- Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)

- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182) - Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t. - init_t domain should be running without unconfined_domain attribute. - Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill. - Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions. - systemd needs to access /dev/rfkill on early boot. - Allow dspam to read /etc/passwd
2015-12-07 09:19:29 +01:00 · 2015-12-07 09:19:29 +01:00 · 2b449e6e35
commit 2b449e6e35
parent 71a663b812
4 changed files with 164 additions and 59 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -32286,7 +32286,7 @@ index bc0ffc8..37b8ea5 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..af3877f 100644
+index 79a45f6..e69fa39 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -33416,7 +33416,7 @@ index 79a45f6..af3877f 100644
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2418,492 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2418,511 @@ interface(`init_udp_recvfrom_all_daemons',`
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
@ -33909,8 +33909,27 @@ index 79a45f6..af3877f 100644
 +	files_search_var_lib($1)
 +	read_files_pattern($1, init_var_lib_t, init_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Search systemd lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`init_search_var_lib_dirs',`
 +	gen_require(`
 +		type init_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..6d9bef0 100644
+index 17eda24..91eaead 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -34135,7 +34154,7 @@ index 17eda24..6d9bef0 100644
 # file descriptors inherited from the rootfs:
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +257,62 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +257,64 @@ fs_list_inotifyfs(init_t)
 fs_write_ramfs_sockets(init_t)
 mcs_process_set_categories(init_t)
@ -34198,12 +34217,14 @@ index 17eda24..6d9bef0 100644
 -miscfiles_read_localization(init_t)
 +userdom_transition_login_userdomain(init_t)
 +userdom_noatsecure_login_userdomain(init_t)
 +userdom_sigchld_login_userdomain(init_t)
 +
 +allow init_t self:process setsched;
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +321,239 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +323,240 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -34306,6 +34327,7 @@ index 17eda24..6d9bef0 100644
 +dev_relabel_all_dev_files(init_t)
 +dev_manage_sysfs_dirs(init_t)
 +dev_relabel_sysfs_dirs(init_t)
 +dev_rw_wireless(init_t)
 +
 +files_search_all(init_t)
 +files_mounton_all_mountpoints(init_t)
@ -34452,10 +34474,11 @@ index 17eda24..6d9bef0 100644
 ')
 optional_policy(`
-@@ -216,7 +561,31 @@ optional_policy(`
+@@ -216,7 +564,30 @@ optional_policy(`
 ')
 optional_policy(`
 -	unconfined_domain(init_t)
 +	rpcbind_filetrans_named_content(init_t)
 +	rpcbind_relabel_sock_file(init_t)
 +')
@ -34478,13 +34501,12 @@ index 17eda24..6d9bef0 100644
 +')
 +
 +optional_policy(`
 	unconfined_domain(init_t)
 +	domain_named_filetrans(init_t)
 +	unconfined_server_domtrans(init_t)
 ')
 ########################################
-@@ -225,9 +594,9 @@ optional_policy(`
+@@ -225,9 +596,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -34496,7 +34518,7 @@ index 17eda24..6d9bef0 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -258,12 +627,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +629,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -34513,7 +34535,7 @@ index 17eda24..6d9bef0 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +652,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +654,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -34556,7 +34578,7 @@ index 17eda24..6d9bef0 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +689,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +691,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -34568,7 +34590,7 @@ index 17eda24..6d9bef0 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +701,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +703,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -34579,7 +34601,7 @@ index 17eda24..6d9bef0 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +712,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +714,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -34589,7 +34611,7 @@ index 17eda24..6d9bef0 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +721,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +723,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -34597,7 +34619,7 @@ index 17eda24..6d9bef0 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +728,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +730,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -34605,7 +34627,7 @@ index 17eda24..6d9bef0 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +736,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +738,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -34623,7 +34645,7 @@ index 17eda24..6d9bef0 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +754,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +756,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -34637,7 +34659,7 @@ index 17eda24..6d9bef0 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +769,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +771,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -34651,7 +34673,7 @@ index 17eda24..6d9bef0 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +782,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +784,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -34662,7 +34684,7 @@ index 17eda24..6d9bef0 100644
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +795,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +797,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -34670,7 +34692,7 @@ index 17eda24..6d9bef0 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +814,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +816,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -34694,7 +34716,7 @@ index 17eda24..6d9bef0 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +847,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +849,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -34702,7 +34724,7 @@ index 17eda24..6d9bef0 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +881,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +883,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -34713,7 +34735,7 @@ index 17eda24..6d9bef0 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -506,7 +905,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +907,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -34722,7 +34744,7 @@ index 17eda24..6d9bef0 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -521,6 +920,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +922,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -34730,7 +34752,7 @@ index 17eda24..6d9bef0 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +941,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +943,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -34738,7 +34760,7 @@ index 17eda24..6d9bef0 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +951,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +953,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -34783,7 +34805,7 @@ index 17eda24..6d9bef0 100644
 	')
 	optional_policy(`
-@@ -559,14 +996,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +998,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -34815,7 +34837,7 @@ index 17eda24..6d9bef0 100644
 	')
 ')
-@@ -577,6 +1031,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1033,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -34855,7 +34877,7 @@ index 17eda24..6d9bef0 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1076,8 @@ optional_policy(`
+@@ -589,6 +1078,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -34864,7 +34886,7 @@ index 17eda24..6d9bef0 100644
 ')
 optional_policy(`
-@@ -610,6 +1099,7 @@ optional_policy(`
+@@ -610,6 +1101,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -34872,7 +34894,7 @@ index 17eda24..6d9bef0 100644
 ')
 optional_policy(`
-@@ -626,6 +1116,17 @@ optional_policy(`
+@@ -626,6 +1118,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -34890,7 +34912,7 @@ index 17eda24..6d9bef0 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -642,9 +1143,13 @@ optional_policy(`
+@@ -642,9 +1145,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -34904,7 +34926,7 @@ index 17eda24..6d9bef0 100644
 	')
 	optional_policy(`
-@@ -657,15 +1162,11 @@ optional_policy(`
+@@ -657,15 +1164,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -34922,7 +34944,7 @@ index 17eda24..6d9bef0 100644
 ')
 optional_policy(`
-@@ -686,6 +1187,15 @@ optional_policy(`
+@@ -686,6 +1189,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -34938,7 +34960,7 @@ index 17eda24..6d9bef0 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -726,6 +1236,7 @@ optional_policy(`
+@@ -726,6 +1238,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -34946,7 +34968,7 @@ index 17eda24..6d9bef0 100644
 ')
 optional_policy(`
-@@ -743,7 +1254,13 @@ optional_policy(`
+@@ -743,7 +1256,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -34961,7 +34983,7 @@ index 17eda24..6d9bef0 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -766,6 +1283,10 @@ optional_policy(`
+@@ -766,6 +1285,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -34972,7 +34994,7 @@ index 17eda24..6d9bef0 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1296,20 @@ optional_policy(`
+@@ -775,10 +1298,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -34993,7 +35015,7 @@ index 17eda24..6d9bef0 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -787,6 +1318,10 @@ optional_policy(`
+@@ -787,6 +1320,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -35004,7 +35026,7 @@ index 17eda24..6d9bef0 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -808,8 +1343,6 @@ optional_policy(`
+@@ -808,8 +1345,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -35013,7 +35035,7 @@ index 17eda24..6d9bef0 100644
 ')
 optional_policy(`
-@@ -818,6 +1351,10 @@ optional_policy(`
+@@ -818,6 +1353,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -35024,7 +35046,7 @@ index 17eda24..6d9bef0 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1364,12 @@ optional_policy(`
+@@ -827,10 +1366,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -35037,7 +35059,7 @@ index 17eda24..6d9bef0 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1396,60 @@ optional_policy(`
+@@ -857,21 +1398,60 @@ optional_policy(`
 ')
 optional_policy(`
@ -35099,7 +35121,7 @@ index 17eda24..6d9bef0 100644
 ')
 optional_policy(`
-@@ -887,6 +1465,10 @@ optional_policy(`
+@@ -887,6 +1467,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -35110,7 +35132,7 @@ index 17eda24..6d9bef0 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1479,218 @@ optional_policy(`
+@@ -897,3 +1481,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -38292,7 +38314,7 @@ index 59b04c1..e1ec2e8 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 6b91740..5c1669a 100644
+index 6b91740..3af8a10 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
@ -38333,7 +38355,7 @@ index 6b91740..5c1669a 100644
 /sbin/lvreduce		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvrename		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -89,8 +96,75 @@ ifdef(`distro_gentoo',`
+@@ -89,8 +96,76 @@ ifdef(`distro_gentoo',`
 #
 # /usr
 #
@ -38363,6 +38385,7 @@ index 6b91740..5c1669a 100644
 +/usr/sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmpolld      --  gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmlockd      --  gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvreduce		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvrename		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@ -38411,7 +38434,7 @@ index 6b91740..5c1669a 100644
 #
 # /var
-@@ -98,5 +172,9 @@ ifdef(`distro_gentoo',`
+@@ -98,5 +173,9 @@ ifdef(`distro_gentoo',`
 /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
 /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
 /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@ -43456,10 +43479,10 @@ index a392fc4..78fa512 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..85ef000
+index 0000000..884ac5c
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,59 @@
 +HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +/root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +
@ -43482,6 +43505,7 @@ index 0000000..85ef000
 +/usr/lib/systemd/system/systemd-machined\.service	--	gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-networkd\.service     gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-vconsole-setup\.service		gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-rfkill\.service	--	gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-time.*\.service	--	gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
 +/usr/lib/systemd/system/.*halt.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*hibernate.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
@ -43492,6 +43516,7 @@ index 0000000..85ef000
 +/usr/lib/systemd/system/.*suspend.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/systemd-hostnamed	--	gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
 +/usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
 +/usr/lib/systemd/systemd-rfkill     --  gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
 +/usr/lib/systemd/systemd-sysctl		--	gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
 +/usr/lib/systemd/systemd-timedated	--	gen_context(system_u:object_r:systemd_timedated_exec_t,s0)
 +/usr/lib/systemd/systemd-logind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
@ -43501,6 +43526,7 @@ index 0000000..85ef000
 +/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +
 +/var/lib/machines(/.*)?			gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
 +/var/lib/systemd/rfkill(/.*)?         gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
 +/var/lib/systemd/linger(/.*)?  		gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
 +/var/lib/random-seed 		gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
 +/usr/var/lib/random-seed 	gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
@ -45164,10 +45190,10 @@ index 0000000..c253b33
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..3358b07
+index 0000000..decb7c3
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,791 @@
+@@ -0,0 +1,822 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -45246,6 +45272,14 @@ index 0000000..3358b07
 +type hostname_etc_t;
 +files_config_file(hostname_etc_t)
 +
 +systemd_domain_template(systemd_rfkill)
 +
 +type systemd_rfkill_unit_file_t;
 +systemd_unit_file(systemd_rfkill_unit_file_t)
 +
 +type systemd_rfkill_var_lib_t;
 +files_type(systemd_rfkill_var_lib_t)
 +
 +systemd_domain_template(systemd_timedated)
 +typeattribute systemd_timedated_t systemd_domain;
 +typealias systemd_timedated_t alias gnomeclock_t;
@ -45518,6 +45552,8 @@ index 0000000..3358b07
 +sysnet_manage_config(systemd_networkd_t)
 +sysnet_manage_config_dirs(systemd_networkd_t)
 +
 +systemd_dbus_chat_hostnamed(systemd_networkd_t)
 +
 +init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif")
 +
 +optional_policy(`
@ -45820,8 +45856,29 @@ index 0000000..3358b07
 +
 +#######################################
 +#
 +# rfkill policy
 +#
 +
 +allow systemd_rfkill_t self:capability net_admin;
 +
 +manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 +
 +kernel_dgram_send(systemd_rfkill_t)
 +
 +dev_read_sysfs(systemd_rfkill_t)
 +dev_rw_wireless(systemd_rfkill_t)
 +
 +init_search_var_lib_dirs(systemd_rfkill_t)
 +
 +optional_policy(`
 +    udev_read_db(systemd_rfkill_t)
 +')
 +
 +#######################################
 +#
 +# Timedated policy
 +#
 +
 +allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
 +allow systemd_timedated_t self:process { getattr getsched setfscreate };
 +allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
@ -47372,7 +47429,7 @@ index db75976..c54480a 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..c0265be 100644
+index 9dc60c6..cb235f4 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -50674,7 +50731,7 @@ index 9dc60c6..c0265be 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3435,4 +4622,1727 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4622,1763 @@ interface(`userdom_dbus_send_all_users',`
 	')
 	allow $1 userdomain:dbus send_msg;
@ -52216,6 +52273,42 @@ index 9dc60c6..c0265be 100644
 +
 +########################################
 +## <summary>
 +##	Allow caller noatsecure permission.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_noatsecure_login_userdomain',`
 +	gen_require(`
 +		attribute login_userdomain;
 +	')
 +
 +	allow $1 login_userdomain:process noatsecure ;
 +')
 +
 +########################################
 +## <summary>
 +##	Allow caller to send sigchld to login userdomain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_sigchld_login_userdomain',`
 +	gen_require(`
 +		attribute login_userdomain;
 +	')
 +
 +	allow $1 login_userdomain:process sigchld;
 +')
 +
 +########################################
 +## <summary>
 +##	Add caller login userdomain attribute.
 +## </summary>
 +## <param name="domain">
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -27037,7 +27037,7 @@ index 18f2452..a446210 100644
 +
 ')
 diff --git a/dspam.te b/dspam.te
-index ef62363..1ec4d89 100644
+index ef62363..0841716 100644
 --- a/dspam.te
 +++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@ -27063,7 +27063,7 @@ index ef62363..1ec4d89 100644
 files_search_spool(dspam_t)
-@@ -64,14 +73,30 @@ auth_use_nsswitch(dspam_t)
+@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
 logging_send_syslog_msg(dspam_t)
@ -27075,6 +27075,8 @@ index ef62363..1ec4d89 100644
 +
 +	read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
 +
 +    auth_read_passwd(dspam_script_t)
 +
 +	files_search_var_lib(dspam_script_t)
 +
 +	domain_dontaudit_read_all_domains_state(dspam_script_t)
@ -27099,7 +27101,7 @@ index ef62363..1ec4d89 100644
 ')
 optional_policy(`
-@@ -87,3 +112,12 @@ optional_policy(`
+@@ -87,3 +114,12 @@ optional_policy(`
 	postgresql_tcp_connect(dspam_t)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 161%{?dist}
+Release: 162%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -664,6 +664,16 @@ exit 0
 %endif
 %changelog
 * Mon Dec 07 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-162
 - Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)
 - Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)
 - Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t.
 - init_t domain should be running without unconfined_domain attribute.
 - Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill.
 - Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions.
 - systemd needs to access /dev/rfkill on early boot.
 - Allow dspam to read /etc/passwd
 * Mon Nov 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-161
 - Set default value as true in boolean mozilla_plugin_can_network_connect. BZ(1286177)