- Add additional fixes for systemd_networkd_t

- Allow systemd-logind to manage user_tmpfs_t - Allow systemd-logind to mount /run/user/1000 to get gdm working - Dontaudit attempts to setsched on the kernel_t threads - Allow munin mail plugins to read network systcl - Fix git_system_enable_homedirs boolean - Make cimtest script 03_defineVS.py of ComputerSystem group working - Make abrt-java-connector working - Allow net_admin cap for fence_virtd running as fenced_t - Allow vmtools_helper_t to execute bin_t - Add support for /usr/share/joomla
2014-03-14 11:01:06 +01:00 · 2014-03-14 11:01:06 +01:00 · 3f9fe17186
parent 0575d649c8
commit 3f9fe17186
3 changed files with 510 additions and 374 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -21386,7 +21386,7 @@ index 8ce99ff..0819898 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 ')
 diff --git a/devicekit.te b/devicekit.te
-index 77a5003..73f2867 100644
+index 77a5003..b605240 100644
 --- a/devicekit.te
 +++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@ -21431,7 +21431,7 @@ index 77a5003..73f2867 100644
 allow devicekit_disk_t self:process { getsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,17 +79,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
 manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@ -21444,6 +21444,14 @@ index 77a5003..73f2867 100644
 kernel_read_fs_sysctls(devicekit_disk_t)
 kernel_read_network_state(devicekit_disk_t)
 kernel_read_software_raid_state(devicekit_disk_t)
+ kernel_read_system_state(devicekit_disk_t)
+ kernel_read_vm_sysctls(devicekit_disk_t)
+ kernel_request_load_module(devicekit_disk_t)
+-kernel_setsched(devicekit_disk_t)
+kernel_dontaudit_setsched(devicekit_disk_t)
+ 
+ corecmd_exec_bin(devicekit_disk_t)
+ corecmd_exec_shell(devicekit_disk_t)
@@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
 
 dev_getattr_all_chr_files(devicekit_disk_t)
@ -21537,7 +21545,7 @@ index 77a5003..73f2867 100644
 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
 
 manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -224,7 +236,7 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
+@@ -224,12 +236,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
 kernel_read_fs_sysctls(devicekit_power_t)
 kernel_read_network_state(devicekit_power_t)
 kernel_read_system_state(devicekit_power_t)
@ -21546,6 +21554,12 @@ index 77a5003..73f2867 100644
 kernel_rw_kernel_sysctl(devicekit_power_t)
 kernel_rw_vm_sysctls(devicekit_power_t)
 kernel_search_debugfs(devicekit_power_t)
+ kernel_write_proc_files(devicekit_power_t)
+-kernel_setsched(devicekit_power_t)
+kernel_dontaudit_setsched(devicekit_power_t)
+ 
+ corecmd_exec_bin(devicekit_power_t)
+ corecmd_exec_shell(devicekit_power_t)
@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t)
 
 files_read_kernel_img(devicekit_power_t)
@ -23578,7 +23592,7 @@ index 0000000..89401fe
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..5e91008
+index 0000000..ea0f2d3
 --- /dev/null
 +++ b/docker.te
@@ -0,0 +1,260 @@
@ -23763,7 +23777,7 @@ index 0000000..5e91008
 +allow docker_t docker_var_lib_t:chr_file mounton;
 +can_exec(docker_t, docker_var_lib_t)
 +
-+kernel_setsched(docker_t)
+kernel_dontaudit_setsched(docker_t)
 +kernel_get_sysvipc_info(docker_t)
 +kernel_request_load_module(docker_t)
 +kernel_mounton_messages(docker_t)
@ -27743,7 +27757,7 @@ index 1e29af1..6c64f55 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index dc49c71..72aa729 100644
+index dc49c71..3ef1e93 100644
 --- a/git.te
 +++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@ -27812,17 +27826,18 @@ index dc49c71..72aa729 100644
 corenet_all_recvfrom_unlabeled(git_system_t)
 corenet_all_recvfrom_netlabel(git_system_t)
 corenet_tcp_sendrecv_generic_if(git_system_t)
-@@ -176,6 +172,9 @@ logging_send_syslog_msg(git_system_t)
+@@ -176,6 +172,10 @@ logging_send_syslog_msg(git_system_t)
 
 tunable_policy(`git_system_enable_homedirs',`
 	userdom_search_user_home_dirs(git_system_t)
 +	list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
+	list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
 +	read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
 +
 ')
 
 tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -215,48 +214,48 @@ tunable_policy(`git_system_use_nfs',`
+@@ -215,48 +215,48 @@ tunable_policy(`git_system_use_nfs',`
 # CGI policy
 #
 
@ -27893,7 +27908,7 @@ index dc49c71..72aa729 100644
 ')
 
 ########################################
-@@ -266,12 +265,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -266,12 +266,9 @@ tunable_policy(`git_cgi_use_nfs',`
 
 allow git_daemon self:fifo_file rw_fifo_file_perms;
 
@ -32464,7 +32479,7 @@ index e151378..04d173d 100644
 fs_getattr_xattr_fs(zookeeper_server_t)
 
 diff --git a/hal.te b/hal.te
-index bbccc79..6c6524a 100644
+index bbccc79..435ac42 100644
 --- a/hal.te
 +++ b/hal.te
@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
@ -32475,6 +32490,15 @@ index bbccc79..6c6524a 100644
 
 miscfiles_read_localization(hald_domain)
 
+@@ -116,7 +115,7 @@ kernel_rw_irq_sysctls(hald_t)
+ kernel_rw_vm_sysctls(hald_t)
+ kernel_write_proc_files(hald_t)
+ kernel_rw_net_sysctls(hald_t)
+-kernel_setsched(hald_t)
+kernel_dontaudit_setsched(hald_t)
+ kernel_request_load_module(hald_t)
+ 
+ corecmd_exec_all_executables(hald_t)
@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
 
 dev_rw_input_dev(hald_keymap_t)
@ -33790,7 +33814,7 @@ index 1a35420..2ea1241 100644
 	logging_search_logs($1)
 	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index ca020fa..a25fc7f 100644
+index ca020fa..7f7047f 100644
 --- a/iscsi.te
 +++ b/iscsi.te
@@ -9,8 +9,8 @@ type iscsid_t;
@ -33834,7 +33858,8 @@ index ca020fa..a25fc7f 100644
 +kernel_request_load_module(iscsid_t)
 kernel_read_network_state(iscsid_t)
 kernel_read_system_state(iscsid_t)
- kernel_setsched(iscsid_t)
+-kernel_setsched(iscsid_t)
+kernel_dontaudit_setsched(iscsid_t)
 +kernel_request_load_module(iscsid_t)
 
 -corenet_all_recvfrom_unlabeled(iscsid_t)
@ -44365,7 +44390,7 @@ index 6194b80..03c6414 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..dfd8d3a 100644
+index 11ac8e4..ad56dac 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@ -44768,34 +44793,34 @@ index 11ac8e4..dfd8d3a 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
+')
+
+optional_policy(`
+	java_domtrans(mozilla_t)
 ')
 
 optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	java_domtrans(mozilla_t)
+	lpd_domtrans_lpr(mozilla_t)
 ')
 
 optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	lpd_domtrans_lpr(mozilla_t)
+	mplayer_domtrans(mozilla_t)
+	mplayer_read_user_home_files(mozilla_t)
 ')
 
 optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
+	nscd_socket_use(mozilla_t)
 ')
 
 optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
-+	nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@ -44803,7 +44828,7 @@ index 11ac8e4..dfd8d3a 100644
 ')
 
 optional_policy(`
-@@ -300,259 +324,243 @@ optional_policy(`
+@@ -300,259 +324,247 @@ optional_policy(`
 
 ########################################
 #
@ -45066,12 +45091,12 @@ index 11ac8e4..dfd8d3a 100644
 
 -userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
- 
+-
 -userdom_manage_user_home_content_dirs(mozilla_plugin_t)
 -userdom_manage_user_home_content_files(mozilla_plugin_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
-
+systemd_read_logind_sessions_files(mozilla_plugin_t)
+ 
 -userdom_write_user_tmp_sockets(mozilla_plugin_t)
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
@ -45095,24 +45120,26 @@ index 11ac8e4..dfd8d3a 100644
 -ifndef(`enable_mls',`
 -	fs_list_dos(mozilla_plugin_t)
 -	fs_read_dos_files(mozilla_plugin_t)
-
-	fs_search_removable(mozilla_plugin_t)
-	fs_read_removable_files(mozilla_plugin_t)
-	fs_read_removable_symlinks(mozilla_plugin_t)
 +userdom_read_user_home_content_files(mozilla_plugin_t)
 +userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 +userdom_read_home_certs(mozilla_plugin_t)
 +userdom_read_home_audio_files(mozilla_plugin_t)
 +userdom_exec_user_tmp_files(mozilla_plugin_t)
 
-	fs_read_iso9660_files(mozilla_plugin_t)
-')
+-	fs_search_removable(mozilla_plugin_t)
+-	fs_read_removable_files(mozilla_plugin_t)
+-	fs_read_removable_symlinks(mozilla_plugin_t)
 +userdom_home_manager(mozilla_plugin_t)
 
+-	fs_read_iso9660_files(mozilla_plugin_t)
+tunable_policy(`mozilla_plugin_can_network_connect',`
+	corenet_tcp_connect_all_ports(mozilla_plugin_t)
+ ')
+ 
 -tunable_policy(`allow_execmem',`
 -	allow mozilla_plugin_t self:process execmem;
-+tunable_policy(`mozilla_plugin_can_network_connect',`
-+	corenet_tcp_connect_all_ports(mozilla_plugin_t)
+optional_policy(`
+    abrt_stream_connect(mozilla_plugin_t)
 ')
 
 -tunable_policy(`mozilla_execstack',`
@ -45196,7 +45223,7 @@ index 11ac8e4..dfd8d3a 100644
 ')
 
 optional_policy(`
-@@ -560,7 +568,11 @@ optional_policy(`
+@@ -560,7 +572,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -45209,7 +45236,7 @@ index 11ac8e4..dfd8d3a 100644
 ')
 
 optional_policy(`
-@@ -568,108 +580,131 @@ optional_policy(`
+@@ -568,108 +584,131 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47689,7 +47716,7 @@ index b744fe3..900d083 100644
 +	admin_pattern($1, munin_content_t)
 ')
 diff --git a/munin.te b/munin.te
-index b708708..0deb9fa 100644
+index b708708..7bdfb65 100644
 --- a/munin.te
 +++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@ -47835,7 +47862,7 @@ index b708708..0deb9fa 100644
 ####################################
 #
 # Mail local policy
-@@ -279,27 +273,36 @@ optional_policy(`
+@@ -279,27 +273,38 @@ optional_policy(`
 
 allow mail_munin_plugin_t self:capability dac_override;
 
@ -47844,6 +47871,8 @@ index b708708..0deb9fa 100644
 +
 rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 
+kernel_read_net_sysctls(mail_munin_plugin_t)
+
 dev_read_urand(mail_munin_plugin_t)
 
 logging_read_generic_logs(mail_munin_plugin_t)
@ -47876,7 +47905,7 @@ index b708708..0deb9fa 100644
 ')
 
 optional_policy(`
-@@ -339,7 +342,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -339,7 +344,7 @@ dev_read_rand(services_munin_plugin_t)
 sysnet_read_config(services_munin_plugin_t)
 
 optional_policy(`
@ -47885,7 +47914,7 @@ index b708708..0deb9fa 100644
 ')
 
 optional_policy(`
-@@ -361,7 +364,11 @@ optional_policy(`
+@@ -361,7 +366,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47898,7 +47927,7 @@ index b708708..0deb9fa 100644
 ')
 
 optional_policy(`
-@@ -393,6 +400,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +402,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
 
 kernel_read_network_state(system_munin_plugin_t)
 kernel_read_all_sysctls(system_munin_plugin_t)
@ -47906,7 +47935,7 @@ index b708708..0deb9fa 100644
 
 dev_read_sysfs(system_munin_plugin_t)
 dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +429,32 @@ optional_policy(`
+@@ -421,3 +431,32 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(unconfined_munin_plugin_t)
 ')
@ -50505,7 +50534,7 @@ index 86dc29d..1cd0d0e 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
 ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..5e67bb6 100644
+index 55f2009..bb85ae6 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@ -50611,7 +50640,7 @@ index 55f2009..5e67bb6 100644
 kernel_request_load_module(NetworkManager_t)
 kernel_read_debugfs(NetworkManager_t)
 kernel_rw_net_sysctls(NetworkManager_t)
-+kernel_setsched(NetworkManager_t)
+kernel_dontaudit_setsched(NetworkManager_t)
 
 -corenet_all_recvfrom_unlabeled(NetworkManager_t)
 corenet_all_recvfrom_netlabel(NetworkManager_t)
@ -59727,7 +59756,7 @@ index d2fc677..ded726f 100644
 ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454..100a122 100644
+index 608f454..aa814c8 100644
 --- a/pegasus.te
 +++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -60221,6 +60250,14 @@ index 608f454..100a122 100644
 ')
 
 optional_policy(`
+@@ -180,6 +493,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+    virt_getattr_images(pegasus_t)
+ 	virt_domtrans(pegasus_t)
+ 	virt_stream_connect(pegasus_t)
+ 	virt_manage_config(pegasus_t)
 diff --git a/pesign.fc b/pesign.fc
 new file mode 100644
 index 0000000..7b54c39
@ -72534,7 +72571,7 @@ index da64218..3fb8575 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
 ')
 diff --git a/quota.te b/quota.te
-index f47c8e8..a0251fe 100644
+index f47c8e8..3710974 100644
 --- a/quota.te
 +++ b/quota.te
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
@ -72570,7 +72607,7 @@ index f47c8e8..a0251fe 100644
 allow quota_t quota_db_t:file { manage_file_perms quotaon };
 files_root_filetrans(quota_t, quota_db_t, file)
 files_boot_filetrans(quota_t, quota_db_t, file)
-@@ -48,7 +44,6 @@ files_var_filetrans(quota_t, quota_db_t, file)
+@@ -48,24 +44,15 @@ files_var_filetrans(quota_t, quota_db_t, file)
 files_spool_filetrans(quota_t, quota_db_t, file)
 userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
 
@ -72578,7 +72615,10 @@ index f47c8e8..a0251fe 100644
 kernel_list_proc(quota_t)
 kernel_read_proc_symlinks(quota_t)
 kernel_read_kernel_sysctls(quota_t)
-@@ -58,14 +53,6 @@ dev_read_sysfs(quota_t)
+-kernel_setsched(quota_t)
+kernel_dontaudit_setsched(quota_t)
+ 
+ dev_read_sysfs(quota_t)
 dev_getattr_all_blk_files(quota_t)
 dev_getattr_all_chr_files(quota_t)
 
@ -73265,7 +73305,7 @@ index 951db7f..c0cabe8 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
 ')
 diff --git a/raid.te b/raid.te
-index c99753f..c5d944b 100644
+index c99753f..2d260c2 100644
 --- a/raid.te
 +++ b/raid.te
@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@ -73319,7 +73359,7 @@ index c99753f..c5d944b 100644
 kernel_read_kernel_sysctls(mdadm_t)
 kernel_request_load_module(mdadm_t)
 kernel_rw_software_raid_state(mdadm_t)
-+kernel_setsched(mdadm_t)
+kernel_dontaudit_setsched(mdadm_t)
 
 corecmd_exec_bin(mdadm_t)
 corecmd_exec_shell(mdadm_t)
@ -76540,7 +76580,7 @@ index c8bdea2..1337d42 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..e7fe8c7 100644
+index 6cf79c4..8980ac4 100644
 --- a/rhcs.te
 +++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@ -76899,9 +76939,10 @@ index 6cf79c4..e7fe8c7 100644
 # fenced local policy
 #
 
- allow fenced_t self:capability { sys_rawio sys_resource };
+-allow fenced_t self:capability { sys_rawio sys_resource };
 -allow fenced_t self:process { getsched signal_perms };
 -allow fenced_t self:tcp_socket { accept listen };
+allow fenced_t self:capability { net_admin sys_rawio sys_resource };
 +allow fenced_t self:process { getsched setpgid signal_perms };
 +
 +allow fenced_t self:tcp_socket create_stream_socket_perms;
@ -79132,7 +79173,7 @@ index 0bf13c2..d59aef7 100644
 		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
 		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..2497a03 100644
+index 2da9fca..09e0307 100644
 --- a/rpc.te
 +++ b/rpc.te
@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@ -79324,7 +79365,8 @@ index 2da9fca..2497a03 100644
 +kernel_read_system_state(nfsd_t)
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
+-kernel_setsched(nfsd_t)
+kernel_dontaudit_setsched(nfsd_t)
 kernel_request_load_module(nfsd_t)
 -# kernel_mounton_proc(nfsd_t)
 +kernel_mounton_proc(nfsd_t)
@ -85782,7 +85824,7 @@ index 98c9e0a..d4aa009 100644
 	files_search_pids($1)
 	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..0e798f1 100644
+index 299756b..453eb03 100644
 --- a/sblim.te
 +++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@ -85888,7 +85930,7 @@ index 299756b..0e798f1 100644
 ')
 
 optional_policy(`
-@@ -117,6 +133,32 @@ optional_policy(`
+@@ -117,6 +133,33 @@ optional_policy(`
 # Reposd local policy
 #
 
@ -85916,6 +85958,7 @@ index 299756b..0e798f1 100644
 +auth_use_nsswitch(sblim_sfcbd_t)
 +
 +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
 +
 +dev_read_rand(sblim_sfcbd_t)
 +dev_read_urand(sblim_sfcbd_t)
@ -97799,7 +97842,7 @@ index a4f20bc..6351bcb 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..fddb027 100644
+index facdee8..f2c0191 100644
 --- a/virt.if
 +++ b/virt.if
@@ -1,120 +1,51 @@
@ -98250,17 +98293,35 @@ index facdee8..fddb027 100644
 	manage_files_pattern($1, virt_etc_t, virt_etc_t)
 	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -414,8 +251,7 @@ interface(`virt_manage_config',`
+@@ -414,8 +251,25 @@ interface(`virt_manage_config',`
 
 ########################################
 ## <summary>
 -##	Create, read, write, and delete
 -##	virt image files.
+##	Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_getattr_content',`
+	gen_require(`
+		type virt_content_t;
+	')
+
+    allow $1 virt_content_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
 +##	Allow domain to manage virt image files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -450,8 +286,7 @@ interface(`virt_read_content',`
+@@ -450,8 +304,7 @@ interface(`virt_read_content',`
 
 ########################################
 ## <summary>
@ -98270,7 +98331,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -459,35 +294,17 @@ interface(`virt_read_content',`
+@@ -459,35 +312,17 @@ interface(`virt_read_content',`
 ##	</summary>
 ## </param>
 #
@ -98309,7 +98370,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +330,37 @@ interface(`virt_manage_virt_content',`
 ##	</summary>
 ## </param>
 #
@ -98373,7 +98434,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +368,21 @@ interface(`virt_home_filetrans_virt_content',`
 ##	</summary>
 ## </param>
 #
@ -98416,7 +98477,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +390,36 @@ interface(`virt_manage_svirt_home_content',`
 ##	</summary>
 ## </param>
 #
@ -98465,7 +98526,7 @@ index facdee8..fddb027 100644
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
-@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +428,36 @@ interface(`virt_relabel_svirt_home_content',`
 ##	</summary>
 ## </param>
 #
@ -98529,7 +98590,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +465,38 @@ interface(`virt_home_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -98596,7 +98657,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +504,58 @@ interface(`virt_manage_generic_virt_home_content',`
 ##	</summary>
 ## </param>
 #
@ -98635,14 +98696,31 @@ index facdee8..fddb027 100644
 -##	</summary>
 -## </param>
 -## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 +## <rolecap/>
+#
+interface(`virt_read_log',`
+	gen_require(`
+		type virt_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	virt log files.
+## </summary>
+## <param name="domain">
+ ##	<summary>
+-##	The name of the object being created.
+##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 #
 -interface(`virt_home_filetrans_virt_home',`
-+interface(`virt_read_log',`
+interface(`virt_append_log',`
 	gen_require(`
 -		type virt_home_t;
 +		type virt_log_t;
@ -98650,47 +98728,21 @@ index facdee8..fddb027 100644
 
 -	userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
 +	logging_search_logs($1)
-+	read_files_pattern($1, virt_log_t, virt_log_t)
- ')
- 
- ########################################
- ## <summary>
-##	Read virt pid files.
-+##	Allow the specified domain to append
-+##	virt log files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',`
- ##	</summary>
- ## </param>
- #
-interface(`virt_read_pid_files',`
-+interface(`virt_append_log',`
- 	gen_require(`
-		type virt_var_run_t;
-+		type virt_log_t;
- 	')
- 
-	files_search_pids($1)
-	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+	logging_search_logs($1)
 +	append_files_pattern($1, virt_log_t, virt_log_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt pid files.
+-##	Read virt pid files.
 +##	Allow domain to manage virt log files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',`
+@@ -781,19 +563,19 @@ interface(`virt_home_filetrans_virt_home',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_pid_files',`
+-interface(`virt_read_pid_files',`
 +interface(`virt_manage_log',`
 	gen_require(`
 -		type virt_var_run_t;
@ -98698,12 +98750,37 @@ index facdee8..fddb027 100644
 	')
 
 -	files_search_pids($1)
-	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+-	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
 +	manage_dirs_pattern($1, virt_log_t, virt_log_t)
 +	manage_files_pattern($1, virt_log_t, virt_log_t)
 +	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
 ')
 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt pid files.
+##	Allow domain to getattr virt image direcories
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -801,18 +583,18 @@ interface(`virt_read_pid_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_pid_files',`
+interface(`virt_getattr_images',`
+ 	gen_require(`
+-		type virt_var_run_t;
+		attribute virt_image_type;
+ 	')
+ 
+-	files_search_pids($1)
+-	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+	virt_search_lib($1)
+	allow $1 virt_image_type:file getattr_file_perms;
+ ')
+ 
 ########################################
 ## <summary>
 -##	Search virt lib directories.
@ -98711,7 +98788,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +602,18 @@ interface(`virt_manage_pid_files',`
 ##	</summary>
 ## </param>
 #
@ -98735,7 +98812,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -839,20 +584,73 @@ interface(`virt_search_lib',`
+@@ -839,20 +621,73 @@ interface(`virt_search_lib',`
 ##	</summary>
 ## </param>
 #
@ -98814,7 +98891,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -860,74 +658,265 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',`
 ##	</summary>
 ## </param>
 #
@ -98877,10 +98954,12 @@ index facdee8..fddb027 100644
 +    manage_dirs_pattern($1, virt_image_t, virt_image_t)
 +    manage_files_pattern($1, virt_image_t, virt_image_t)
 +    read_lnk_files_pattern($1, virt_image_t, virt_image_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in virt pid
+-##	directories with a private type.
 +##	Execute virt server in the virt domain.
 +## </summary>
 +## <param name="domain">
@ -98900,12 +98979,10 @@ index facdee8..fddb027 100644
 +	allow $1 virtd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, virtd_t)
- ')
- 
- ########################################
- ## <summary>
-##	Create objects in virt pid
-##	directories with a private type.
+')
+
+########################################
+## <summary>
 +##	Ptrace the svirt domain
 +## </summary>
 +## <param name="domain">
@ -98925,12 +99002,13 @@ index facdee8..fddb027 100644
 +#######################################
 +## <summary>
 +##	Execute Sandbox Files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
 +#
 +interface(`virt_exec_sandbox_files',`
 +	gen_require(`
@ -98943,13 +99021,14 @@ index facdee8..fddb027 100644
 +#######################################
 +## <summary>
 +##	Manage Sandbox Files
- ## </summary>
- ## <param name="domain">
+## </summary>
+## <param name="domain">
 ##	<summary>
- ##	Domain allowed access.
+-##	The type of the object to be created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private type">
+-## <param name="object">
 +#
 +interface(`virt_manage_sandbox_files',`
 +	gen_require(`
@ -98969,11 +99048,11 @@ index facdee8..fddb027 100644
 +## </summary>
 +## <param name="domain">
 ##	<summary>
-##	The type of the object to be created.
+-##	The object class of the object being created.
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object">
+-## <param name="name" optional="true">
 +#
 +interface(`virt_relabel_sandbox_filesystem',`
 +	gen_require(`
@ -98989,14 +99068,16 @@ index facdee8..fddb027 100644
 +## </summary>
 +## <param name="domain">
 ##	<summary>
-##	The object class of the object being created.
+-##	The name of the object being created.
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
-+#
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`virt_pid_filetrans',`
 +interface(`virt_mounton_sandbox_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_var_run_t;
 +		type svirt_sandbox_file_t;
 +	')
 +
@ -99008,17 +99089,13 @@ index facdee8..fddb027 100644
 +##	Connect to virt over a unix domain stream socket.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
-##	The name of the object being created.
+##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
-## <infoflow type="write" weight="10"/>
- #
-interface(`virt_pid_filetrans',`
+##	</summary>
+## </param>
+#
 +interface(`virt_stream_connect_sandbox',`
- 	gen_require(`
-		type virt_var_run_t;
+	gen_require(`
 +		attribute svirt_sandbox_domain;
 +		type svirt_sandbox_file_t;
 	')
@ -99074,10 +99151,11 @@ index facdee8..fddb027 100644
 +	optional_policy(`
 +		ptchown_run(virt_domain, $2)
 +	')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append virt log files.
 +##	Do not audit attempts to write virt daemon unnamed pipes.
 +## </summary>
 +## <param name="domain">
@ -99093,16 +99171,15 @@ index facdee8..fddb027 100644
 +
 +	dontaudit $1 virtd_t:fd use;
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
-##	Append virt log files.
+')
+
+########################################
+## <summary>
 +##	Send a sigkill to virtual machines
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -935,19 +924,17 @@ interface(`virt_read_log',`
+@@ -935,19 +961,17 @@ interface(`virt_read_log',`
 ##	</summary>
 ## </param>
 #
@ -99126,7 +99203,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -955,20 +942,17 @@ interface(`virt_append_log',`
+@@ -955,20 +979,17 @@ interface(`virt_append_log',`
 ##	</summary>
 ## </param>
 #
@ -99151,7 +99228,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -976,18 +960,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +997,17 @@ interface(`virt_manage_log',`
 ##	</summary>
 ## </param>
 #
@ -99174,7 +99251,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -995,36 +978,57 @@ interface(`virt_search_images',`
+@@ -995,36 +1015,57 @@ interface(`virt_search_images',`
 ##	</summary>
 ## </param>
 #
@ -99251,7 +99328,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1032,20 +1036,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +1073,28 @@ interface(`virt_read_images',`
 ##	</summary>
 ## </param>
 #
@ -99287,7 +99364,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1053,37 +1065,131 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1102,131 @@ interface(`virt_rw_all_image_chr_files',`
 ##	</summary>
 ## </param>
 #
@ -99433,7 +99510,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1091,36 +1197,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1234,54 @@ interface(`virt_manage_virt_cache',`
 ##	</summary>
 ## </param>
 #
@ -99507,7 +99584,7 @@ index facdee8..fddb027 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1136,50 +1260,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1297,36 @@ interface(`virt_manage_images',`
 #
 interface(`virt_admin',`
 	gen_require(`
@ -99549,8 +99626,7 @@ index facdee8..fddb027 100644
 -
 -	files_search_tmp($1)
 -	admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+	allow $1 virt_domain:process signal_perms;
- 
+-
 -	files_search_etc($1)
 -	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
 -
@ -99559,7 +99635,8 @@ index facdee8..fddb027 100644
 -
 -	files_search_pids($1)
 -	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
-
+	allow $1 virt_domain:process signal_perms;
+ 
 -	files_search_var($1)
 -	admin_pattern($1, svirt_cache_t)
 -
@ -99580,7 +99657,7 @@ index facdee8..fddb027 100644
 +	virt_stream_connect($1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..1bbfa18 100644
+index f03dcf5..fb96958 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,197 @@
@ -100274,7 +100351,7 @@ index f03dcf5..1bbfa18 100644
 logging_log_filetrans(virtd_t, virt_log_t, { file dir })
 
 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,16 +370,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +370,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
 
@ -100296,10 +100373,11 @@ index f03dcf5..1bbfa18 100644
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
-@@ -520,6 +383,7 @@ kernel_read_kernel_sysctls(virtd_t)
+ kernel_read_kernel_sysctls(virtd_t)
 kernel_request_load_module(virtd_t)
 kernel_search_debugfs(virtd_t)
- kernel_setsched(virtd_t)
+-kernel_setsched(virtd_t)
+kernel_dontaudit_setsched(virtd_t)
 +kernel_write_proc_files(virtd_t)
 
 corecmd_exec_bin(virtd_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 35%{?dist}
+Release: 36%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -580,6 +580,19 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Fri Mar 14 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-36
+- Add additional fixes for systemd_networkd_t
+- Allow systemd-logind to manage user_tmpfs_t
+- Allow systemd-logind to mount /run/user/1000 to get gdm working
+- Dontaudit attempts to setsched on the kernel_t threads
+- Allow munin mail plugins to read network systcl
+- Fix git_system_enable_homedirs boolean
+- Make cimtest script 03_defineVS.py of ComputerSystem group working
+- Make  abrt-java-connector working
+- Allow net_admin cap for fence_virtd running as fenced_t
+- Allow vmtools_helper_t to execute bin_t
+- Add support for /usr/share/joomla
+
 * Thu Mar 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-35
 - sshd to read network sysctls
 - Allow vmtools_helper_t to execute bin_t