* Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-108

- Fix labels, improve sysnet_manage_config interface. - Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t. - Dontaudit network connections related to thumb_t. BZ(1187981) - Remove sysnet_filetrans_named_content from fail2ban
2015-02-04 13:06:40 +01:00 · 2015-02-04 13:06:40 +01:00 · 203031a6db
commit 203031a6db
parent 1808b757f1
3 changed files with 134 additions and 108 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -25701,10 +25701,10 @@ index 6bf0ecc..b036584 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..635442b 100644
+index 8b40377..5a2c173 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
-@@ -26,28 +26,59 @@ gen_require(`
+@@ -26,28 +26,66 @@ gen_require(`
 #
 
 ## <desc>
@ -25754,6 +25754,13 @@ index 8b40377..635442b 100644
 +
 +## <desc>
 +##	<p>
+##	Allows xdm_t to bind on vnc_port_t(5910)
+##	</p>
+## </desc>
+gen_tunable(xdm_bind_vnc_tcp_port, false)
+
+## <desc>
+##	<p>
 +##	Support X userspace object manager
 +##	</p>
 ## </desc>
@ -25773,7 +25780,7 @@ index 8b40377..635442b 100644
 
 # X Events
 attribute xevent_type;
-@@ -107,44 +138,54 @@ xserver_object_types_template(remote)
+@@ -107,44 +145,54 @@ xserver_object_types_template(remote)
 xserver_common_x_domain_template(remote, remote_t)
 
 type user_fonts_t;
@ -25829,7 +25836,7 @@ index 8b40377..635442b 100644
 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
 userdom_user_tmp_file(xauth_tmp_t)
 
-@@ -155,19 +196,28 @@ dev_associate(xconsole_device_t)
+@@ -155,19 +203,28 @@ dev_associate(xconsole_device_t)
 fs_associate_tmpfs(xconsole_device_t)
 files_associate_tmp(xconsole_device_t)
 
@ -25861,7 +25868,7 @@ index 8b40377..635442b 100644
 
 type xdm_var_lib_t;
 files_type(xdm_var_lib_t)
-@@ -175,13 +225,21 @@ files_type(xdm_var_lib_t)
+@@ -175,13 +232,21 @@ files_type(xdm_var_lib_t)
 type xdm_var_run_t;
 files_pid_file(xdm_var_run_t)
 
@ -25886,7 +25893,7 @@ index 8b40377..635442b 100644
 # type for /var/lib/xkb
 type xkb_var_lib_t;
 files_type(xkb_var_lib_t)
-@@ -194,15 +252,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -194,15 +259,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
 init_system_domain(xserver_t, xserver_exec_t)
 ubac_constrained(xserver_t)
 
@ -25907,7 +25914,7 @@ index 8b40377..635442b 100644
 
 type xsession_exec_t;
 corecmd_executable_file(xsession_exec_t)
-@@ -226,21 +282,35 @@ optional_policy(`
+@@ -226,21 +289,35 @@ optional_policy(`
 #
 
 allow iceauth_t iceauth_home_t:file manage_file_perms;
@ -25950,7 +25957,7 @@ index 8b40377..635442b 100644
 ')
 
 ########################################
-@@ -248,48 +318,91 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -248,48 +325,91 @@ tunable_policy(`use_samba_home_dirs',`
 # Xauth local policy
 #
 
@ -26042,18 +26049,18 @@ index 8b40377..635442b 100644
 +ifdef(`hide_broken_symptoms',`
 +	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
-+')
-+
-+optional_policy(`
-+	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
 ')
 
 optional_policy(`
+	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
+')
+
+optional_policy(`
 +	ssh_use_ptys(xauth_t)
 	ssh_sigchld(xauth_t)
 	ssh_read_pipes(xauth_t)
 	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +413,103 @@ optional_policy(`
+@@ -300,64 +420,103 @@ optional_policy(`
 # XDM Local policy
 #
 
@ -26081,14 +26088,14 @@ index 8b40377..635442b 100644
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 +allow xdm_t self:dbus { send_msg acquire_svc };
-+
+ 
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 +allow xdm_t xauth_home_t:file manage_file_perms;
 +
 +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
- 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+
 +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +xserver_filetrans_home_content(xdm_t)
@ -26170,7 +26177,7 @@ index 8b40377..635442b 100644
 
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +518,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +525,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
 delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
 delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
 
@ -26203,7 +26210,7 @@ index 8b40377..635442b 100644
 corenet_all_recvfrom_netlabel(xdm_t)
 corenet_tcp_sendrecv_generic_if(xdm_t)
 corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +551,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_generic_node(xdm_t)
 corenet_udp_bind_generic_node(xdm_t)
@ -26257,7 +26264,7 @@ index 8b40377..635442b 100644
 
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
-@@ -431,9 +604,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +611,28 @@ files_list_mnt(xdm_t)
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
@ -26286,7 +26293,7 @@ index 8b40377..635442b 100644
 
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +634,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +641,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -26335,7 +26342,7 @@ index 8b40377..635442b 100644
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +681,155 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +688,155 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -26497,10 +26504,15 @@ index 8b40377..635442b 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -503,11 +843,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +849,31 @@ tunable_policy(`xdm_sysadm_login',`
+ #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
- optional_policy(`
+tunable_policy(`xdm_bind_vnc_tcp_port',`
+    corenet_tcp_bind_vnc_port(xdm_t)
+')
+
+optional_policy(`
 +	accountsd_read_lib_files(xdm_t)
 +	accountsd_dbus_chat(xdm_t)
 +')
@ -26513,7 +26525,7 @@ index 8b40377..635442b 100644
 +	boinc_dontaudit_getattr_lib(xdm_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
 	alsa_domtrans(xdm_t)
 +	alsa_read_rw_config(xdm_t)
 ')
@ -26524,7 +26536,7 @@ index 8b40377..635442b 100644
 ')
 
 optional_policy(`
-@@ -517,9 +872,34 @@ optional_policy(`
+@@ -517,9 +883,34 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
@ -26560,7 +26572,7 @@ index 8b40377..635442b 100644
 	')
 ')
 
-@@ -530,6 +910,20 @@ optional_policy(`
+@@ -530,6 +921,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26581,7 +26593,7 @@ index 8b40377..635442b 100644
 	hostname_exec(xdm_t)
 ')
 
-@@ -547,28 +941,78 @@ optional_policy(`
+@@ -547,28 +952,78 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26669,7 +26681,7 @@ index 8b40377..635442b 100644
 ')
 
 optional_policy(`
-@@ -580,6 +1024,14 @@ optional_policy(`
+@@ -580,6 +1035,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26684,7 +26696,7 @@ index 8b40377..635442b 100644
 	xfs_stream_connect(xdm_t)
 ')
 
-@@ -594,7 +1046,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1057,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -26693,7 +26705,7 @@ index 8b40377..635442b 100644
 
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1056,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1067,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
 
@ -26706,7 +26718,7 @@ index 8b40377..635442b 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1073,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1084,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -26722,7 +26734,7 @@ index 8b40377..635442b 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1089,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1100,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
 
@ -26733,7 +26745,7 @@ index 8b40377..635442b 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1104,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1115,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -26770,7 +26782,7 @@ index 8b40377..635442b 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1150,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1161,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -26802,7 +26814,7 @@ index 8b40377..635442b 100644
 
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1183,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1194,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
 
@ -26817,7 +26829,7 @@ index 8b40377..635442b 100644
 mls_xwin_read_to_clearance(xserver_t)
 
 selinux_validate_context(xserver_t)
-@@ -718,20 +1204,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1215,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
 
@ -26841,7 +26853,7 @@ index 8b40377..635442b 100644
 
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1223,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1234,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
 
@ -26850,7 +26862,7 @@ index 8b40377..635442b 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1267,50 @@ optional_policy(`
+@@ -785,17 +1278,50 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26903,7 +26915,7 @@ index 8b40377..635442b 100644
 ')
 
 optional_policy(`
-@@ -803,6 +1318,10 @@ optional_policy(`
+@@ -803,6 +1329,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26914,7 +26926,7 @@ index 8b40377..635442b 100644
 	xfs_stream_connect(xserver_t)
 ')
 
-@@ -818,18 +1337,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1348,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -26939,7 +26951,7 @@ index 8b40377..635442b 100644
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
-@@ -842,26 +1360,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1371,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -26974,7 +26986,7 @@ index 8b40377..635442b 100644
 ')
 
 optional_policy(`
-@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1436,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -26983,7 +26995,7 @@ index 8b40377..635442b 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
 
-@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1490,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
 
@ -27015,7 +27027,7 @@ index 8b40377..635442b 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1525,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1536,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
@ -30997,7 +31009,7 @@ index 79a45f6..b88e8a2 100644
 +	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..32af6e4 100644
+index 17eda24..1381948 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -31875,7 +31887,7 @@ index 17eda24..32af6e4 100644
 +		sysnet_relabelfrom_dhcpc_state(initrc_t)
 +		sysnet_relabelfrom_net_conf(initrc_t)
 +		sysnet_relabelto_net_conf(initrc_t)
-+		sysnet_filetrans_named_content(initrc_t)
+		#sysnet_filetrans_named_content(initrc_t)
 +	')
 +
 +	optional_policy(`
@ -39130,10 +39142,10 @@ index 1447687..d5e6fb9 100644
 seutil_read_config(setrans_t)
 
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..bdc6d52 100644
+index 40edc18..963b974 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -17,23 +17,28 @@ ifdef(`distro_debian',`
+@@ -17,23 +17,27 @@ ifdef(`distro_debian',`
 /etc/dhclient.*conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
@ -39146,10 +39158,10 @@ index 40edc18..bdc6d52 100644
 +/etc/hosts[^/]*		--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+-/etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/resolv\.conf.*		gen_context(system_u:object_r:net_conf_t,s0)
 /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
 +/etc/ntp\.conf		--	gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/\.resolv\.conf\.NetworkManager gen_context(system_u:object_r:net_conf_t,s0)
 
 -/etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
 +/etc/dhcp3?(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
@ -39162,11 +39174,11 @@ index 40edc18..bdc6d52 100644
 +/var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
 +/var/run/systemd/resolve/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
 ')
-+/var/run/NetworkManager/resolve/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/NetworkManager/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
 
 #
 # /sbin
-@@ -44,6 +49,7 @@ ifdef(`distro_redhat',`
+@@ -44,6 +48,7 @@ ifdef(`distro_redhat',`
 /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
@ -39174,7 +39186,7 @@ index 40edc18..bdc6d52 100644
 /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -55,6 +61,21 @@ ifdef(`distro_redhat',`
+@@ -55,6 +60,21 @@ ifdef(`distro_redhat',`
 #
 # /usr
 #
@ -39196,7 +39208,7 @@ index 40edc18..bdc6d52 100644
 /usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 
 #
-@@ -77,3 +98,6 @@ ifdef(`distro_debian',`
+@@ -77,3 +97,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
@ -39204,7 +39216,7 @@ index 40edc18..bdc6d52 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..b52919c 100644
+index 2cea692..fcd75c1 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -39355,10 +39367,14 @@ index 2cea692..b52919c 100644
 		read_files_pattern($1, net_conf_t, net_conf_t)
 	')
 ')
-@@ -440,6 +538,40 @@ interface(`sysnet_etc_filetrans_config',`
- 	files_etc_filetrans($1, net_conf_t, file, $2)
- ')
+@@ -438,6 +536,42 @@ interface(`sysnet_etc_filetrans_config',`
+ 	')
 
+ 	files_etc_filetrans($1, net_conf_t, file, $2)
+	files_etc_filetrans($1, net_conf_t, lnk_file, $2)
+
+')
+
 +########################################
 +## <summary>
 +##	Transition content to the type used for
@ -39391,12 +39407,19 @@ index 2cea692..b52919c 100644
 +	')
 +
 +	filetrans_pattern($1, $2, net_conf_t, $3, $4)
-+')
-+
+ ')
+ 
 #######################################
- ## <summary>
- ##	Create, read, write, and delete network config files.
-@@ -463,12 +595,45 @@ interface(`sysnet_manage_config',`
+@@ -453,7 +587,7 @@ interface(`sysnet_etc_filetrans_config',`
+ interface(`sysnet_manage_config',`
+ 	gen_require(`
+ 		type net_conf_t;
+-	')
+        ')
+ 
+ 	allow $1 net_conf_t:file manage_file_perms;
+ 
+@@ -463,7 +597,42 @@ interface(`sysnet_manage_config',`
 	')
 
 	ifdef(`distro_redhat',`
@ -39404,11 +39427,13 @@ index 2cea692..b52919c 100644
 +        init_search_pid_dirs($1)
 +		allow $1 net_conf_t:dir list_dir_perms;
 		manage_files_pattern($1, net_conf_t, net_conf_t)
- 	')
- ')
- 
- #######################################
- ## <summary>
+		manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
+	')
+    sysnet_filetrans_named_content($1)
+')
+
+#######################################
+## <summary>
 +##	Create, read, write, and delete network config dirs.
 +## </summary>
 +## <param name="domain">
@ -39434,15 +39459,10 @@ index 2cea692..b52919c 100644
 +        init_search_pid_dirs($1)
 +		allow $1 net_conf_t:dir list_dir_perms;
 +		manage_dirs_pattern($1, net_conf_t, net_conf_t)
-+	')
-+')
-+
-+#######################################
-+## <summary>
- ##	Read the dhcp client pid file.
- ## </summary>
- ## <param name="domain">
-@@ -501,6 +666,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+ 	')
+ ')
+ 
+@@ -501,6 +670,7 @@ interface(`sysnet_delete_dhcpc_pid',`
 		type dhcpc_var_run_t;
 	')
 
@ -39450,7 +39470,7 @@ index 2cea692..b52919c 100644
 	allow $1 dhcpc_var_run_t:file unlink;
 ')
 
-@@ -610,6 +776,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -610,6 +780,25 @@ interface(`sysnet_signull_ifconfig',`
 
 ########################################
 ## <summary>
@ -39476,7 +39496,7 @@ index 2cea692..b52919c 100644
 ##	Read the DHCP configuration files.
 ## </summary>
 ## <param name="domain">
-@@ -626,6 +811,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -626,6 +815,7 @@ interface(`sysnet_read_dhcp_config',`
 	files_search_etc($1)
 	allow $1 dhcp_etc_t:dir list_dir_perms;
 	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@ -39484,7 +39504,7 @@ index 2cea692..b52919c 100644
 ')
 
 ########################################
-@@ -647,6 +833,26 @@ interface(`sysnet_search_dhcp_state',`
+@@ -647,6 +837,26 @@ interface(`sysnet_search_dhcp_state',`
 	allow $1 dhcp_state_t:dir search_dir_perms;
 ')
 
@ -39511,7 +39531,7 @@ index 2cea692..b52919c 100644
 ########################################
 ## <summary>
 ##	Create DHCP state data.
-@@ -711,8 +917,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -711,8 +921,6 @@ interface(`sysnet_dns_name_resolve',`
 	allow $1 self:udp_socket create_socket_perms;
 	allow $1 self:netlink_route_socket r_netlink_socket_perms;
 
@ -39520,7 +39540,7 @@ index 2cea692..b52919c 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -720,8 +924,11 @@ interface(`sysnet_dns_name_resolve',`
+@@ -720,8 +928,11 @@ interface(`sysnet_dns_name_resolve',`
 	corenet_tcp_sendrecv_dns_port($1)
 	corenet_udp_sendrecv_dns_port($1)
 	corenet_tcp_connect_dns_port($1)
@ -39532,7 +39552,7 @@ index 2cea692..b52919c 100644
 	sysnet_read_config($1)
 
 	optional_policy(`
-@@ -750,8 +957,6 @@ interface(`sysnet_use_ldap',`
+@@ -750,8 +961,6 @@ interface(`sysnet_use_ldap',`
 
 	allow $1 self:tcp_socket create_socket_perms;
 
@ -39541,7 +39561,7 @@ index 2cea692..b52919c 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
 	corenet_tcp_sendrecv_ldap_port($1)
-@@ -760,9 +965,14 @@ interface(`sysnet_use_ldap',`
+@@ -760,9 +969,14 @@ interface(`sysnet_use_ldap',`
 
 	# Support for LDAPS
 	dev_read_rand($1)
@ -39556,7 +39576,7 @@ index 2cea692..b52919c 100644
 ')
 
 ########################################
-@@ -784,7 +994,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +998,6 @@ interface(`sysnet_use_portmap',`
 	allow $1 self:udp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
@ -39564,7 +39584,7 @@ index 2cea692..b52919c 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1005,120 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1009,122 @@ interface(`sysnet_use_portmap',`
 
 	sysnet_read_config($1)
 ')
@ -39634,6 +39654,7 @@ index 2cea692..b52919c 100644
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
+	files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf")
 +	files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager")
 +	files_etc_filetrans($1, net_conf_t, file, "denyhosts")
 +	files_etc_filetrans($1, net_conf_t, file, "hosts")
@ -39644,8 +39665,9 @@ index 2cea692..b52919c 100644
 +	init_pid_filetrans($1, net_conf_t, dir, "network")
 +
 +	optional_policy(`
-+		networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
-+	')
+	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
+	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+    ')
 +')
 +
 +########################################
@ -41601,10 +41623,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..db531dc
+index 0000000..3ebbad0
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,707 @@
+@@ -0,0 +1,706 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -41863,7 +41885,6 @@ index 0000000..db531dc
 +
 +auth_read_passwd(systemd_networkd_t)
 +
-+sysnet_filetrans_named_content(systemd_networkd_t)
 +sysnet_manage_config(systemd_networkd_t)
 +sysnet_manage_config_dirs(systemd_networkd_t)
 +
@ -42610,7 +42631,7 @@ index 9a1650d..d7e8a01 100644
 
 ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..880b174 100644
+index 39f185f..a253f3f 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -42769,12 +42790,11 @@ index 39f185f..880b174 100644
 
 seutil_read_config(udev_t)
 seutil_read_default_contexts(udev_t)
-@@ -169,7 +191,11 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -169,7 +191,10 @@ sysnet_read_dhcpc_pid(udev_t)
 sysnet_delete_dhcpc_pid(udev_t)
 sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 -sysnet_etc_filetrans_config(udev_t)
-+sysnet_filetrans_named_content(udev_t)
 +#sysnet_etc_filetrans_config(udev_t)
 +
 +systemd_login_read_pid_files(udev_t)
@ -42782,7 +42802,7 @@ index 39f185f..880b174 100644
 
 userdom_dontaudit_search_user_home_content(udev_t)
 
-@@ -195,16 +221,9 @@ ifdef(`distro_gentoo',`
+@@ -195,16 +220,9 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -42801,7 +42821,7 @@ index 39f185f..880b174 100644
 
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
-@@ -242,6 +261,7 @@ optional_policy(`
+@@ -242,6 +260,7 @@ optional_policy(`
 
 optional_policy(`
 	cups_domtrans_config(udev_t)
@ -42809,7 +42829,7 @@ index 39f185f..880b174 100644
 ')
 
 optional_policy(`
-@@ -249,17 +269,31 @@ optional_policy(`
+@@ -249,17 +268,31 @@ optional_policy(`
 	dbus_use_system_bus_fds(udev_t)
 
 	optional_policy(`
@ -42843,7 +42863,7 @@ index 39f185f..880b174 100644
 ')
 
 optional_policy(`
-@@ -289,6 +323,10 @@ optional_policy(`
+@@ -289,6 +322,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -42854,7 +42874,7 @@ index 39f185f..880b174 100644
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
 ')
-@@ -303,6 +341,15 @@ optional_policy(`
+@@ -303,6 +340,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -42870,7 +42890,7 @@ index 39f185f..880b174 100644
 	unconfined_signal(udev_t)
 ')
 
-@@ -315,6 +362,7 @@ optional_policy(`
+@@ -315,6 +361,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -27741,7 +27741,7 @@ index 50d0084..94e1936 100644
 
 	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..9ebb247 100644
+index cf0e567..6c3ce35 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@ -27769,7 +27769,7 @@ index cf0e567..9ebb247 100644
 files_list_var(fail2ban_t)
 files_dontaudit_list_tmp(fail2ban_t)
 
-@@ -92,24 +90,38 @@ fs_getattr_all_fs(fail2ban_t)
+@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 
 logging_read_all_logs(fail2ban_t)
@ -27785,7 +27785,6 @@ index cf0e567..9ebb247 100644
 -sysnet_etc_filetrans_config(fail2ban_t)
 -
 -mta_send_mail(fail2ban_t)
-+sysnet_filetrans_named_content(fail2ban_t)
 
 optional_policy(`
 	apache_read_log(fail2ban_t)
@ -27812,7 +27811,7 @@ index cf0e567..9ebb247 100644
 	iptables_domtrans(fail2ban_t)
 ')
 
-@@ -118,6 +130,10 @@ optional_policy(`
+@@ -118,6 +129,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -27823,7 +27822,7 @@ index cf0e567..9ebb247 100644
 	shorewall_domtrans(fail2ban_t)
 ')
 
-@@ -131,22 +147,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 
@ -101816,10 +101815,10 @@ index 0000000..9524b50
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..02ed710
+index 0000000..e80cde4
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,162 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@ -101891,6 +101890,7 @@ index 0000000..02ed710
 +corecmd_exec_shell(thumb_t)
 +
 +corenet_tcp_connect_xserver_port(thumb_t)
+corenet_dontaudit_tcp_connect_all_ports(thumb_t)
 +
 +dev_read_sysfs(thumb_t)
 +dev_read_urand(thumb_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 107%{?dist}
+Release: 108%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -605,6 +605,12 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-108
+- Fix labels, improve sysnet_manage_config interface.
+- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
+- Dontaudit network connections related to thumb_t. BZ(1187981)
+- Remove sysnet_filetrans_named_content from fail2ban
+
 * Thu Feb 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-107
 - Fix labels on new location of resolv.conf
 - syslog is not writing to the audit socket