- Allow block_suspend cap2 for systemd-logind and rw dri device

- Add labeling for /usr/libexec/nm-libreswan-service - Allow locallogin to rw xdm key to make Virtual Terminal login providing - Add xserver_rw_xdm_keys() - Allow rpm_script_t to dbus chat also with systemd-located - Fix ipa_stream_connect_otpd() - update lpd_manage_spool() interface - Allow krb5kdc to stream connect to ipa-otpd - Add ipa_stream_connect_otpd() interface - Allow vpnc to unlink NM pids - Add networkmanager_delete_pid_files() - Allow munin plugins to access unconfined plugins - update abrt_filetrans_named_content to cover /var/spool/debug - Label /var/spool/debug as abrt_var_cache_t - Allow rhsmcertd to connect to squid port - Make docker_transition_unconfined as optional boolean - Allow certmonger to list home dirs
2014-03-04 10:17:06 +01:00 · 2014-03-04 10:17:06 +01:00 · 08fe2e457e
parent 18bb7ec6a3
commit 08fe2e457e
3 changed files with 300 additions and 178 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -22720,7 +22720,7 @@ index 8274418..0069d82 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..115c533 100644
+index 6bf0ecc..0d55916 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@ -23704,7 +23704,7 @@ index 6bf0ecc..115c533 100644
 ')
 
 ########################################
-@@ -1284,10 +1679,624 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1679,643 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -24331,6 +24331,25 @@ index 6bf0ecc..115c533 100644
 +
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
+
+########################################
+## <summary>
+##	Manage keys for xdm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_keys',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:key { read write };
+')
+
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
 index 8b40377..a02343f 100644
 --- a/policy/modules/services/xserver.te
@ -27522,7 +27541,7 @@ index 016a770..1effeb4 100644
 +	files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
 +')
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 3f48d30..90a20cf 100644
+index 3f48d30..1fb0cde 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
@@ -13,9 +13,15 @@ role system_r types fsadm_t;
@ -27541,7 +27560,15 @@ index 3f48d30..90a20cf 100644
 type swapfile_t; # customizable
 files_type(swapfile_t)
 
-@@ -41,10 +47,21 @@ allow fsadm_t self:msg { send receive };
+@@ -26,6 +32,7 @@ files_type(swapfile_t)
+ 
+ # ipc_lock is for losetup
+ allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
+dontaudit fsadm_t self:capability net_admin;
+ allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
+ allow fsadm_t self:fd use;
+ allow fsadm_t self:fifo_file rw_fifo_file_perms;
+@@ -41,10 +48,21 @@ allow fsadm_t self:msg { send receive };
 
 can_exec(fsadm_t, fsadm_exec_t)
 
@ -27565,7 +27592,7 @@ index 3f48d30..90a20cf 100644
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
 manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
-@@ -53,6 +70,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+@@ -53,6 +71,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
 # Enable swapping to files
 allow fsadm_t swapfile_t:file { rw_file_perms swapon };
 
@ -27573,7 +27600,7 @@ index 3f48d30..90a20cf 100644
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
 kernel_request_load_module(fsadm_t)
-@@ -101,6 +119,8 @@ files_read_usr_files(fsadm_t)
+@@ -101,6 +120,8 @@ files_read_usr_files(fsadm_t)
 files_read_etc_files(fsadm_t)
 files_manage_lost_found(fsadm_t)
 files_manage_isid_type_dirs(fsadm_t)
@ -27582,7 +27609,7 @@ index 3f48d30..90a20cf 100644
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -112,7 +132,6 @@ files_read_isid_type_files(fsadm_t)
+@@ -112,7 +133,6 @@ files_read_isid_type_files(fsadm_t)
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
 fs_rw_ramfs_pipes(fsadm_t)
@ -27590,7 +27617,7 @@ index 3f48d30..90a20cf 100644
 # remount file system to apply changes
 fs_remount_xattr_fs(fsadm_t)
 # for /dev/shm
-@@ -120,6 +139,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -120,6 +140,9 @@ fs_list_auto_mountpoints(fsadm_t)
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
@ -27600,7 +27627,7 @@ index 3f48d30..90a20cf 100644
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
-@@ -133,21 +155,27 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +156,27 @@ storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
 storage_raw_write_removable_device(fsadm_t)
 storage_read_scsi_generic(fsadm_t)
@ -27630,7 +27657,7 @@ index 3f48d30..90a20cf 100644
 
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -166,6 +194,11 @@ optional_policy(`
+@@ -166,6 +195,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -27642,7 +27669,7 @@ index 3f48d30..90a20cf 100644
 	hal_dontaudit_write_log(fsadm_t)
 ')
 
-@@ -179,6 +212,10 @@ optional_policy(`
+@@ -179,6 +213,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -27653,7 +27680,7 @@ index 3f48d30..90a20cf 100644
 	nis_use_ypbind(fsadm_t)
 ')
 
-@@ -192,6 +229,10 @@ optional_policy(`
+@@ -192,6 +230,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28026,7 +28053,7 @@ index bc0ffc8..8de430d 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..b822c29 100644
+index 79a45f6..89b43aa 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -28413,7 +28440,7 @@ index 79a45f6..b822c29 100644
 ')
 
 ########################################
-@@ -743,22 +923,23 @@ interface(`init_write_initctl',`
+@@ -743,22 +923,24 @@ interface(`init_write_initctl',`
 interface(`init_telinit',`
 	gen_require(`
 		type initctl_t;
@ -28438,6 +28465,7 @@ index 79a45f6..b822c29 100644
 -	')
 +	ps_process_pattern($1, init_t)
 +	allow $1 init_t:process signal;
+	dontaudit $1 self:capability net_admin;
 +	# upstart uses a datagram socket instead of initctl pipe
 +	allow $1 self:unix_dgram_socket create_socket_perms;
 +	allow $1 init_t:unix_dgram_socket sendto;
@ -28446,7 +28474,7 @@ index 79a45f6..b822c29 100644
 ')
 
 ########################################
-@@ -787,7 +968,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +969,7 @@ interface(`init_rw_initctl',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -28455,7 +28483,7 @@ index 79a45f6..b822c29 100644
 ##	</summary>
 ## </param>
 #
-@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +1012,12 @@ interface(`init_script_file_entry_type',`
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
@ -28470,7 +28498,7 @@ index 79a45f6..b822c29 100644
 
 	ifdef(`distro_gentoo',`
 		gen_require(`
-@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1028,11 @@ interface(`init_spec_domtrans_script',`
 	')
 
 	ifdef(`enable_mcs',`
@ -28484,7 +28512,7 @@ index 79a45f6..b822c29 100644
 	')
 ')
 
-@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1048,41 @@ interface(`init_spec_domtrans_script',`
 #
 interface(`init_domtrans_script',`
 	gen_require(`
@ -28530,7 +28558,7 @@ index 79a45f6..b822c29 100644
 ')
 
 ########################################
-@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1138,14 @@ interface(`init_script_file_domtrans',`
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
 		type initrc_t;
@ -28545,7 +28573,7 @@ index 79a45f6..b822c29 100644
 	files_search_etc($1)
 ')
 
-@@ -1012,6 +1221,42 @@ interface(`init_read_state',`
+@@ -1012,6 +1222,42 @@ interface(`init_read_state',`
 
 ########################################
 ## <summary>
@ -28588,7 +28616,7 @@ index 79a45f6..b822c29 100644
 ##	Ptrace init
 ## </summary>
 ## <param name="domain">
-@@ -1026,7 +1271,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1272,9 @@ interface(`init_ptrace',`
 		type init_t;
 	')
 
@ -28599,7 +28627,7 @@ index 79a45f6..b822c29 100644
 ')
 
 ########################################
-@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1373,25 @@ interface(`init_getattr_all_script_files',`
 
 ########################################
 ## <summary>
@ -28625,7 +28653,7 @@ index 79a45f6..b822c29 100644
 ##	Read all init script files.
 ## </summary>
 ## <param name="domain">
-@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1411,24 @@ interface(`init_read_all_script_files',`
 
 #######################################
 ## <summary>
@ -28650,7 +28678,7 @@ index 79a45f6..b822c29 100644
 ##	Dontaudit read all init script files.
 ## </summary>
 ## <param name="domain">
-@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1480,7 @@ interface(`init_read_script_state',`
 	')
 
 	kernel_search_proc($1)
@ -28664,7 +28692,7 @@ index 79a45f6..b822c29 100644
 ')
 
 ########################################
-@@ -1314,7 +1593,7 @@ interface(`init_signal_script',`
+@@ -1314,7 +1594,7 @@ interface(`init_signal_script',`
 
 ########################################
 ## <summary>
@ -28673,7 +28701,7 @@ index 79a45f6..b822c29 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1322,17 +1601,17 @@ interface(`init_signal_script',`
+@@ -1322,17 +1602,17 @@ interface(`init_signal_script',`
 ##	</summary>
 ## </param>
 #
@ -28694,7 +28722,7 @@ index 79a45f6..b822c29 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1340,17 +1619,17 @@ interface(`init_signull_script',`
+@@ -1340,17 +1620,17 @@ interface(`init_signull_script',`
 ##	</summary>
 ## </param>
 #
@ -28715,7 +28743,7 @@ index 79a45f6..b822c29 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1358,7 +1637,25 @@ interface(`init_rw_script_pipes',`
+@@ -1358,7 +1638,25 @@ interface(`init_rw_script_pipes',`
 ##	</summary>
 ## </param>
 #
@ -28742,7 +28770,7 @@ index 79a45f6..b822c29 100644
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
-@@ -1440,6 +1737,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1738,27 @@ interface(`init_dbus_send_script',`
 ########################################
 ## <summary>
 ##	Send and receive messages from
@ -28770,7 +28798,7 @@ index 79a45f6..b822c29 100644
 ##	init scripts over dbus.
 ## </summary>
 ## <param name="domain">
-@@ -1547,6 +1865,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1547,6 +1866,25 @@ interface(`init_getattr_script_status_files',`
 
 ########################################
 ## <summary>
@ -28796,7 +28824,7 @@ index 79a45f6..b822c29 100644
 ##	Do not audit attempts to read init script
 ##	status files.
 ## </summary>
-@@ -1605,6 +1942,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +1943,24 @@ interface(`init_rw_script_tmp_files',`
 
 ########################################
 ## <summary>
@ -28821,7 +28849,7 @@ index 79a45f6..b822c29 100644
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
-@@ -1677,6 +2032,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2033,43 @@ interface(`init_read_utmp',`
 
 ########################################
 ## <summary>
@ -28865,7 +28893,7 @@ index 79a45f6..b822c29 100644
 ##	Do not audit attempts to write utmp.
 ## </summary>
 ## <param name="domain">
-@@ -1765,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2158,7 @@ interface(`init_dontaudit_rw_utmp',`
 		type initrc_var_run_t;
 	')
 
@ -28874,7 +28902,7 @@ index 79a45f6..b822c29 100644
 ')
 
 ########################################
-@@ -1806,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,6 +2199,133 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 
@ -29008,7 +29036,7 @@ index 79a45f6..b822c29 100644
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2360,450 @@ interface(`init_udp_recvfrom_all_daemons',`
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
@ -30837,7 +30865,7 @@ index 17eda24..e8e4114 100644
 +    ')
 + ')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..05d25b0 100644
+index 662e79b..08589f8 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
@@ -1,14 +1,23 @@
@ -30865,10 +30893,11 @@ index 662e79b..05d25b0 100644
 
 /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
 
-@@ -26,16 +35,23 @@
+@@ -26,16 +35,24 @@
 /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/nm-libreswan-service   --  gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 +/usr/libexec/strongswan/.*	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 
 /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@ -32288,7 +32317,7 @@ index 0e3c2a9..ea9bd57 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa99..050a2ac 100644
+index 446fa99..6043534 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@ -32412,7 +32441,15 @@ index 446fa99..050a2ac 100644
 	unconfined_shell_domtrans(local_login_t)
 ')
 
-@@ -202,7 +198,7 @@ optional_policy(`
+@@ -195,6 +191,7 @@ optional_policy(`
+ optional_policy(`
+ 	xserver_read_xdm_tmp_files(local_login_t)
+ 	xserver_rw_xdm_tmp_files(local_login_t)
+    xserver_rw_xdm_keys(local_login_t)
+ ')
+ 
+ #################################
+@@ -202,7 +199,7 @@ optional_policy(`
 # Sulogin local policy
 #
 
@ -32421,7 +32458,7 @@ index 446fa99..050a2ac 100644
 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_fifo_file_perms;
-@@ -215,18 +211,27 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,18 +212,27 @@ allow sulogin_t self:sem create_sem_perms;
 allow sulogin_t self:msgq create_msgq_perms;
 allow sulogin_t self:msg { send receive };
 
@ -32449,7 +32486,7 @@ index 446fa99..050a2ac 100644
 
 logging_send_syslog_msg(sulogin_t)
 
-@@ -235,17 +240,28 @@ seutil_read_default_contexts(sulogin_t)
+@@ -235,17 +241,28 @@ seutil_read_default_contexts(sulogin_t)
 
 userdom_use_unpriv_users_fds(sulogin_t)
 
@ -32480,7 +32517,7 @@ index 446fa99..050a2ac 100644
 	init_getpgid(sulogin_t)
 ', `
 	allow sulogin_t self:process setexec;
-@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +273,3 @@ ifdef(`sulogin_no_pam', `
 	selinux_compute_relabel_context(sulogin_t)
 	selinux_compute_user_contexts(sulogin_t)
 ')
@ -39476,10 +39513,10 @@ index 0000000..8bca1d7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..4b0bb47
+index 0000000..e0c3372
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,636 @@
+@@ -0,0 +1,638 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -39563,6 +39600,7 @@ index 0000000..4b0bb47
 +
 +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
 +allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
+allow systemd_logind_t self:capability2 block_suspend;
 +allow systemd_logind_t self:process getcap;
 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@ -39590,7 +39628,7 @@ index 0000000..4b0bb47
 +dev_getattr_all_blk_files(systemd_logind_t)
 +dev_rw_sysfs(systemd_logind_t)
 +dev_rw_input_dev(systemd_logind_t)
-+dev_rw_inherited_dri(systemd_logind_t)
+dev_rw_dri(systemd_logind_t)
 +dev_setattr_all_chr_files(systemd_logind_t)
 +dev_setattr_dri_dev(systemd_logind_t)
 +dev_setattr_generic_usb_dev(systemd_logind_t)
@ -39696,7 +39734,7 @@ index 0000000..4b0bb47
 +# Local policy
 +#
 +
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override net_admin };
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
 +allow systemd_passwd_agent_t self:process { setsockcreate };
 +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 +
@ -39740,7 +39778,7 @@ index 0000000..4b0bb47
 +# Local policy
 +#
 +
-+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod net_admin };
+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
 +allow systemd_tmpfiles_t self:process { setfscreate };
 +
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
@ -40090,6 +40128,7 @@ index 0000000..4b0bb47
 +# Common rules for systemd domains
 +#
 +allow systemd_domain self:process { setfscreate signal_perms };
+dontaudit systemd_domain self:capability net_admin;
 +
 +dev_read_urand(systemd_domain)
 +
@ -46039,7 +46078,7 @@ index 9dc60c6..771d5b9 100644
 +')
 +
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..799a5cc 100644
+index f4ac38d..711759c 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@ -46128,7 +46167,7 @@ index f4ac38d..799a5cc 100644
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
-@@ -70,26 +83,383 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,384 @@ ubac_constrained(user_home_dir_t)
 
 type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
 typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@ -46188,6 +46227,7 @@ index f4ac38d..799a5cc 100644
 +
 +allow userdomain userdomain:process signull;
 +allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
+dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;
 +
 +# Nautilus causes this avc
 +domain_dontaudit_access_check(unpriv_userdomain)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -68,7 +68,7 @@ index 1a93dc5..40dda9e 100644
 -/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 -/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..70eb89d 100644
+index 058d908..1e5378d 100644
 --- a/abrt.if
 +++ b/abrt.if
@@ -1,4 +1,26 @@
@ -344,7 +344,7 @@ index 058d908..70eb89d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -288,39 +407,172 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +407,173 @@ interface(`abrt_manage_pid_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -527,6 +527,7 @@ index 058d908..70eb89d 100644
 +	files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
 +	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
 +	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
+	files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
 +	files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
 +')
 +
@ -10752,7 +10753,7 @@ index 008f8ef..144c074 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..6f366b4 100644
+index 550b287..b988f57 100644
 --- a/certmonger.te
 +++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@ -10789,7 +10790,7 @@ index 550b287..6f366b4 100644
 
 corenet_all_recvfrom_unlabeled(certmonger_t)
 corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,16 +55,23 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
 
 corenet_sendrecv_certmaster_client_packets(certmonger_t)
 corenet_tcp_connect_certmaster_port(certmonger_t)
@ -10812,9 +10813,11 @@ index 550b287..6f366b4 100644
 
 -files_read_usr_files(certmonger_t)
 files_list_tmp(certmonger_t)
+files_list_home(certmonger_t)
 
 fs_search_cgroup_dirs(certmonger_t)
-@@ -70,16 +83,18 @@ init_getattr_all_script_files(certmonger_t)
+ 
+@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t)
 
 logging_send_syslog_msg(certmonger_t)
 
@ -10835,7 +10838,7 @@ index 550b287..6f366b4 100644
 ')
 
 optional_policy(`
-@@ -92,11 +107,47 @@ optional_policy(`
+@@ -92,11 +108,47 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -20127,7 +20130,7 @@ index 62d22cb..2d33fcd 100644
 +	dontaudit system_bus_type $1:dbus send_msg;
 ')
 diff --git a/dbus.te b/dbus.te
-index c9998c8..163708f 100644
+index c9998c8..8b8b691 100644
 --- a/dbus.te
 +++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@ -20250,7 +20253,7 @@ index c9998c8..163708f 100644
 mls_fd_use_all_levels(system_dbusd_t)
 mls_rangetrans_target(system_dbusd_t)
 mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +121,160 @@ term_dontaudit_use_console(system_dbusd_t)
 auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
 
@ -20355,6 +20358,7 @@ index c9998c8..163708f 100644
 +# system_bus_type rules
 #
 +role system_r types system_bus_type;
+dontaudit system_bus_type self:capability net_admin;
 +
 +fs_search_all(system_bus_type)
 +
@ -20424,7 +20428,7 @@ index c9998c8..163708f 100644
 kernel_read_kernel_sysctls(session_bus_type)
 
 corecmd_list_bin(session_bus_type)
-@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +283,18 @@ corecmd_read_bin_files(session_bus_type)
 corecmd_read_bin_pipes(session_bus_type)
 corecmd_read_bin_sockets(session_bus_type)
 
@ -20449,7 +20453,7 @@ index c9998c8..163708f 100644
 files_dontaudit_search_var(session_bus_type)
 
 fs_getattr_romfs(session_bus_type)
-@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +302,6 @@ fs_getattr_xattr_fs(session_bus_type)
 fs_list_inotifyfs(session_bus_type)
 fs_dontaudit_list_nfs(session_bus_type)
 
@ -20457,7 +20461,7 @@ index c9998c8..163708f 100644
 selinux_validate_context(session_bus_type)
 selinux_compute_access_vector(session_bus_type)
 selinux_compute_create_context(session_bus_type)
-@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +311,36 @@ selinux_compute_user_contexts(session_bus_type)
 auth_read_pam_console_data(session_bus_type)
 
 logging_send_audit_msgs(session_bus_type)
@ -20499,7 +20503,7 @@ index c9998c8..163708f 100644
 ')
 
 ########################################
-@@ -244,5 +347,6 @@ optional_policy(`
+@@ -244,5 +348,6 @@ optional_policy(`
 # Unconfined access to this module
 #
 
@ -33116,10 +33120,10 @@ index 0000000..9278f85
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..deb738f
+index 0000000..70c67d3
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,38 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@ -33141,6 +33145,23 @@ index 0000000..deb738f
 +	domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
 +')
 +
+########################################
+## <summary>
+##	Connect to ipa-otpd over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_stream_connect_otpd',`
+	gen_require(`
+		type ipa_otpd_t;
+	')
+    allow $1 ipa_otpd_t:unix_stream_socket connectto;
+')
+
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
 index 0000000..0fd2678
@ -36378,7 +36399,7 @@ index f6c00d8..c0946cf 100644
 +	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
 ')
 diff --git a/kerberos.te b/kerberos.te
-index 8833d59..ff53b77 100644
+index 8833d59..534f815 100644
 --- a/kerberos.te
 +++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@ -36582,7 +36603,7 @@ index 8833d59..ff53b77 100644
 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
 
 allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -201,56 +228,57 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -201,71 +228,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
 files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
 
 manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
@ -36653,7 +36674,14 @@ index 8833d59..ff53b77 100644
 sysnet_use_ldap(krb5kdc_t)
 
 userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +289,11 @@ optional_policy(`
+ userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+ 
+ optional_policy(`
+    ipa_stream_connect_otpd(krb5kdc_t)
+')
+
+optional_policy(`
+ 	ldap_stream_connect(krb5kdc_t)
 ')
 
 optional_policy(`
@ -36667,7 +36695,7 @@ index 8833d59..ff53b77 100644
 ')
 
 optional_policy(`
-@@ -273,6 +301,10 @@ optional_policy(`
+@@ -273,6 +305,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36678,7 +36706,7 @@ index 8833d59..ff53b77 100644
 	udev_read_db(krb5kdc_t)
 ')
 
-@@ -281,10 +313,12 @@ optional_policy(`
+@@ -281,10 +317,12 @@ optional_policy(`
 # kpropd local policy
 #
 
@ -36694,7 +36722,7 @@ index 8833d59..ff53b77 100644
 
 allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
 
-@@ -303,26 +337,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,26 +341,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
 
 corecmd_exec_bin(kpropd_t)
 
@ -38115,7 +38143,7 @@ index 3602712..fc7b071 100644
 +	allow $1 slapd_unit_file_t:service all_service_perms;
 ')
 diff --git a/ldap.te b/ldap.te
-index 4c2b111..6effd5f 100644
+index 4c2b111..deb2d7d 100644
 --- a/ldap.te
 +++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@ -38137,7 +38165,18 @@ index 4c2b111..6effd5f 100644
 allow slapd_t self:fifo_file rw_fifo_file_perms;
 allow slapd_t self:tcp_socket { accept listen };
 
-@@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+@@ -69,9 +72,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
+ files_lock_filetrans(slapd_t, slapd_lock_t, file)
+ 
+ manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-append_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-create_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+ logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
+ 
+ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+@@ -93,7 +94,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
 
@ -38145,7 +38184,7 @@ index 4c2b111..6effd5f 100644
 corenet_all_recvfrom_netlabel(slapd_t)
 corenet_tcp_sendrecv_generic_if(slapd_t)
 corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -115,15 +117,14 @@ fs_getattr_all_fs(slapd_t)
+@@ -115,15 +115,14 @@ fs_getattr_all_fs(slapd_t)
 fs_search_auto_mountpoints(slapd_t)
 
 files_read_etc_runtime_files(slapd_t)
@ -38162,7 +38201,7 @@ index 4c2b111..6effd5f 100644
 
 userdom_dontaudit_use_unpriv_user_fds(slapd_t)
 userdom_dontaudit_search_user_home_dirs(slapd_t)
-@@ -131,9 +132,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
+@@ -131,9 +130,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
 optional_policy(`
 	kerberos_manage_host_rcache(slapd_t)
 	kerberos_read_keytab(slapd_t)
@ -39192,7 +39231,7 @@ index 2fb9b2e..08974e3 100644
 
 /usr/share/printconf/.*	--	gen_context(system_u:object_r:printconf_t,s0)
 diff --git a/lpd.if b/lpd.if
-index 6256371..7826e38 100644
+index 6256371..ce2acb8 100644
 --- a/lpd.if
 +++ b/lpd.if
@@ -1,44 +1,49 @@
@ -39317,7 +39356,12 @@ index 6256371..7826e38 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',`
+@@ -149,11 +151,12 @@ interface(`lpd_manage_spool',`
+ 	manage_dirs_pattern($1, print_spool_t, print_spool_t)
+ 	manage_files_pattern($1, print_spool_t, print_spool_t)
+ 	manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
+    manage_fifo_files_pattern($1, print_spool_t, print_spool_t)
+ ')
 
 ########################################
 ## <summary>
@ -39326,7 +39370,7 @@ index 6256371..7826e38 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',`
+@@ -172,7 +175,7 @@ interface(`lpd_relabel_spool',`
 
 ########################################
 ## <summary>
@ -39335,7 +39379,7 @@ index 6256371..7826e38 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -200,12 +202,11 @@ interface(`lpd_read_config',`
+@@ -200,12 +203,11 @@ interface(`lpd_read_config',`
 ##	</summary>
 ## </param>
 #
@ -39349,7 +39393,7 @@ index 6256371..7826e38 100644
 	domtrans_pattern($1, lpr_exec_t, lpr_t)
 ')
 
-@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',`
+@@ -237,7 +239,8 @@ interface(`lpd_run_lpr',`
 
 ########################################
 ## <summary>
@ -39359,7 +39403,7 @@ index 6256371..7826e38 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',`
+@@ -250,6 +253,5 @@ interface(`lpd_exec_lpr',`
 		type lpr_exec_t;
 	')
 
@ -47493,10 +47537,10 @@ index b744fe3..900d083 100644
 +	admin_pattern($1, munin_content_t)
 ')
 diff --git a/munin.te b/munin.te
-index b708708..16b96d0 100644
+index b708708..0deb9fa 100644
 --- a/munin.te
 +++ b/munin.te
-@@ -44,12 +44,15 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
+@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
 munin_plugin_template(system)
 munin_plugin_template(unconfined)
 
@ -47513,7 +47557,14 @@ index b708708..16b96d0 100644
 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
 
 allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -62,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+ 
+ read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
+ 
+allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms;
+
+ allow munin_plugin_domain munin_exec_t:file read_file_perms;
+ 
+ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
 
 manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
 
@ -47538,7 +47589,7 @@ index b708708..16b96d0 100644
 
 optional_policy(`
 	nscd_use(munin_plugin_domain)
-@@ -118,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 
@ -47547,7 +47598,7 @@ index b708708..16b96d0 100644
 
 manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
 manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -134,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
 corecmd_exec_bin(munin_t)
 corecmd_exec_shell(munin_t)
 
@ -47555,7 +47606,7 @@ index b708708..16b96d0 100644
 corenet_all_recvfrom_netlabel(munin_t)
 corenet_tcp_sendrecv_generic_if(munin_t)
 corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -157,7 +153,6 @@ domain_use_interactive_fds(munin_t)
+@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t)
 domain_read_all_domains_state(munin_t)
 
 files_read_etc_runtime_files(munin_t)
@ -47563,7 +47614,7 @@ index b708708..16b96d0 100644
 files_list_spool(munin_t)
 
 fs_getattr_all_fs(munin_t)
-@@ -169,7 +164,6 @@ logging_send_syslog_msg(munin_t)
+@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t)
 logging_read_all_logs(munin_t)
 
 miscfiles_read_fonts(munin_t)
@ -47571,7 +47622,7 @@ index b708708..16b96d0 100644
 miscfiles_setattr_fonts_cache_dirs(munin_t)
 
 sysnet_exec_ifconfig(munin_t)
-@@ -177,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
 userdom_dontaudit_search_user_home_dirs(munin_t)
 
@ -47585,7 +47636,7 @@ index b708708..16b96d0 100644
 
 optional_policy(`
 	cron_system_entry(munin_t, munin_exec_t)
-@@ -217,7 +204,6 @@ optional_policy(`
+@@ -217,7 +206,6 @@ optional_policy(`
 
 optional_policy(`
 	postfix_list_spool(munin_t)
@ -47593,7 +47644,7 @@ index b708708..16b96d0 100644
 ')
 
 optional_policy(`
-@@ -246,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
 
 rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 
@ -47621,7 +47672,7 @@ index b708708..16b96d0 100644
 
 sysnet_read_config(disk_munin_plugin_t)
 
-@@ -272,6 +260,10 @@ optional_policy(`
+@@ -272,6 +262,10 @@ optional_policy(`
 	fstools_exec(disk_munin_plugin_t)
 ')
 
@ -47632,7 +47683,7 @@ index b708708..16b96d0 100644
 ####################################
 #
 # Mail local policy
-@@ -279,27 +271,36 @@ optional_policy(`
+@@ -279,27 +273,36 @@ optional_policy(`
 
 allow mail_munin_plugin_t self:capability dac_override;
 
@ -47673,7 +47724,7 @@ index b708708..16b96d0 100644
 ')
 
 optional_policy(`
-@@ -339,7 +340,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -339,7 +342,7 @@ dev_read_rand(services_munin_plugin_t)
 sysnet_read_config(services_munin_plugin_t)
 
 optional_policy(`
@ -47682,7 +47733,7 @@ index b708708..16b96d0 100644
 ')
 
 optional_policy(`
-@@ -361,7 +362,11 @@ optional_policy(`
+@@ -361,7 +364,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47695,7 +47746,7 @@ index b708708..16b96d0 100644
 ')
 
 optional_policy(`
-@@ -393,6 +398,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +400,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
 
 kernel_read_network_state(system_munin_plugin_t)
 kernel_read_all_sysctls(system_munin_plugin_t)
@ -47703,7 +47754,7 @@ index b708708..16b96d0 100644
 
 dev_read_sysfs(system_munin_plugin_t)
 dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +427,32 @@ optional_policy(`
+@@ -421,3 +429,32 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(unconfined_munin_plugin_t)
 ')
@ -49873,7 +49924,7 @@ index 94b9734..bb9c83e 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..993ecf5 100644
+index 86dc29d..1cd0d0e 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
@@ -2,7 +2,7 @@
@ -49953,28 +50004,10 @@ index 86dc29d..993ecf5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',`
+@@ -93,10 +96,27 @@ interface(`networkmanager_domtrans',`
+ 	domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
+ ')
 
- ########################################
- ## <summary>
-##	Execute networkmanager scripts with
-##	an automatic domain transition to initrc.
-+##	Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',`
- ##	</summary>
- ## </param>
- #
-+interface(`networkmanager_NetworkManagerrc_domtrans',`
-+	gen_require(`
-+		type NetworkManager_NetworkManagerrc_exec_t;
-+	')
-+
-+	NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t)
-+')
-+
 +#######################################
 +## <summary>
 +##      Execute NetworkManager scripts with an automatic domain transition to initrc.
@ -49985,7 +50018,7 @@ index 86dc29d..993ecf5 100644
 +##      </summary>
 +## </param>
 +#
- interface(`networkmanager_initrc_domtrans',`
+interface(`networkmanager_initrc_domtrans',`
 +        gen_require(`
 +                type NetworkManager_initrc_exec_t;
 +        ')
@ -49993,16 +50026,19 @@ index 86dc29d..993ecf5 100644
 +        init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Execute networkmanager scripts with
+-##	an automatic domain transition to initrc.
 +##	Execute NetworkManager server in the NetworkManager domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -104,18 +124,23 @@ interface(`networkmanager_domtrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`networkmanager_initrc_domtrans',`
 +interface(`networkmanager_systemctl',`
 	gen_require(`
 -		type NetworkManager_initrc_exec_t;
@ -50026,7 +50062,7 @@ index 86dc29d..993ecf5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -155,7 +198,29 @@ interface(`networkmanager_read_state',`
+@@ -155,7 +180,29 @@ interface(`networkmanager_read_state',`
 
 ########################################
 ## <summary>
@ -50057,7 +50093,7 @@ index 86dc29d..993ecf5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -211,9 +276,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -211,9 +258,28 @@ interface(`networkmanager_read_lib_files',`
 	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 ')
 
@ -50087,7 +50123,7 @@ index 86dc29d..993ecf5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -221,19 +305,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -221,19 +287,18 @@ interface(`networkmanager_read_lib_files',`
 ##	</summary>
 ## </param>
 #
@ -50108,11 +50144,11 @@ index 86dc29d..993ecf5 100644
 ########################################
 ## <summary>
 -##	Read networkmanager pid files.
-+##	Read NetworkManager PID files.
+##	Manage NetworkManager PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -241,13 +324,13 @@ interface(`networkmanager_append_log_files',`
+@@ -241,13 +306,13 @@ interface(`networkmanager_append_log_files',`
 ##	</summary>
 ## </param>
 #
@ -50128,23 +50164,43 @@ index 86dc29d..993ecf5 100644
 ')
 
 ####################################
-@@ -272,12 +355,12 @@ interface(`networkmanager_stream_connect',`
+@@ -272,14 +337,33 @@ interface(`networkmanager_stream_connect',`
 
 ########################################
 ## <summary>
 -##	All of the rules required to
 -##	administrate an networkmanager environment.
-+##	Execute NetworkManager in the NetworkManager domain, and
-+##	allow the specified role the NetworkManager domain.
+##	Delete NetworkManager PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-+##	Domain allowed to transition.
+ ##	Domain allowed access.
 ##	</summary>
 ## </param>
+#
+interface(`networkmanager_delete_pid_files',`
+	gen_require(`
+		type NetworkManager_var_run_t;
+	')
+
+	files_search_pids($1)
+    delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute NetworkManager in the NetworkManager domain, and
+##	allow the specified role the NetworkManager domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
 ## <param name="role">
-@@ -287,33 +370,132 @@ interface(`networkmanager_stream_connect',`
+ ##	<summary>
+ ##	Role allowed access.
+@@ -287,33 +371,132 @@ interface(`networkmanager_stream_connect',`
 ## </param>
 ## <rolecap/>
 #
@ -77644,7 +77700,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
 ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..413f4b8 100644
+index d32e1a2..a87ab50 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@ -77665,11 +77721,12 @@ index d32e1a2..413f4b8 100644
 
 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
 files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -52,23 +51,44 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,23 +51,45 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
 kernel_read_network_state(rhsmcertd_t)
 kernel_read_system_state(rhsmcertd_t)
 
 +corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_squid_port(rhsmcertd_t)
 +
 corecmd_exec_bin(rhsmcertd_t)
 +corecmd_exec_shell(rhsmcertd_t)
@ -80109,7 +80166,7 @@ index ef3b225..d248cd3 100644
 	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..44f9739 100644
+index 6fc360e..1abda8b 100644
 --- a/rpm.te
 +++ b/rpm.te
@@ -1,15 +1,13 @@
@ -80513,7 +80570,7 @@ index 6fc360e..44f9739 100644
 
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -363,41 +385,68 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,69 @@ ifdef(`distro_redhat',`
 	')
 ')
 
@ -80552,6 +80609,7 @@ index 6fc360e..44f9739 100644
 +    optional_policy(`
 +        systemd_dbus_chat_logind(rpm_script_t)
 +        systemd_dbus_chat_timedated(rpm_script_t)
+        systemd_dbus_chat_localed(rpm_script_t)
 +    ')
 +')
 +
@ -80593,7 +80651,7 @@ index 6fc360e..44f9739 100644
 
 	optional_policy(`
 		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +458,6 @@ optional_policy(`
+@@ -409,6 +459,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -82560,7 +82618,7 @@ index 50d07fb..bada62f 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..3504791 100644
+index 2b7c441..e411600 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@ -82904,7 +82962,7 @@ index 2b7c441..3504791 100644
 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
 allow smbd_t samba_share_t:filesystem { getattr quotaget };
 
-@@ -298,20 +304,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -298,65 +304,64 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
 
@ -82935,7 +82993,10 @@ index 2b7c441..3504791 100644
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
-@@ -321,42 +333,34 @@ kernel_read_kernel_sysctls(smbd_t)
+ kernel_read_network_state(smbd_t)
+ kernel_read_fs_sysctls(smbd_t)
+ kernel_read_kernel_sysctls(smbd_t)
+kernel_read_usermodehelper_state(smbd_t)
 kernel_read_software_raid_state(smbd_t)
 kernel_read_system_state(smbd_t)
 
@ -82990,7 +83051,7 @@ index 2b7c441..3504791 100644
 
 fs_getattr_all_fs(smbd_t)
 fs_getattr_all_dirs(smbd_t)
-@@ -366,44 +370,53 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +371,53 @@ fs_getattr_rpc_dirs(smbd_t)
 fs_list_inotifyfs(smbd_t)
 fs_get_all_fs_quotas(smbd_t)
 
@ -83056,7 +83117,7 @@ index 2b7c441..3504791 100644
 ')
 
 tunable_policy(`samba_domain_controller',`
-@@ -419,20 +432,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +433,10 @@ tunable_policy(`samba_domain_controller',`
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
@ -83079,7 +83140,7 @@ index 2b7c441..3504791 100644
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
-@@ -441,6 +444,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +445,7 @@ tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_named_sockets(smbd_t)
 ')
 
@ -83087,7 +83148,7 @@ index 2b7c441..3504791 100644
 tunable_policy(`samba_share_fusefs',`
 	fs_manage_fusefs_dirs(smbd_t)
 	fs_manage_fusefs_files(smbd_t)
-@@ -448,17 +452,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,17 +453,6 @@ tunable_policy(`samba_share_fusefs',`
 	fs_search_fusefs(smbd_t)
 ')
 
@ -83105,7 +83166,7 @@ index 2b7c441..3504791 100644
 optional_policy(`
 	ccs_read_config(smbd_t)
 ')
-@@ -466,6 +459,7 @@ optional_policy(`
+@@ -466,6 +460,7 @@ optional_policy(`
 optional_policy(`
 	ctdbd_stream_connect(smbd_t)
 	ctdbd_manage_lib_files(smbd_t)
@ -83113,7 +83174,7 @@ index 2b7c441..3504791 100644
 ')
 
 optional_policy(`
-@@ -479,6 +473,11 @@ optional_policy(`
+@@ -479,6 +474,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -83125,7 +83186,7 @@ index 2b7c441..3504791 100644
 	lpd_exec_lpr(smbd_t)
 ')
 
-@@ -488,6 +487,10 @@ optional_policy(`
+@@ -488,6 +488,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -83136,7 +83197,7 @@ index 2b7c441..3504791 100644
 	rpc_search_nfs_state_data(smbd_t)
 ')
 
-@@ -499,9 +502,33 @@ optional_policy(`
+@@ -499,9 +503,33 @@ optional_policy(`
 	udev_read_db(smbd_t)
 ')
 
@ -83171,7 +83232,7 @@ index 2b7c441..3504791 100644
 #
 
 dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +540,11 @@ allow nmbd_t self:msg { send receive };
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
@ -83186,7 +83247,7 @@ index 2b7c441..3504791 100644
 
 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
 manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +556,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 
 manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -83210,7 +83271,7 @@ index 2b7c441..3504791 100644
 
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
-@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +573,42 @@ kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
 
@ -83277,7 +83338,7 @@ index 2b7c441..3504791 100644
 ')
 
 optional_policy(`
-@@ -606,16 +620,22 @@ optional_policy(`
+@@ -606,16 +621,22 @@ optional_policy(`
 
 ########################################
 #
@ -83304,7 +83365,7 @@ index 2b7c441..3504791 100644
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 
-@@ -627,16 +647,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +648,11 @@ domain_use_interactive_fds(smbcontrol_t)
 
 dev_read_urand(smbcontrol_t)
 
@ -83322,7 +83383,7 @@ index 2b7c441..3504791 100644
 
 optional_policy(`
 	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +659,23 @@ optional_policy(`
+@@ -644,22 +660,23 @@ optional_policy(`
 
 ########################################
 #
@ -83354,7 +83415,7 @@ index 2b7c441..3504791 100644
 
 allow smbmount_t samba_secrets_t:file manage_file_perms;
 
-@@ -668,26 +684,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
 
@ -83390,7 +83451,7 @@ index 2b7c441..3504791 100644
 
 fs_getattr_cifs(smbmount_t)
 fs_mount_cifs(smbmount_t)
-@@ -699,58 +711,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +712,77 @@ fs_read_cifs_files(smbmount_t)
 storage_raw_read_fixed_disk(smbmount_t)
 storage_raw_write_fixed_disk(smbmount_t)
 
@ -83482,7 +83543,7 @@ index 2b7c441..3504791 100644
 
 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +790,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 
@ -83506,7 +83567,7 @@ index 2b7c441..3504791 100644
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -777,36 +804,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +805,25 @@ kernel_read_network_state(swat_t)
 
 corecmd_search_bin(swat_t)
 
@ -83549,7 +83610,7 @@ index 2b7c441..3504791 100644
 
 auth_domtrans_chk_passwd(swat_t)
 auth_use_nsswitch(swat_t)
-@@ -818,10 +834,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +835,11 @@ logging_send_syslog_msg(swat_t)
 logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
 
@ -83563,7 +83624,7 @@ index 2b7c441..3504791 100644
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
-@@ -840,17 +857,20 @@ optional_policy(`
+@@ -840,17 +858,20 @@ optional_policy(`
 # Winbind local policy
 #
 
@ -83589,7 +83650,7 @@ index 2b7c441..3504791 100644
 
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +880,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
 
 manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@ -83600,7 +83661,7 @@ index 2b7c441..3504791 100644
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +891,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
 
 rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
 
@ -83630,7 +83691,7 @@ index 2b7c441..3504791 100644
 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
 
 kernel_read_network_state(winbind_t)
-@@ -898,13 +914,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +915,17 @@ kernel_read_system_state(winbind_t)
 
 corecmd_exec_bin(winbind_t)
 
@ -83651,7 +83712,7 @@ index 2b7c441..3504791 100644
 corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,10 +932,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
 dev_read_sysfs(winbind_t)
 dev_read_urand(winbind_t)
 
@ -83662,7 +83723,7 @@ index 2b7c441..3504791 100644
 
 fs_getattr_all_fs(winbind_t)
 fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +940,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +941,39 @@ auth_domtrans_chk_passwd(winbind_t)
 auth_use_nsswitch(winbind_t)
 auth_manage_cache(winbind_t)
 
@ -83704,7 +83765,7 @@ index 2b7c441..3504791 100644
 ')
 
 optional_policy(`
-@@ -959,31 +988,29 @@ optional_policy(`
+@@ -959,31 +989,29 @@ optional_policy(`
 # Winbind helper local policy
 #
 
@ -83742,7 +83803,7 @@ index 2b7c441..3504791 100644
 
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -997,25 +1024,38 @@ optional_policy(`
+@@ -997,25 +1025,38 @@ optional_policy(`
 
 ########################################
 #
@ -101919,7 +101980,7 @@ index 7a7f342..afedcba 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/vpn.te b/vpn.te
-index 95b26d1..55557cb 100644
+index 95b26d1..28e0030 100644
 --- a/vpn.te
 +++ b/vpn.te
@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
@ -102023,14 +102084,16 @@ index 95b26d1..55557cb 100644
 
 optional_policy(`
 	dbus_system_bus_client(vpnc_t)
-@@ -125,7 +122,3 @@ optional_policy(`
+@@ -124,8 +121,5 @@ optional_policy(`
+ 
 optional_policy(`
 	networkmanager_attach_tun_iface(vpnc_t)
- ')
+-')
 -
 -optional_policy(`
 -	seutil_use_newrole_fds(vpnc_t)
-')
+    networkmanager_delete_pid_files(vpnc_t)
+ ')
 diff --git a/w3c.fc b/w3c.fc
 index 463c799..227feaf 100644
 --- a/w3c.fc
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -580,6 +580,25 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Tue Mar 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-30
+- Allow block_suspend cap2 for systemd-logind and rw dri device
+- Add labeling for /usr/libexec/nm-libreswan-service
+- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working
+- Add xserver_rw_xdm_keys()
+- Allow rpm_script_t to dbus chat also with systemd-located
+- Fix ipa_stream_connect_otpd()
+- update lpd_manage_spool() interface
+- Allow krb5kdc to stream connect to ipa-otpd
+- Add ipa_stream_connect_otpd() interface
+- Allow vpnc to unlink NM pids
+- Add networkmanager_delete_pid_files()
+- Allow munin plugins to access unconfined plugins
+- update abrt_filetrans_named_content to cover /var/spool/debug
+- Label /var/spool/debug as abrt_var_cache_t
+- Allow rhsmcertd to connect to squid port
+- Make docker_transition_unconfined as optional boolean
+- Allow certmonger to list home dirs
+
 * Fri Feb 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-29
 - Make docker as permissive domain