Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

2013-09-11 08:30:28 -04:00 · 2013-09-11 08:30:28 -04:00 · 17171d8f6b
commit 17171d8f6b
parent 3f48339246 4b478253e7
3 changed files with 649 additions and 348 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -8721,7 +8721,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..2b917b5 100644
+index cf04cb5..5a40b38 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -8858,7 +8858,7 @@ index cf04cb5..2b917b5 100644
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,296 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,297 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
@ -9027,6 +9027,7 @@ index cf04cb5..2b917b5 100644
 +	systemd_login_reboot(unconfined_domain_type)
 +	systemd_login_halt(unconfined_domain_type)
 +	systemd_login_undefined(unconfined_domain_type)
 +	systemd_filetrans_named_content(named_filetrans_domain)
 +	systemd_filetrans_named_hostname(named_filetrans_domain)
 +')
 +
@ -22814,7 +22815,7 @@ index 6bf0ecc..9b46e11 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..93b05fa 100644
+index 2696452..adbe339 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -23179,7 +23180,7 @@ index 2696452..93b05fa 100644
 +	allow xdm_t self:process ptrace;
 +')
 +
-+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate transition };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
@ -27633,7 +27634,7 @@ index 24e7804..c4155c7 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..df6af48 100644
+index dd3be8d..b717a9e 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@ -27681,7 +27682,7 @@ index dd3be8d..df6af48 100644
 # Mark file type as a daemon run directory
 attribute daemonrundir;
-@@ -35,12 +57,13 @@ attribute daemonrundir;
+@@ -35,12 +57,14 @@ attribute daemonrundir;
 #
 # init_t is the domain of the init process.
 #
@ -27690,13 +27691,14 @@ index dd3be8d..df6af48 100644
 type init_exec_t;
 domain_type(init_t)
 domain_entry_file(init_t, init_exec_t)
 +domain_role_change_exemption(init_t)
 kernel_domtrans_to(init_t, init_exec_t)
 role system_r types init_t;
 +init_initrc_domain(init_t)
 #
 # init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +72,15 @@ type init_var_run_t;
+@@ -49,6 +73,15 @@ type init_var_run_t;
 files_pid_file(init_var_run_t)
 #
@ -27712,7 +27714,7 @@ index dd3be8d..df6af48 100644
 # initctl_t is the type of the named pipe created
 # by init during initialization.  This pipe is used
 # to communicate with init.
-@@ -57,7 +89,7 @@ type initctl_t;
+@@ -57,7 +90,7 @@ type initctl_t;
 files_type(initctl_t)
 mls_trusted_object(initctl_t)
@ -27721,7 +27723,7 @@ index dd3be8d..df6af48 100644
 type initrc_exec_t, init_script_file_type;
 domain_type(initrc_t)
 domain_entry_file(initrc_t, initrc_exec_t)
-@@ -66,6 +98,8 @@ role system_r types initrc_t;
+@@ -66,6 +99,8 @@ role system_r types initrc_t;
 # of the below init_upstart tunable
 # but this has a typeattribute in it
 corecmd_shell_entry_type(initrc_t)
@ -27730,7 +27732,7 @@ index dd3be8d..df6af48 100644
 type initrc_devpts_t;
 term_pty(initrc_devpts_t)
-@@ -98,7 +132,8 @@ ifdef(`enable_mls',`
+@@ -98,7 +133,8 @@ ifdef(`enable_mls',`
 #
 # Use capabilities. old rule:
@ -27740,7 +27742,7 @@ index dd3be8d..df6af48 100644
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
-@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -110,12 +146,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
 # Re-exec itself
 can_exec(init_t, init_exec_t)
@ -27780,7 +27782,7 @@ index dd3be8d..df6af48 100644
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +182,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@ -27799,7 +27801,7 @@ index dd3be8d..df6af48 100644
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
-@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +200,20 @@ domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
@ -27820,7 +27822,7 @@ index dd3be8d..df6af48 100644
 # file descriptors inherited from the rootfs:
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +223,49 @@ fs_list_inotifyfs(init_t)
 fs_write_ramfs_sockets(init_t)
 mcs_process_set_categories(init_t)
@ -27873,7 +27875,7 @@ index dd3be8d..df6af48 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +273,182 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +274,182 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -28064,7 +28066,7 @@ index dd3be8d..df6af48 100644
 ')
 optional_policy(`
-@@ -216,7 +456,29 @@ optional_policy(`
+@@ -216,7 +457,29 @@ optional_policy(`
 ')
 optional_policy(`
@ -28094,7 +28096,7 @@ index dd3be8d..df6af48 100644
 ')
 ########################################
-@@ -225,8 +487,9 @@ optional_policy(`
+@@ -225,8 +488,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -28106,7 +28108,7 @@ index dd3be8d..df6af48 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -257,12 +520,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +521,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -28123,7 +28125,7 @@ index dd3be8d..df6af48 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +545,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +546,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -28166,7 +28168,7 @@ index dd3be8d..df6af48 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +582,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +583,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -28178,7 +28180,7 @@ index dd3be8d..df6af48 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -312,8 +594,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +595,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -28189,7 +28191,7 @@ index dd3be8d..df6af48 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -321,8 +605,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +606,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -28199,7 +28201,7 @@ index dd3be8d..df6af48 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -331,7 +614,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +615,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -28207,7 +28209,7 @@ index dd3be8d..df6af48 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -339,6 +621,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +622,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -28215,7 +28217,7 @@ index dd3be8d..df6af48 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -346,14 +629,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +630,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -28233,7 +28235,7 @@ index dd3be8d..df6af48 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -363,8 +647,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +648,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -28247,7 +28249,7 @@ index dd3be8d..df6af48 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -374,10 +662,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +663,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -28261,7 +28263,7 @@ index dd3be8d..df6af48 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -386,6 +675,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +676,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -28269,7 +28271,7 @@ index dd3be8d..df6af48 100644
 selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +687,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +688,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -28277,7 +28279,7 @@ index dd3be8d..df6af48 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -415,20 +706,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +707,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -28301,7 +28303,7 @@ index dd3be8d..df6af48 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +739,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +740,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -28309,7 +28311,7 @@ index dd3be8d..df6af48 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +773,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +774,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -28320,7 +28322,7 @@ index dd3be8d..df6af48 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -505,7 +797,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +798,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -28329,7 +28331,7 @@ index dd3be8d..df6af48 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -520,6 +812,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +813,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -28337,7 +28339,7 @@ index dd3be8d..df6af48 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +833,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +834,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -28345,7 +28347,7 @@ index dd3be8d..df6af48 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +843,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +844,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -28390,7 +28392,7 @@ index dd3be8d..df6af48 100644
 	')
 	optional_policy(`
-@@ -558,14 +888,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +889,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -28422,7 +28424,7 @@ index dd3be8d..df6af48 100644
 	')
 ')
-@@ -576,6 +923,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +924,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -28462,7 +28464,7 @@ index dd3be8d..df6af48 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +968,8 @@ optional_policy(`
+@@ -588,6 +969,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -28471,7 +28473,7 @@ index dd3be8d..df6af48 100644
 ')
 optional_policy(`
-@@ -609,6 +991,7 @@ optional_policy(`
+@@ -609,6 +992,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -28479,7 +28481,7 @@ index dd3be8d..df6af48 100644
 ')
 optional_policy(`
-@@ -625,6 +1008,17 @@ optional_policy(`
+@@ -625,6 +1009,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -28497,7 +28499,7 @@ index dd3be8d..df6af48 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -641,9 +1035,13 @@ optional_policy(`
+@@ -641,9 +1036,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -28511,7 +28513,7 @@ index dd3be8d..df6af48 100644
 	')
 	optional_policy(`
-@@ -656,15 +1054,11 @@ optional_policy(`
+@@ -656,15 +1055,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -28529,7 +28531,7 @@ index dd3be8d..df6af48 100644
 ')
 optional_policy(`
-@@ -685,6 +1079,15 @@ optional_policy(`
+@@ -685,6 +1080,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -28545,7 +28547,7 @@ index dd3be8d..df6af48 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -725,6 +1128,7 @@ optional_policy(`
+@@ -725,6 +1129,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -28553,7 +28555,7 @@ index dd3be8d..df6af48 100644
 ')
 optional_policy(`
-@@ -742,7 +1146,13 @@ optional_policy(`
+@@ -742,7 +1147,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -28568,7 +28570,7 @@ index dd3be8d..df6af48 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -765,6 +1175,10 @@ optional_policy(`
+@@ -765,6 +1176,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -28579,7 +28581,7 @@ index dd3be8d..df6af48 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -774,10 +1188,20 @@ optional_policy(`
+@@ -774,10 +1189,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -28600,7 +28602,7 @@ index dd3be8d..df6af48 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -786,6 +1210,10 @@ optional_policy(`
+@@ -786,6 +1211,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -28611,7 +28613,7 @@ index dd3be8d..df6af48 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -807,8 +1235,6 @@ optional_policy(`
+@@ -807,8 +1236,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -28620,7 +28622,7 @@ index dd3be8d..df6af48 100644
 ')
 optional_policy(`
-@@ -817,6 +1243,10 @@ optional_policy(`
+@@ -817,6 +1244,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -28631,7 +28633,7 @@ index dd3be8d..df6af48 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -826,10 +1256,12 @@ optional_policy(`
+@@ -826,10 +1257,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -28644,7 +28646,7 @@ index dd3be8d..df6af48 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1288,28 @@ optional_policy(`
+@@ -856,12 +1289,28 @@ optional_policy(`
 ')
 optional_policy(`
@ -28674,7 +28676,7 @@ index dd3be8d..df6af48 100644
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1319,18 @@ optional_policy(`
+@@ -871,6 +1320,18 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -28693,7 +28695,7 @@ index dd3be8d..df6af48 100644
 ')
 optional_policy(`
-@@ -886,6 +1346,10 @@ optional_policy(`
+@@ -886,6 +1347,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -28704,7 +28706,7 @@ index dd3be8d..df6af48 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1360,196 @@ optional_policy(`
+@@ -896,3 +1361,196 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -29489,7 +29491,7 @@ index c42fbc3..174cfdb 100644
 ## <summary>
 ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..4abf7fd 100644
+index 5dfa44b..cafb28e 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@ -29600,8 +29602,8 @@ index 5dfa44b..4abf7fd 100644
 +')
 +
 +optional_policy(`
-+    quantum_rw_inherited_pipes(iptables_t)
+    neutron_rw_inherited_pipes(iptables_t)
-+    quantum_sigchld(iptables_t)
+    neutron_sigchld(iptables_t)
 ')
 optional_policy(`
@ -33463,7 +33465,7 @@ index d43f3b1..870bc36 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..9fcc183 100644
+index 3822072..270bde3 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@ -33869,7 +33871,7 @@ index 3822072..9fcc183 100644
 ##	Execute semanage in the semanage domain, and
 ##	allow the specified role the semanage domain,
 ##	and use the caller's terminal.
-@@ -1017,11 +1310,66 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1310,67 @@ interface(`seutil_domtrans_semanage',`
 #
 interface(`seutil_run_semanage',`
 	gen_require(`
@ -33935,12 +33937,15 @@ index 3822072..9fcc183 100644
 +	files_search_etc($1)
 +	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
 +	read_files_pattern($1, semanage_store_t, semanage_store_t)
 +	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
 ')
 ########################################
-@@ -1044,6 +1392,9 @@ interface(`seutil_manage_module_store',`
+@@ -1043,7 +1392,11 @@ interface(`seutil_manage_module_store',`
 	files_search_etc($1)
 	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
 	manage_files_pattern($1, semanage_store_t, semanage_store_t)
 +	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
 	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
 +	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
 +	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
@ -33948,7 +33953,7 @@ index 3822072..9fcc183 100644
 ')
 #######################################
-@@ -1137,3 +1488,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1490,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
 	selinux_dontaudit_get_fs_mount($1)
 	seutil_dontaudit_read_config($1)
 ')
@ -39056,7 +39061,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..fc2fb65 100644
+index 3c5dba7..c4bc032 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -41746,7 +41751,7 @@ index 3c5dba7..fc2fb65 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',`
+@@ -3431,11 +4227,1518 @@ interface(`userdom_create_all_users_keys',`
 ##	</summary>
 ## </param>
 #
@ -42659,6 +42664,8 @@ index 3c5dba7..fc2fb65 100644
 +
 +	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
 +	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
 +	userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki")
 +	userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert")
 +')
 +
 +#######################################
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 77.1%{?dist}
+Release: 78%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -570,6 +570,33 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Sep 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-78
 - Allow block_suspend cap for samba-net
 - Allow t-mission-control to manage gabble cache files
 - Allow nslcd to read /sys/devices/system/cpu
 - Allow selinux_store to use symlinks
 - Allow xdm_t to transition to itself
 - Call neutron interfaces instead of quantum
 - Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t
 - Make sure directories in /run get created with the correct label
 - Make sure /root/.pki gets created with the right label
 - try to remove labeling for motion from zoneminder_exec_t to bin_t
 - Allow inetd_t to execute shell scripts
 - Allow cloud-init to read all domainstate
 - Fix to use quantum port
 - Add interface netowrkmanager_initrc_domtrans
 - Fix boinc_execmem
 - Allow t-mission-control to read gabble cache home
 - Add labeling for ~/.cache/telepathy/avatars/gabble
 - Allow memcache to read sysfs data
 - Cleanup antivirus policy and add additional fixes
 - Add boolean boinc_enable_execstack
 - Add support for couchdb in rabbitmq policy
 - Add interface couchdb_search_pid_dirs
 - Allow firewalld to read NM state
 - Allow systemd running as git_systemd to bind git port
 - Fix mozilla_plugin_rw_tmpfs_files()
 * Mon Sep 9 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-77.1
 - Fix nameing of rpm macro
 - Fix creating of checksum file off installed policy