- Fix virt_use_samba boolean

- Looks like all domains that use dbus libraries are now reading /dev/uran - Add glance_use_fusefs() boolean - Allow tgtd to read /proc/net/psched - Additional access required for gear management of openshift directories - Allow sys_ptrace for mock-build - Fix mock_read_lib_files() interface - Allow mock-build to write all inherited ttys and ptys - Allow spamd to create razor home dirs with correct labeling - Clean up sysnet_use_ldap() - systemd calling needs to be optional - Allow init_t to setattr/relabelfrom dhcp state files
2014-04-25 09:09:15 +02:00 · 2014-04-25 09:09:15 +02:00 · 3f5abd2216
parent 345f520dd6
commit 3f5abd2216
3 changed files with 249 additions and 119 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -8744,7 +8744,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..806e1cc 100644
+index cf04cb5..e0615d1 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -8785,7 +8785,7 @@ index cf04cb5..806e1cc 100644
 
 # Transitions only allowed from domains to other domains
 neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,46 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *;
 allow domain self:dir list_dir_perms;
 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
 allow domain self:file rw_file_perms;
@ -8827,13 +8827,14 @@ index cf04cb5..806e1cc 100644
 +# All executables should be able to search the directory they are in
 +corecmd_search_bin(domain)
 +
+
 +tunable_policy(`domain_kernel_load_modules',`
 +	kernel_request_load_module(domain)
 +')
 
 ifdef(`hide_broken_symptoms',`
 	# This check is in the general socket
-@@ -121,8 +168,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',`
 ')
 
 optional_policy(`
@ -8852,7 +8853,7 @@ index cf04cb5..806e1cc 100644
 ')
 
 optional_policy(`
-@@ -133,6 +190,9 @@ optional_policy(`
+@@ -133,6 +191,9 @@ optional_policy(`
 optional_policy(`
 	xserver_dontaudit_use_xdm_fds(domain)
 	xserver_dontaudit_rw_xdm_pipes(domain)
@ -8862,7 +8863,7 @@ index cf04cb5..806e1cc 100644
 ')
 
 ########################################
-@@ -147,12 +207,18 @@ optional_policy(`
+@@ -147,12 +208,18 @@ optional_policy(`
 # Use/sendto/connectto sockets created by any domain.
 allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
 
@ -8882,7 +8883,7 @@ index cf04cb5..806e1cc 100644
 
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +232,346 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +233,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
 
@ -9086,6 +9087,7 @@ index cf04cb5..806e1cc 100644
 +	systemd_filetrans_named_content(named_filetrans_domain)
 +	systemd_filetrans_named_hostname(named_filetrans_domain)
 +	systemd_filetrans_home_content(named_filetrans_domain)
+    systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
 +')
 +
 +optional_policy(`
@ -27067,7 +27069,7 @@ index 3efd5b6..0bd3a26 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..73376ca 100644
+index 09b791d..ff0708e 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -27338,17 +27340,37 @@ index 09b791d..73376ca 100644
 files_list_var_lib(nsswitch_domain)
 
 # read /etc/nsswitch.conf
-@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain)
+@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain)
 
 sysnet_dns_name_resolve(nsswitch_domain)
 
-tunable_policy(`authlogin_nsswitch_use_ldap',`
-	files_list_var_lib(nsswitch_domain)
 +systemd_hostnamed_read_config(nsswitch_domain)
+
+
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+-	files_list_var_lib(nsswitch_domain)
+    allow nsswitch_domain self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+	corenet_tcp_sendrecv_generic_if(nsswitch_domain)
+	corenet_tcp_sendrecv_generic_node(nsswitch_domain)
+	corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
+	corenet_tcp_connect_ldap_port(nsswitch_domain)
+	corenet_sendrecv_ldap_client_packets(nsswitch_domain)
+')
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+	# Support for LDAPS
+	dev_read_rand(nsswitch_domain)
+	# LDAP Configuration using encrypted requires
+	dev_read_urand(nsswitch_domain)
+	sysnet_read_config(nsswitch_domain)
+')
 
 +tunable_policy(`authlogin_nsswitch_use_ldap',`
 	miscfiles_read_generic_certs(nsswitch_domain)
- 	sysnet_use_ldap(nsswitch_domain)
+-	sysnet_use_ldap(nsswitch_domain)
 ')
 
 optional_policy(`
@ -27359,10 +27381,11 @@ index 09b791d..73376ca 100644
 +
 +optional_policy(`
 +	tunable_policy(`authlogin_nsswitch_use_ldap',`
+        ldap_read_certs(nsswitch_domain)
 		ldap_stream_connect(nsswitch_domain)
 	')
 ')
-@@ -438,6 +480,7 @@ optional_policy(`
+@@ -438,6 +501,7 @@ optional_policy(`
 	likewise_stream_connect_lsassd(nsswitch_domain)
 ')
 
@ -27370,7 +27393,7 @@ index 09b791d..73376ca 100644
 optional_policy(`
 	kerberos_use(nsswitch_domain)
 ')
-@@ -456,10 +499,145 @@ optional_policy(`
+@@ -456,10 +520,145 @@ optional_policy(`
 
 optional_policy(`
 	sssd_stream_connect(nsswitch_domain)
@ -31296,7 +31319,7 @@ index 0d4c8d3..e6ffda3 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..d6d434a 100644
+index 312cd04..3c62b4c 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -31493,7 +31516,7 @@ index 312cd04..d6d434a 100644
 
 init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +325,22 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +325,23 @@ init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 
@ -31517,11 +31540,12 @@ index 312cd04..d6d434a 100644
 +optional_policy(`
 +	bind_read_dnssec_keys(ipsec_mgmt_t)
 +	bind_read_config(ipsec_mgmt_t)
+	bind_read_state(ipsec_mgmt_t)
 +')
 
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +364,10 @@ optional_policy(`
+@@ -322,6 +365,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31532,7 +31556,7 @@ index 312cd04..d6d434a 100644
 	modutils_domtrans_insmod(ipsec_mgmt_t)
 ')
 
-@@ -335,7 +381,7 @@ optional_policy(`
+@@ -335,7 +382,7 @@ optional_policy(`
 #
 
 allow racoon_t self:capability { net_admin net_bind_service };
@ -31541,7 +31565,7 @@ index 312cd04..d6d434a 100644
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +416,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +417,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
 
@ -31561,7 +31585,7 @@ index 312cd04..d6d434a 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 
-@@ -401,10 +446,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +447,10 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
 
@ -31574,7 +31598,7 @@ index 312cd04..d6d434a 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +483,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +484,8 @@ corenet_setcontext_all_spds(setkey_t)
 
 locallogin_use_fds(setkey_t)
 
@ -37506,7 +37530,7 @@ index 40edc18..a072ac2 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..1c0de21 100644
+index 2cea692..e094fc0 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -37843,17 +37867,22 @@ index 2cea692..1c0de21 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
 	corenet_tcp_sendrecv_ldap_port($1)
-@@ -763,6 +968,9 @@ interface(`sysnet_use_ldap',`
+@@ -760,9 +965,14 @@ interface(`sysnet_use_ldap',`
+ 
+ 	# Support for LDAPS
+ 	dev_read_rand($1)
+	# LDAP Configuration using encrypted requires
 	dev_read_urand($1)
 
 	sysnet_read_config($1)
 +
-+	# LDAP Configuration using encrypted requires
-+	dev_read_urand($1)
+	optional_policy(`
+		ldap_read_certs($1)
+	')
 ')
 
 ########################################
-@@ -784,7 +992,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +994,6 @@ interface(`sysnet_use_portmap',`
 	allow $1 self:udp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
@ -37861,7 +37890,7 @@ index 2cea692..1c0de21 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1003,115 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1005,115 @@ interface(`sysnet_use_portmap',`
 
 	sysnet_read_config($1)
 ')
@ -37978,7 +38007,7 @@ index 2cea692..1c0de21 100644
 +	files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..b0a854f 100644
+index a392fc4..f1782ee 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -38208,7 +38237,7 @@ index a392fc4..b0a854f 100644
 	vmware_append_log(dhcpc_t)
 ')
 
-@@ -264,12 +312,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,12 +312,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
 allow ifconfig_t self:msg { send receive };
 # Create UDP sockets, necessary when called from dhcpc
 allow ifconfig_t self:udp_socket create_socket_perms;
@ -38225,6 +38254,7 @@ index a392fc4..b0a854f 100644
 +can_exec(ifconfig_t, ifconfig_exec_t)
 +
 +manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
+manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
 +create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
 +files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
 +allow ifconfig_t ifconfig_var_run_t:file mounton;
@ -38232,7 +38262,7 @@ index a392fc4..b0a854f 100644
 kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
-@@ -279,14 +338,31 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -279,14 +339,32 @@ kernel_rw_net_sysctls(ifconfig_t)
 
 corenet_rw_tun_tap_dev(ifconfig_t)
 
@ -38249,7 +38279,8 @@ index a392fc4..b0a854f 100644
 +dev_unmount_sysfs_fs(ifconfig_t)
 
 domain_use_interactive_fds(ifconfig_t)
- 
+domain_read_all_domains_state(ifconfig_t)
+
 +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
 +
 +files_dontaudit_rw_inherited_pipes(ifconfig_t)
@ -38257,14 +38288,14 @@ index a392fc4..b0a854f 100644
 +files_dontaudit_read_root_files(ifconfig_t)
 +files_rw_inherited_tmp_file(ifconfig_t)
 +files_dontaudit_rw_var_files(ifconfig_t)
-+
+ 
 files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
 +files_read_usr_files(ifconfig_t)
 
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
-@@ -299,24 +375,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +377,50 @@ term_dontaudit_use_all_ptys(ifconfig_t)
 term_dontaudit_use_ptmx(ifconfig_t)
 term_dontaudit_use_generic_ptys(ifconfig_t)
 
@ -38292,8 +38323,13 @@ index a392fc4..b0a854f 100644
 +userdom_use_inherited_user_terminals(ifconfig_t)
 userdom_use_all_users_fds(ifconfig_t)
 
+optional_policy(`
+	hostname_exec(ifconfig_t)
+')
+
 ifdef(`distro_ubuntu',`
-@@ -325,7 +399,22 @@ ifdef(`distro_ubuntu',`
+ 	optional_policy(`
+ 		unconfined_domain(ifconfig_t)
 	')
 ')
 
@ -38316,7 +38352,7 @@ index a392fc4..b0a854f 100644
 	optional_policy(`
 		dev_dontaudit_rw_cardmgr(ifconfig_t)
 	')
-@@ -336,7 +425,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +431,11 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 optional_policy(`
@ -38329,7 +38365,7 @@ index a392fc4..b0a854f 100644
 ')
 
 optional_policy(`
-@@ -350,7 +443,15 @@ optional_policy(`
+@@ -350,7 +449,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38346,7 +38382,7 @@ index a392fc4..b0a854f 100644
 ')
 
 optional_policy(`
-@@ -371,3 +472,13 @@ optional_policy(`
+@@ -371,3 +478,13 @@ optional_policy(`
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
@ -38417,10 +38453,10 @@ index 0000000..916c8ed
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..8bca1d7
+index 0000000..24b2af3
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1440 @@
+@@ -0,0 +1,1458 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -38792,6 +38828,24 @@ index 0000000..8bca1d7
 +
 +######################################
 +## <summary>
+##	Dontaudit attempts to write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',`
+	gen_require(`
+		type systemd_logind_sessions_t;
+	')
+
+	dontaudit $1 systemd_logind_sessions_t:fifo_file write;
+')
+
+######################################
+## <summary>
 +##	Write systemd inhibit pipes.
 +## </summary>
 +## <param name="domain">
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -19874,7 +19874,7 @@ index dda905b..ccd0ba9 100644
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index 62d22cb..2b84a85 100644
+index 62d22cb..89671dd 100644
 --- a/dbus.if
 +++ b/dbus.if
@@ -1,4 +1,4 @@
@ -19999,7 +19999,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -103,91 +129,82 @@ template(`dbus_role_template',`
+@@ -103,91 +129,84 @@ template(`dbus_role_template',`
 #
 interface(`dbus_system_bus_client',`
 	gen_require(`
@ -20021,6 +20021,8 @@ index 62d22cb..2b84a85 100644
 -	files_search_var_lib($1)
 	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 +	files_search_var_lib($1)
+
+	dev_read_urand($1)
 
 +	# For connecting to the bus
 	files_search_pids($1)
@ -20123,7 +20125,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -195,15 +212,18 @@ interface(`dbus_connect_spec_session_bus',`
+@@ -195,15 +214,18 @@ interface(`dbus_connect_spec_session_bus',`
 ##	</summary>
 ## </param>
 #
@ -20148,7 +20150,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -211,57 +231,39 @@ interface(`dbus_session_bus_client',`
+@@ -211,57 +233,39 @@ interface(`dbus_session_bus_client',`
 ##	</summary>
 ## </param>
 #
@ -20220,7 +20222,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -269,15 +271,19 @@ interface(`dbus_spec_session_bus_client',`
+@@ -269,15 +273,19 @@ interface(`dbus_spec_session_bus_client',`
 ##	</summary>
 ## </param>
 #
@ -20246,7 +20248,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -285,44 +291,52 @@ interface(`dbus_send_session_bus',`
+@@ -285,44 +293,52 @@ interface(`dbus_send_session_bus',`
 ##	</summary>
 ## </param>
 #
@ -20313,7 +20315,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -330,18 +344,18 @@ interface(`dbus_send_spec_session_bus',`
+@@ -330,18 +346,18 @@ interface(`dbus_send_spec_session_bus',`
 ##	</summary>
 ## </param>
 #
@ -20337,7 +20339,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -349,20 +363,18 @@ interface(`dbus_read_config',`
+@@ -349,20 +365,18 @@ interface(`dbus_read_config',`
 ##	</summary>
 ## </param>
 #
@ -20363,7 +20365,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -370,26 +382,20 @@ interface(`dbus_read_lib_files',`
+@@ -370,26 +384,20 @@ interface(`dbus_read_lib_files',`
 ##	</summary>
 ## </param>
 #
@ -20396,7 +20398,7 @@ index 62d22cb..2b84a85 100644
 ## <param name="domain">
 ##	<summary>
 ##	Type to be used as a domain.
-@@ -397,81 +403,67 @@ interface(`dbus_manage_lib_files',`
+@@ -397,81 +405,67 @@ interface(`dbus_manage_lib_files',`
 ## </param>
 ## <param name="entry_point">
 ##	<summary>
@ -20506,7 +20508,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -479,18 +471,18 @@ interface(`dbus_spec_session_domain',`
+@@ -479,18 +473,18 @@ interface(`dbus_spec_session_domain',`
 ##	</summary>
 ## </param>
 #
@ -20530,7 +20532,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -498,98 +490,80 @@ interface(`dbus_connect_system_bus',`
+@@ -498,98 +492,80 @@ interface(`dbus_connect_system_bus',`
 ##	</summary>
 ## </param>
 #
@ -20657,7 +20659,7 @@ index 62d22cb..2b84a85 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -597,28 +571,49 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +573,49 @@ interface(`dbus_use_system_bus_fds',`
 ##	</summary>
 ## </param>
 #
@ -22165,7 +22167,7 @@ index c697edb..31d45bf 100644
 +	allow $1 dhcpd_unit_file_t:service all_service_perms;
 ')
 diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..36e32aa 100644
+index 98a24b9..5b576ff 100644
 --- a/dhcp.te
 +++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@ -22194,23 +22196,39 @@ index 98a24b9..36e32aa 100644
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
 
-@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t)
+@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t)
 
 logging_send_syslog_msg(dhcpd_t)
 
 -miscfiles_read_localization(dhcpd_t)
 -
+sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',`
- 	sysnet_use_ldap(dhcpd_t)
- ')
+ userdom_dontaudit_search_user_home_dirs(dhcpd_t)
 
-+ifdef(`distro_gentoo',`
-+	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+ tunable_policy(`dhcpd_use_ldap',`
+-	sysnet_use_ldap(dhcpd_t)
+    allow dhcpd_t self:tcp_socket create_socket_perms;
 +')
 +
+tunable_policy(`dhcpd_use_ldap',`
+    corenet_tcp_sendrecv_generic_if(dhcpd_t)
+    corenet_tcp_sendrecv_generic_node(dhcpd_t)
+    corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+    corenet_tcp_connect_ldap_port(dhcpd_t)
+    corenet_sendrecv_ldap_client_packets(dhcpd_t)
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+	ldap_read_certs(dhcpd_t)
+')
+
+ifdef(`distro_gentoo',`
+	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+ ')
+ 
 optional_policy(`
 +	# used for dynamic DNS
 	bind_read_dnssec_keys(dhcpd_t)
@ -24089,10 +24107,10 @@ index 0000000..1048292
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..acaabd3
+index 0000000..4b54a05
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,267 @@
+@@ -0,0 +1,268 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@ -24319,6 +24337,7 @@ index 0000000..acaabd3
 +modutils_domtrans_insmod(docker_t)
 +
 +systemd_status_all_unit_files(docker_t)
+systemd_start_systemd_services(docker_t)
 +
 +userdom_stream_connect(docker_t)
 +userdom_search_user_home_content(docker_t)
@ -28246,10 +28265,10 @@ index 0000000..04e159f
 +')
 diff --git a/gear.te b/gear.te
 new file mode 100644
-index 0000000..e6a1c7c
+index 0000000..7f1639a
 --- /dev/null
 +++ b/gear.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,105 @@
 +policy_module(gear, 1.0.0)
 +
 +########################################
@ -28277,7 +28296,7 @@ index 0000000..e6a1c7c
 +#
 +# gear local policy
 +#
-+allow gear_t self:capability chown;
+allow gear_t self:capability { chown net_admin fowner dac_override };
 +allow gear_t self:capability2 block_suspend;
 +allow gear_t self:process { getattr signal_perms };
 +allow gear_t self:fifo_file rw_fifo_file_perms;
@ -28351,6 +28370,10 @@ index 0000000..e6a1c7c
 +optional_policy(`
 +	docker_stream_connect(gear_t)
 +')
+
+optional_policy(`
+	openshift_manage_lib_files(gear_t)
+')
 diff --git a/geoclue.fc b/geoclue.fc
 new file mode 100644
 index 0000000..a97f14f
@ -28946,11 +28969,20 @@ index 9eacb2c..229782f 100644
 	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
 	domain_system_change_exemption($1)
 diff --git a/glance.te b/glance.te
-index 5cd0909..a304d35 100644
+index 5cd0909..1464b4d 100644
 --- a/glance.te
 +++ b/glance.te
-@@ -7,8 +7,7 @@ policy_module(glance, 1.1.0)
+@@ -5,10 +5,16 @@ policy_module(glance, 1.1.0)
+ # Declarations
+ #
 
+## <desc>
+## <p>
+## Allow glance domain to manage fuse files
+## </p>
+## </desc>
+gen_tunable(glance_use_fusefs, false)
+
 attribute glance_domain;
 
 -type glance_registry_t, glance_domain;
@ -28959,7 +28991,7 @@ index 5cd0909..a304d35 100644
 init_daemon_domain(glance_registry_t, glance_registry_exec_t)
 
 type glance_registry_initrc_exec_t;
-@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t)
+@@ -17,8 +23,10 @@ init_script_file(glance_registry_initrc_exec_t)
 type glance_registry_tmp_t;
 files_tmp_file(glance_registry_tmp_t)
 
@ -28972,7 +29004,7 @@ index 5cd0909..a304d35 100644
 init_daemon_domain(glance_api_t, glance_api_exec_t)
 
 type glance_api_initrc_exec_t;
-@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t)
+@@ -41,6 +49,7 @@ files_pid_file(glance_var_run_t)
 # Common local policy
 #
 
@ -28980,7 +29012,7 @@ index 5cd0909..a304d35 100644
 allow glance_domain self:fifo_file rw_fifo_file_perms;
 allow glance_domain self:unix_stream_socket create_stream_socket_perms;
 allow glance_domain self:tcp_socket { accept listen };
-@@ -56,29 +58,29 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,29 +65,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
 manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
 manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
 
@ -29011,6 +29043,15 @@ index 5cd0909..a304d35 100644
 -
 sysnet_dns_name_resolve(glance_domain)
 
+tunable_policy(`glance_use_fusefs',`
+	fs_manage_fusefs_dirs(glance_domain)
+	fs_manage_fusefs_files(glance_domain)
+	fs_read_fusefs_symlinks(glance_domain)
+	fs_getattr_fusefs(glance_domain)
+')
+
+
+
 +optional_policy(`
 +    mysql_read_db_lnk_files(glance_domain)
 +')
@ -29018,7 +29059,7 @@ index 5cd0909..a304d35 100644
 ########################################
 #
 # Registry local policy
-@@ -88,8 +90,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -88,8 +106,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
 manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
 files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
 
@ -29033,7 +29074,7 @@ index 5cd0909..a304d35 100644
 
 logging_send_syslog_msg(glance_registry_t)
 
-@@ -108,13 +116,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +132,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
 files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
 can_exec(glance_api_t, glance_tmp_t)
 
@ -43398,10 +43439,10 @@ index 0000000..8d0e473
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/mock.if b/mock.if
 new file mode 100644
-index 0000000..6568bfe
+index 0000000..f5b98e6
 --- /dev/null
 +++ b/mock.if
-@@ -0,0 +1,310 @@
+@@ -0,0 +1,311 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@ -43457,6 +43498,7 @@ index 0000000..6568bfe
 +	')
 +
 +	files_search_var_lib($1)
+    list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
 +	read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
 +')
 +
@ -43714,10 +43756,10 @@ index 0000000..6568bfe
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..fc64201
+index 0000000..1bf717f
 --- /dev/null
 +++ b/mock.te
-@@ -0,0 +1,276 @@
+@@ -0,0 +1,277 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@ -43912,7 +43954,7 @@ index 0000000..fc64201
 +#
 +# mock_build local policy
 +#
-+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
 +dontaudit mock_build_t self:capability audit_write;
 +allow mock_build_t self:process { fork setsched setpgid signal_perms };
 +allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
@ -43989,6 +44031,7 @@ index 0000000..fc64201
 +
 +libs_exec_ldconfig(mock_build_t)
 +
+term_use_all_inherited_terms(mock_build_t)
 +userdom_use_inherited_user_ptys(mock_build_t)
 +
 +tunable_policy(`mock_enable_homedirs',`
@ -79241,7 +79284,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
 ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..c820b6f 100644
+index d32e1a2..54838ad 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@ -79262,7 +79305,7 @@ index d32e1a2..c820b6f 100644
 
 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
 files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -50,25 +49,49 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +49,50 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
 files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
 
 kernel_read_network_state(rhsmcertd_t)
@ -79271,6 +79314,7 @@ index d32e1a2..c820b6f 100644
 +kernel_read_sysctl(rhsmcertd_t)
 +
 +corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
 +corenet_tcp_connect_squid_port(rhsmcertd_t)
 
 corecmd_exec_bin(rhsmcertd_t)
@ -88224,7 +88268,7 @@ index 12700b4..fde3c8d 100644
 +    unconfined_domain(unconfined_sendmail_t)
 ')
 diff --git a/sensord.fc b/sensord.fc
-index 8185d5a..97926d2 100644
+index 8185d5a..9be989a 100644
 --- a/sensord.fc
 +++ b/sensord.fc
@@ -1,5 +1,9 @@
@ -88234,7 +88278,7 @@ index 8185d5a..97926d2 100644
 
 /usr/sbin/sensord	--	gen_context(system_u:object_r:sensord_exec_t,s0)
 
-+/var/log/sensord\.rrd	--	gen_context(system_u:object_r:sensord_log_t,s0)
+/var/log/sensor.*		gen_context(system_u:object_r:sensord_log_t,s0)
 +
 /var/run/sensord\.pid	--	gen_context(system_u:object_r:sensord_var_run_t,s0)
 diff --git a/sensord.if b/sensord.if
@ -89414,7 +89458,7 @@ index e2544e1..d3fbd78 100644
 +	xserver_xdm_append_log(shutdown_t)
 ')
 diff --git a/slocate.te b/slocate.te
-index 7292dc0..41c780f 100644
+index 7292dc0..ce903d6 100644
 --- a/slocate.te
 +++ b/slocate.te
@@ -62,7 +62,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
@ -89425,6 +89469,15 @@ index 7292dc0..41c780f 100644
 
 ifdef(`enable_mls',`
 	files_dontaudit_getattr_all_dirs(locate_t)
+@@ -71,3 +70,8 @@ ifdef(`enable_mls',`
+ optional_policy(`
+ 	cron_system_entry(locate_t, locate_exec_t)
+ ')
+
+optional_policy(`
+	mock_getattr_lib(locate_t)
+')
+
 diff --git a/slpd.if b/slpd.if
 index ca32e89..98278dd 100644
 --- a/slpd.if
@ -91463,7 +91516,7 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
 ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..c76586c 100644
+index cc58e35..4f35a1b 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@ -91937,17 +91990,17 @@ index cc58e35..c76586c 100644
 allow spamd_t self:unix_dgram_socket sendto;
 -allow spamd_t self:unix_stream_socket { accept connectto listen };
 -allow spamd_t self:tcp_socket { accept listen };
-
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
+ 
 -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
-+allow spamd_t self:unix_stream_socket connectto;
-+allow spamd_t self:tcp_socket create_stream_socket_perms;
-+allow spamd_t self:udp_socket create_socket_perms;
- 
+-
 -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@ -92130,7 +92183,7 @@ index cc58e35..c76586c 100644
 ')
 
 optional_policy(`
-@@ -455,7 +533,12 @@ optional_policy(`
+@@ -455,7 +533,17 @@ optional_policy(`
 optional_policy(`
 	razor_domtrans(spamd_t)
 	razor_read_lib_files(spamd_t)
@ -92141,10 +92194,15 @@ index cc58e35..c76586c 100644
 +	tunable_policy(`spamd_enable_home_dirs',`
 +		razor_manage_user_home_files(spamd_t)
 +	')
+')
+
+optional_policy(`
+    spamassassin_filetrans_home_content(spamd_t)
+    spamassassin_filetrans_admin_home_content(spamd_t)
 ')
 
 optional_policy(`
-@@ -463,9 +546,9 @@ optional_policy(`
+@@ -463,9 +551,9 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -92155,7 +92213,7 @@ index cc58e35..c76586c 100644
 ')
 
 optional_policy(`
-@@ -474,32 +557,32 @@ optional_policy(`
+@@ -474,32 +562,32 @@ optional_policy(`
 
 ########################################
 #
@ -92198,7 +92256,7 @@ index cc58e35..c76586c 100644
 
 corecmd_exec_bin(spamd_update_t)
 corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +591,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +596,21 @@ dev_read_urand(spamd_update_t)
 
 domain_use_interactive_fds(spamd_update_t)
 
@ -95958,7 +96016,7 @@ index 5406b6e..dc5b46e 100644
 	admin_pattern($1, tgtd_tmpfs_t)
 ')
 diff --git a/tgtd.te b/tgtd.te
-index d010963..5ecc3bf 100644
+index d010963..3822bc7 100644
 --- a/tgtd.te
 +++ b/tgtd.te
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
@ -95970,8 +96028,11 @@ index d010963..5ecc3bf 100644
 allow tgtd_t self:capability2 block_suspend;
 allow tgtd_t self:process { setrlimit signal };
 allow tgtd_t self:fifo_file rw_fifo_file_perms;
-@@ -58,13 +58,13 @@ kernel_read_system_state(tgtd_t)
+@@ -56,15 +56,16 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
+ 
+ kernel_read_system_state(tgtd_t)
 kernel_read_fs_sysctls(tgtd_t)
+kernel_read_network_state(tgtd_t)
 
 corenet_all_recvfrom_netlabel(tgtd_t)
 -corenet_all_recvfrom_unlabeled(tgtd_t)
@ -95985,7 +96046,7 @@ index d010963..5ecc3bf 100644
 corenet_tcp_sendrecv_iscsi_port(tgtd_t)
 
 corenet_sendrecv_iscsi_client_packets(tgtd_t)
-@@ -72,16 +72,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
+@@ -72,16 +73,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
 
 dev_read_sysfs(tgtd_t)
 
@ -101047,7 +101108,7 @@ index facdee8..88dcafb 100644
 +	virt_stream_connect($1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..fe84861 100644
+index f03dcf5..25f4104 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,212 @@
@ -101909,7 +101970,7 @@ index f03dcf5..fe84861 100644
 
 tunable_policy(`virt_use_samba',`
 -	fs_manage_cifs_files(virtd_t)
-+	fs_manage_nfs_files(virtd_t)
+	fs_manage_cifs_dirs(virtd_t)
 	fs_manage_cifs_files(virtd_t)
 	fs_read_cifs_symlinks(virtd_t)
 ')
@ -102020,16 +102081,7 @@ index f03dcf5..fe84861 100644
 +allow virt_domain self:tcp_socket create_stream_socket_perms;
 +allow virt_domain self:udp_socket create_socket_perms;
 +allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
- 
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
-allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
-
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
 +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
 +read_files_pattern(virt_domain, virt_content_t, virt_content_t)
 +dontaudit virt_domain virt_content_t:file write_file_perms;
@ -102047,17 +102099,30 @@ index f03dcf5..fe84861 100644
 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
-+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
 
+-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+-allow virsh_t self:process { getcap getsched setsched setcap signal };
+-allow virsh_t self:fifo_file rw_fifo_file_perms;
+-allow virsh_t self:unix_stream_socket { accept connectto listen };
+-allow virsh_t self:tcp_socket { accept listen };
+-
+-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-
 -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+ 
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
 +
 +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@ -102089,18 +102154,15 @@ index f03dcf5..fe84861 100644
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
 
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 +dontaudit virt_domain virt_tmpfs_type:file { read write };
 
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+-allow virsh_t svirt_lxc_domain:process transition;
 +append_files_pattern(virt_domain, virt_log_t, virt_log_t)
 
-allow virsh_t svirt_lxc_domain:process transition;
-+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
- 
 -can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
 +corecmd_exec_bin(virt_domain)
 +corecmd_exec_shell(virt_domain)
 +
@ -102132,7 +102194,7 @@ index f03dcf5..fe84861 100644
 +files_read_mnt_symlinks(virt_domain)
 +files_read_var_files(virt_domain)
 +files_search_all(virt_domain)
- 
+
 +fs_getattr_xattr_fs(virt_domain)
 +fs_getattr_tmpfs(virt_domain)
 +fs_rw_anon_inodefs_files(virt_domain)
@ -102221,7 +102283,7 @@ index f03dcf5..fe84861 100644
 +	fs_read_cifs_symlinks(virt_domain)
 +	fs_getattr_cifs(virt_domain)
 +')
-+
+ 
 +tunable_policy(`virt_use_usb',`
 +	dev_rw_usbfs(virt_domain)
 +	dev_read_sysfs(virt_domain)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 47%{?dist}
+Release: 48%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -588,6 +588,20 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Fri Apr 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-48
+- Fix virt_use_samba boolean
+- Looks like all domains that use dbus libraries are now reading /dev/urand
+- Add glance_use_fusefs() boolean
+- Allow tgtd to read /proc/net/psched
+- Additional access required for gear management of openshift directories
+- Allow sys_ptrace for mock-build
+- Fix mock_read_lib_files() interface
+- Allow mock-build to write all inherited ttys and ptys
+- Allow spamd to create razor home dirs with correct labeling
+- Clean up sysnet_use_ldap()
+- systemd calling needs to be optional
+- Allow init_t to setattr/relabelfrom dhcp state files
+
 * Wed Apr 23 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-47
 - mongod should not be a part of cloudforms.pp
 - Fix labeling in snapper.fc