Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

2014-10-12 07:15:47 -04:00 · 2014-10-12 07:15:47 -04:00 · 3e4dce057d
commit 3e4dce057d
parent d3cbfbfff6 a76f317a36
6 changed files with 754 additions and 332 deletions
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@ -2460,3 +2460,17 @@ gear = module
 # naemon policy
 #
 naemon = module
+
+# Layer: contrib
+# Module: brltty
+#
+# brltty policy
+#
+brltty = module
+
+# Layer: contrib
+# Module: cpuplug
+#
+# cpuplug policy
+#
+cpuplug = module
--- a/permissivedomains.pp
+++ b/permissivedomains.pp
--- a/permissivedomains.te
+++ b/permissivedomains.te
@ -55,3 +55,17 @@ optional_policy(`
    ')
    permissive naemon_t;
 ')
+
+optional_policy(`
+    gen_require(`
+            type brltty_t;
+    ')
+    permissive brltty_t;
+')
+
+optional_policy(`
+    gen_require(`
+            type cpuplug_t;
+    ')
+    permissive cpuplug_t;
+')
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5466,7 +5466,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..6b99aea 100644
+index b191055..57afd42 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5540,7 +5540,7 @@ index b191055..6b99aea 100644
 # reserved_port_t is the type of INET port numbers below 1024.
 #
 type reserved_port_t, port_type, reserved_port_type;
-@@ -84,55 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
 network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@ -5557,6 +5557,7 @@ index b191055..6b99aea 100644
 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
 network_port(boinc, tcp,31416,s0)
 network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
+network_port(brlp, tcp,4101,s0)
 network_port(biff) # no defined portcon
 network_port(certmaster, tcp,51235,s0)
 +network_port(collectd, udp,25826,s0)
@ -5617,7 +5618,7 @@ index b191055..6b99aea 100644
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +176,54 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +177,54 @@ network_port(hadoop_namenode, tcp,8020,s0)
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@ -5686,7 +5687,7 @@ index b191055..6b99aea 100644
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
 network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +231,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +232,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mxi, tcp,8005,s0, udp,8005,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
@ -5727,7 +5728,7 @@ index b191055..6b99aea 100644
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
-@@ -213,68 +268,79 @@ network_port(postgrey, tcp,60000,s0)
+@@ -213,68 +269,79 @@ network_port(postgrey, tcp,60000,s0)
 network_port(pptp, tcp,1723,s0, udp,1723,s0)
 network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@ -5739,9 +5740,11 @@ index b191055..6b99aea 100644
 network_port(puppet, tcp, 8140, s0)
 network_port(pxe, udp,4011,s0)
 network_port(pyzor, udp,24441,s0)
+-network_port(radacct, udp,1646,s0, udp,1813,s0)
+-network_port(radius, udp,1645,s0, udp,1812,s0)
 +network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
- network_port(radacct, udp,1646,s0, udp,1813,s0)
- network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
+network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0)
 network_port(radsec, tcp,2083,s0)
 network_port(razor, tcp,2703,s0)
 +network_port(time, tcp,37,s0, udp,37,s0)
@ -5818,7 +5821,7 @@ index b191055..6b99aea 100644
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +354,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +355,23 @@ network_port(zabbix_agent, tcp,10050,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
@ -5845,7 +5848,7 @@ index b191055..6b99aea 100644
 
 ########################################
 #
-@@ -333,6 +403,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +404,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
@ -5854,7 +5857,7 @@ index b191055..6b99aea 100644
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
-@@ -345,9 +417,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +418,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -6019,7 +6022,7 @@ index b31c054..5e37a40 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..a3c0103 100644
+index 76f285e..03d4787 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -7297,6 +7300,15 @@ index 76f285e..a3c0103 100644
 ##	Getattr generic the USB devices.
 ## </summary>
 ## <param name="domain">
+@@ -4123,7 +4766,7 @@ interface(`dev_write_urand',`
+ #
+ interface(`dev_getattr_generic_usb_dev',`
+ 	gen_require(`
+-		type usb_device_t;
+		type usb_device_t,device_t;
+ 	')
+ 
+ 	getattr_chr_files_pattern($1, device_t, usb_device_t)
@@ -4409,9 +5052,9 @@ interface(`dev_rw_usbfs',`
 	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 ')
@ -8827,7 +8839,7 @@ index 6a1e4d1..1b9b0b5 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..8fd98fc 100644
+index cf04cb5..16c88de 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -8926,7 +8938,7 @@ index cf04cb5..8fd98fc 100644
 
 ifdef(`hide_broken_symptoms',`
 	# This check is in the general socket
-@@ -121,8 +173,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +173,19 @@ tunable_policy(`global_ssp',`
 ')
 
 optional_policy(`
@ -8942,10 +8954,11 @@ index cf04cb5..8fd98fc 100644
 +optional_policy(`
 +	miscfiles_read_localization(domain)
 +	miscfiles_read_man_pages(domain)
+	miscfiles_read_fonts(domain)
 ')
 
 optional_policy(`
-@@ -133,6 +195,9 @@ optional_policy(`
+@@ -133,6 +196,9 @@ optional_policy(`
 optional_policy(`
 	xserver_dontaudit_use_xdm_fds(domain)
 	xserver_dontaudit_rw_xdm_pipes(domain)
@ -8955,7 +8968,7 @@ index cf04cb5..8fd98fc 100644
 ')
 
 ########################################
-@@ -147,12 +212,18 @@ optional_policy(`
+@@ -147,12 +213,18 @@ optional_policy(`
 # Use/sendto/connectto sockets created by any domain.
 allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
 
@ -8975,7 +8988,7 @@ index cf04cb5..8fd98fc 100644
 
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +237,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
 
@ -29122,7 +29135,7 @@ index bc0ffc8..7198bd9 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..c4546e2 100644
+index 79a45f6..f142c45 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -30144,7 +30157,7 @@ index 79a45f6..c4546e2 100644
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2380,470 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2380,473 @@ interface(`init_udp_recvfrom_all_daemons',`
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
@ -30608,12 +30621,15 @@ index 79a45f6..c4546e2 100644
 +		type initrc_var_run_t;
 +		type machineid_t;
 +		type initctl_t;
+        type systemd_unit_file_t;
 +	')
 +
 +	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 +	files_pid_filetrans($1, init_var_run_t, file, "random-seed")
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +	files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
+	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
+	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 index 17eda24..dd417eb 100644
@ -32270,7 +32286,7 @@ index 0d4c8d3..e6ffda3 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..3c62b4c 100644
+index 312cd04..efe343f 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -32455,7 +32471,15 @@ index 312cd04..3c62b4c 100644
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
 
-@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -269,6 +305,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+ files_read_etc_files(ipsec_mgmt_t)
+ files_exec_etc_files(ipsec_mgmt_t)
+ files_read_etc_runtime_files(ipsec_mgmt_t)
+files_list_kernel_modules(ipsec_mgmt_t)
+ files_read_usr_files(ipsec_mgmt_t)
+ files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
+ files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+@@ -278,9 +315,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
 
 term_use_console(ipsec_mgmt_t)
@ -32467,7 +32491,7 @@ index 312cd04..3c62b4c 100644
 
 init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +325,23 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +326,23 @@ init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 
@ -32496,7 +32520,7 @@ index 312cd04..3c62b4c 100644
 
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +365,10 @@ optional_policy(`
+@@ -322,6 +366,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -32507,7 +32531,7 @@ index 312cd04..3c62b4c 100644
 	modutils_domtrans_insmod(ipsec_mgmt_t)
 ')
 
-@@ -335,7 +382,7 @@ optional_policy(`
+@@ -335,7 +383,7 @@ optional_policy(`
 #
 
 allow racoon_t self:capability { net_admin net_bind_service };
@ -32516,7 +32540,7 @@ index 312cd04..3c62b4c 100644
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +417,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +418,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
 
@ -32536,7 +32560,7 @@ index 312cd04..3c62b4c 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 
-@@ -401,10 +447,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +448,10 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
 
@ -32549,7 +32573,7 @@ index 312cd04..3c62b4c 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +484,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +485,8 @@ corenet_setcontext_all_spds(setkey_t)
 
 locallogin_use_fds(setkey_t)
 
@ -43068,7 +43092,7 @@ index db75976..1ee08ec 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..3104d12 100644
+index 9dc60c6..d04015e 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -45700,15 +45724,35 @@ index 9dc60c6..3104d12 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2692,19 +3517,43 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3517,13 @@ interface(`userdom_read_user_tmpfs_files',`
 ## </param>
 #
 interface(`userdom_rw_user_tmpfs_files',`
 -	gen_require(`
 -		type user_tmpfs_t;
 -	')
+-
+-	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-	allow $1 user_tmpfs_t:dir list_dir_perms;
+-	fs_search_tmpfs($1)
 +    refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
 +    userdom_rw_user_tmp_files($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete user tmpfs files.
+##	Manage user tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2713,13 +3532,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+ ## </param>
+ #
+ interface(`userdom_manage_user_tmpfs_files',`
+    refpolicywarn(`$0($*) has been deprecated, use userdom_manage_user_tmp_files() instead.')
+    userdom_manage_user_tmp_files($1)
 +')
 +
 +########################################
@ -45725,11 +45769,7 @@ index 9dc60c6..3104d12 100644
 +    refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
 +    userdom_rw_inherited_user_tmp_files($1)
 +')
- 
-	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	allow $1 user_tmpfs_t:dir list_dir_perms;
-	fs_search_tmpfs($1)
+
 +########################################
 +## <summary>
 +##	Execute user tmpfs files.
@ -45743,20 +45783,18 @@ index 9dc60c6..3104d12 100644
 +interface(`userdom_execute_user_tmpfs_files',`
 +    refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
 +    userdom_execute_user_tmp_files($1)
- ')
- 
- ########################################
- ## <summary>
-##	Create, read, write, and delete user tmpfs files.
+')
+
+########################################
+## <summary>
 +##	Execute user tmpfs files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2712,14 +3561,12 @@ interface(`userdom_rw_user_tmpfs_files',`
- ##	</summary>
- ## </param>
- #
-interface(`userdom_manage_user_tmpfs_files',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`userdom_execute_user_tmp_files',`
 	gen_require(`
 -		type user_tmpfs_t;
@ -45770,7 +45808,7 @@ index 9dc60c6..3104d12 100644
 ')
 
 ########################################
-@@ -2814,6 +3661,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3676,24 @@ interface(`userdom_use_user_ttys',`
 
 ########################################
 ## <summary>
@ -45795,7 +45833,7 @@ index 9dc60c6..3104d12 100644
 ##	Read and write a user domain pty.
 ## </summary>
 ## <param name="domain">
-@@ -2832,22 +3697,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3712,34 @@ interface(`userdom_use_user_ptys',`
 
 ########################################
 ## <summary>
@ -45838,7 +45876,7 @@ index 9dc60c6..3104d12 100644
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-@@ -2856,14 +3733,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3748,33 @@ interface(`userdom_use_user_ptys',`
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -45876,7 +45914,7 @@ index 9dc60c6..3104d12 100644
 ')
 
 ########################################
-@@ -2882,8 +3778,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3793,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
 		type user_tty_device_t, user_devpts_t;
 	')
 
@ -45906,7 +45944,7 @@ index 9dc60c6..3104d12 100644
 ')
 
 ########################################
-@@ -2955,69 +3870,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3885,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
@ -46007,7 +46045,7 @@ index 9dc60c6..3104d12 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3025,12 +3939,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3954,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
 ##	</summary>
 ## </param>
 #
@ -46022,7 +46060,7 @@ index 9dc60c6..3104d12 100644
 ')
 
 ########################################
-@@ -3094,7 +4008,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4023,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 
 	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
@ -46031,7 +46069,7 @@ index 9dc60c6..3104d12 100644
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
-@@ -3110,29 +4024,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4039,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -46065,7 +46103,7 @@ index 9dc60c6..3104d12 100644
 ')
 
 ########################################
-@@ -3214,7 +4112,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4127,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
 		type user_devpts_t;
 	')
 
@ -46092,7 +46130,7 @@ index 9dc60c6..3104d12 100644
 ')
 
 ########################################
-@@ -3269,12 +4185,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4200,13 @@ interface(`userdom_write_user_tmp_files',`
 		type user_tmp_t;
 	')
 
@ -46108,7 +46146,7 @@ index 9dc60c6..3104d12 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3282,54 +4199,56 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4214,122 @@ interface(`userdom_write_user_tmp_files',`
 ##	</summary>
 ## </param>
 #
@ -46166,54 +46204,45 @@ index 9dc60c6..3104d12 100644
 	gen_require(`
 -		attribute userdomain;
 +		type user_tmp_t;
- 	')
- 
-	allow $1 userdomain:process getattr;
+	')
+
 +	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
-##	Inherit the file descriptors from all user domains
+')
+
+########################################
+## <summary>
 +##	Allow domain to read/write inherited users
 +##	fifo files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3337,18 +4256,17 @@ interface(`userdom_getattr_all_users',`
- ##	</summary>
- ## </param>
- #
-interface(`userdom_use_all_users_fds',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`userdom_rw_inherited_user_pipes',`
- 	gen_require(`
- 		attribute userdomain;
- 	')
- 
-	allow $1 userdomain:fd use;
+	gen_require(`
+		attribute userdomain;
+	')
+
 +	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
-##	Do not audit attempts to inherit the file
-##	descriptors from any user domains.
+')
+
+########################################
+## <summary>
 +##	Do not audit attempts to use user ttys.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3356,12 +4274,87 @@ interface(`userdom_use_all_users_fds',`
- ##	</summary>
- ## </param>
- #
-interface(`userdom_dontaudit_use_all_users_fds',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
 +interface(`userdom_dontaudit_use_user_ttys',`
- 	gen_require(`
-		attribute userdomain;
+	gen_require(`
 +		type user_tty_device_t;
- 	')
- 
-	dontaudit $1 userdomain:fd use;
+	')
+
 +	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
 +')
 +
@ -46250,50 +46279,10 @@ index 9dc60c6..3104d12 100644
 +interface(`userdom_getattr_all_users',`
 +	gen_require(`
 +		attribute userdomain;
-+	')
-+
-+	allow $1 userdomain:process getattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Inherit the file descriptors from all user domains
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_use_all_users_fds',`
-+	gen_require(`
-+		attribute userdomain;
-+	')
-+
-+	allow $1 userdomain:fd use;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to inherit the file
-+##	descriptors from any user domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dontaudit_use_all_users_fds',`
-+	gen_require(`
-+		attribute userdomain;
-+	')
-+
-+	dontaudit $1 userdomain:fd use;
 	')
 
- ########################################
-@@ -3382,6 +4375,42 @@ interface(`userdom_signal_all_users',`
+ 	allow $1 userdomain:process getattr;
+@@ -3382,6 +4390,42 @@ interface(`userdom_signal_all_users',`
 	allow $1 userdomain:process signal;
 ')
 
@ -46336,7 +46325,7 @@ index 9dc60c6..3104d12 100644
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4431,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4446,60 @@ interface(`userdom_sigchld_all_users',`
 
 ########################################
 ## <summary>
@ -46397,7 +46386,7 @@ index 9dc60c6..3104d12 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3435,4 +4518,1686 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4533,1686 @@ interface(`userdom_dbus_send_all_users',`
 	')
 
 	allow $1 userdomain:dbus send_msg;
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 82%{?dist}
+Release: 85%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -602,6 +602,41 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Oct 06 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-85
+- Allow nova domains to getattr on all filesystems.
+- ALlow zebra for user/group look-ups.
+- Allow lsmd to search own plguins.
+- Allow sssd to read selinux config to add SELinux user mapping.
+- Allow swift to connect to all ephemeral ports by default.
+- Allow NetworkManager to create Bluetooth SDP sockets
+- Allow keepalived manage snmp var lib sock files. BZ(1102228)
+- Added policy for blrtty. BZ(1083162)
+- Allow rhsmcertd manage rpm db. BZ(#1134173)
+- Allow rhsmcertd send signull to setroubleshoot. BZ (#1134173)
+- Label /usr/libexec/rhsmd as rhsmcertd_exec_t
+- Fix broken interfaces
+- Added sendmail_domtrans_unconfined interface
+- Added support for cpuplug. BZ (#1077831)
+- Fix bug in drbd policy, BZ (#1134883)
+- Make keystone_cgi_script_t domain. BZ (#1138424)
+- fix dev_getattr_generic_usb_dev interface
+- Label 4101 tcp port as brlp port
+- Allow libreswan to connect to VPN via NM-libreswan.
+- Add userdom_manage_user_tmpfs_files interface
+
+* Tue Sep 30 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-84
+- Allow all domains to read fonts
+- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
+- Allow pki-tomcat to change SELinux object identity.
+- Allow radious to connect to apache ports to do OCSP check
+- Allow git cgi scripts to create content in /tmp
+- Allow cockpit-session to do GSSAPI logins.
+
+* Mon Sep 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-83
+- Make sure /run/systemd/generator and system is labeled correctly on creation.
+- Additional access required by usbmuxd
+- Allow sensord read in /proc BZ(#1143799)
+
 * Thu Sep 18 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-82
 - Allow du running in logwatch_t read hwdata.
 - Allow sys_admin capability for antivirus domians.