- Addopt corenet rules for unbound-anchor to rpm_script_t

- Allow runuser to send send audit messages. - Allow postfix-local to search .forward in munin lib dirs - Allow udisks to connect to D-Bus - Allow spamd to connect to spamd port - Fix syntax error in snapper.te - Dontaudit osad to search gconf home files - Allow rhsmcertd to manage /etc/sysconf/rhn director - Fix pcp labeling to accept /usr/bin for all daemon binaries - Fix mcelog_read_log() interface - Allow iscsid to manage iscsi lib files - Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. - Make tuned_t as unconfined domain for RHEL7.0 - Allow ABRT to read puppet certs - Add sys_time capability for virt-ga - Allow gemu-ga to domtrans to hwclock_t - Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages - Fix some AVCs in pcp policy - Add to bacula capability setgid and setuid and allow to bind to bacula ports - Changed label from rhnsd_rw_conf_t to rhnsd_conf_t - Add access rhnsd and osad to /etc/sysconfig/rhn - drbdadm executes drbdmeta - Fixes needed for docker - Allow epmd to manage /var/log/rabbitmq/startup_err file - Allow beam.smp connect to amqp port - Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true - Allow init_t to manage pluto.ctl because of init_t instead of initrc_t - Allow systemd_tmpfiles_t to manage all non security files on the system - Added labels for bacula ports - Fix label on /dev/vfio/vfio - Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi
2014-02-11 20:28:28 +01:00 · 2014-02-11 20:28:28 +01:00 · 05a36cdcd0
parent 6383860028
commit 05a36cdcd0
3 changed files with 534 additions and 323 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..b60c687 100644
+index b191055..b64c141 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5484,7 +5484,7 @@ index b191055..b60c687 100644
 # reserved_port_t is the type of INET port numbers below 1024.
 #
 type reserved_port_t, port_type, reserved_port_type;
-@@ -84,10 +107,10 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,55 +107,66 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
 network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@ -5497,7 +5497,9 @@ index b191055..b60c687 100644
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
 network_port(audit, tcp,60,s0)
 network_port(auth, tcp,113,s0)
-@@ -96,43 +119,53 @@ network_port(boinc, tcp,31416,s0)
+network_port(bacula, tcp,9103,s0, udp,9103,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+ network_port(boinc, tcp,31416,s0)
 network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
 network_port(biff) # no defined portcon
 network_port(certmaster, tcp,51235,s0)
@ -5556,7 +5558,7 @@ index b191055..b60c687 100644
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +174,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@ -5623,7 +5625,7 @@ index b191055..b60c687 100644
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
 network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +227,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mxi, tcp,8005,s0, udp,8005,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
@ -5663,7 +5665,7 @@ index b191055..b60c687 100644
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
-@@ -215,39 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,39 +265,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
@ -5716,7 +5718,7 @@ index b191055..b60c687 100644
 network_port(ssh, tcp,22,s0)
 network_port(stunnel) # no defined portcon
 network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -259,8 +315,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
 network_port(tcs, tcp, 30003, s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
@ -5727,7 +5729,7 @@ index b191055..b60c687 100644
 network_port(transproxy, tcp,8081,s0)
 network_port(trisoap, tcp,10200,s0, udp,10200,s0)
 network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +327,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -271,10 +328,10 @@ network_port(varnishd, tcp,6081-6082,s0)
 network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
 network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
 network_port(virt_migration, tcp,49152-49216,s0)
@ -5740,7 +5742,7 @@ index b191055..b60c687 100644
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +344,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +345,23 @@ network_port(zabbix_agent, tcp,10050,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
@ -5767,7 +5769,7 @@ index b191055..b60c687 100644
 
 ########################################
 #
-@@ -333,6 +393,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +394,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
@ -5776,7 +5778,7 @@ index b191055..b60c687 100644
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
-@@ -345,9 +407,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +408,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -24233,7 +24235,7 @@ index 6bf0ecc..115c533 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..39c8bbb 100644
+index 8b40377..787bc72 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -24572,13 +24574,13 @@ index 8b40377..39c8bbb 100644
 +ifdef(`hide_broken_symptoms',`
 +	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
-+')
-+
-+optional_policy(`
-+	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
 ')
 
 optional_policy(`
+	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
+')
+
+optional_policy(`
 +	ssh_use_ptys(xauth_t)
 	ssh_sigchld(xauth_t)
 	ssh_read_pipes(xauth_t)
@ -24613,8 +24615,7 @@ index 8b40377..39c8bbb 100644
 +allow xdm_t self:dbus { send_msg acquire_svc };
 +
 +allow xdm_t xauth_home_t:file manage_file_perms;
- 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+
 +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@ -24623,7 +24624,8 @@ index 8b40377..39c8bbb 100644
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +xserver_filetrans_home_content(xdm_t)
 +xserver_filetrans_admin_home_content(xdm_t)
-+
+ 
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 +#Handle mislabeled files in homedir
 +userdom_delete_user_home_content_files(xdm_t)
 +userdom_signull_unpriv_users(xdm_t)
@ -24880,7 +24882,7 @@ index 8b40377..39c8bbb 100644
 +
 +#userdom_home_manager(xdm_t)
 +tunable_policy(`xdm_write_home',`
-+    userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
+    userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
 +',`
 +    userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
 +')
@ -25070,14 +25072,14 @@ index 8b40377..39c8bbb 100644
 +
 +	optional_policy(`
 +		hal_dbus_chat(xdm_t)
-+	')
-+
-+	optional_policy(`
-+		gnomeclock_dbus_chat(xdm_t)
 +	')
 
 	optional_policy(`
 -		accountsd_dbus_chat(xdm_t)
+		gnomeclock_dbus_chat(xdm_t)
+	')
+
+	optional_policy(`
 +		networkmanager_dbus_chat(xdm_t)
 	')
 ')
@ -25324,13 +25326,10 @@ index 8b40377..39c8bbb 100644
 
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -704,7 +1179,16 @@ fs_getattr_xattr_fs(xserver_t)
- fs_search_nfs(xserver_t)
+@@ -705,6 +1180,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
-
-+fs_rw_tmpfs_files(xserver_t)
-+
+ 
 +mls_file_read_to_clearance(xserver_t)
 +mls_file_write_all_levels(xserver_t)
 +mls_file_upgrade(xserver_t)
@ -25342,7 +25341,7 @@ index 8b40377..39c8bbb 100644
 mls_xwin_read_to_clearance(xserver_t)
 
 selinux_validate_context(xserver_t)
-@@ -718,20 +1202,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1201,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
 
@ -25366,7 +25365,7 @@ index 8b40377..39c8bbb 100644
 
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1221,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
 
@ -25375,7 +25374,7 @@ index 8b40377..39c8bbb 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1265,44 @@ optional_policy(`
+@@ -785,17 +1264,44 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -25422,7 +25421,7 @@ index 8b40377..39c8bbb 100644
 ')
 
 optional_policy(`
-@@ -803,6 +1310,10 @@ optional_policy(`
+@@ -803,6 +1309,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -25433,7 +25432,7 @@ index 8b40377..39c8bbb 100644
 	xfs_stream_connect(xserver_t)
 ')
 
-@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -25447,7 +25446,7 @@ index 8b40377..39c8bbb 100644
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
 # Run xkbcomp.
@ -25456,7 +25455,7 @@ index 8b40377..39c8bbb 100644
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
-@@ -842,26 +1353,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1352,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -25491,7 +25490,7 @@ index 8b40377..39c8bbb 100644
 ')
 
 optional_policy(`
-@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -25500,7 +25499,7 @@ index 8b40377..39c8bbb 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
 
-@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
 
@ -25532,7 +25531,7 @@ index 8b40377..39c8bbb 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
@ -27421,10 +27420,10 @@ index 016a770..1effeb4 100644
 +	files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
 +')
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 3f48d30..3701405 100644
+index 3f48d30..90a20cf 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
-@@ -13,6 +13,9 @@ role system_r types fsadm_t;
+@@ -13,9 +13,15 @@ role system_r types fsadm_t;
 type fsadm_log_t;
 logging_log_file(fsadm_log_t)
 
@ -27434,23 +27433,37 @@ index 3f48d30..3701405 100644
 type fsadm_tmp_t;
 files_tmp_file(fsadm_tmp_t)
 
-@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive };
+type fsadm_tmpfs_t;
+files_tmpfs_file(fsadm_tmpfs_t)
+
+ type swapfile_t; # customizable
+ files_type(swapfile_t)
+ 
+@@ -41,10 +47,21 @@ allow fsadm_t self:msg { send receive };
 
 can_exec(fsadm_t, fsadm_exec_t)
 
+-allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
+-allow fsadm_t fsadm_tmp_t:file manage_file_perms;
 +manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
 +manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
 +files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file })
 +
- allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
- allow fsadm_t fsadm_tmp_t:file manage_file_perms;
+manage_dirs_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
+manage_files_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
 files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+ 
+manage_dirs_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
+manage_files_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
+fs_tmpfs_filetrans(fsadm_t, fsadm_tmpfs_t, { file dir })
+
 +files_create_boot_flag(fsadm_t)
 +files_setattr_root_dirs(fsadm_t)
- 
+
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
-@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+ manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
+@@ -53,6 +70,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
 # Enable swapping to files
 allow fsadm_t swapfile_t:file { rw_file_perms swapon };
 
@ -27458,7 +27471,7 @@ index 3f48d30..3701405 100644
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
 kernel_request_load_module(fsadm_t)
-@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
+@@ -101,6 +119,8 @@ files_read_usr_files(fsadm_t)
 files_read_etc_files(fsadm_t)
 files_manage_lost_found(fsadm_t)
 files_manage_isid_type_dirs(fsadm_t)
@ -27467,7 +27480,15 @@ index 3f48d30..3701405 100644
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -112,7 +132,6 @@ files_read_isid_type_files(fsadm_t)
+ fs_search_auto_mountpoints(fsadm_t)
+ fs_getattr_xattr_fs(fsadm_t)
+ fs_rw_ramfs_pipes(fsadm_t)
+-fs_rw_tmpfs_files(fsadm_t)
+ # remount file system to apply changes
+ fs_remount_xattr_fs(fsadm_t)
+ # for /dev/shm
+@@ -120,6 +139,9 @@ fs_list_auto_mountpoints(fsadm_t)
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
@ -27477,7 +27498,7 @@ index 3f48d30..3701405 100644
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
-@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +155,27 @@ storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
 storage_raw_write_removable_device(fsadm_t)
 storage_read_scsi_generic(fsadm_t)
@ -27507,7 +27528,7 @@ index 3f48d30..3701405 100644
 
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -166,6 +187,11 @@ optional_policy(`
+@@ -166,6 +194,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -27519,7 +27540,7 @@ index 3f48d30..3701405 100644
 	hal_dontaudit_write_log(fsadm_t)
 ')
 
-@@ -179,6 +205,10 @@ optional_policy(`
+@@ -179,6 +212,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -27530,7 +27551,7 @@ index 3f48d30..3701405 100644
 	nis_use_ypbind(fsadm_t)
 ')
 
-@@ -192,6 +222,10 @@ optional_policy(`
+@@ -192,6 +229,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29307,7 +29328,7 @@ index 79a45f6..9a14d49 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..17932ac 100644
+index 17eda24..afe80c5 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -29555,7 +29576,7 @@ index 17eda24..17932ac 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +286,213 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +286,214 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -29736,6 +29757,7 @@ index 17eda24..17932ac 100644
 +
 +optional_policy(`
 +	ipsec_read_config(init_t)
+    ipsec_manage_pid(init_t)
 +')
 +
 +optional_policy(`
@ -29777,7 +29799,7 @@ index 17eda24..17932ac 100644
 ')
 
 optional_policy(`
-@@ -216,7 +500,30 @@ optional_policy(`
+@@ -216,7 +501,30 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29808,7 +29830,7 @@ index 17eda24..17932ac 100644
 ')
 
 ########################################
-@@ -225,9 +532,9 @@ optional_policy(`
+@@ -225,9 +533,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -29820,7 +29842,7 @@ index 17eda24..17932ac 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -258,12 +565,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +566,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -29837,7 +29859,7 @@ index 17eda24..17932ac 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +590,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +591,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -29880,7 +29902,7 @@ index 17eda24..17932ac 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +627,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +628,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -29892,7 +29914,7 @@ index 17eda24..17932ac 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +639,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +640,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -29903,7 +29925,7 @@ index 17eda24..17932ac 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +650,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +651,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -29913,7 +29935,7 @@ index 17eda24..17932ac 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +659,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +660,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -29921,7 +29943,7 @@ index 17eda24..17932ac 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +666,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +667,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -29929,7 +29951,7 @@ index 17eda24..17932ac 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +674,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +675,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -29947,7 +29969,7 @@ index 17eda24..17932ac 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +692,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +693,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -29961,7 +29983,7 @@ index 17eda24..17932ac 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +707,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +708,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -29975,7 +29997,7 @@ index 17eda24..17932ac 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +720,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +721,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -29986,7 +30008,7 @@ index 17eda24..17932ac 100644
 
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +733,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +734,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -29994,7 +30016,7 @@ index 17eda24..17932ac 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +752,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +753,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -30018,7 +30040,7 @@ index 17eda24..17932ac 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +785,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +786,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -30026,7 +30048,7 @@ index 17eda24..17932ac 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +819,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +820,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -30037,7 +30059,7 @@ index 17eda24..17932ac 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -506,7 +843,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +844,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -30046,7 +30068,7 @@ index 17eda24..17932ac 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -521,6 +858,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +859,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -30054,7 +30076,7 @@ index 17eda24..17932ac 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +879,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +880,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -30062,7 +30084,7 @@ index 17eda24..17932ac 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +889,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +890,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -30107,7 +30129,7 @@ index 17eda24..17932ac 100644
 	')
 
 	optional_policy(`
-@@ -559,14 +934,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +935,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -30139,7 +30161,7 @@ index 17eda24..17932ac 100644
 	')
 ')
 
-@@ -577,6 +969,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +970,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -30179,7 +30201,7 @@ index 17eda24..17932ac 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1014,8 @@ optional_policy(`
+@@ -589,6 +1015,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -30188,7 +30210,7 @@ index 17eda24..17932ac 100644
 ')
 
 optional_policy(`
-@@ -610,6 +1037,7 @@ optional_policy(`
+@@ -610,6 +1038,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -30196,7 +30218,7 @@ index 17eda24..17932ac 100644
 ')
 
 optional_policy(`
-@@ -626,6 +1054,17 @@ optional_policy(`
+@@ -626,6 +1055,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30214,7 +30236,7 @@ index 17eda24..17932ac 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -642,9 +1081,13 @@ optional_policy(`
+@@ -642,9 +1082,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -30228,7 +30250,7 @@ index 17eda24..17932ac 100644
 	')
 
 	optional_policy(`
-@@ -657,15 +1100,11 @@ optional_policy(`
+@@ -657,15 +1101,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30246,7 +30268,7 @@ index 17eda24..17932ac 100644
 ')
 
 optional_policy(`
-@@ -686,6 +1125,15 @@ optional_policy(`
+@@ -686,6 +1126,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30262,7 +30284,7 @@ index 17eda24..17932ac 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -726,6 +1174,7 @@ optional_policy(`
+@@ -726,6 +1175,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -30270,7 +30292,7 @@ index 17eda24..17932ac 100644
 ')
 
 optional_policy(`
-@@ -743,7 +1192,13 @@ optional_policy(`
+@@ -743,7 +1193,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30285,7 +30307,7 @@ index 17eda24..17932ac 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -766,6 +1221,10 @@ optional_policy(`
+@@ -766,6 +1222,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30296,7 +30318,7 @@ index 17eda24..17932ac 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1234,20 @@ optional_policy(`
+@@ -775,10 +1235,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30317,7 +30339,7 @@ index 17eda24..17932ac 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -787,6 +1256,10 @@ optional_policy(`
+@@ -787,6 +1257,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30328,7 +30350,7 @@ index 17eda24..17932ac 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -808,8 +1281,6 @@ optional_policy(`
+@@ -808,8 +1282,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -30337,7 +30359,7 @@ index 17eda24..17932ac 100644
 ')
 
 optional_policy(`
-@@ -818,6 +1289,10 @@ optional_policy(`
+@@ -818,6 +1290,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30348,7 +30370,7 @@ index 17eda24..17932ac 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1302,12 @@ optional_policy(`
+@@ -827,10 +1303,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -30361,7 +30383,7 @@ index 17eda24..17932ac 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1334,60 @@ optional_policy(`
+@@ -857,21 +1335,60 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30423,7 +30445,7 @@ index 17eda24..17932ac 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1403,10 @@ optional_policy(`
+@@ -887,6 +1404,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30434,7 +30456,7 @@ index 17eda24..17932ac 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1417,218 @@ optional_policy(`
+@@ -897,3 +1418,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -32894,7 +32916,7 @@ index 4e94884..b144ffe 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..7b0ef85 100644
+index 59b04c1..19dc9ce 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -32945,7 +32967,15 @@ index 59b04c1..7b0ef85 100644
 
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)
-@@ -76,6 +96,7 @@ files_type(syslogd_var_lib_t)
+@@ -71,11 +91,15 @@ init_script_file(syslogd_initrc_exec_t)
+ type syslogd_tmp_t;
+ files_tmp_file(syslogd_tmp_t)
+ 
+type syslogd_tmpfs_t;
+files_tmpfs_file(syslogd_tmpfs_t)
+
+ type syslogd_var_lib_t;
+ files_type(syslogd_var_lib_t)
 
 type syslogd_var_run_t;
 files_pid_file(syslogd_var_run_t)
@ -32953,7 +32983,7 @@ index 59b04c1..7b0ef85 100644
 
 type var_log_t;
 logging_log_file(var_log_t)
-@@ -94,6 +115,8 @@ ifdef(`enable_mls',`
+@@ -94,6 +118,8 @@ ifdef(`enable_mls',`
 allow auditctl_t self:capability { fsetid dac_read_search dac_override };
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 
@ -32962,7 +32992,7 @@ index 59b04c1..7b0ef85 100644
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
 
-@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +137,7 @@ domain_use_interactive_fds(auditctl_t)
 
 mls_file_read_all_levels(auditctl_t)
 
@ -32971,7 +33001,7 @@ index 59b04c1..7b0ef85 100644
 
 init_dontaudit_use_fds(auditctl_t)
 
-@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -148,6 +174,7 @@ kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
 kernel_read_system_state(auditd_t)
@ -32979,7 +33009,7 @@ index 59b04c1..7b0ef85 100644
 
 dev_read_sysfs(auditd_t)
 
-@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +182,6 @@ fs_getattr_all_fs(auditd_t)
 fs_search_auto_mountpoints(auditd_t)
 fs_rw_anon_inodefs_files(auditd_t)
 
@ -32989,7 +33019,7 @@ index 59b04c1..7b0ef85 100644
 corenet_all_recvfrom_netlabel(auditd_t)
 corenet_tcp_sendrecv_generic_if(auditd_t)
 corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +207,17 @@ logging_send_syslog_msg(auditd_t)
 logging_domtrans_dispatcher(auditd_t)
 logging_signal_dispatcher(auditd_t)
 
@ -33011,7 +33041,7 @@ index 59b04c1..7b0ef85 100644
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 userdom_dontaudit_search_user_home_dirs(auditd_t)
 
-@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +262,29 @@ corecmd_exec_shell(audisp_t)
 
 domain_use_interactive_fds(audisp_t)
 
@ -33042,7 +33072,7 @@ index 59b04c1..7b0ef85 100644
 ')
 
 ########################################
-@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+@@ -268,7 +303,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
 
 corecmd_exec_bin(audisp_remote_t)
 
@ -33050,7 +33080,7 @@ index 59b04c1..7b0ef85 100644
 corenet_all_recvfrom_netlabel(audisp_remote_t)
 corenet_tcp_sendrecv_generic_if(audisp_remote_t)
 corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,10 +314,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
 
 files_read_etc_files(audisp_remote_t)
 
@ -33070,7 +33100,7 @@ index 59b04c1..7b0ef85 100644
 
 sysnet_dns_name_resolve(audisp_remote_t)
 
-@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +368,6 @@ files_read_etc_files(klogd_t)
 
 logging_send_syslog_msg(klogd_t)
 
@ -33078,7 +33108,7 @@ index 59b04c1..7b0ef85 100644
 
 mls_file_read_all_levels(klogd_t)
 
-@@ -355,13 +393,12 @@ optional_policy(`
+@@ -355,13 +396,12 @@ optional_policy(`
 # sys_admin for the integrated klog of syslog-ng and metalog
 # sys_nice for rsyslog
 # cjp: why net_admin!
@ -33095,7 +33125,7 @@ index 59b04c1..7b0ef85 100644
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -371,6 +408,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+@@ -371,6 +411,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
 
 allow syslogd_t syslog_conf_t:file read_file_perms;
@ -33103,10 +33133,14 @@ index 59b04c1..7b0ef85 100644
 
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +427,42 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +430,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 
+manage_dirs_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
+manage_files_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
+fs_tmpfs_filetrans(syslogd_t, syslogd_tmpfs_t, { dir file })
+
 +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 files_search_var_lib(syslogd_t)
@ -33149,7 +33183,7 @@ index 59b04c1..7b0ef85 100644
 # syslog-ng can listen and connect on tcp port 514 (rsh)
 corenet_tcp_sendrecv_generic_if(syslogd_t)
 corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +472,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +479,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
 corenet_tcp_connect_rsh_port(syslogd_t)
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
@ -33158,7 +33192,7 @@ index 59b04c1..7b0ef85 100644
 corenet_tcp_connect_syslogd_port(syslogd_t)
 corenet_tcp_connect_postgresql_port(syslogd_t)
 corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +484,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +491,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
 corenet_sendrecv_postgresql_client_packets(syslogd_t)
 corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
@ -33186,11 +33220,9 @@ index 59b04c1..7b0ef85 100644
 domain_use_interactive_fds(syslogd_t)
 
 files_read_etc_files(syslogd_t)
-@@ -447,14 +516,19 @@ files_read_kernel_symbol_table(syslogd_t)
- files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +524,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 
 fs_getattr_all_fs(syslogd_t)
-+fs_rw_tmpfs_files(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
 +fs_search_cgroup_dirs(syslogd_t)
 
@ -33206,7 +33238,7 @@ index 59b04c1..7b0ef85 100644
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +540,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +546,11 @@ init_use_fds(syslogd_t)
 
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)
@ -33221,7 +33253,7 @@ index 59b04c1..7b0ef85 100644
 
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
-@@ -507,15 +581,40 @@ optional_policy(`
+@@ -507,15 +587,40 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -33262,7 +33294,7 @@ index 59b04c1..7b0ef85 100644
 ')
 
 optional_policy(`
-@@ -526,3 +625,26 @@ optional_policy(`
+@@ -526,3 +631,26 @@ optional_policy(`
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
@ -39202,10 +39234,10 @@ index 0000000..1d9bdfd
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..1605309
+index 0000000..9785384
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,659 @@
+@@ -0,0 +1,635 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -39491,32 +39523,8 @@ index 0000000..1605309
 +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
 +fs_list_all(systemd_tmpfiles_t)
 +
-+files_getattr_all_dirs(systemd_tmpfiles_t)
-+files_getattr_all_files(systemd_tmpfiles_t)
-+files_getattr_all_sockets(systemd_tmpfiles_t)
-+files_getattr_all_symlinks(systemd_tmpfiles_t)
-+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
-+files_relabel_all_lock_files(systemd_tmpfiles_t)
-+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
-+files_relabel_all_pid_files(systemd_tmpfiles_t)
-+files_relabel_all_spool_dirs(systemd_tmpfiles_t)
-+files_manage_all_pids(systemd_tmpfiles_t)
-+files_manage_all_pid_dirs(systemd_tmpfiles_t)
-+files_manage_all_locks(systemd_tmpfiles_t)
-+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
-+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_delete_boot_flag(systemd_tmpfiles_t)
-+files_delete_all_non_security_dirs(systemd_tmpfiles_t)
-+files_delete_all_non_security_files(systemd_tmpfiles_t)
-+files_delete_all_pid_sockets(systemd_tmpfiles_t)
-+files_delete_all_pid_pipes(systemd_tmpfiles_t)
-+files_purge_tmp(systemd_tmpfiles_t)
-+files_manage_generic_tmp_files(systemd_tmpfiles_t)
-+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
-+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-+files_relabel_all_tmp_files(systemd_tmpfiles_t)
+files_manage_non_auth_files(systemd_tmpfiles_t)
+files_relabel_non_auth_files(systemd_tmpfiles_t)
 +files_list_lost_found(systemd_tmpfiles_t)
 +
 +mls_file_read_all_levels(systemd_tmpfiles_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -578,6 +578,40 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Feb 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-23
+- Addopt corenet rules for unbound-anchor to rpm_script_t
+- Allow runuser to send send audit messages.
+- Allow postfix-local to search .forward in munin lib dirs
+- Allow udisks to connect to D-Bus
+- Allow spamd to connect to spamd port
+- Fix syntax error in snapper.te
+- Dontaudit osad to search gconf home files
+- Allow rhsmcertd to manage /etc/sysconf/rhn director
+- Fix pcp labeling to accept /usr/bin for all daemon binaries
+- Fix mcelog_read_log() interface
+- Allow iscsid to manage iscsi lib files
+- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
+- Make tuned_t as unconfined domain for RHEL7.0
+- Allow ABRT to read puppet certs
+- Add sys_time capability for virt-ga
+- Allow gemu-ga to domtrans to hwclock_t
+- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
+- Fix some AVCs in pcp policy
+- Add to bacula capability setgid and setuid and allow to bind to bacula ports
+- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
+- Add access rhnsd and osad to /etc/sysconfig/rhn
+- drbdadm executes drbdmeta
+- Fixes needed for docker
+- Allow epmd to manage /var/log/rabbitmq/startup_err file
+- Allow beam.smp connect to amqp port
+- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
+- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
+- Allow systemd_tmpfiles_t to manage all non security files on the system
+- Added labels for bacula ports
+- Fix label on /dev/vfio/vfio
+- Add kernel_mounton_messages() interface
+- init wants to manage lock files for iscsi
+
 * Wed Feb 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-22
 - Fix /dev/vfio/vfio labeling