* Fri Jun 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-61

- Add back MLS policy
2014-06-20 16:27:18 +02:00 · 2014-06-20 16:27:18 +02:00 · 211fb9932a
commit 211fb9932a
parent c04c318879
3 changed files with 109 additions and 68 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -27856,7 +27856,7 @@ index edece47..cb014fd 100644
 ')
 diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index 948ce2a..1b38e87 100644
+index 948ce2a..8cab8ae 100644
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
@@ -1,4 +1,3 @@
@ -27872,7 +27872,7 @@ index 948ce2a..1b38e87 100644
 /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -36,14 +34,53 @@
+@@ -36,14 +34,55 @@
 /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
@ -27920,8 +27920,10 @@ index 948ce2a..1b38e87 100644
 +/usr/sbin/scsi_info	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/sfdisk	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/swapoff	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/swapon.*	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/tune2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/xfs_growfs    --  gen_context(system_u:object_r:fsadm_exec_t,s0)
 /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
 +
@ -29903,7 +29905,7 @@ index 79a45f6..89b43aa 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..fc94c2a 100644
+index 17eda24..7c66e96 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -30177,7 +30179,7 @@ index 17eda24..fc94c2a 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +305,236 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +305,237 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -30413,7 +30415,8 @@ index 17eda24..fc94c2a 100644
 optional_policy(`
 -	nscd_use(init_t)
-+		networkmanager_stream_connect(init_t)
+	networkmanager_stream_connect(init_t)
 +	networkmanager_stream_connect(initrc_t)
 +')
 +
 +optional_policy(`
@ -30423,7 +30426,7 @@ index 17eda24..fc94c2a 100644
 ')
 optional_policy(`
-@@ -216,7 +542,31 @@ optional_policy(`
+@@ -216,7 +543,31 @@ optional_policy(`
 ')
 optional_policy(`
@ -30455,7 +30458,7 @@ index 17eda24..fc94c2a 100644
 ')
 ########################################
-@@ -225,9 +575,9 @@ optional_policy(`
+@@ -225,9 +576,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -30467,7 +30470,7 @@ index 17eda24..fc94c2a 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -258,12 +608,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +609,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -30484,7 +30487,7 @@ index 17eda24..fc94c2a 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +633,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +634,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -30527,7 +30530,7 @@ index 17eda24..fc94c2a 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +670,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +671,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -30539,7 +30542,7 @@ index 17eda24..fc94c2a 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +682,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +683,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -30550,7 +30553,7 @@ index 17eda24..fc94c2a 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +693,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +694,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -30560,7 +30563,7 @@ index 17eda24..fc94c2a 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +702,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +703,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -30568,7 +30571,7 @@ index 17eda24..fc94c2a 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +709,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +710,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -30576,7 +30579,7 @@ index 17eda24..fc94c2a 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +717,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +718,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -30594,7 +30597,7 @@ index 17eda24..fc94c2a 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +735,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +736,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -30608,7 +30611,7 @@ index 17eda24..fc94c2a 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +750,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +751,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -30622,7 +30625,7 @@ index 17eda24..fc94c2a 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +763,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +764,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -30633,7 +30636,7 @@ index 17eda24..fc94c2a 100644
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +776,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +777,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -30641,7 +30644,7 @@ index 17eda24..fc94c2a 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +795,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +796,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -30665,7 +30668,7 @@ index 17eda24..fc94c2a 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +828,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +829,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -30673,7 +30676,7 @@ index 17eda24..fc94c2a 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +862,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +863,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -30684,7 +30687,7 @@ index 17eda24..fc94c2a 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -506,7 +886,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +887,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -30693,7 +30696,7 @@ index 17eda24..fc94c2a 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -521,6 +901,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +902,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -30701,7 +30704,7 @@ index 17eda24..fc94c2a 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +922,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +923,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -30709,7 +30712,7 @@ index 17eda24..fc94c2a 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +932,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +933,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -30754,7 +30757,7 @@ index 17eda24..fc94c2a 100644
 	')
 	optional_policy(`
-@@ -559,14 +977,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +978,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -30786,7 +30789,7 @@ index 17eda24..fc94c2a 100644
 	')
 ')
-@@ -577,6 +1012,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1013,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -30826,7 +30829,7 @@ index 17eda24..fc94c2a 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1057,8 @@ optional_policy(`
+@@ -589,6 +1058,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -30835,7 +30838,7 @@ index 17eda24..fc94c2a 100644
 ')
 optional_policy(`
-@@ -610,6 +1080,7 @@ optional_policy(`
+@@ -610,6 +1081,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -30843,7 +30846,7 @@ index 17eda24..fc94c2a 100644
 ')
 optional_policy(`
-@@ -626,6 +1097,17 @@ optional_policy(`
+@@ -626,6 +1098,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -30861,7 +30864,7 @@ index 17eda24..fc94c2a 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -642,9 +1124,13 @@ optional_policy(`
+@@ -642,9 +1125,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -30875,7 +30878,7 @@ index 17eda24..fc94c2a 100644
 	')
 	optional_policy(`
-@@ -657,15 +1143,11 @@ optional_policy(`
+@@ -657,15 +1144,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -30893,7 +30896,7 @@ index 17eda24..fc94c2a 100644
 ')
 optional_policy(`
-@@ -686,6 +1168,15 @@ optional_policy(`
+@@ -686,6 +1169,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -30909,7 +30912,7 @@ index 17eda24..fc94c2a 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -726,6 +1217,7 @@ optional_policy(`
+@@ -726,6 +1218,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -30917,7 +30920,7 @@ index 17eda24..fc94c2a 100644
 ')
 optional_policy(`
-@@ -743,7 +1235,13 @@ optional_policy(`
+@@ -743,7 +1236,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -30932,7 +30935,7 @@ index 17eda24..fc94c2a 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -766,6 +1264,10 @@ optional_policy(`
+@@ -766,6 +1265,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -30943,7 +30946,7 @@ index 17eda24..fc94c2a 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1277,20 @@ optional_policy(`
+@@ -775,10 +1278,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -30964,7 +30967,7 @@ index 17eda24..fc94c2a 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -787,6 +1299,10 @@ optional_policy(`
+@@ -787,6 +1300,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -30975,7 +30978,7 @@ index 17eda24..fc94c2a 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -808,8 +1324,6 @@ optional_policy(`
+@@ -808,8 +1325,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -30984,7 +30987,7 @@ index 17eda24..fc94c2a 100644
 ')
 optional_policy(`
-@@ -818,6 +1332,10 @@ optional_policy(`
+@@ -818,6 +1333,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -30995,7 +30998,7 @@ index 17eda24..fc94c2a 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1345,12 @@ optional_policy(`
+@@ -827,10 +1346,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -31008,7 +31011,7 @@ index 17eda24..fc94c2a 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1377,60 @@ optional_policy(`
+@@ -857,21 +1378,60 @@ optional_policy(`
 ')
 optional_policy(`
@ -31070,7 +31073,7 @@ index 17eda24..fc94c2a 100644
 ')
 optional_policy(`
-@@ -887,6 +1446,10 @@ optional_policy(`
+@@ -887,6 +1447,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -31081,7 +31084,7 @@ index 17eda24..fc94c2a 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1460,218 @@ optional_policy(`
+@@ -897,3 +1461,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -40196,10 +40199,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..898464f
+index 0000000..8af0084
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,679 @@
+@@ -0,0 +1,681 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -40298,6 +40301,8 @@ index 0000000..898464f
 +
 +fs_mount_tmpfs(systemd_logind_t)
 +fs_unmount_tmpfs(systemd_logind_t)
 +fs_manage_fusefs_dirs(systemd_logind_t)
 +fs_manage_fusefs_files(systemd_logind_t)
 +
 +manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
 +manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
@ -42270,7 +42275,7 @@ index db75976..8f5380f 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..9464dee 100644
+index 9dc60c6..d193211 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -43653,7 +43658,7 @@ index 9dc60c6..9464dee 100644
 +	')
 +
 +	optional_policy(`
-+		games_rw_data($1_usertype)
+        games_manage_data_files($1_usertype)
 +	')
 +
 +	optional_policy(`
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -7486,7 +7486,7 @@ index f3c0aba..2b3352b 100644
 +	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
 ')
 diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4d..0b6be35 100644
+index 080bc4d..d49f4ef 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@ -7533,7 +7533,7 @@ index 080bc4d..0b6be35 100644
 corenet_udp_bind_snmp_port(apcupsd_t)
 corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +82,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +82,24 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
 dev_rw_generic_usb_dev(apcupsd_t)
@ -7543,8 +7543,8 @@ index 080bc4d..0b6be35 100644
 files_manage_etc_runtime_files(apcupsd_t)
 files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
- term_use_unallocated_ttys(apcupsd_t)
+-term_use_unallocated_ttys(apcupsd_t)
-+term_use_usb_ttys(apcupsd_t)
+term_use_all_terms(apcupsd_t)
 -logging_send_syslog_msg(apcupsd_t)
 +#apcupsd runs shutdown, probably need a shutdown domain
@ -7563,7 +7563,7 @@ index 080bc4d..0b6be35 100644
 optional_policy(`
 	hostname_exec(apcupsd_t)
-@@ -101,6 +115,11 @@ optional_policy(`
+@@ -101,6 +114,11 @@ optional_policy(`
 	shutdown_domtrans(apcupsd_t)
 ')
@ -7575,7 +7575,7 @@ index 080bc4d..0b6be35 100644
 ########################################
 #
 # CGI local policy
-@@ -108,20 +127,20 @@ optional_policy(`
+@@ -108,20 +126,20 @@ optional_policy(`
 optional_policy(`
 	apache_content_template(apcupsd_cgi)
@ -13159,7 +13159,7 @@ index c223f81..8b567c1 100644
 -	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
 ')
 diff --git a/cobbler.te b/cobbler.te
-index 5f306dd..1543aec 100644
+index 5f306dd..e01156f 100644
 --- a/cobbler.te
 +++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@ -13220,7 +13220,7 @@ index 5f306dd..1543aec 100644
 ')
 optional_policy(`
-@@ -179,12 +183,26 @@ optional_policy(`
+@@ -179,12 +183,22 @@ optional_policy(`
 optional_policy(`
 	dhcpd_domtrans(cobblerd_t)
 	dhcpd_initrc_domtrans(cobblerd_t)
@ -13235,10 +13235,6 @@ index 5f306dd..1543aec 100644
 +')
 +
 +optional_policy(`
 +    gnome_dontaudit_search_config(cobblerd_t)
 +')
 +
 +optional_policy(`
 +    libs_exec_ldconfig(cobblerd_t)
 +')
 +
@ -13247,7 +13243,7 @@ index 5f306dd..1543aec 100644
 ')
 optional_policy(`
-@@ -192,13 +210,13 @@ optional_policy(`
+@@ -192,13 +206,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -27988,6 +27984,34 @@ index 36838c2..a09e8b2 100644
 -	fs_read_nfs_files(sftpd_t)
 -	fs_read_nfs_symlinks(ftpd_t)
 -')
 diff --git a/games.if b/games.if
 index e2a3e0d..50ebd40 100644
 --- a/games.if
 +++ b/games.if
@@ -58,3 +58,23 @@ interface(`games_rw_data',`
 	files_search_var_lib($1)
 	rw_files_pattern($1, games_data_t, games_data_t)
 ')
 +
 +########################################
 +## <summary>
 +##	Manage games data files.
 +##	games data.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`games_manage_data_files',`
 +	gen_require(`
 +		type games_data_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, games_data_t, games_data_t)
 +')
 diff --git a/games.te b/games.te
 index e5b15fb..220622e 100644
 --- a/games.te
@ -28372,10 +28396,10 @@ index 0000000..04e159f
 +')
 diff --git a/gear.te b/gear.te
 new file mode 100644
-index 0000000..91ed5f4
+index 0000000..7a27337
 --- /dev/null
 +++ b/gear.te
-@@ -0,0 +1,134 @@
+@@ -0,0 +1,140 @@
 +policy_module(gear, 1.0.0)
 +
 +########################################
@ -28483,7 +28507,10 @@ index 0000000..91ed5f4
 +
 +mount_domtrans(gear_t)
 +
 +selinux_validate_context(gear_t)
 +
 +seutil_read_default_contexts(gear_t)
 +seutil_read_config(gear_t)
 +
 +sysnet_dns_name_resolve(gear_t)
 +
@ -28493,6 +28520,9 @@ index 0000000..91ed5f4
 +systemd_manage_all_unit_files(gear_t)
 +systemd_exec_systemctl(gear_t)
 +
 +usermanage_domtrans_useradd(gear_t)
 +usermanage_domtrans_passwd(gear_t)
 +
 +optional_policy(`
 +	hostname_exec(gear_t)
 +')
@ -73606,10 +73636,10 @@ index 83eb09e..b48c931 100644
 +')
 +
 diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..32dec67 100644
+index 70ab68b..2a8e41b 100644
 --- a/quantum.fc
 +++ b/quantum.fc
-@@ -1,10 +1,28 @@
+@@ -1,10 +1,31 @@
 -/etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/neutron.*	--	gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
@ -73621,6 +73651,9 @@ index 70ab68b..32dec67 100644
 +/usr/bin/neutron-dhcp-agent     --  gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-l3-agent       --  gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-lbaas-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-metadata-agent    --  gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-netns-cleanup --  gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-ns-metadata-proxy --  gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-rootwrap	--	gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-linuxbridge-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-openvswitch-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -11,7 +11,7 @@
 %define BUILD_MINIMUM 1
 %endif
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
-%define BUILD_MLS 0
+%define BUILD_MLS 1
 %endif
 %define POLICYVER 29
 %define POLICYCOREUTILSVER 2.1.14-74
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 60%{?dist}
+Release: 61%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -600,6 +600,9 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Jun 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-61
 - Add back MLS policy
 * Thu Jun 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-60
 - Implement new spec file handling for *.pp modules which allows us to move a policy module out of the policy