- pki needs another port

- Add more labels for cluster scripts - Fix label on nfs-utils scripts directories - Fixes for cluster - Allow gatherd to read /dev/rand and /dev/urand - abrt leaks fifo files
2011-08-31 22:51:47 +02:00 · 2011-08-31 22:51:47 +02:00 · 392fd7310f
commit 392fd7310f
parent e6877a0621
2 changed files with 158 additions and 68 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -10968,7 +10968,7 @@ index 223ad43..d95e720 100644
 	rsync_exec(yam_t)
 ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..f8f940f 100644
+index 3fae11a..d653b7f 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@ -11119,7 +11119,18 @@ index 3fae11a..f8f940f 100644
 /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -286,6 +290,7 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +271,10 @@ ifdef(`distro_gentoo',`
 /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/cluster/SAPDatabase	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/cluster/SAPInstance	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/cluster/fence_scsi_check\.pl	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/cluster/checkquorum	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
@@ -286,6 +294,7 @@ ifdef(`distro_gentoo',`
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@ -11127,7 +11138,7 @@ index 3fae11a..f8f940f 100644
 /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-@@ -293,8 +298,10 @@ ifdef(`distro_gentoo',`
+@@ -293,8 +302,10 @@ ifdef(`distro_gentoo',`
 /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
@ -11139,18 +11150,21 @@ index 3fae11a..f8f940f 100644
 ifdef(`distro_gentoo', `
 /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -307,9 +314,8 @@ ifdef(`distro_redhat', `
+@@ -306,10 +317,11 @@ ifdef(`distro_redhat', `
 /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
 /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/.*/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/nfs-utils/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/oracle/xe/apps(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +325,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +331,11 @@ ifdef(`distro_redhat', `
 /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@ -11162,7 +11176,7 @@ index 3fae11a..f8f940f 100644
 /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +371,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +377,7 @@ ifdef(`distro_redhat', `
 ifdef(`distro_suse', `
 /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@ -11171,7 +11185,7 @@ index 3fae11a..f8f940f 100644
 /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
 ')
-@@ -375,8 +383,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +389,9 @@ ifdef(`distro_suse', `
 /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@ -11182,7 +11196,7 @@ index 3fae11a..f8f940f 100644
 /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
 /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +394,4 @@ ifdef(`distro_suse', `
+@@ -385,3 +400,4 @@ ifdef(`distro_suse', `
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -12323,7 +12337,7 @@ index 4f3b542..5a41e58 100644
 	corenet_udp_recvfrom_labeled($1, $2)
 	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..85d03ed 100644
+index 99b71cb..807f958 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,14 @@ attribute netif_type;
@ -12497,10 +12511,10 @@ index 99b71cb..85d03ed 100644
 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pingd, tcp,9125,s0)
 +network_port(piranha, tcp,3636,s0)
-+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9446, s0)
+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
-+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
-+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
-+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
 +network_port(pki_ra, tcp,12888-12889,s0)
 +network_port(pki_tps, tcp,7888-7889,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
@ -16175,7 +16189,7 @@ index 22821ff..20251b0 100644
 ########################################
 #
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..63e494f 100644
+index 97fcdac..5923a0a 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -16309,15 +16323,16 @@ index 97fcdac..63e494f 100644
 	dev_search_sysfs($1)
 ')
-@@ -803,6 +870,7 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +870,8 @@ interface(`fs_manage_cgroup_files',`
 	')
 	manage_files_pattern($1, cgroup_t, cgroup_t)
 +	manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
 +	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
-@@ -1107,6 +1175,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1107,6 +1176,24 @@ interface(`fs_read_noxattr_fs_files',`
 ########################################
 ## <summary>
@ -16342,7 +16357,7 @@ index 97fcdac..63e494f 100644
 ##	Do not audit attempts to read all
 ##	noxattrfs files.
 ## </summary>
-@@ -1265,6 +1351,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1265,6 +1352,42 @@ interface(`fs_dontaudit_append_cifs_files',`
 ########################################
 ## <summary>
@ -16385,7 +16400,7 @@ index 97fcdac..63e494f 100644
 ##	Do not audit attempts to read or
 ##	write files on a CIFS or SMB filesystem.
 ## </summary>
-@@ -1279,7 +1401,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1279,7 +1402,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
 		type cifs_t;
 	')
@ -16394,7 +16409,7 @@ index 97fcdac..63e494f 100644
 ')
 ########################################
-@@ -1542,6 +1664,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,6 +1665,25 @@ interface(`fs_cifs_domtrans',`
 	domain_auto_transition_pattern($1, cifs_t, $2)
 ')
@ -16420,7 +16435,7 @@ index 97fcdac..63e494f 100644
 #######################################
 ## <summary>
 ##	Create, read, write, and delete dirs
-@@ -2148,6 +2289,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2290,7 @@ interface(`fs_list_inotifyfs',`
 	')
 	allow $1 inotifyfs_t:dir list_dir_perms;
@ -16428,7 +16443,7 @@ index 97fcdac..63e494f 100644
 ')
 ########################################
-@@ -2480,6 +2622,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2623,7 @@ interface(`fs_read_nfs_files',`
 		type nfs_t;
 	')
@ -16436,7 +16451,7 @@ index 97fcdac..63e494f 100644
 	allow $1 nfs_t:dir list_dir_perms;
 	read_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -2518,6 +2661,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2662,7 @@ interface(`fs_write_nfs_files',`
 		type nfs_t;
 	')
@ -16444,7 +16459,7 @@ index 97fcdac..63e494f 100644
 	allow $1 nfs_t:dir list_dir_perms;
 	write_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -2544,6 +2688,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2689,25 @@ interface(`fs_exec_nfs_files',`
 ########################################
 ## <summary>
@ -16470,7 +16485,7 @@ index 97fcdac..63e494f 100644
 ##	Append files
 ##	on a NFS filesystem.
 ## </summary>
-@@ -2584,6 +2747,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2748,42 @@ interface(`fs_dontaudit_append_nfs_files',`
 ########################################
 ## <summary>
@ -16513,7 +16528,7 @@ index 97fcdac..63e494f 100644
 ##	Do not audit attempts to read or
 ##	write files on a NFS filesystem.
 ## </summary>
-@@ -2598,7 +2797,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2798,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
 		type nfs_t;
 	')
@ -16522,7 +16537,7 @@ index 97fcdac..63e494f 100644
 ')
 ########################################
-@@ -2736,7 +2935,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +2936,7 @@ interface(`fs_search_removable',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -16531,7 +16546,7 @@ index 97fcdac..63e494f 100644
 ##	</summary>
 ## </param>
 #
-@@ -2772,7 +2971,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +2972,7 @@ interface(`fs_read_removable_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -16540,7 +16555,7 @@ index 97fcdac..63e494f 100644
 ##	</summary>
 ## </param>
 #
-@@ -2965,6 +3164,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3165,7 @@ interface(`fs_manage_nfs_dirs',`
 		type nfs_t;
 	')
@ -16548,7 +16563,7 @@ index 97fcdac..63e494f 100644
 	allow $1 nfs_t:dir manage_dir_perms;
 ')
-@@ -3005,6 +3205,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3206,7 @@ interface(`fs_manage_nfs_files',`
 		type nfs_t;
 	')
@ -16556,7 +16571,7 @@ index 97fcdac..63e494f 100644
 	manage_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -3045,6 +3246,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3247,7 @@ interface(`fs_manage_nfs_symlinks',`
 		type nfs_t;
 	')
@ -16564,7 +16579,7 @@ index 97fcdac..63e494f 100644
 	manage_lnk_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -3958,6 +4160,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4161,42 @@ interface(`fs_dontaudit_list_tmpfs',`
 ########################################
 ## <summary>
@ -16607,7 +16622,7 @@ index 97fcdac..63e494f 100644
 ##	Create, read, write, and delete
 ##	tmpfs directories
 ## </summary>
-@@ -4175,6 +4413,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4414,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 ########################################
 ## <summary>
@ -16632,7 +16647,7 @@ index 97fcdac..63e494f 100644
 ##	Relabel character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
-@@ -4457,6 +4713,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4714,8 @@ interface(`fs_mount_all_fs',`
 	')
 	allow $1 filesystem_type:filesystem mount;
@ -16641,7 +16656,7 @@ index 97fcdac..63e494f 100644
 ')
 ########################################
-@@ -4503,7 +4761,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4762,7 @@ interface(`fs_unmount_all_fs',`
 ## <desc>
 ##	<p>
 ##	Allow the specified domain to
@ -16650,7 +16665,7 @@ index 97fcdac..63e494f 100644
 ##	Example attributes:
 ##	</p>
 ##	<ul>
-@@ -4866,3 +5124,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5125,24 @@ interface(`fs_unconfined',`
 	typeattribute $1 filesystem_unconfined_type;
 ')
@ -27797,7 +27812,7 @@ index 5220c9d..a2e6830 100644
 ## <summary>
 ##	Allow the specified domain to read corosync's log files.
 diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..f0f7e1a 100644
+index 04969e5..c3176a6 100644
 --- a/policy/modules/services/corosync.te
 +++ b/policy/modules/services/corosync.te
@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
@ -27840,7 +27855,7 @@ index 04969e5..f0f7e1a 100644
 auth_use_nsswitch(corosync_t)
-@@ -83,19 +89,42 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,19 +89,44 @@ logging_send_syslog_msg(corosync_t)
 miscfiles_read_localization(corosync_t)
@ -27878,12 +27893,14 @@ index 04969e5..f0f7e1a 100644
 -	rhcs_rw_gfs_controld_semaphores(corosync_t)
 +optional_policy(`
 +	rhcs_getattr_fenced(corosync_t)
 +	# to communication with RHCS
 +	rhcs_rw_cluster_shm(corosync_t)
 +	rhcs_rw_cluster_semaphores(corosync_t)
 +	rhcs_stream_connect_cluster(corosync_t)
 +	rhcs_read_cluster_lib_files(corosync_t)
 +	rhcs_manage_cluster_lib_files(corosync_t)
 +	rhcs_relabel_cluster_lib_files(corosync_t)
 ')
 optional_policy(`
@ -35592,21 +35609,22 @@ index a627b34..c4cfc6d 100644
 optional_policy(`
 	seutil_sigchld_newrole(gpm_t)
 diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..d9232fe 100644
+index 03742d8..b28c4f9 100644
 --- a/policy/modules/services/gpsd.te
 +++ b/policy/modules/services/gpsd.te
-@@ -24,8 +24,8 @@ files_pid_file(gpsd_var_run_t)
+@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
 # gpsd local policy
 #
 -allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
 -allow gpsd_t self:process setsched;
 +allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
 +dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace };
 +allow gpsd_t self:process { setsched signal_perms };
 allow gpsd_t self:shm create_shm_perms;
 allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow gpsd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,14 +38,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+@@ -38,14 +39,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
 manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
 files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
@ -35629,7 +35647,7 @@ index 03742d8..d9232fe 100644
 term_use_unallocated_ttys(gpsd_t)
 term_setattr_unallocated_ttys(gpsd_t)
-@@ -56,6 +63,12 @@ logging_send_syslog_msg(gpsd_t)
+@@ -56,6 +64,12 @@ logging_send_syslog_msg(gpsd_t)
 miscfiles_read_localization(gpsd_t)
 optional_policy(`
@ -40358,7 +40376,7 @@ index 343cee3..f8c4fb6 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..8d3091f 100644
+index 64268e4..ee1f72b 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@ -40506,7 +40524,7 @@ index 64268e4..8d3091f 100644
 ')
 optional_policy(`
-@@ -189,6 +187,10 @@ optional_policy(`
+@@ -189,9 +187,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -40517,7 +40535,14 @@ index 64268e4..8d3091f 100644
 	smartmon_read_tmp_files(system_mail_t)
 ')
-@@ -199,15 +201,16 @@ optional_policy(`
+optional_policy(`
 +	abrt_rw_fifo_file(mta_user_agent)
 +')
 +
 # should break this up among sections:
 optional_policy(`
@@ -199,15 +205,16 @@ optional_policy(`
 	arpwatch_search_data(mailserver_delivery)
 	arpwatch_manage_tmp_files(mta_user_agent)
@ -40538,7 +40563,7 @@ index 64268e4..8d3091f 100644
 ########################################
 #
 # Mailserver delivery local policy
-@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +227,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@ -40548,7 +40573,7 @@ index 64268e4..8d3091f 100644
 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -242,6 +246,10 @@ optional_policy(`
+@@ -242,6 +250,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -40559,7 +40584,7 @@ index 64268e4..8d3091f 100644
 	# so MTA can access /var/lib/mailman/mail/wrapper
 	files_search_var_lib(mailserver_delivery)
-@@ -249,16 +257,25 @@ optional_policy(`
+@@ -249,16 +261,25 @@ optional_policy(`
 	mailman_read_data_symlinks(mailserver_delivery)
 ')
@ -40587,7 +40612,7 @@ index 64268e4..8d3091f 100644
 # Create dead.letter in user home directories.
 userdom_manage_user_home_content_files(user_mail_t)
 userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -292,3 +309,44 @@ optional_policy(`
+@@ -292,3 +313,44 @@ optional_policy(`
 	postfix_read_config(user_mail_t)
 	postfix_list_spool(user_mail_t)
 ')
@ -48241,7 +48266,7 @@ index c2ba53b..853eeb5 100644
 /var/log/cluster/fenced\.log.*		--	gen_context(system_u:object_r:fenced_var_log_t,s0)
 /var/log/cluster/gfs_controld\.log.*	--	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
 diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
-index de37806..175c89b 100644
+index de37806..a21e737 100644
 --- a/policy/modules/services/rhcs.if
 +++ b/policy/modules/services/rhcs.if
@@ -13,7 +13,7 @@
@ -48289,7 +48314,32 @@ index de37806..175c89b 100644
 ## </param>
 #
 interface(`rhcs_domtrans_dlm_controld',`
-@@ -169,9 +168,8 @@ interface(`rhcs_stream_connect_fenced',`
+@@ -133,6 +132,24 @@ interface(`rhcs_domtrans_fenced',`
 	domtrans_pattern($1, fenced_exec_t, fenced_t)
 ')
 +#####################################
 +## <summary>
 +##  Allow a domain to getattr on fenced executable.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed to transition.
 +##  </summary>
 +## </param>
 +#
 +interface(`rhcs_getattr_fenced',`
 +    gen_require(`
 +        type fenced_t, fenced_exec_t;
 +    ')
 +
 +	allow $1 fenced_exec_t:file getattr;
 +')
 +
 ######################################
 ## <summary>
 ##	Allow read and write access to fenced semaphores.
@@ -169,9 +186,8 @@ interface(`rhcs_stream_connect_fenced',`
 		type fenced_var_run_t, fenced_t;
 	')
@ -48300,7 +48350,7 @@ index de37806..175c89b 100644
 ')
 #####################################
-@@ -335,6 +333,65 @@ interface(`rhcs_rw_groupd_shm',`
+@@ -335,6 +351,65 @@ interface(`rhcs_rw_groupd_shm',`
 	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
 ')
@ -48366,7 +48416,7 @@ index de37806..175c89b 100644
 ######################################
 ## <summary>
 ##	Execute a domain transition to run qdiskd.
-@@ -353,3 +410,60 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -353,3 +428,80 @@ interface(`rhcs_domtrans_qdiskd',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
 ')
@ -48427,8 +48477,28 @@ index de37806..175c89b 100644
 +    files_search_var_lib($1)
 +    manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
 +
 +####################################
 +## <summary>
 +##  Allow domain to relabel cluster lib files
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`rhcs_relabel_cluster_lib_files',`
 +    gen_require(`
 +        type cluster_var_lib_t;
 +    ')
 +
 +    files_search_var_lib($1)
 +    relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
 diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..ac994a8 100644
+index 93c896a..8c29c39 100644
 --- a/policy/modules/services/rhcs.te
 +++ b/policy/modules/services/rhcs.te
@@ -6,13 +6,22 @@ policy_module(rhcs, 1.1.0)
@ -48477,7 +48547,15 @@ index 93c896a..ac994a8 100644
 #####################################
 #
 # dlm_controld local policy
-@@ -55,20 +70,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -46,6 +61,7 @@ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fence
 stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 kernel_read_system_state(dlm_controld_t)
 +kernel_rw_net_sysctls(dlm_controld_t)
 dev_rw_dlm_control(dlm_controld_t)
 dev_rw_sysfs(dlm_controld_t)
@@ -55,20 +71,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
 init_rw_script_tmp_files(dlm_controld_t)
@ -48500,7 +48578,7 @@ index 93c896a..ac994a8 100644
 can_exec(fenced_t, fenced_exec_t)
-@@ -82,8 +94,13 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -82,8 +95,13 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
 stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@ -48514,7 +48592,7 @@ index 93c896a..ac994a8 100644
 corenet_tcp_connect_http_port(fenced_t)
 dev_read_sysfs(fenced_t)
-@@ -105,8 +122,24 @@ tunable_policy(`fenced_can_network_connect',`
+@@ -105,8 +123,24 @@ tunable_policy(`fenced_can_network_connect',`
 ')
 optional_policy(`
@ -48540,7 +48618,7 @@ index 93c896a..ac994a8 100644
 ')
 optional_policy(`
-@@ -114,13 +147,37 @@ optional_policy(`
+@@ -114,13 +148,37 @@ optional_policy(`
 	lvm_read_config(fenced_t)
 ')
@ -48579,7 +48657,7 @@ index 93c896a..ac994a8 100644
 allow gfs_controld_t self:shm create_shm_perms;
 allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -139,10 +196,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +197,6 @@ storage_getattr_removable_dev(gfs_controld_t)
 init_rw_script_tmp_files(gfs_controld_t)
 optional_policy(`
@ -48590,7 +48668,7 @@ index 93c896a..ac994a8 100644
 	lvm_exec(gfs_controld_t)
 	dev_rw_lvm_control(gfs_controld_t)
 ')
-@@ -154,9 +207,10 @@ optional_policy(`
+@@ -154,9 +208,10 @@ optional_policy(`
 allow groupd_t self:capability { sys_nice sys_resource };
 allow groupd_t self:process setsched;
@ -48602,7 +48680,7 @@ index 93c896a..ac994a8 100644
 dev_list_sysfs(groupd_t)
 files_read_etc_files(groupd_t)
-@@ -168,8 +222,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +223,7 @@ init_rw_script_tmp_files(groupd_t)
 # qdiskd local policy
 #
@ -48612,7 +48690,7 @@ index 93c896a..ac994a8 100644
 allow qdiskd_t self:tcp_socket create_stream_socket_perms;
 allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -199,6 +252,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -199,6 +253,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
 files_dontaudit_getattr_all_pipes(qdiskd_t)
 files_read_etc_files(qdiskd_t)
@ -48621,7 +48699,7 @@ index 93c896a..ac994a8 100644
 storage_raw_read_removable_device(qdiskd_t)
 storage_raw_write_removable_device(qdiskd_t)
 storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +262,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +263,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
 auth_use_nsswitch(qdiskd_t)
 optional_policy(`
@ -48632,7 +48710,7 @@ index 93c896a..ac994a8 100644
 	netutils_domtrans_ping(qdiskd_t)
 ')
-@@ -223,18 +274,28 @@ optional_policy(`
+@@ -223,18 +275,28 @@ optional_policy(`
 # rhcs domains common policy
 #
@ -51390,10 +51468,10 @@ index 0000000..8aef188
 +
 diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te
 new file mode 100644
-index 0000000..785c2f3
+index 0000000..ea10ecc
 --- /dev/null
 +++ b/policy/modules/services/sblim.te
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,105 @@
 +policy_module(sblim, 1.0.0)
 +
 +########################################
@ -51433,6 +51511,9 @@ index 0000000..785c2f3
 +
 +corenet_tcp_connect_repository_port(sblim_gatherd_t)
 +
 +dev_read_rand(sblim_gatherd_t)
 +dev_read_urand(sblim_gatherd_t)
 +
 +domain_read_all_domains_state(sblim_gatherd_t)
 +
 +fs_getattr_all_fs(sblim_gatherd_t)
@ -55758,7 +55839,7 @@ index 7c5d8d8..d83a9a2 100644
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
 ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..2ffbc3a 100644
+index 3eca020..60a0e6a 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
@@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@ -55998,7 +56079,8 @@ index 3eca020..2ffbc3a 100644
 +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow virtd_t self:tcp_socket create_stream_socket_perms;
- allow virtd_t self:tun_socket create_socket_perms;
+-allow virtd_t self:tun_socket create_socket_perms;
 +allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 +allow virtd_t self:rawip_socket create_socket_perms;
 allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -466,6 +466,14 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Wed Aug 31 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-24
 - pki needs another port
 - Add more labels for cluster scripts
 - Fix label on nfs-utils scripts directories
 - Fixes for cluster
 - Allow gatherd to read /dev/rand and /dev/urand
 - abrt leaks fifo files
 * Tue Aug 30 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-23
 - Add glance policy
 - Allow mdadm setsched