- Allow swift to use tcp/6200 swift port

- ALlow swift to search apache configs - Remove duplicate .fc entry for Grilo plugin bookmarks - Remove duplicate .fc entry for telepathy-gabble - Additional allow rules for docker sandbox processes - Allow keepalived connect to agentx port - Allow neutron-ns-metadata to connectto own unix stream socket - Add support for tcp/6200 port - Remove ability for confined users to run xinit - New tool for managing wireless /usr/sbin/iw
2014-06-25 10:50:56 +02:00 · 2014-06-25 10:50:56 +02:00 · 24862fd309
parent e00cf0abb1
commit 24862fd309
3 changed files with 157 additions and 126 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5452,7 +5452,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..e19170b 100644
+index b191055..dab9975 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5712,7 +5712,7 @@ index b191055..e19170b 100644
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
-@@ -213,68 +267,77 @@ network_port(postgrey, tcp,60000,s0)
+@@ -213,68 +267,78 @@ network_port(postgrey, tcp,60000,s0)
 network_port(pptp, tcp,1723,s0, udp,1723,s0)
 network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@ -5770,6 +5770,7 @@ index b191055..e19170b 100644
 network_port(svn, tcp,3690,s0, udp,3690,s0)
 network_port(svrloc, tcp,427,s0, udp,427,s0)
 network_port(swat, tcp,901,s0)
+network_port(swift, tcp,6200,s0)
 network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
 -network_port(syslogd, udp,514,s0)
 +network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
@ -5801,7 +5802,7 @@ index b191055..e19170b 100644
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +351,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +352,23 @@ network_port(zabbix_agent, tcp,10050,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
@ -5828,7 +5829,7 @@ index b191055..e19170b 100644
 
 ########################################
 #
-@@ -333,6 +400,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +401,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
@ -5837,7 +5838,7 @@ index b191055..e19170b 100644
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
-@@ -345,9 +414,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +415,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -14921,10 +14922,17 @@ index 8416beb..75c7b9d 100644
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..089cc7a 100644
+index e7d1738..c0b17f8 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
-@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
+@@ -26,14 +26,18 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
@ -14936,7 +14944,7 @@ index e7d1738..089cc7a 100644
 
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
-@@ -53,6 +56,7 @@ type anon_inodefs_t;
+@@ -53,6 +57,7 @@ type anon_inodefs_t;
 fs_type(anon_inodefs_t)
 files_mountpoint(anon_inodefs_t)
 genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
@ -14944,7 +14952,7 @@ index e7d1738..089cc7a 100644
 
 type bdev_t;
 fs_type(bdev_t)
-@@ -63,12 +67,18 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,12 +68,18 @@ fs_type(binfmt_misc_fs_t)
 files_mountpoint(binfmt_misc_fs_t)
 genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
 
@ -14964,7 +14972,7 @@ index e7d1738..089cc7a 100644
 fs_type(cgroup_t)
 files_mountpoint(cgroup_t)
 dev_associate_sysfs(cgroup_t)
-@@ -88,6 +98,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -88,6 +99,11 @@ fs_noxattr_type(ecryptfs_t)
 files_mountpoint(ecryptfs_t)
 genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
 
@ -14976,7 +14984,7 @@ index e7d1738..089cc7a 100644
 type futexfs_t;
 fs_type(futexfs_t)
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -96,6 +111,7 @@ type hugetlbfs_t;
+@@ -96,6 +112,7 @@ type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
 fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@ -14984,7 +14992,7 @@ index e7d1738..089cc7a 100644
 
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
-@@ -118,13 +134,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,13 +135,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
 
 type nfsd_fs_t;
 fs_type(nfsd_fs_t)
@ -15000,7 +15008,7 @@ index e7d1738..089cc7a 100644
 fs_type(pstore_t)
 files_mountpoint(pstore_t)
 dev_associate_sysfs(pstore_t)
-@@ -150,11 +167,6 @@ fs_type(spufs_t)
+@@ -150,11 +168,6 @@ fs_type(spufs_t)
 genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
 files_mountpoint(spufs_t)
 
@ -15012,7 +15020,7 @@ index e7d1738..089cc7a 100644
 type sysv_t;
 fs_noxattr_type(sysv_t)
 files_mountpoint(sysv_t)
-@@ -172,6 +184,8 @@ type vxfs_t;
+@@ -172,6 +185,8 @@ type vxfs_t;
 fs_noxattr_type(vxfs_t)
 files_mountpoint(vxfs_t)
 genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@ -15021,7 +15029,7 @@ index e7d1738..089cc7a 100644
 
 #
 # tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +196,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +197,8 @@ fs_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
@ -15030,7 +15038,7 @@ index e7d1738..089cc7a 100644
 
 # Use a transition SID based on the allocating task SID and the
 # filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +277,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +278,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 type removable_t;
 allow removable_t noxattrfs:filesystem associate;
 fs_noxattr_type(removable_t)
@ -15039,7 +15047,7 @@ index e7d1738..089cc7a 100644
 files_mountpoint(removable_t)
 
 #
-@@ -280,6 +298,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +299,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@ -18603,7 +18611,7 @@ index 234a940..d340f20 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..46aa66e 100644
+index 0fef1fc..45ee29f 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,71 @@ policy_module(staff, 2.4.0)
@ -18829,7 +18837,7 @@ index 0fef1fc..46aa66e 100644
 ')
 
 optional_policy(`
-@@ -52,11 +231,61 @@ optional_policy(`
+@@ -52,11 +231,60 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18874,6 +18882,7 @@ index 0fef1fc..46aa66e 100644
 ')
 
 optional_policy(`
+-	xserver_role(staff_r, staff_t)
 +    vmtools_run_helper(staff_t, staff_r)
 +')
 +
@ -18886,12 +18895,11 @@ index 0fef1fc..46aa66e 100644
 +')
 +
 +optional_policy(`
- 	xserver_role(staff_r, staff_t)
 +	xserver_read_log(staff_t)
 ')
 
 ifndef(`distro_redhat',`
-@@ -65,10 +294,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +293,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -18902,7 +18910,7 @@ index 0fef1fc..46aa66e 100644
 		cdrecord_role(staff_r, staff_t)
 	')
 
-@@ -78,10 +303,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +302,6 @@ ifndef(`distro_redhat',`
 
 	optional_policy(`
 		dbus_role_template(staff, staff_r, staff_t)
@ -18913,7 +18921,7 @@ index 0fef1fc..46aa66e 100644
 	')
 
 	optional_policy(`
-@@ -101,10 +322,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +321,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -18924,7 +18932,7 @@ index 0fef1fc..46aa66e 100644
 		java_role(staff_r, staff_t)
 	')
 
-@@ -125,10 +342,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +341,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -18935,7 +18943,7 @@ index 0fef1fc..46aa66e 100644
 		pyzor_role(staff_r, staff_t)
 	')
 
-@@ -141,10 +354,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +353,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -18946,7 +18954,7 @@ index 0fef1fc..46aa66e 100644
 		spamassassin_role(staff_r, staff_t)
 	')
 
-@@ -176,3 +385,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +384,22 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
@ -20645,7 +20653,7 @@ index 3835596..fbca2be 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81..c175ba4 100644
+index 6d77e81..79ee03d 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@ -20761,10 +20769,11 @@ index 6d77e81..c175ba4 100644
 ')
 
 optional_policy(`
-@@ -25,6 +118,18 @@ optional_policy(`
+@@ -25,11 +118,19 @@ optional_policy(`
 ')
 
 optional_policy(`
+-	vlock_run(user_t, user_r)
 +	setroubleshoot_dontaudit_stream_connect(user_t)
 +')
 +
@ -20774,13 +20783,15 @@ index 6d77e81..c175ba4 100644
 +
 +optional_policy(`
 +	usbmuxd_stream_connect(user_t)
-+')
-+
-+optional_policy(`
- 	vlock_run(user_t, user_r)
 ')
 
-@@ -102,10 +207,6 @@ ifndef(`distro_redhat',`
+ optional_policy(`
+-	xserver_role(user_r, user_t)
+	vlock_run(user_t, user_r)
+ ')
+ 
+ ifndef(`distro_redhat',`
+@@ -102,10 +203,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -20791,7 +20802,7 @@ index 6d77e81..c175ba4 100644
 		postgresql_role(user_r, user_t)
 	')
 
-@@ -128,7 +229,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +225,6 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		ssh_role_template(user, user_r, user_t)
 	')
@ -20799,7 +20810,7 @@ index 6d77e81..c175ba4 100644
 	optional_policy(`
 		su_role_template(user, user_r, user_t)
 	')
-@@ -161,3 +261,19 @@ ifndef(`distro_redhat',`
+@@ -161,3 +257,19 @@ ifndef(`distro_redhat',`
 		wireshark_role(user_r, user_t)
 	')
 ')
@ -22959,10 +22970,10 @@ index 8274418..4eee56a 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..2469c27 100644
+index 6bf0ecc..44be5f2 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
-@@ -18,100 +18,37 @@
+@@ -18,100 +18,36 @@
 #
 interface(`xserver_restricted_role',`
 	gen_require(`
@ -22970,13 +22981,12 @@ index 6bf0ecc..2469c27 100644
 -		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
 -		type iceauth_t, iceauth_exec_t, iceauth_home_t;
 -		type xauth_t, xauth_exec_t, xauth_home_t;
-+		type xserver_t, xauth_t, iceauth_t;
+		type xauth_t, iceauth_t;
 +		attribute dridomain, x_userdomain;
 	')
 
- 	role $1 types { xserver_t xauth_t iceauth_t };
-+	typeattribute $2 x_userdomain, dridomain;
- 
+-	role $1 types { xserver_t xauth_t iceauth_t };
+-
 -	# Xserver read/write client shm
 -	allow xserver_t $2:fd use;
 -	allow xserver_t $2:shm rw_shm_perms;
@ -23044,30 +23054,31 @@ index 6bf0ecc..2469c27 100644
 -	dev_rw_usbfs($2)
 -
 -	miscfiles_read_fonts($2)
-+    xserver_common_x_domain_template(user,$2)
-+    xserver_stream_connect_xdm($2)
-+    xserver_xdm_append_log($2)
+	role $1 types { xauth_t iceauth_t };
+	typeattribute $2 x_userdomain, dridomain;
 
 -	xserver_common_x_domain_template(user, $2)
 -	xserver_domtrans($2)
 -	xserver_unconfined($2)
 -	xserver_xsession_entry_type($2)
 -	xserver_dontaudit_write_log($2)
-	xserver_stream_connect_xdm($2)
+	xserver_common_x_domain_template(user,$2)
+ 	xserver_stream_connect_xdm($2)
 -	# certain apps want to read xdm.pid file
 -	xserver_read_xdm_pid($2)
 -	# gnome-session creates socket under /tmp/.ICE-unix/
 -	xserver_create_xdm_tmp_sockets($2)
 -	# Needed for escd, remove if we get escd policy
 -	xserver_manage_xdm_tmp_files($2)
-+	modutils_run_insmod(xserver_t, $1)
-+	xserver_dri_domain($2)
-+')
+	xserver_xdm_append_log($2)
 
 -	# Client write xserver shm
 -	tunable_policy(`allow_write_xshm',`
 -		allow $2 xserver_t:shm rw_shm_perms;
 -		allow $2 xserver_tmpfs_t:file rw_file_perms;
+	xserver_dri_domain($2)
+')
+
 +########################################
 +## <summary>
 +##	Domain wants to use direct io devices
@ -23087,7 +23098,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -143,13 +80,15 @@ interface(`xserver_role',`
+@@ -143,13 +79,15 @@ interface(`xserver_role',`
 	allow $2 xserver_tmpfs_t:file rw_file_perms;
 
 	allow $2 iceauth_home_t:file manage_file_perms;
@ -23105,7 +23116,7 @@ index 6bf0ecc..2469c27 100644
 	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
 	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
 
-@@ -162,7 +101,6 @@ interface(`xserver_role',`
+@@ -162,7 +100,6 @@ interface(`xserver_role',`
 	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@ -23113,7 +23124,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 #######################################
-@@ -197,7 +135,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +134,7 @@ interface(`xserver_ro_session',`
 	allow $1 xserver_t:process signal;
 
 	# Read /tmp/.X0-lock
@ -23122,7 +23133,7 @@ index 6bf0ecc..2469c27 100644
 
 	# Client read xserver shm
 	allow $1 xserver_t:fd use;
-@@ -227,7 +165,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +164,7 @@ interface(`xserver_rw_session',`
 		type xserver_t, xserver_tmpfs_t;
 	')
 
@ -23131,7 +23142,7 @@ index 6bf0ecc..2469c27 100644
 	allow $1 xserver_t:shm rw_shm_perms;
 	allow $1 xserver_tmpfs_t:file rw_file_perms;
 ')
-@@ -255,7 +193,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +192,7 @@ interface(`xserver_non_drawing_client',`
 
 	allow $1 self:x_gc { create setattr };
 
@ -23140,7 +23151,7 @@ index 6bf0ecc..2469c27 100644
 	allow $1 xserver_t:unix_stream_socket connectto;
 
 	allow $1 xextension_t:x_extension { query use };
-@@ -282,7 +220,7 @@ interface(`xserver_non_drawing_client',`
+@@ -282,7 +219,7 @@ interface(`xserver_non_drawing_client',`
 interface(`xserver_user_client',`
 	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
 	gen_require(`
@ -23149,7 +23160,7 @@ index 6bf0ecc..2469c27 100644
 		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
 	')
 
-@@ -291,14 +229,14 @@ interface(`xserver_user_client',`
+@@ -291,14 +228,14 @@ interface(`xserver_user_client',`
 	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
 
 	# Read .Xauthority file
@ -23169,7 +23180,7 @@ index 6bf0ecc..2469c27 100644
 	dontaudit $1 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
-@@ -316,7 +254,7 @@ interface(`xserver_user_client',`
+@@ -316,7 +253,7 @@ interface(`xserver_user_client',`
 	xserver_read_xdm_tmp_files($1)
 
 	# Client write xserver shm
@ -23178,7 +23189,7 @@ index 6bf0ecc..2469c27 100644
 		allow $1 xserver_t:shm rw_shm_perms;
 		allow $1 xserver_tmpfs_t:file rw_file_perms;
 	')
-@@ -342,19 +280,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +279,23 @@ interface(`xserver_user_client',`
 #
 template(`xserver_common_x_domain_template',`
 	gen_require(`
@ -23205,7 +23216,7 @@ index 6bf0ecc..2469c27 100644
 	')
 
 	##############################
-@@ -383,9 +325,18 @@ template(`xserver_common_x_domain_template',`
+@@ -383,9 +324,18 @@ template(`xserver_common_x_domain_template',`
 	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
 	# can receive default events
 	allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
@ -23225,7 +23236,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 #######################################
-@@ -444,8 +395,9 @@ template(`xserver_object_types_template',`
+@@ -444,8 +394,9 @@ template(`xserver_object_types_template',`
 #
 template(`xserver_user_x_domain_template',`
 	gen_require(`
@ -23237,7 +23248,7 @@ index 6bf0ecc..2469c27 100644
 	')
 
 	allow $2 self:shm create_shm_perms;
-@@ -456,11 +408,13 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +407,13 @@ template(`xserver_user_x_domain_template',`
 	allow $2 xauth_home_t:file read_file_perms;
 	allow $2 iceauth_home_t:file read_file_perms;
 
@ -23254,7 +23265,7 @@ index 6bf0ecc..2469c27 100644
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
-@@ -472,20 +426,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +425,26 @@ template(`xserver_user_x_domain_template',`
 	# for .xsession-errors
 	userdom_dontaudit_write_user_home_content_files($2)
 
@ -23285,7 +23296,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -517,6 +477,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +476,7 @@ interface(`xserver_use_user_fonts',`
 	# Read per user fonts
 	allow $1 user_fonts_t:dir list_dir_perms;
 	allow $1 user_fonts_t:file read_file_perms;
@ -23293,7 +23304,7 @@ index 6bf0ecc..2469c27 100644
 
 	# Manipulate the global font cache
 	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -547,6 +508,42 @@ interface(`xserver_domtrans_xauth',`
+@@ -547,6 +507,42 @@ interface(`xserver_domtrans_xauth',`
 	domtrans_pattern($1, xauth_exec_t, xauth_t)
 ')
 
@ -23336,7 +23347,7 @@ index 6bf0ecc..2469c27 100644
 ########################################
 ## <summary>
 ##	Create a Xauthority file in the user home directory.
-@@ -567,6 +564,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
+@@ -567,6 +563,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
 
 ########################################
 ## <summary>
@ -23361,7 +23372,7 @@ index 6bf0ecc..2469c27 100644
 ##	Read all users fonts, user font configurations,
 ##	and manage all users font caches.
 ## </summary>
-@@ -598,6 +613,25 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +612,25 @@ interface(`xserver_read_user_xauth',`
 
 	allow $1 xauth_home_t:file read_file_perms;
 	userdom_search_user_home_dirs($1)
@ -23387,7 +23398,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -615,7 +649,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +648,7 @@ interface(`xserver_setattr_console_pipes',`
 		type xconsole_device_t;
 	')
 
@ -23396,7 +23407,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -638,6 +672,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +671,25 @@ interface(`xserver_rw_console',`
 
 ########################################
 ## <summary>
@ -23422,7 +23433,7 @@ index 6bf0ecc..2469c27 100644
 ##	Use file descriptors for xdm.
 ## </summary>
 ## <param name="domain">
-@@ -651,7 +704,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +703,7 @@ interface(`xserver_use_xdm_fds',`
 		type xdm_t;
 	')
 
@ -23431,7 +23442,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -670,7 +723,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +722,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
 		type xdm_t;
 	')
 
@ -23440,7 +23451,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -688,7 +741,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +740,7 @@ interface(`xserver_rw_xdm_pipes',`
 		type xdm_t;
 	')
 
@ -23449,7 +23460,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -703,12 +756,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +755,11 @@ interface(`xserver_rw_xdm_pipes',`
 ## </param>
 #
 interface(`xserver_dontaudit_rw_xdm_pipes',`
@ -23463,7 +23474,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -765,11 +817,92 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +816,92 @@ interface(`xserver_manage_xdm_spool_files',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
@ -23558,7 +23569,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -793,6 +926,21 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +925,21 @@ interface(`xserver_read_xdm_rw_config',`
 
 ########################################
 ## <summary>
@ -23580,7 +23591,7 @@ index 6bf0ecc..2469c27 100644
 ##	Set the attributes of XDM temporary directories.
 ## </summary>
 ## <param name="domain">
-@@ -802,11 +950,23 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -802,11 +949,23 @@ interface(`xserver_read_xdm_rw_config',`
 ## </param>
 #
 interface(`xserver_setattr_xdm_tmp_dirs',`
@ -23608,7 +23619,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -821,13 +981,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -821,13 +980,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 ## </param>
 #
 interface(`xserver_create_xdm_tmp_sockets',`
@ -23624,7 +23635,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -846,7 +1001,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1000,26 @@ interface(`xserver_read_xdm_pid',`
 	')
 
 	files_search_pids($1)
@ -23652,7 +23663,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -864,7 +1038,26 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -864,7 +1037,26 @@ interface(`xserver_read_xdm_lib_files',`
 		type xdm_var_lib_t;
 	')
 
@ -23680,7 +23691,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -938,26 +1131,45 @@ interface(`xserver_getattr_log',`
+@@ -938,17 +1130,36 @@ interface(`xserver_getattr_log',`
 	')
 
 	logging_search_logs($1)
@ -23698,13 +23709,11 @@ index 6bf0ecc..2469c27 100644
 ## <param name="domain">
 -##	<summary>
 -##	Domain to not audit.
-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
-interface(`xserver_dontaudit_write_log',`
+## </param>
+#
 +interface(`xserver_read_log',`
 +    gen_require(`
 +        type xserver_log_t;
@ -23722,11 +23731,10 @@ index 6bf0ecc..2469c27 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`xserver_dontaudit_write_log',`
- 	gen_require(`
+ ##	</summary>
+ ## </param>
+ #
+@@ -957,7 +1168,7 @@ interface(`xserver_dontaudit_write_log',`
 		type xserver_log_t;
 	')
 
@ -23735,7 +23743,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -1004,7 +1216,7 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,7 +1215,7 @@ interface(`xserver_read_xkb_libs',`
 
 ########################################
 ## <summary>
@ -23744,7 +23752,7 @@ index 6bf0ecc..2469c27 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1012,51 +1224,117 @@ interface(`xserver_read_xkb_libs',`
+@@ -1012,51 +1223,117 @@ interface(`xserver_read_xkb_libs',`
 ##	</summary>
 ## </param>
 #
@ -23878,7 +23886,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -1070,11 +1348,38 @@ interface(`xserver_rw_xdm_tmp_files',`
+@@ -1070,11 +1347,38 @@ interface(`xserver_rw_xdm_tmp_files',`
 ## </param>
 #
 interface(`xserver_manage_xdm_tmp_files',`
@ -23921,7 +23929,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -1089,11 +1394,8 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1089,11 +1393,8 @@ interface(`xserver_manage_xdm_tmp_files',`
 ## </param>
 #
 interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
@ -23935,7 +23943,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -1111,8 +1413,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1412,10 @@ interface(`xserver_domtrans',`
 		type xserver_t, xserver_exec_t;
 	')
 
@ -23947,7 +23955,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -1210,6 +1514,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1513,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
 
 ########################################
 ## <summary>
@ -23973,7 +23981,7 @@ index 6bf0ecc..2469c27 100644
 ##	Connect to the X server over a unix domain
 ##	stream socket.
 ## </summary>
-@@ -1226,6 +1549,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1548,26 @@ interface(`xserver_stream_connect',`
 
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -24000,7 +24008,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -1251,7 +1594,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1593,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
@ -24009,7 +24017,7 @@ index 6bf0ecc..2469c27 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1261,13 +1604,27 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1603,27 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
@ -24038,7 +24046,7 @@ index 6bf0ecc..2469c27 100644
 ')
 
 ########################################
-@@ -1284,10 +1641,657 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1640,657 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -24699,7 +24707,7 @@ index 6bf0ecc..2469c27 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..e3f28af 100644
+index 8b40377..0777a7f 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -26141,9 +26149,9 @@ index 8b40377..e3f28af 100644
 +miscfiles_read_hwdata(x_userdomain)
 +
 +#xserver_common_x_domain_template(user, x_userdomain)
-+xserver_domtrans(x_userdomain)
+#xserver_domtrans(x_userdomain)
 +#xserver_unconfined(x_userdomain)
-+xserver_xsession_entry_type(x_userdomain)
+#xserver_xsession_entry_type(x_userdomain)
 +xserver_dontaudit_write_log(x_userdomain)
 +#xserver_stream_connect_xdm(x_userdomain)
 +# certain apps want to read xdm.pid file
@ -37748,7 +37756,7 @@ index 1447687..d5e6fb9 100644
 seutil_read_config(setrans_t)
 
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..a072ac2 100644
+index 40edc18..b39e137 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
@@ -17,22 +17,24 @@ ifdef(`distro_debian',`
@ -37780,7 +37788,7 @@ index 40edc18..a072ac2 100644
 ')
 
 #
-@@ -55,6 +57,20 @@ ifdef(`distro_redhat',`
+@@ -55,6 +57,21 @@ ifdef(`distro_redhat',`
 #
 # /usr
 #
@ -37792,6 +37800,7 @@ index 40edc18..a072ac2 100644
 +/usr/sbin/ethtool	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/usr/sbin/ifconfig	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/usr/sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/usr/sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/usr/sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/usr/sbin/ipx_internal_net --	gen_context(system_u:object_r:ifconfig_exec_t,s0)
@ -37801,7 +37810,7 @@ index 40edc18..a072ac2 100644
 /usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 
 #
-@@ -77,3 +93,6 @@ ifdef(`distro_debian',`
+@@ -77,3 +94,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -29868,10 +29868,10 @@ index 4e95c7e..0000000
 -
 -miscfiles_read_localization(glusterd_t)
 diff --git a/gnome.fc b/gnome.fc
-index e39de43..6a6db28 100644
+index e39de43..5edcb83 100644
 --- a/gnome.fc
 +++ b/gnome.fc
-@@ -1,15 +1,61 @@
+@@ -1,15 +1,60 @@
 -HOME_DIR/\.gconf(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gconfd(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gnome(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
@ -29889,7 +29889,6 @@ index e39de43..6a6db28 100644
 +HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 +HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
-+HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.grl-metadata-store		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
@ -37198,7 +37197,7 @@ index 0000000..0d61849
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..2c08717
+index 0000000..879ab65
 --- /dev/null
 +++ b/keepalived.te
@@ -0,0 +1,55 @@
@ -37237,16 +37236,16 @@ index 0000000..2c08717
 +kernel_read_system_state(keepalived_t)
 +kernel_read_network_state(keepalived_t)
 +
+auth_use_nsswitch(keepalived_t)
+
 +corecmd_exec_bin(keepalived_t)
 +corecmd_exec_shell(keepalived_t)
 +
-+corenet_tcp_connect_snmp_port(keepalived_t)
-+
-+auth_use_nsswitch(keepalived_t)
-+
 +corenet_tcp_connect_connlcli_port(keepalived_t)
 +corenet_tcp_connect_http_port(keepalived_t)
 +corenet_tcp_connect_smtp_port(keepalived_t)
+corenet_tcp_connect_snmp_port(keepalived_t)
+corenet_tcp_connect_agentx_port(keepalived_t)
 +
 +dev_read_urand(keepalived_t)
 +
@ -73994,7 +73993,7 @@ index afc0068..3105104 100644
 +	')
 ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..e815665 100644
+index 8644d8b..ddc4c31 100644
 --- a/quantum.te
 +++ b/quantum.te
@@ -5,92 +5,146 @@ policy_module(quantum, 1.1.0)
@ -74049,7 +74048,7 @@ index 8644d8b..e815665 100644
 +allow neutron_t self:fifo_file rw_fifo_file_perms;
 +allow neutron_t self:key manage_key_perms;
 +allow neutron_t self:tcp_socket { accept listen };
-+allow neutron_t self:unix_stream_socket { accept listen };
+allow neutron_t self:unix_stream_socket { accept listen connectto };
 +allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow neutron_t self:rawip_socket create_socket_perms;
 +allow neutron_t self:packet_socket create_socket_perms;
@ -94752,10 +94751,10 @@ index 0000000..6a1f575
 +')
 diff --git a/swift.te b/swift.te
 new file mode 100644
-index 0000000..d3fe02a
+index 0000000..3d21c49
 --- /dev/null
 +++ b/swift.te
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,126 @@
 +policy_module(swift, 1.0.0)
 +
 +########################################
@ -94842,9 +94841,12 @@ index 0000000..d3fe02a
 +
 +# bug in swift
 +corenet_tcp_bind_xserver_port(swift_t)
+
+corenet_tcp_bind_swift_port(swift_t)
 +corenet_tcp_bind_http_cache_port(swift_t)
 +
 +corenet_tcp_connect_xserver_port(swift_t)
+corenet_tcp_connect_swift_port(swift_t)
 +
 +corecmd_exec_shell(swift_t)
 +corecmd_exec_bin(swift_t)
@ -94872,6 +94874,10 @@ index 0000000..d3fe02a
 +')
 +
 +optional_policy(`
+    apache_search_config(swift_t)
+')
+
+optional_policy(`
 +    rpm_exec(swift_t)
 +    rpm_dontaudit_manage_db(swift_t)
 +')
@ -95242,14 +95248,14 @@ index b26d44a..5ab05dc 100644
 -
 -miscfiles_read_localization(tcsd_t)
 diff --git a/telepathy.fc b/telepathy.fc
-index 6c7f8f8..107300a 100644
+index 6c7f8f8..03fc880 100644
 --- a/telepathy.fc
 +++ b/telepathy.fc
-@@ -1,35 +1,24 @@
+@@ -1,35 +1,23 @@
 -HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
 +HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
 HOME_DIR/\.cache/telepathy(/.*)?	gen_context(system_u:object_r:telepathy_cache_home_t, s0)
- HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+-HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
 HOME_DIR/\.cache/telepathy/logger(/.*)?	gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
 -HOME_DIR/\.cache/telepathy/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
 -HOME_DIR/\.cache/wocky(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
@ -101923,7 +101929,7 @@ index facdee8..88dcafb 100644
 +	virt_stream_connect($1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..f74be5f 100644
+index f03dcf5..d3fb1c1 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,212 @@
@ -103387,7 +103393,7 @@ index f03dcf5..f74be5f 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1133,303 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1133,307 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
 
@ -103500,6 +103506,7 @@ index f03dcf5..f74be5f 100644
 +fs_list_inotifyfs(svirt_sandbox_domain)
 +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
 +fs_read_fusefs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
 +
 +auth_dontaudit_read_passwd(svirt_sandbox_domain)
 +auth_dontaudit_read_login_records(svirt_sandbox_domain)
@ -103646,13 +103653,15 @@ index f03dcf5..f74be5f 100644
 +tunable_policy(`virt_use_nfs',`
 +	fs_manage_nfs_dirs(svirt_sandbox_domain)
 +	fs_manage_nfs_files(svirt_sandbox_domain)
-+	fs_read_nfs_symlinks(svirt_sandbox_domain)
+	fs_manage_nfs_named_sockets(svirt_sandbox_domain)
+	fs_manage_nfs_symlinks(svirt_sandbox_domain)
 +')
 +
 +tunable_policy(`virt_use_samba',`
 +	fs_manage_cifs_files(svirt_sandbox_domain)
 +	fs_manage_cifs_dirs(svirt_sandbox_domain)
-+	fs_read_cifs_symlinks(svirt_sandbox_domain)
+	fs_manage_cifs_named_sockets(svirt_sandbox_domain)
+	fs_manage_cifs_symlinks(svirt_sandbox_domain)
 ')
 
 ########################################
@ -103711,6 +103720,7 @@ index f03dcf5..f74be5f 100644
 -corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
 -corenet_tcp_connect_all_ports(svirt_lxc_net_t)
 +kernel_read_irq_sysctls(svirt_lxc_net_t)
+kernel_read_messages(svirt_lxc_net_t)
 
 +dev_read_sysfs(svirt_lxc_net_t)
 dev_getattr_mtrr_dev(svirt_lxc_net_t)
@ -103828,7 +103838,7 @@ index f03dcf5..f74be5f 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
 
-@@ -1174,12 +1442,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1446,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
 
@ -103843,7 +103853,7 @@ index f03dcf5..f74be5f 100644
 sysnet_read_config(virt_qmf_t)
 
 optional_policy(`
-@@ -1192,9 +1460,8 @@ optional_policy(`
+@@ -1192,9 +1464,8 @@ optional_policy(`
 
 ########################################
 #
@ -103854,7 +103864,7 @@ index f03dcf5..f74be5f 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1474,216 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1478,216 @@ kernel_read_network_state(virt_bridgehelper_t)
 
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 61%{?dist}
+Release: 62%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -600,6 +600,18 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Jun 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-62
+- Allow swift to use tcp/6200 swift port
+- ALlow swift to search apache configs
+- Remove duplicate .fc entry for Grilo plugin bookmarks
+- Remove duplicate .fc entry for telepathy-gabble
+- Additional allow rules for docker sandbox processes
+- Allow keepalived connect to agentx port
+- Allow neutron-ns-metadata to connectto own unix stream socket
+- Add support for tcp/6200 port
+- Remove ability for confined users to run xinit
+- New tool for managing wireless /usr/sbin/iw
+
 * Fri Jun 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-61
 - Add back MLS policy