- virsh now does a setexeccon call

- Additional rules required by openshift domains - Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-serv - Allow spamd_update_t to search spamc_home_t - Avcs discovered by mounting an isci device under /mnt - Allow lspci running as logrotate to read pci.ids - Additional fix for networkmanager_read_pid_files() - Fix networkmanager_read_pid_files() interface - Allow all svirt domains to connect to svirt_socket_t - Allow virsh to set SELinux context for a process. - Allow tuned to create netlink_kobject_uevent_socket - Allow systemd-timestamp to set SELinux context - Add support for /var/lib/systemd/linger - Fix ssh_sysadm_login to be working on MLS as expected
2013-02-14 19:06:59 +01:00 · 2013-02-14 19:06:59 +01:00 · 2599f2f590
parent 79355670f4
commit 2599f2f590
3 changed files with 296 additions and 130 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -220921,7 +220921,7 @@ index fe0c682..da12170 100644
 +	allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..94900fb 100644
+index 5fc0391..386c48c 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3)
@ -221187,7 +221187,6 @@ index 5fc0391..94900fb 100644
 +userdom_spec_domtrans_unpriv_users(sshd_t)
 +userdom_signal_unpriv_users(sshd_t)
 +userdom_dyntransition_unpriv_users(sshd_t)
 +userdom_dyntransition_admin_users(sshd_t)
 +
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
@ -221200,6 +221199,7 @@ index 5fc0391..94900fb 100644
 -	userdom_spec_domtrans_unpriv_users(sshd_t)
 -	userdom_signal_unpriv_users(sshd_t)
 +	userdom_spec_domtrans_all_users(sshd_t)
 +	userdom_dyntransition_admin_users(sshd_t)
 +')
 +
 +optional_policy(`
@ -226158,7 +226158,7 @@ index bb5c4a6..7ebb938 100644
 ')
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 9a4d3a7..b7b205c 100644
+index 9a4d3a7..9d960bb 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
@@ -1,6 +1,9 @@
@ -226183,7 +226183,7 @@ index 9a4d3a7..b7b205c 100644
 /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
 # because nowadays, /sbin/init is often a symlink to /sbin/upstart
 /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
-@@ -42,11 +50,23 @@ ifdef(`distro_gentoo', `
+@@ -42,19 +50,33 @@ ifdef(`distro_gentoo', `
 #
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
@ -226207,7 +226207,9 @@ index 9a4d3a7..b7b205c 100644
 #
 # /var
-@@ -55,6 +75,7 @@ ifdef(`distro_gentoo', `
+ #
 +/var/lib/systemd(/.*)?	gen_context(system_u:object_r:init_var_lib_t,s0)
 /var/run/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
@ -226215,13 +226217,13 @@ index 9a4d3a7..b7b205c 100644
 ifdef(`distro_debian',`
 /var/run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-@@ -73,3 +94,4 @@ ifdef(`distro_suse', `
+@@ -73,3 +95,4 @@ ifdef(`distro_suse', `
 /var/run/setleds-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..386109d 100644
+index 24e7804..c0ec978 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -106,6 +106,8 @@ interface(`init_domain',`
@ -226458,7 +226460,7 @@ index 24e7804..386109d 100644
 ')
 ########################################
-@@ -566,6 +622,24 @@ interface(`init_sigchld',`
+@@ -566,6 +622,58 @@ interface(`init_sigchld',`
 ########################################
 ## <summary>
@ -226479,11 +226481,45 @@ index 24e7804..386109d 100644
 +')
 +
 +########################################
 +## <summary>
 +##	Create objects in the init_var_lib_t directories
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="file_type">
 +##	<summary>
 +##	The type of the object to be created
 +##	</summary>
 +## </param>
 +## <param name="object_class">
 +##	<summary>
 +##	The object class.
 +##	</summary>
 +## </param>
 +## <param name="name" optional="true">
 +##	<summary>
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
 +#
 +interface(`init_var_lib_filetrans',`
 +	gen_require(`
 +		type init_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
 +')
 +
 +########################################
 +## <summary>
 ##	Connect to init with a unix socket.
 ## </summary>
 ## <param name="domain">
-@@ -576,10 +650,66 @@ interface(`init_sigchld',`
+@@ -576,10 +684,66 @@ interface(`init_sigchld',`
 #
 interface(`init_stream_connect',`
 	gen_require(`
@ -226552,7 +226588,7 @@ index 24e7804..386109d 100644
 ')
 ########################################
-@@ -743,22 +873,23 @@ interface(`init_write_initctl',`
+@@ -743,22 +907,23 @@ interface(`init_write_initctl',`
 interface(`init_telinit',`
 	gen_require(`
 		type initctl_t;
@ -226585,7 +226621,7 @@ index 24e7804..386109d 100644
 ')
 ########################################
-@@ -787,7 +918,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +952,7 @@ interface(`init_rw_initctl',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -226594,7 +226630,7 @@ index 24e7804..386109d 100644
 ##	</summary>
 ## </param>
 #
-@@ -830,11 +961,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +995,12 @@ interface(`init_script_file_entry_type',`
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
@ -226609,7 +226645,7 @@ index 24e7804..386109d 100644
 	ifdef(`distro_gentoo',`
 		gen_require(`
-@@ -845,11 +977,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1011,11 @@ interface(`init_spec_domtrans_script',`
 	')
 	ifdef(`enable_mcs',`
@ -226623,7 +226659,7 @@ index 24e7804..386109d 100644
 	')
 ')
-@@ -865,19 +997,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1031,41 @@ interface(`init_spec_domtrans_script',`
 #
 interface(`init_domtrans_script',`
 	gen_require(`
@ -226669,7 +226705,7 @@ index 24e7804..386109d 100644
 ')
 ########################################
-@@ -933,9 +1087,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1121,14 @@ interface(`init_script_file_domtrans',`
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
 		type initrc_t;
@ -226684,7 +226720,7 @@ index 24e7804..386109d 100644
 	files_search_etc($1)
 ')
-@@ -1026,7 +1185,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1219,9 @@ interface(`init_ptrace',`
 		type init_t;
 	')
@ -226695,7 +226731,7 @@ index 24e7804..386109d 100644
 ')
 ########################################
-@@ -1125,6 +1286,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1320,25 @@ interface(`init_getattr_all_script_files',`
 ########################################
 ## <summary>
@ -226721,7 +226757,7 @@ index 24e7804..386109d 100644
 ##	Read all init script files.
 ## </summary>
 ## <param name="domain">
-@@ -1144,6 +1324,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1358,24 @@ interface(`init_read_all_script_files',`
 #######################################
 ## <summary>
@ -226746,7 +226782,7 @@ index 24e7804..386109d 100644
 ##	Dontaudit read all init script files.
 ## </summary>
 ## <param name="domain">
-@@ -1195,12 +1393,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1427,7 @@ interface(`init_read_script_state',`
 	')
 	kernel_search_proc($1)
@ -226760,7 +226796,7 @@ index 24e7804..386109d 100644
 ')
 ########################################
-@@ -1440,6 +1633,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1667,27 @@ interface(`init_dbus_send_script',`
 ########################################
 ## <summary>
 ##	Send and receive messages from
@ -226788,7 +226824,7 @@ index 24e7804..386109d 100644
 ##	init scripts over dbus.
 ## </summary>
 ## <param name="domain">
-@@ -1526,6 +1740,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1526,6 +1774,25 @@ interface(`init_getattr_script_status_files',`
 ########################################
 ## <summary>
@ -226814,7 +226850,7 @@ index 24e7804..386109d 100644
 ##	Do not audit attempts to read init script
 ##	status files.
 ## </summary>
-@@ -1584,6 +1817,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,6 +1851,24 @@ interface(`init_rw_script_tmp_files',`
 ########################################
 ## <summary>
@ -226839,14 +226875,16 @@ index 24e7804..386109d 100644
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
-@@ -1656,6 +1907,43 @@ interface(`init_read_utmp',`
+@@ -1656,11 +1941,48 @@ interface(`init_read_utmp',`
 ########################################
 ## <summary>
 -##	Do not audit attempts to write utmp.
 +##	Read utmp.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+ ##	<summary>
 -##	Domain to not audit.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@ -226880,10 +226918,15 @@ index 24e7804..386109d 100644
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts to write utmp.
+##	Do not audit attempts to write utmp.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
-@@ -1744,7 +2032,7 @@ interface(`init_dontaudit_rw_utmp',`
+##	<summary>
 +##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -1744,7 +2066,7 @@ interface(`init_dontaudit_rw_utmp',`
 		type initrc_var_run_t;
 	')
@ -226892,11 +226935,10 @@ index 24e7804..386109d 100644
 ')
 ########################################
-@@ -1785,7 +2073,134 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,6 +2107,133 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 -########################################
 +######################################
 +## <summary>
 +##  Allow search  directory in the /run/systemd directory.
@ -227024,11 +227066,10 @@ index 24e7804..386109d 100644
 +	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
 +')
 +
-+########################################
+ ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
- ## </summary>
+@@ -1819,3 +2268,283 @@ interface(`init_udp_recvfrom_all_daemons',`
@@ -1819,3 +2234,283 @@ interface(`init_udp_recvfrom_all_daemons',`
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
@ -227313,7 +227354,7 @@ index 24e7804..386109d 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..b8592b4 100644
+index dd3be8d..4d9b509 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@ -227380,10 +227421,10 @@ index dd3be8d..b8592b4 100644
 files_pid_file(init_var_run_t)
 #
-+# init_var_lib_t is the type for /var/lib/random-seed
+# init_var_lib_t is the type for /var/lib/systemd
 +#
 +type init_var_lib_t;
-+files_pid_file(init_var_lib_t)
+files_type(init_var_lib_t)
 +
 +type machineid_t;
 +files_config_file(machineid_t)
@ -234737,10 +234778,10 @@ index b7686d5..9a50b11 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..4221a94
+index 0000000..595f756
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,39 @@
 +/bin/systemd-notify				--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 +/bin/systemctl					--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@ -234768,6 +234809,7 @@ index 0000000..4221a94
 +/usr/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
 +/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +
 +/var/lib/systemd/linger(/.*)?  		gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
 +/var/lib/random-seed 		gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
 +/usr/var/lib/random-seed 	gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
 +
@ -235828,10 +235870,10 @@ index 0000000..a4b0917
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..1131866
+index 0000000..c0a85ab
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,616 @@
+@@ -0,0 +1,624 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -235855,6 +235897,9 @@ index 0000000..1131866
 +type systemd_logind_sessions_t;
 +files_pid_file(systemd_logind_sessions_t)
 +
 +type systemd_logind_var_lib_t;
 +files_type(systemd_logind_var_lib_t)
 +
 +# /run/systemd/{seats, users}
 +type systemd_logind_var_run_t;
 +files_pid_file(systemd_logind_var_run_t)
@ -235918,13 +235963,17 @@ index 0000000..1131866
 +
 +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
 +allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
-+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:process { getcap };
 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 +
 +mls_file_read_all_levels(systemd_logind_t)
 +mls_file_write_all_levels(systemd_logind_t)
 +
 +manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
 +manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
 +init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
 +
 +manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
 +manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
 +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
@ -236002,7 +236051,6 @@ index 0000000..1131866
 +logging_send_syslog_msg(systemd_logind_t)
 +logging_stream_connect_syslog(systemd_logind_t)
 +
 +
 +udev_read_db(systemd_logind_t)
 +udev_manage_rules_files(systemd_logind_t)
 +
@ -236350,7 +236398,7 @@ index 0000000..1131866
 +# Timedated policy
 +#
 +allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
-+allow systemd_timedated_t self:process { getattr getsched signal };
+allow systemd_timedated_t self:process { getattr getsched signal setfscreate };
 +allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
 +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
 +allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
@ -236383,6 +236431,8 @@ index 0000000..1131866
 +miscfiles_manage_localization(systemd_timedated_t)
 +miscfiles_etc_filetrans_localization(systemd_timedated_t)
 +
 +seutil_read_file_contexts(systemd_timedated_t)
 +
 +userdom_read_all_users_state(systemd_timedated_t)
 +
 +optional_policy(`
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -25955,7 +25955,7 @@ index d03fd43..f73c152 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..ac1375b 100644
+index 20f726b..eb0d80a 100644
 --- a/gnome.te
 +++ b/gnome.te
@@ -1,18 +1,36 @@
@ -25999,7 +25999,7 @@ index 20f726b..ac1375b 100644
 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
 typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
 typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,227 @@ type gconfd_exec_t;
+@@ -29,107 +47,228 @@ type gconfd_exec_t;
 typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
 typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
 userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@ -26210,6 +26210,7 @@ index 20f726b..ac1375b 100644
 -allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
 -gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
 +allow gkeyringd_domain config_home_t:dir add_entry_dir_perms;
 +allow gkeyringd_domain config_home_t:file write;
 -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
@ -32457,7 +32458,7 @@ index dd8e01a..9cd6b0b 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..5c6ac99 100644
+index 7bab8e5..3124cab 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -1,20 +1,18 @@
@ -32519,7 +32520,7 @@ index 7bab8e5..5c6ac99 100644
 allow logrotate_t self:shm create_shm_perms;
 allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,79 +52,91 @@ allow logrotate_t self:msg { send receive };
+@@ -48,79 +52,93 @@ allow logrotate_t self:msg { send receive };
 allow logrotate_t logrotate_lock_t:file manage_file_perms;
 files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@ -32606,8 +32607,6 @@ index 7bab8e5..5c6ac99 100644
 logging_exec_all_logs(logrotate_t)
 -miscfiles_read_localization(logrotate_t)
 -
 -seutil_dontaudit_read_config(logrotate_t)
 +systemd_exec_systemctl(logrotate_t)
 +systemd_getattr_unit_files(logrotate_t)
 +systemd_start_all_unit_files(logrotate_t)
@ -32615,6 +32614,9 @@ index 7bab8e5..5c6ac99 100644
 +systemd_status_all_unit_files(logrotate_t)
 +init_stream_connect(logrotate_t)
 -seutil_dontaudit_read_config(logrotate_t)
 +miscfiles_read_hwdata(logrotate_t)
 -userdom_use_user_terminals(logrotate_t)
 +userdom_use_inherited_user_terminals(logrotate_t)
 userdom_list_user_home_dirs(logrotate_t)
@ -32639,7 +32641,7 @@ index 7bab8e5..5c6ac99 100644
 ')
 optional_policy(`
-@@ -140,11 +156,11 @@ optional_policy(`
+@@ -140,11 +158,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -32653,7 +32655,7 @@ index 7bab8e5..5c6ac99 100644
 ')
 optional_policy(`
-@@ -178,7 +194,7 @@ optional_policy(`
+@@ -178,7 +196,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -32662,7 +32664,7 @@ index 7bab8e5..5c6ac99 100644
 ')
 optional_policy(`
-@@ -198,21 +214,22 @@ optional_policy(`
+@@ -198,21 +216,22 @@ optional_policy(`
 ')
 optional_policy(`
@ -32689,7 +32691,7 @@ index 7bab8e5..5c6ac99 100644
 ')
 optional_policy(`
-@@ -228,10 +245,20 @@ optional_policy(`
+@@ -228,10 +247,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -32710,7 +32712,7 @@ index 7bab8e5..5c6ac99 100644
 	su_exec(logrotate_t)
 ')
-@@ -241,13 +268,11 @@ optional_policy(`
+@@ -241,13 +270,11 @@ optional_policy(`
 #######################################
 #
@ -41731,7 +41733,7 @@ index a1fb3c3..8fe1d63 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..96dbf6f 100644
+index 0e8508c..163b870 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
@@ -2,7 +2,7 @@
@ -41936,7 +41938,13 @@ index 0e8508c..96dbf6f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -212,12 +258,12 @@ interface(`networkmanager_read_pid_files',`
+@@ -207,17 +253,17 @@ interface(`networkmanager_read_pid_files',`
 	')
 	files_search_pids($1)
 -	allow $1 NetworkManager_var_run_t:file read_file_perms;
 +	read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
 ')
 ########################################
 ## <summary>
@ -47641,10 +47649,10 @@ index 0000000..1a26cd5
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..b89f7fc
+index 0000000..30757e2
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,463 @@
+@@ -0,0 +1,467 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@ -47955,6 +47963,10 @@ index 0000000..b89f7fc
 +	ssh_dontaudit_search_user_home_dir(openshift_domain)
 +')
 +
 +optional_policy(`
 +	udev_read_pid_files(openshift_domain)
 +')
 +
 +#######################################################
 +#
 +# Policy for openshift user domain process
@ -48035,7 +48047,7 @@ index 0000000..b89f7fc
 +fs_read_cgroup_files(openshift_cgroup_read_t)
 +
 +allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
-+read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
+manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
 +
 +########################################
 +#
@ -49384,29 +49396,36 @@ index dfd46e4..9515043 100644
 /usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
 diff --git a/pegasus.if b/pegasus.if
-index d2fc677..920b13f 100644
+index d2fc677..22b745a 100644
 --- a/pegasus.if
 +++ b/pegasus.if
-@@ -1,52 +1 @@
+@@ -1,52 +1,37 @@
 ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
-
+ 
 -########################################
-## <summary>
+######################################
 ## <summary>
 -##	All of the rules required to
 -##	administrate an pegasus environment.
-## </summary>
+##  Creates types and rules for a basic
 +##  openlmi init daemon domain.
 ## </summary>
 -## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
-## </param>
+## <param name="prefix">
 +##  <summary>
 +##  Prefix for the domain.
 +##  </summary>
 ## </param>
 -## <param name="role">
 -##	<summary>
 -##	Role allowed access.
 -##	</summary>
 -## </param>
 -## <rolecap/>
-#
+ #
 -interface(`pegasus_admin',`
 -	gen_require(`
 -		type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
@ -49439,18 +49458,46 @@ index d2fc677..920b13f 100644
 -
 -	files_search_pids($1)
 -	admin_pattern($1, pegasus_var_run_t)
-')
+template(`pegasus_openlmi_domain_template',`
 +    gen_require(`
 +        attribute pegasus_openlmi_domain;
 +    ')
 +
 +	##############################
 +	#
 +	# Declarations
 +	#
 +
 +	type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
 +	type $1_exec_t;
 +	init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
 +
 +	##############################
 +	#
 +	# Local policy
 +	#
 +	
 +	domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
 +
 +	kernel_read_system_state(pegasus_openlmi_$1_t)
 +	logging_send_syslog_msg(pegasus_openlmi_$1_t)
 ')
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..e440d35 100644
+index 7bcf327..0ff4cb5 100644
 --- a/pegasus.te
 +++ b/pegasus.te
-@@ -1,4 +1,4 @@
+@@ -1,17 +1,16 @@
 -policy_module(pegasus, 1.8.3)
 +policy_module(pegasus, 1.8.0)
 ########################################
 #
-@@ -9,9 +9,6 @@ type pegasus_t;
+ # Declarations
 #
 +attribute pegasus_openlmi_domain;
 +
 type pegasus_t;
 type pegasus_exec_t;
 init_daemon_domain(pegasus_t, pegasus_exec_t)
@ -49460,7 +49507,29 @@ index 7bcf327..e440d35 100644
 type pegasus_cache_t;
 files_type(pegasus_cache_t)
-@@ -39,11 +36,12 @@ allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac
+@@ -30,20 +29,33 @@ files_type(pegasus_mof_t)
 type pegasus_var_run_t;
 files_pid_file(pegasus_var_run_t)
 +# pegasus openlmi providers
 +#pegasus_openlmi_domain_template(account)
 +
 +#######################################
 +#
 +# pegasus openlmi providers local policy
 +#
 +
 +corecmd_exec_bin(pegasus_openlmi_domain)
 +
 +sysnet_read_config(pegasus_openlmi_domain)
 +
 ########################################
 #
 -# Local policy
 +# pegasus local policy
 #
 allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
 dontaudit pegasus_t self:capability sys_tty_config;
 allow pegasus_t self:process signal;
 allow pegasus_t self:fifo_file rw_fifo_file_perms;
@ -49476,7 +49545,7 @@ index 7bcf327..e440d35 100644
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +52,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +66,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
 manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -49507,7 +49576,7 @@ index 7bcf327..e440d35 100644
 kernel_read_network_state(pegasus_t)
 kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +78,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +92,21 @@ kernel_read_net_sysctls(pegasus_t)
 kernel_read_xen_state(pegasus_t)
 kernel_write_xen_state(pegasus_t)
@ -49540,7 +49609,7 @@ index 7bcf327..e440d35 100644
 corecmd_exec_bin(pegasus_t)
 corecmd_exec_shell(pegasus_t)
-@@ -114,6 +106,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +120,7 @@ files_getattr_all_dirs(pegasus_t)
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
@ -49548,7 +49617,7 @@ index 7bcf327..e440d35 100644
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +121,23 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +135,23 @@ init_stream_connect_script(pegasus_t)
 logging_send_audit_msgs(pegasus_t)
 logging_send_syslog_msg(pegasus_t)
@ -49578,7 +49647,7 @@ index 7bcf327..e440d35 100644
 ')
 optional_policy(`
-@@ -151,16 +149,15 @@ optional_policy(`
+@@ -151,16 +163,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -49598,7 +49667,7 @@ index 7bcf327..e440d35 100644
 ')
 optional_policy(`
-@@ -168,7 +165,7 @@ optional_policy(`
+@@ -168,7 +179,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -75467,7 +75536,7 @@ index 1499b0b..82fc7f6 100644
 -	spamassassin_role($2, $1)
 ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..9e4d192 100644
+index 4faa7e0..3a3ac18 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
@@ -1,4 +1,4 @@
@ -75955,17 +76024,17 @@ index 4faa7e0..9e4d192 100644
 allow spamd_t self:unix_dgram_socket sendto;
 -allow spamd_t self:unix_stream_socket { accept connectto listen };
 -allow spamd_t self:tcp_socket { accept listen };
-+allow spamd_t self:unix_stream_socket connectto;
+-
 +allow spamd_t self:tcp_socket create_stream_socket_perms;
 +allow spamd_t self:udp_socket create_socket_perms;
 -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
-
+allow spamd_t self:unix_stream_socket connectto;
 +allow spamd_t self:tcp_socket create_stream_socket_perms;
 +allow spamd_t self:udp_socket create_socket_perms;
 -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@ -76170,7 +76239,7 @@ index 4faa7e0..9e4d192 100644
 ')
 optional_policy(`
-@@ -474,32 +552,30 @@ optional_policy(`
+@@ -474,32 +552,32 @@ optional_policy(`
 ########################################
 #
@ -76202,16 +76271,18 @@ index 4faa7e0..9e4d192 100644
 -corenet_tcp_sendrecv_generic_if(spamd_update_t)
 -corenet_tcp_sendrecv_generic_node(spamd_update_t)
 -corenet_tcp_sendrecv_all_ports(spamd_update_t)
-+kernel_read_system_state(spamd_update_t)
+allow spamd_update_t spamc_home_t:dir search_dir_perms;
 -corenet_sendrecv_http_client_packets(spamd_update_t)
 +kernel_read_system_state(spamd_update_t)
 +
 +# for updating rules 
 corenet_tcp_connect_http_port(spamd_update_t)
 -corenet_tcp_sendrecv_http_port(spamd_update_t)
 corecmd_exec_bin(spamd_update_t)
 corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +584,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t)
 domain_use_interactive_fds(spamd_update_t)
@ -79437,9 +79508,18 @@ index 38389e6..4847b43 100644
 +/var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
 +/var/run/tgtd.*			-s	gen_context(system_u:object_r:tgtd_var_run_t,s0)
 diff --git a/tgtd.te b/tgtd.te
-index c93c973..0eff459 100644
+index c93c973..08aef1e 100644
 --- a/tgtd.te
 +++ b/tgtd.te
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
 # Local policy
 #
 -allow tgtd_t self:capability sys_resource;
 +allow tgtd_t self:capability { dac_override sys_resource };
 allow tgtd_t self:capability2 block_suspend;
 allow tgtd_t self:process { setrlimit signal };
 allow tgtd_t self:fifo_file rw_fifo_file_perms;
@@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t)
 kernel_read_fs_sysctls(tgtd_t)
@ -79448,15 +79528,16 @@ index c93c973..0eff459 100644
 corenet_tcp_sendrecv_generic_if(tgtd_t)
 corenet_tcp_sendrecv_generic_node(tgtd_t)
 corenet_tcp_bind_generic_node(tgtd_t)
-@@ -69,16 +68,12 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+@@ -69,7 +68,7 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
 dev_read_sysfs(tgtd_t)
 -files_read_etc_files(tgtd_t)
-
+files_list_mnt(tgtd_t)
 fs_read_anon_inodefs_files(tgtd_t)
- storage_manage_fixed_disk(tgtd_t)
+@@ -77,8 +76,6 @@ storage_manage_fixed_disk(tgtd_t)
 logging_send_syslog_msg(tgtd_t)
@ -80827,30 +80908,45 @@ index e29db63..061fb98 100644
 	domain_system_change_exemption($1)
 	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 7116181..ffc2e44 100644
+index 7116181..9815e42 100644
 --- a/tuned.te
 +++ b/tuned.te
-@@ -31,8 +31,9 @@ files_pid_file(tuned_var_run_t)
+@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
 type tuned_log_t;
 logging_log_file(tuned_log_t)
 +type tuned_tmp_t;
 +files_tmp_file(tuned_tmp_t)
 +
 type tuned_var_run_t;
 files_pid_file(tuned_var_run_t)
@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t)
 allow tuned_t self:capability { sys_admin sys_nice };
 dontaudit tuned_t self:capability { dac_override sys_tty_config };
 -allow tuned_t self:process { setsched signal };
 +allow tuned_t self:process {  setsched signal };
 allow tuned_t self:fifo_file rw_fifo_file_perms;
 +allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow tuned_t self:udp_socket create_socket_perms;
 read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
 exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-@@ -44,7 +45,7 @@ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+@@ -44,7 +49,11 @@ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
 append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
 create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
 setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
 -logging_log_filetrans(tuned_t, tuned_log_t, file)
 +logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
 +
 +manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
 +manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
 +files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir })
 manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
 manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-@@ -57,6 +58,7 @@ kernel_request_load_module(tuned_t)
+@@ -57,6 +66,7 @@ kernel_request_load_module(tuned_t)
 kernel_rw_kernel_sysctl(tuned_t)
 kernel_rw_hotplug_sysctls(tuned_t)
 kernel_rw_vm_sysctls(tuned_t)
@ -80858,7 +80954,7 @@ index 7116181..ffc2e44 100644
 corecmd_exec_bin(tuned_t)
 corecmd_exec_shell(tuned_t)
-@@ -67,28 +69,44 @@ dev_read_urand(tuned_t)
+@@ -67,28 +77,44 @@ dev_read_urand(tuned_t)
 dev_rw_sysfs(tuned_t)
 dev_rw_netcontrol(tuned_t)
@ -80866,10 +80962,10 @@ index 7116181..ffc2e44 100644
 files_dontaudit_search_home(tuned_t)
 -files_dontaudit_list_tmp(tuned_t)
 +files_list_tmp(tuned_t)
 +
 +fs_getattr_all_fs(tuned_t)
 -fs_getattr_xattr_fs(tuned_t)
 +fs_getattr_all_fs(tuned_t)
 +
 +auth_use_nsswitch(tuned_t)
 logging_send_syslog_msg(tuned_t)
@ -84048,7 +84144,7 @@ index 9dec06c..d8a2b54 100644
 +	allow svirt_lxc_domain $1:process sigchld;
 ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..def6a6b 100644
+index 1f22fba..64b70d6 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,94 +1,98 @@
@ -84510,9 +84606,7 @@ index 1f22fba..def6a6b 100644
 -
 -dontaudit svirt_t virt_content_t:file write_file_perms;
 -dontaudit svirt_t virt_content_t:dir rw_dir_perms;
-+allow svirt_tcg_t self:process { execmem execstack };
+-
 +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
 -append_files_pattern(svirt_t, virt_home_t, virt_home_t)
 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
@ -84541,7 +84635,9 @@ index 1f22fba..def6a6b 100644
 -corenet_sendrecv_all_server_packets(svirt_t)
 -corenet_udp_bind_all_ports(svirt_t)
 -corenet_tcp_bind_all_ports(svirt_t)
-
+allow svirt_tcg_t self:process { execmem execstack };
 +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
 -corenet_sendrecv_all_client_packets(svirt_t)
 -corenet_tcp_connect_all_ports(svirt_t)
 +corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@ -85172,8 +85268,9 @@ index 1f22fba..def6a6b 100644
 +typealias virsh_exec_t alias xm_exec_t;
 -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
 -allow virsh_t self:process { getcap getsched setsched setcap signal };
 +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config };
- allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
 allow virsh_t self:fifo_file rw_fifo_file_perms;
 -allow virsh_t self:unix_stream_socket { accept connectto listen };
 -allow virsh_t self:tcp_socket { accept listen };
@ -85190,7 +85287,7 @@ index 1f22fba..def6a6b 100644
 manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
 manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +802,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +802,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@ -85203,12 +85300,12 @@ index 1f22fba..def6a6b 100644
 -dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 -
 -allow virsh_t svirt_lxc_domain:process transition;
 -
 -can_exec(virsh_t, virsh_exec_t)
 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +virt_filetrans_named_content(virsh_t)
 -can_exec(virsh_t, virsh_exec_t)
 -
 -virt_domtrans(virsh_t)
 -virt_manage_images(virsh_t)
 -virt_manage_config(virsh_t)
@ -85216,10 +85313,11 @@ index 1f22fba..def6a6b 100644
 +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
 -kernel_read_crypto_sysctls(virsh_t)
 +kernel_write_proc_files(virsh_t)
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +820,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +821,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -85246,7 +85344,7 @@ index 1f22fba..def6a6b 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +840,21 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +841,21 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -85277,7 +85375,7 @@ index 1f22fba..def6a6b 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
 	fs_manage_nfs_files(virsh_t)
-@@ -847,6 +872,10 @@ optional_policy(`
+@@ -847,6 +873,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -85288,7 +85386,7 @@ index 1f22fba..def6a6b 100644
 	rpm_exec(virsh_t)
 ')
-@@ -854,7 +883,7 @@ optional_policy(`
+@@ -854,7 +884,7 @@ optional_policy(`
 	xen_manage_image_dirs(virsh_t)
 	xen_append_log(virsh_t)
 	xen_domtrans(virsh_t)
@ -85297,7 +85395,7 @@ index 1f22fba..def6a6b 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -879,34 +908,40 @@ optional_policy(`
+@@ -879,34 +909,40 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -85348,7 +85446,7 @@ index 1f22fba..def6a6b 100644
 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +951,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +952,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
 allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@ -85364,7 +85462,7 @@ index 1f22fba..def6a6b 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +971,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +972,8 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -85375,7 +85473,7 @@ index 1f22fba..def6a6b 100644
 files_relabel_rootfs(virtd_lxc_t)
 files_mounton_non_security(virtd_lxc_t)
 files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +980,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +981,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
 files_list_isid_type_dirs(virtd_lxc_t)
 files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@ -85383,7 +85481,7 @@ index 1f22fba..def6a6b 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +992,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +993,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -85402,7 +85500,7 @@ index 1f22fba..def6a6b 100644
 term_use_generic_ptys(virtd_lxc_t)
 term_use_ptmx(virtd_lxc_t)
-@@ -973,20 +1006,38 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,20 +1007,38 @@ auth_use_nsswitch(virtd_lxc_t)
 logging_send_syslog_msg(virtd_lxc_t)
@ -85447,7 +85545,7 @@ index 1f22fba..def6a6b 100644
 allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
 allow svirt_lxc_domain self:fifo_file manage_file_perms;
 allow svirt_lxc_domain self:sem create_sem_perms;
-@@ -995,19 +1046,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,19 +1047,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
 allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
 allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@ -85467,7 +85565,7 @@ index 1f22fba..def6a6b 100644
 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1053,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1054,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@ -85486,7 +85584,7 @@ index 1f22fba..def6a6b 100644
 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
 corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1072,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1073,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
 files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
 files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
 files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@ -85513,7 +85611,7 @@ index 1f22fba..def6a6b 100644
 auth_dontaudit_read_login_records(svirt_lxc_domain)
 auth_dontaudit_write_login_records(svirt_lxc_domain)
 auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,11 +1097,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,11 +1098,16 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
 libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@ -85522,15 +85620,17 @@ index 1f22fba..def6a6b 100644
 miscfiles_read_fonts(svirt_lxc_domain)
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +systemd_read_unit_files(svirt_lxc_domain)
 +
 +userdom_use_inherited_user_terminals(svirt_lxc_domain)
 +
 +optional_policy(`
 +	mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +')
 +
 +systemd_read_unit_files(svirt_lxc_domain)
 optional_policy(`
 	udev_read_pid_files(svirt_lxc_domain)
-@@ -1078,81 +1115,67 @@ optional_policy(`
+@@ -1078,81 +1118,67 @@ optional_policy(`
 	apache_read_sys_content(svirt_lxc_domain)
 ')
@ -85638,7 +85738,7 @@ index 1f22fba..def6a6b 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1188,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1191,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -85653,7 +85753,7 @@ index 1f22fba..def6a6b 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1183,9 +1206,8 @@ optional_policy(`
+@@ -1183,9 +1209,8 @@ optional_policy(`
 ########################################
 #
@ -85664,7 +85764,7 @@ index 1f22fba..def6a6b 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1220,65 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1223,65 @@ kernel_read_network_state(virt_bridgehelper_t)
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@ -85731,7 +85831,7 @@ index 1f22fba..def6a6b 100644
 +
 +type svirt_socket_t;
 +role system_r types svirt_socket_t;
-+allow svirt_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
 diff --git a/vlock.te b/vlock.te
 index 9ead775..b5285e7 100644
 --- a/vlock.te
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -521,6 +521,22 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Thu Feb 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-13
 - virsh now does a setexeccon call
 - Additional rules required by openshift domains
 - Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work
 - Allow spamd_update_t to search spamc_home_t
 - Avcs discovered by mounting an isci device under /mnt
 - Allow lspci running as logrotate to read pci.ids
 - Additional fix for networkmanager_read_pid_files()
 - Fix networkmanager_read_pid_files() interface
 - Allow all svirt domains to connect to svirt_socket_t
 - Allow virsh to set SELinux context for a process.
 - Allow tuned to create netlink_kobject_uevent_socket
 - Allow systemd-timestamp to set SELinux context
 - Add support for /var/lib/systemd/linger
 - Fix ssh_sysadm_login to be working on MLS as expected
 * Mon Feb 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-12
 - Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file
 - Add missing files_rw_inherited_tmp_files interface