@ sysnet_dns_name_resolve(iptables_t)
 
 userdom_use_inherited_user_terminals(iptables_t)
 
-
+dev_rw_xen(iptables_t)
+xen_append_log(iptables_t)
+var_run_file_operations(iptables_t)
 
 optional_policy(`
 	# iptables may try to rw /ptmx in a container

policy/modules/system/sysnetwork.te

@@ -369,6 +369,10 @@ seutil_use_runinit_fds(ifconfig_t)
 
 sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
 
+dev_rw_xen(ifconfig_t)
+
+var_run_file_operations(ifconfig_t)
+
 # For "ip netns identify $$"
 userdom_read_all_users_state(ifconfig_t)
 userdom_use_user_terminals(ifconfig_t)

policy/modules/system/xen.te

@@ -562,6 +562,16 @@ userdom_dontaudit_search_user_home_content(xm_t)
 
 dev_rw_xen(xm_t)
 
+brctl_exec_permissions(xm_t)
+
+files_map_etc_files(xm_t)
+
+write_logging_runtime_dirs(xm_t)
+
+files_manage_var_run_dirs(xm_t)
+
+var_run_file_operations(xm_t)
+
 tunable_policy(`xen_use_fusefs',`
 	fs_manage_fusefs_dirs(xm_t)
 	fs_manage_fusefs_files(xm_t)