- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow s

- Allow bootloader to manage generic log files - Allow ftp to bind to port 989 - Fix label of new gear directory - Add support for new directory /var/lib/openshift/gears/ - Add openshift_manage_lib_dirs() - allow virtd domains to manage setrans_var_run_t - Allow useradd to manage all openshift content - Add support so that mozilla_plugin_t can use dri devices - Allow chronyd to change the scheduler - Allow apmd to shut downthe system - Devicekit_disk_t needs to manage /etc/fstab
2013-06-28 21:52:00 +02:00 · 2013-06-28 21:52:00 +02:00 · 2d4ef1c07b
commit 2d4ef1c07b
parent c23c3b2097
3 changed files with 659 additions and 524 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -6956,7 +6956,7 @@ index 1a7a97e..1d29dce 100644
 	domain_system_change_exemption($1)
 	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 3590e2f..5d9ac1d 100644
+index 3590e2f..e1494bd 100644
 --- a/apm.te
 +++ b/apm.te
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
@ -6987,16 +6987,26 @@ index 3590e2f..5d9ac1d 100644
 allow apmd_t self:process { signal_perms getsession };
 allow apmd_t self:fifo_file rw_fifo_file_perms;
 allow apmd_t self:netlink_socket create_socket_perms;
-@@ -115,8 +118,6 @@ fs_dontaudit_getattr_all_symlinks(apmd_t)
+@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
 fs_dontaudit_getattr_all_symlinks(apmd_t)
 fs_dontaudit_getattr_all_pipes(apmd_t)
 fs_dontaudit_getattr_all_sockets(apmd_t)
 -selinux_search_fs(apmd_t)
 -
 -selinux_search_fs(apmd_t)
 +fs_read_cgroup_files(apmd_t)
 corecmd_exec_all_executables(apmd_t)
- domain_read_all_domains_state(apmd_t)
+@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
-@@ -136,17 +137,16 @@ libs_exec_lib_files(apmd_t)
+ auth_use_nsswitch(apmd_t)
 init_domtrans_script(apmd_t)
 +init_read_utmp(apmd_t)
 +init_telinit(apmd_t)
 libs_exec_ld_so(apmd_t)
 libs_exec_lib_files(apmd_t)
@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t)
 logging_send_audit_msgs(apmd_t)
 logging_send_syslog_msg(apmd_t)
@ -7016,7 +7026,7 @@ index 3590e2f..5d9ac1d 100644
 optional_policy(`
 	automount_domtrans(apmd_t)
-@@ -206,11 +206,15 @@ optional_policy(`
+@@ -206,11 +209,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -10908,7 +10918,7 @@ index 32e8265..0de4af3 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
 ')
 diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..1544e9b 100644
+index 914ee2d..72fab35 100644
 --- a/chronyd.te
 +++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -10926,7 +10936,7 @@ index 914ee2d..1544e9b 100644
 #
 -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_resource sys_time };
+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time };
 allow chronyd_t self:process { getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
 +allow chronyd_t self:udp_socket create_socket_perms;
@ -19484,7 +19494,7 @@ index d294865..3b4f593 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 ')
 diff --git a/devicekit.te b/devicekit.te
-index ff933af..101bc81 100644
+index ff933af..d75b565 100644
 --- a/devicekit.te
 +++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@ -19550,15 +19560,17 @@ index ff933af..101bc81 100644
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_manage_generic_files(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
-@@ -117,7 +119,6 @@ files_manage_boot_dirs(devicekit_disk_t)
+@@ -116,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
 files_manage_boot_dirs(devicekit_disk_t)
 files_manage_isid_type_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
 +files_manage_etc_files(devicekit_disk_t)
 files_read_etc_runtime_files(devicekit_disk_t)
 -files_read_usr_files(devicekit_disk_t)
 fs_getattr_all_fs(devicekit_disk_t)
 fs_list_inotifyfs(devicekit_disk_t)
-@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -134,16 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
 storage_raw_read_removable_device(devicekit_disk_t)
 storage_raw_write_removable_device(devicekit_disk_t)
@ -19579,7 +19591,7 @@ index ff933af..101bc81 100644
 	dbus_system_bus_client(devicekit_disk_t)
 	allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -167,6 +170,7 @@ optional_policy(`
+@@ -167,6 +171,7 @@ optional_policy(`
 optional_policy(`
 	mount_domtrans(devicekit_disk_t)
@ -19587,7 +19599,7 @@ index ff933af..101bc81 100644
 ')
 optional_policy(`
-@@ -180,6 +184,11 @@ optional_policy(`
+@@ -180,6 +185,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -19599,7 +19611,7 @@ index ff933af..101bc81 100644
 	udev_domtrans(devicekit_disk_t)
 	udev_read_db(devicekit_disk_t)
 ')
-@@ -188,12 +197,19 @@ optional_policy(`
+@@ -188,12 +198,19 @@ optional_policy(`
 	virt_manage_images(devicekit_disk_t)
 ')
@ -19620,7 +19632,7 @@ index ff933af..101bc81 100644
 allow devicekit_power_t self:process { getsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -207,9 +224,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@ -19631,7 +19643,7 @@ index ff933af..101bc81 100644
 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
 manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -242,17 +257,16 @@ domain_read_all_domains_state(devicekit_power_t)
 files_read_kernel_img(devicekit_power_t)
 files_read_etc_runtime_files(devicekit_power_t)
@ -19651,7 +19663,7 @@ index ff933af..101bc81 100644
 sysnet_domtrans_ifconfig(devicekit_power_t)
 sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +282,11 @@ optional_policy(`
+@@ -269,9 +283,11 @@ optional_policy(`
 optional_policy(`
 	cron_initrc_domtrans(devicekit_power_t)
@ -19663,7 +19675,7 @@ index ff933af..101bc81 100644
 	dbus_system_bus_client(devicekit_power_t)
 	allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +317,11 @@ optional_policy(`
+@@ -302,8 +318,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -19676,7 +19688,7 @@ index ff933af..101bc81 100644
 	hal_manage_pid_dirs(devicekit_power_t)
 	hal_manage_pid_files(devicekit_power_t)
 ')
-@@ -341,3 +359,9 @@ optional_policy(`
+@@ -341,3 +360,9 @@ optional_policy(`
 optional_policy(`
 	vbetool_domtrans(devicekit_power_t)
 ')
@ -30142,7 +30154,7 @@ index 16b1666..01673a4 100644
 -	admin_pattern($1, jabberd_var_run_t)
 ')
 diff --git a/jabber.te b/jabber.te
-index bb12c90..fb916e0 100644
+index bb12c90..62d511b 100644
 --- a/jabber.te
 +++ b/jabber.te
@@ -1,4 +1,4 @@
@ -30151,7 +30163,7 @@ index bb12c90..fb916e0 100644
 ########################################
 #
-@@ -9,129 +9,131 @@ attribute jabberd_domain;
+@@ -9,129 +9,133 @@ attribute jabberd_domain;
 jabber_domain_template(jabberd)
 jabber_domain_template(jabberd_router)
@ -30264,65 +30276,67 @@ index bb12c90..fb916e0 100644
 +userdom_dontaudit_search_user_home_dirs(jabberd_t)
 -manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
-+optional_policy(`
+miscfiles_read_certs(jabberd_t)
 +	seutil_sigchld_newrole(jabberd_t)
 +')
 -manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
 -files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
 +optional_policy(`
-+	udev_read_db(jabberd_t)
+	seutil_sigchld_newrole(jabberd_t)
 +')
 -kernel_read_kernel_sysctls(jabberd_t)
 +optional_policy(`
 +	udev_read_db(jabberd_t)
 +')
 -corenet_sendrecv_jabber_client_server_packets(jabberd_t)
 -corenet_tcp_bind_jabber_client_port(jabberd_t)
 -corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
 +######################################
 +#
 +# Local policy for pyicq-t
 +#
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_client_port(jabberd_t)
+-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
+-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
 +# need for /var/log/pyicq-t.log
 +manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
 +logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+-dev_read_rand(jabberd_t)
 -corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 -corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
 +manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
-dev_read_rand(jabberd_t)
+-domain_use_interactive_fds(jabberd_t)
 +files_search_spool(pyicqt_t)
 +manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
-domain_use_interactive_fds(jabberd_t)
+-files_read_etc_files(jabberd_t)
 -files_read_etc_runtime_files(jabberd_t)
 +corenet_tcp_bind_jabber_router_port(pyicqt_t)
 +corenet_tcp_connect_jabber_router_port(pyicqt_t)
-files_read_etc_files(jabberd_t)
+-fs_search_auto_mountpoints(jabberd_t)
 -files_read_etc_runtime_files(jabberd_t)
 +corecmd_exec_bin(pyicqt_t)
 -fs_search_auto_mountpoints(jabberd_t)
 +dev_read_urand(pyicqt_t)
 -sysnet_read_config(jabberd_t)
-+auth_use_nsswitch(pyicqt_t)
+dev_read_urand(pyicqt_t)
 -userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 -userdom_dontaudit_search_user_home_dirs(jabberd_t)
-+# needed for pyicq-t-mysql
+auth_use_nsswitch(pyicqt_t)
 +optional_policy(`
 +	corenet_tcp_connect_mysqld_port(pyicqt_t)
 +')
 +# needed for pyicq-t-mysql
 optional_policy(`
 -	udev_read_db(jabberd_t)
-+	sysnet_use_ldap(pyicqt_t)
+	corenet_tcp_connect_mysqld_port(pyicqt_t)
 ')
 -########################################
 +optional_policy(`
 +	sysnet_use_ldap(pyicqt_t)
 +')
 +
 +#######################################
 #
 -# Router local policy
@ -38524,7 +38538,7 @@ index 6194b80..5fe7031 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..0a31eec 100644
+index 6a306ee..cfaf593 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -1,4 +1,4 @@
@ -38968,7 +38982,7 @@ index 6a306ee..0a31eec 100644
 ')
 optional_policy(`
-@@ -300,221 +324,180 @@ optional_policy(`
+@@ -300,221 +324,181 @@ optional_policy(`
 ########################################
 #
@ -39169,14 +39183,14 @@ index 6a306ee..0a31eec 100644
 +dev_write_sound(mozilla_plugin_t)
 +# for nvidia driver
 dev_rw_xserver_misc(mozilla_plugin_t)
-
+dev_rwx_zero(mozilla_plugin_t)
 +dev_dontaudit_read_mtrr(mozilla_plugin_t)
 +xserver_dri_domain(mozilla_plugin_t)
 -dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
 -dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
 -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
 -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
 +dev_rwx_zero(mozilla_plugin_t)
 +dev_dontaudit_read_mtrr(mozilla_plugin_t)
 +dev_dontaudit_rw_dri(mozilla_plugin_t)
 +dev_dontaudit_getattr_all(mozilla_plugin_t)
 domain_use_interactive_fds(mozilla_plugin_t)
@ -39289,7 +39303,7 @@ index 6a306ee..0a31eec 100644
 ')
 optional_policy(`
-@@ -523,36 +506,48 @@ optional_policy(`
+@@ -523,36 +507,48 @@ optional_policy(`
 ')
 optional_policy(`
@ -39351,7 +39365,7 @@ index 6a306ee..0a31eec 100644
 ')
 optional_policy(`
-@@ -560,7 +555,7 @@ optional_policy(`
+@@ -560,7 +556,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -39360,7 +39374,7 @@ index 6a306ee..0a31eec 100644
 ')
 optional_policy(`
-@@ -568,108 +563,118 @@ optional_policy(`
+@@ -568,108 +564,118 @@ optional_policy(`
 ')
 optional_policy(`
@ -49486,10 +49500,10 @@ index 0000000..f2d6119
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..bddd4b3
+index 0000000..fdc4a03
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,677 @@
+@@ -0,0 +1,700 @@
 +
 +## <summary> policy for openshift </summary>
 +
@ -49814,7 +49828,8 @@ index 0000000..bddd4b3
 +
 +########################################
 +## <summary>
-+##	Manage openshift lib dirs files.
+##	Create, read, write, and delete
 +##	openshift lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -49831,6 +49846,28 @@ index 0000000..bddd4b3
 +	manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage openshift lib content.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`openshift_manage_content',`
 +	gen_require(`
 +		attribute openshift_file_type;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_dirs_pattern($1, openshift_file_type, openshift_file_type)
 +	manage_files_pattern($1, openshift_file_type, openshift_file_type)
 +	manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type)
 +	manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
 +')
 +
 +#######################################
 +## <summary>
 +##	Create private objects in the
@ -89001,7 +89038,7 @@ index 9dec06c..7877729 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
 ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..253d98d 100644
+index 1f22fba..7a305c4 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,94 +1,98 @@
@ -89631,14 +89668,14 @@ index 1f22fba..253d98d 100644
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 -
 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 -
 -can_exec(virtd_t, virt_tmp_t)
 -
 -kernel_read_crypto_sysctls(virtd_t)
@ -89774,15 +89811,16 @@ index 1f22fba..253d98d 100644
 	fs_manage_cifs_files(virtd_t)
 	fs_read_cifs_symlinks(virtd_t)
 ')
-@@ -658,95 +496,321 @@ optional_policy(`
+@@ -658,95 +496,325 @@ optional_policy(`
 	')
 	optional_policy(`
 -		firewalld_dbus_chat(virtd_t)
 +		hal_dbus_chat(virtd_t)
-+	')
+ 	')
-+
+ 
-+	optional_policy(`
+ 	optional_policy(`
 -		hal_dbus_chat(virtd_t)
 +		networkmanager_dbus_chat(virtd_t)
 	')
 +')
@ -89848,6 +89886,10 @@ index 1f22fba..253d98d 100644
 +')
 +
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_t)
 +')
 +
 +optional_policy(`
 +	kernel_read_xen_state(virtd_t)
 +	kernel_write_xen_state(virtd_t)
 +
@ -89981,21 +90023,18 @@ index 1f22fba..253d98d 100644
 +storage_raw_read_removable_device(virt_domain)
 -	optional_policy(`
-		hal_dbus_chat(virtd_t)
+-		networkmanager_dbus_chat(virtd_t)
 -	')
 +sysnet_read_config(virt_domain)
 -	optional_policy(`
-		networkmanager_dbus_chat(virtd_t)
+-		policykit_dbus_chat(virtd_t)
 -	')
 +term_use_all_inherited_terms(virt_domain)
 +term_getattr_pty_fs(virt_domain)
 +term_use_generic_ptys(virt_domain)
 +term_use_ptmx(virt_domain)
- 
+
 -	optional_policy(`
 -		policykit_dbus_chat(virtd_t)
 -	')
 +tunable_policy(`virt_use_execmem',`
 +	allow virt_domain self:process { execmem execstack };
 ')
@ -90144,7 +90183,7 @@ index 1f22fba..253d98d 100644
 manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
 manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +822,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +826,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@ -90157,12 +90196,12 @@ index 1f22fba..253d98d 100644
 -dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 -
 -allow virsh_t svirt_lxc_domain:process transition;
 -
 -can_exec(virsh_t, virsh_exec_t)
 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +virt_filetrans_named_content(virsh_t)
 -can_exec(virsh_t, virsh_exec_t)
 -
 -virt_domtrans(virsh_t)
 -virt_manage_images(virsh_t)
 -virt_manage_config(virsh_t)
@ -90174,7 +90213,7 @@ index 1f22fba..253d98d 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +841,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -90201,7 +90240,7 @@ index 1f22fba..253d98d 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +861,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -90233,7 +90272,7 @@ index 1f22fba..253d98d 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
 	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +894,20 @@ optional_policy(`
+@@ -847,14 +898,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -90255,7 +90294,7 @@ index 1f22fba..253d98d 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -879,34 +932,44 @@ optional_policy(`
+@@ -879,34 +936,44 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -90309,7 +90348,7 @@ index 1f22fba..253d98d 100644
 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +979,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +983,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
 allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@ -90327,7 +90366,7 @@ index 1f22fba..253d98d 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1001,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +1005,8 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -90338,7 +90377,7 @@ index 1f22fba..253d98d 100644
 files_relabel_rootfs(virtd_lxc_t)
 files_mounton_non_security(virtd_lxc_t)
 files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1010,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1014,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
 files_list_isid_type_dirs(virtd_lxc_t)
 files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@ -90346,7 +90385,7 @@ index 1f22fba..253d98d 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1022,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1026,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -90365,7 +90404,7 @@ index 1f22fba..253d98d 100644
 term_use_generic_ptys(virtd_lxc_t)
 term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1036,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1040,40 @@ auth_use_nsswitch(virtd_lxc_t)
 logging_send_syslog_msg(virtd_lxc_t)
@ -90393,6 +90432,10 @@ index 1f22fba..253d98d 100644
 +')
 +
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
 +
 +optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
@ -90410,7 +90453,7 @@ index 1f22fba..253d98d 100644
 allow svirt_lxc_domain self:fifo_file manage_file_perms;
 allow svirt_lxc_domain self:sem create_sem_perms;
 allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1073,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
 allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
 allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@ -90437,7 +90480,7 @@ index 1f22fba..253d98d 100644
 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1091,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@ -90456,7 +90499,7 @@ index 1f22fba..253d98d 100644
 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
 corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1110,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
 files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
 files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
 files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@ -90483,7 +90526,7 @@ index 1f22fba..253d98d 100644
 auth_dontaudit_read_login_records(svirt_lxc_domain)
 auth_dontaudit_write_login_records(svirt_lxc_domain)
 auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1135,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1143,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
 libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@ -90622,7 +90665,7 @@ index 1f22fba..253d98d 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1233,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1241,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -90637,7 +90680,7 @@ index 1f22fba..253d98d 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1183,9 +1251,8 @@ optional_policy(`
+@@ -1183,9 +1259,8 @@ optional_policy(`
 ########################################
 #
@ -90648,7 +90691,7 @@ index 1f22fba..253d98d 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1265,114 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1273,114 @@ kernel_read_network_state(virt_bridgehelper_t)
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 57%{?dist}
+Release: 58%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -539,6 +539,20 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
 - Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. 
 - Allow bootloader to manage generic log files 
 - Allow ftp to bind to port 989 
 - Fix label of new gear directory 
 - Add support for new directory /var/lib/openshift/gears/ 
 - Add openshift_manage_lib_dirs() 
 - allow virtd domains to manage setrans_var_run_t 
 - Allow useradd to manage all openshift content 
 - Add support so that mozilla_plugin_t can use dri devices 
 - Allow chronyd to change the scheduler 
 - Allow apmd to shut downthe system 
 - Devicekit_disk_t needs to manage /etc/fstab
 * Wed Jun 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-57
 - Make DSPAM to act as a LDA working
 - Allow ntop to create netlink socket