* Fri Dec 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-99

- Add files_dontaudit_list_security_dirs() interface. - Added seutil_dontaudit_access_check_semanage_module_store interface. - Allow docker to create /root/.docker - Allow rlogind to use also rlogin ports - dontaudit list security dirs for samba domain - Dontaudit couchdb to list /var
2014-12-02 13:05:01 +01:00 · 2014-12-02 13:05:01 +01:00 · 1c8cf318c6
commit 1c8cf318c6
parent 1929f5bfe8
3 changed files with 127 additions and 54 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -9008,7 +9008,7 @@ index 6a1e4d1..7ac2831 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..a0d747a 100644
+index cf04cb5..42c468a 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -9157,7 +9157,7 @@ index cf04cb5..a0d747a 100644
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,356 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,360 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
@ -9270,6 +9270,10 @@ index cf04cb5..a0d747a 100644
 +')
 +
 +optional_policy(`
 +    dbus_filetrans_named_content_system(named_filetrans_domain)
 +')
 +
 +optional_policy(`
 +	devicekit_filetrans_named_content(named_filetrans_domain)
 +')
 +
@ -9782,7 +9786,7 @@ index b876c48..ad25566 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..6eef570 100644
+index f962f76..eafba08 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -13098,7 +13102,7 @@ index f962f76..6eef570 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6573,10 +7950,839 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7950,857 @@ interface(`files_polyinstantiate_all',`
 ##	</summary>
 ## </param>
 #
@ -13577,6 +13581,24 @@ index f962f76..6eef570 100644
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to read security dirs 
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_dontaudit_list_security_dirs',`
 +	gen_require(`
 +		attribute security_file_type;
 +	')
 +
 +	dontaudit $1 security_file_type:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	rw any files inherited from another process
 +## </summary>
 +## <param name="domain">
@ -22291,7 +22313,7 @@ index 76d9f66..5c271ce 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..eb9cefe 100644
+index fe0c682..3ad1b1f 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@ -22846,7 +22868,7 @@ index fe0c682..eb9cefe 100644
 ')
 ######################################
-@@ -754,3 +874,150 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +874,151 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
@ -22992,6 +23014,7 @@ index fe0c682..eb9cefe 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
 +    init_reload_services($1)
 +	allow $1 sshd_unit_file_t:file manage_file_perms;
 +	allow $1 sshd_unit_file_t:service manage_service_perms;
 +
@ -32319,7 +32342,7 @@ index 662e79b..ad9ef4e 100644
 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..e6ffda3 100644
+index 0d4c8d3..9395313 100644
 --- a/policy/modules/system/ipsec.if
 +++ b/policy/modules/system/ipsec.if
@@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',`
@ -32480,7 +32503,7 @@ index 0d4c8d3..e6ffda3 100644
 ')
 ########################################
-@@ -369,3 +479,26 @@ interface(`ipsec_run_setkey',`
+@@ -369,3 +479,27 @@ interface(`ipsec_run_setkey',`
 	ipsec_domtrans_setkey($1)
 	role $2 types setkey_t;
 ')
@ -32502,6 +32525,7 @@ index 0d4c8d3..e6ffda3 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
 +    init_reload_services($1)
 +    allow $1 ipsec_mgmt_unit_file_t:file read_file_perms;
 +    allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms;
 +
@ -32868,7 +32892,7 @@ index 73a1c4e..af8050d 100644
 +/usr/sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index c42fbc3..174cfdb 100644
+index c42fbc3..277fe6c 100644
 --- a/policy/modules/system/iptables.if
 +++ b/policy/modules/system/iptables.if
@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
@ -32882,7 +32906,7 @@ index c42fbc3..174cfdb 100644
 ')
 ########################################
-@@ -86,6 +82,29 @@ interface(`iptables_initrc_domtrans',`
+@@ -86,6 +82,30 @@ interface(`iptables_initrc_domtrans',`
 	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
 ')
@ -32903,6 +32927,7 @@ index c42fbc3..174cfdb 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
 +    init_reload_services($1)
 +	allow $1 iptables_unit_file_t:file read_file_perms;
 +	allow $1 iptables_unit_file_t:service manage_service_perms;
 +
@ -38932,7 +38957,7 @@ index 1447687..d5e6fb9 100644
 seutil_read_config(setrans_t)
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..04ea6dd 100644
+index 40edc18..8896a27 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
@@ -17,22 +17,25 @@ ifdef(`distro_debian',`
@ -38965,7 +38990,15 @@ index 40edc18..04ea6dd 100644
 ')
 #
-@@ -55,6 +58,21 @@ ifdef(`distro_redhat',`
+@@ -44,6 +47,7 @@ ifdef(`distro_redhat',`
 /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -55,6 +59,21 @@ ifdef(`distro_redhat',`
 #
 # /usr
 #
@ -38987,7 +39020,7 @@ index 40edc18..04ea6dd 100644
 /usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 #
-@@ -77,3 +95,6 @@ ifdef(`distro_debian',`
+@@ -77,3 +96,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -16306,7 +16306,7 @@ index 715a826..a1cbdb2 100644
 +	')
 ')
 diff --git a/couchdb.te b/couchdb.te
-index ae1c1b1..0d8ca8f 100644
+index ae1c1b1..6238c82 100644
 --- a/couchdb.te
 +++ b/couchdb.te
@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
@ -16348,30 +16348,34 @@ index ae1c1b1..0d8ca8f 100644
 corecmd_exec_bin(couchdb_t)
 corecmd_exec_shell(couchdb_t)
-@@ -75,14 +79,20 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
+@@ -75,14 +79,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
 corenet_tcp_bind_couchdb_port(couchdb_t)
 corenet_tcp_sendrecv_couchdb_port(couchdb_t)
 +# disksup tries to monitor the local disks
 +fs_getattr_all_files(couchdb_t)
 +fs_getattr_all_dirs(couchdb_t)
 +fs_getattr_all_fs(couchdb_t)
 +files_getattr_all_mountpoints(couchdb_t)
 +files_search_all_mountpoints(couchdb_t)
 +files_getattr_lost_found_dirs(couchdb_t)
 +files_dontaudit_list_var(couchdb_t)
 +
 dev_list_sysfs(couchdb_t)
 dev_read_sysfs(couchdb_t)
 dev_read_urand(couchdb_t)
 -files_read_usr_files(couchdb_t)
-
+auth_use_nsswitch(couchdb_t)
 fs_getattr_xattr_fs(couchdb_t)
- auth_use_nsswitch(couchdb_t)
+-fs_getattr_xattr_fs(couchdb_t)
 -miscfiles_read_localization(couchdb_t)
 +optional_policy(`
 +    rpc_read_nfs_state_data(couchdb_t)
 +')
-+
+ 
-+
+-auth_use_nsswitch(couchdb_t)
 -miscfiles_read_localization(couchdb_t)
 diff --git a/courier.fc b/courier.fc
 index 2f017a0..defdc87 100644
 --- a/courier.fc
@ -24705,10 +24709,12 @@ index c7bb4e7..e6fe2f40 100644
 sysnet_etc_filetrans_config(dnssec_triggerd_t)
 diff --git a/docker.fc b/docker.fc
 new file mode 100644
-index 0000000..fd679a1
+index 0000000..41ac874
 --- /dev/null
 +++ b/docker.fc
-@@ -0,0 +1,18 @@
+@@ -0,0 +1,21 @@
 +/root/\.docker	gen_context(system_u:object_r:docker_home_t,s0)
 +
 +/usr/bin/docker			--	gen_context(system_u:object_r:docker_exec_t,s0)
 +
 +/usr/lib/systemd/system/docker.service		--	gen_context(system_u:object_r:docker_unit_file_t,s0)
@ -24727,12 +24733,13 @@ index 0000000..fd679a1
 +/var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:docker_share_t,s0)
 +/var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:docker_share_t,s0)
 +/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 +
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..114764c
+index 0000000..0fa769b
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,366 @@
+@@ -0,0 +1,369 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@ -25019,8 +25026,9 @@ index 0000000..114764c
 +    gen_require(`
 +        type docker_var_lib_t;
 +        type docker_share_t;
-+	type docker_log_t;
+    	type docker_log_t;
-+	type docker_var_run_t;
+	    type docker_var_run_t;
 +        type docker_home_t;
 +    ')
 +
 +    files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
@ -25033,6 +25041,7 @@ index 0000000..114764c
 +    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
 +    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
 +    filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
 +    userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
 +')
 +
 +########################################
@ -25099,12 +25108,13 @@ index 0000000..114764c
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
 +')
 +
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..17a2829
+index 0000000..ed22198
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,285 @@
+@@ -0,0 +1,293 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@ -25136,6 +25146,9 @@ index 0000000..17a2829
 +type docker_var_lib_t;
 +files_type(docker_var_lib_t)
 +
 +type docker_home_t;
 +userdom_user_home_content(docker_home_t)
 +
 +type docker_lock_t;
 +files_lock_file(docker_lock_t)
 +
@ -25172,6 +25185,11 @@ index 0000000..17a2829
 +allow docker_t self:udp_socket create_socket_perms;
 +allow docker_t self:capability2 block_suspend;
 +
 +manage_files_pattern(docker_t, docker_home_t, docker_home_t)
 +manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
 +manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
 +userdom_admin_home_dir_filetrans(docker_t, docker_home_t, dir, ".docker")
 +
 +manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
 +manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
 +files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
@ -25201,7 +25219,7 @@ index 0000000..17a2829
 +manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
 +allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto };
 +can_exec(docker_t, docker_share_t)
-+docker_filetrans_named_content(docker_t)
+#docker_filetrans_named_content(docker_t)
 +
 +manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 +manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
@ -83860,7 +83878,7 @@ index 050479d..0e1b364 100644
 		type rlogind_home_t;
 	')
 diff --git a/rlogin.te b/rlogin.te
-index ee27948..2a5413a 100644
+index ee27948..c2826a1 100644
 --- a/rlogin.te
 +++ b/rlogin.te
@@ -34,7 +34,9 @@ files_pid_file(rlogind_var_run_t)
@ -83890,7 +83908,18 @@ index ee27948..2a5413a 100644
 corenet_all_recvfrom_netlabel(rlogind_t)
 corenet_tcp_sendrecv_generic_if(rlogind_t)
 corenet_tcp_sendrecv_generic_node(rlogind_t)
-@@ -73,6 +73,7 @@ fs_getattr_all_fs(rlogind_t)
+@@ -65,6 +65,10 @@ corenet_sendrecv_rlogind_server_packets(rlogind_t)
 corenet_tcp_bind_rlogind_port(rlogind_t)
 corenet_tcp_sendrecv_rlogind_port(rlogind_t)
 +corenet_sendrecv_rlogin_server_packets(rlogind_t)
 +corenet_tcp_bind_rlogin_port(rlogind_t)
 +corenet_tcp_sendrecv_rlogin_port(rlogind_t)
 +
 dev_read_urand(rlogind_t)
 domain_interactive_fd(rlogind_t)
@@ -73,6 +77,7 @@ fs_getattr_all_fs(rlogind_t)
 fs_search_auto_mountpoints(rlogind_t)
 auth_domtrans_chk_passwd(rlogind_t)
@ -83898,7 +83927,7 @@ index ee27948..2a5413a 100644
 auth_rw_login_records(rlogind_t)
 auth_use_nsswitch(rlogind_t)
-@@ -83,29 +84,23 @@ init_rw_utmp(rlogind_t)
+@@ -83,29 +88,23 @@ init_rw_utmp(rlogind_t)
 logging_send_syslog_msg(rlogind_t)
@ -88468,7 +88497,7 @@ index 50d07fb..dc069c8 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..3fb8192 100644
+index 2b7c441..b2692f5 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@ -89077,7 +89106,7 @@ index 2b7c441..3fb8192 100644
 	rpc_search_nfs_state_data(smbd_t)
 ')
-@@ -499,9 +522,44 @@ optional_policy(`
+@@ -499,9 +522,47 @@ optional_policy(`
 	udev_read_db(smbd_t)
 ')
@ -89096,6 +89125,7 @@ index 2b7c441..3fb8192 100644
 +    files_dontaudit_read_security_files(smbd_t)
 +	fs_read_noxattr_fs_files(nmbd_t) 
 +	files_read_non_security_files(nmbd_t) 
 +    files_dontaudit_list_security_dirs(nmbd_t)
 +    files_dontaudit_search_security_files(nmbd_t)
 +    files_dontaudit_read_security_files(nmbd_t)
 +')
@ -89105,11 +89135,13 @@ index 2b7c441..3fb8192 100644
 +	fs_manage_noxattr_fs_files(smbd_t) 
 +	files_manage_non_security_files(smbd_t)
 +    files_manage_non_security_dirs(smbd_t)
 +    files_dontaudit_list_security_dirs(smbd_t)
 +    files_dontaudit_search_security_files(smbd_t)
 +    files_dontaudit_read_security_files(smbd_t)
 +	fs_manage_noxattr_fs_files(nmbd_t) 
 +	files_manage_non_security_files(nmbd_t)
 +    files_manage_non_security_dirs(nmbd_t)
 +    files_dontaudit_list_security_dirs(nmbd_t)
 +    files_dontaudit_search_security_files(nmbd_t)
 +    files_dontaudit_read_security_files(nmbd_t)
 +')
@ -89123,7 +89155,7 @@ index 2b7c441..3fb8192 100644
 #
 dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +570,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +573,11 @@ allow nmbd_t self:msg { send receive };
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
@ -89138,7 +89170,7 @@ index 2b7c441..3fb8192 100644
 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
 manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +586,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +589,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -89162,7 +89194,7 @@ index 2b7c441..3fb8192 100644
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +602,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +605,44 @@ kernel_read_kernel_sysctls(nmbd_t)
 kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
@ -89231,7 +89263,7 @@ index 2b7c441..3fb8192 100644
 ')
 optional_policy(`
-@@ -606,16 +652,22 @@ optional_policy(`
+@@ -606,16 +655,22 @@ optional_policy(`
 ########################################
 #
@ -89258,7 +89290,7 @@ index 2b7c441..3fb8192 100644
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
-@@ -627,16 +679,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +682,11 @@ domain_use_interactive_fds(smbcontrol_t)
 dev_read_urand(smbcontrol_t)
@ -89276,7 +89308,7 @@ index 2b7c441..3fb8192 100644
 optional_policy(`
 	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +691,23 @@ optional_policy(`
+@@ -644,22 +694,23 @@ optional_policy(`
 ########################################
 #
@ -89308,7 +89340,7 @@ index 2b7c441..3fb8192 100644
 allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +716,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +719,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@ -89344,7 +89376,7 @@ index 2b7c441..3fb8192 100644
 fs_getattr_cifs(smbmount_t)
 fs_mount_cifs(smbmount_t)
-@@ -699,58 +743,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +746,77 @@ fs_read_cifs_files(smbmount_t)
 storage_raw_read_fixed_disk(smbmount_t)
 storage_raw_write_fixed_disk(smbmount_t)
@ -89436,7 +89468,7 @@ index 2b7c441..3fb8192 100644
 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +822,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +825,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
 files_pid_filetrans(swat_t, swat_var_run_t, file)
@ -89460,7 +89492,7 @@ index 2b7c441..3fb8192 100644
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -777,36 +836,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +839,25 @@ kernel_read_network_state(swat_t)
 corecmd_search_bin(swat_t)
@ -89503,7 +89535,7 @@ index 2b7c441..3fb8192 100644
 auth_domtrans_chk_passwd(swat_t)
 auth_use_nsswitch(swat_t)
-@@ -818,10 +866,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +869,11 @@ logging_send_syslog_msg(swat_t)
 logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
@ -89517,7 +89549,7 @@ index 2b7c441..3fb8192 100644
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
-@@ -840,17 +889,20 @@ optional_policy(`
+@@ -840,17 +892,20 @@ optional_policy(`
 # Winbind local policy
 #
@ -89543,7 +89575,7 @@ index 2b7c441..3fb8192 100644
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +912,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +915,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
 manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@ -89554,7 +89586,7 @@ index 2b7c441..3fb8192 100644
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +923,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +926,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
 rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@ -89607,7 +89639,7 @@ index 2b7c441..3fb8192 100644
 corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +965,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +968,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
 dev_read_sysfs(winbind_t)
 dev_read_urand(winbind_t)
@ -89666,7 +89698,7 @@ index 2b7c441..3fb8192 100644
 ')
 optional_policy(`
-@@ -959,31 +1026,35 @@ optional_policy(`
+@@ -959,31 +1029,35 @@ optional_policy(`
 # Winbind helper local policy
 #
@ -89709,7 +89741,7 @@ index 2b7c441..3fb8192 100644
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -997,25 +1068,38 @@ optional_policy(`
+@@ -997,25 +1071,38 @@ optional_policy(`
 ########################################
 #
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 98%{?dist}
+Release: 99%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -604,6 +604,14 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Dec 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-99
 - Add files_dontaudit_list_security_dirs() interface.
 - Added seutil_dontaudit_access_check_semanage_module_store interface.
 - Allow docker to create /root/.docker
 - Allow rlogind to use also rlogin ports
 - dontaudit list security dirs for samba domain
 - Dontaudit couchdb to list /var
 * Fri Nov 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-98
 - Update to have all _systemctl() interface also init_reload_services()
 - Dontaudit access check on SELinux module store for sssd.