- Allow bumblebeed to send signal to insmod

- Dontaudit attempts by crond_t net_admin caused by journald - Allow the docker daemon to mounton tty_device_t - Add addtional snapper fixes to allo relabel file_t - Allow setattr for all mountpoints - Allow snapperd to write all dirs - Add support for /etc/sysconfig/snapper - Allow mozilla_plugin to getsession - Add labeling for thttpd - Allow sosreport to execute grub2-probe - Allow NM to manage hostname config file - Allow systemd_timedated_t to dbus chat with rpm_script_t - Allow lsmd plugins to connect to http/ssh/http_cache ports by default - Add lsmd_plugin_connect_any boolea - Add support for ipset - Add support for /dev/sclp_line0 - Add modutils_signal_insmod() - Add files_relabelto_all_mountpoints() interface - Allow the docker daemon to mounton tty_device_t - Allow all systemd domains to read /proc/1 - Login programs talking to journald are attempting to net_admin, add dontaudit - init is not gettar on processes as shutdown time - Add systemd_hostnamed_manage_config() interface - Make unconfined_service_t valid in enforcing - Remove transition for temp dirs created by init_t - gdm-simple-slave uses use setsockopt - Add lvm_read_metadata()
2014-02-27 12:34:10 +01:00 · 2014-02-27 12:34:10 +01:00 · 439063013f
commit 439063013f
parent 2a6e2e714e
3 changed files with 473 additions and 321 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -2992,10 +2992,10 @@ index 0000000..8ba9c95
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..536a4bd 100644
+index 7caefc3..516f7bb 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,197 @@
+@@ -1,162 +1,200 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -3040,6 +3040,7 @@ index 7caefc3..536a4bd 100644
 -/etc/vhosts	--	gen_context(system_u:object_r:httpd_config_t,s0)
 -/etc/WebCalendar(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 -/etc/zabbix/web(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/thttpd\.conf       -- gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/WebCalendar(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@ -3112,6 +3113,7 @@ index 7caefc3..536a4bd 100644
 +/usr/sbin/php-fpm       --  gen_context(system_u:object_r:httpd_exec_t,s0)
 +/usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 +/usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/thttpd        -- gen_context(system_u:object_r:httpd_exec_t,s0)
 +
 +ifdef(`distro_suse', `
 +/usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
@ -3249,6 +3251,7 @@ index 7caefc3..536a4bd 100644
 /var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 -/var/log/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/thttpd\.log.*  -- gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/php_errors\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/z-push(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +ifdef(`distro_debian', `
@ -3282,6 +3285,7 @@ index 7caefc3..536a4bd 100644
 +/var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/nginx.*            gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/thttpd\.pid    -- gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/user/apache(/.*)?		gen_context(system_u:object_r:httpd_tmp_t,s0)
 +
@ -3331,7 +3335,6 @@ index 7caefc3..536a4bd 100644
 +/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
-+
 diff --git a/apache.if b/apache.if
 index f6eb485..51b128e 100644
 --- a/apache.if
@ -10107,10 +10110,10 @@ index 0000000..de66654
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..fe923e3
+index 0000000..1076e6a
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,60 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@ -10158,6 +10161,7 @@ index 0000000..fe923e3
 +logging_send_syslog_msg(bumblebee_t)
 +
 +modutils_domtrans_insmod(bumblebee_t)
+modutils_signal_insmod(bumblebee_t)
 +
 +sysnet_dns_name_resolve(bumblebee_t)
 +
@ -16522,7 +16526,7 @@ index 1303b30..72481a7 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
 ')
 diff --git a/cron.te b/cron.te
-index 7de3859..ce147f1 100644
+index 7de3859..4e6ebcd 100644
 --- a/cron.te
 +++ b/cron.te
@@ -11,46 +11,46 @@ gen_require(`
@ -16722,7 +16726,7 @@ index 7de3859..ce147f1 100644
 selinux_get_fs_mount(admin_crontab_t)
 selinux_validate_context(admin_crontab_t)
 selinux_compute_access_vector(admin_crontab_t)
-@@ -204,12 +148,14 @@ selinux_compute_relabel_context(admin_crontab_t)
+@@ -204,22 +148,26 @@ selinux_compute_relabel_context(admin_crontab_t)
 selinux_compute_user_contexts(admin_crontab_t)
 
 tunable_policy(`fcron_crond',`
@ -16738,7 +16742,9 @@ index 7de3859..ce147f1 100644
 #
 
 allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-@@ -218,8 +164,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec
+-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
+ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
 allow crond_t self:fifo_file rw_fifo_file_perms;
@ -23445,10 +23451,10 @@ index 0000000..89401fe
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..a1e6966
+index 0000000..75d51ed
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,239 @@
+@@ -0,0 +1,240 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@ -23657,6 +23663,7 @@ index 0000000..a1e6966
 +term_use_ptmx(docker_t)
 +term_getattr_pty_fs(docker_t)
 +term_relabel_pty_fs(docker_t)
+term_mounton_unallocated_ttys(docker_t)
 +
 +modutils_domtrans_insmod(docker_t)
 +
@ -39632,10 +39639,24 @@ index d314333..da30c5d 100644
 +	')
 ')
 diff --git a/lsm.te b/lsm.te
-index 4ec0eea..5bf5627 100644
+index 4ec0eea..0f702df 100644
 --- a/lsm.te
 +++ b/lsm.te
-@@ -12,6 +12,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
+@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
+ #
+ # Declarations
+ #
+## <desc>
+##	<p>
+##	Determine whether lsmd_plugin can
+##	connect to all TCP ports.
+##	</p>
+## </desc>
+gen_tunable(lsmd_plugin_connect_any, false)
+ 
+ type lsmd_t;
+ type lsmd_exec_t;
+@@ -12,6 +19,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
 type lsmd_var_run_t;
 files_pid_file(lsmd_var_run_t)
 
@ -39653,7 +39674,7 @@ index 4ec0eea..5bf5627 100644
 ########################################
 #
 # Local policy
-@@ -26,4 +37,36 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,47 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
 
@ -39667,6 +39688,7 @@ index 4ec0eea..5bf5627 100644
 +#
 +
 +allow lsmd_plugin_t self:udp_socket create_socket_perms;
+allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
 +
 +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
 +allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
@ -39678,12 +39700,22 @@ index 4ec0eea..5bf5627 100644
 +manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
 +files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
 +
+tunable_policy(`lsmd_plugin_connect_any',`
+	corenet_tcp_connect_all_ports(lsmd_plugin_t)
+	corenet_sendrecv_all_packets(lsmd_plugin_t)
+	corenet_tcp_sendrecv_all_ports(lsmd_plugin_t)
+')
+
 +kernel_read_system_state(lsmd_plugin_t)
 +
 +dev_read_urand(lsmd_plugin_t)
 +
 +corecmd_exec_bin(lsmd_plugin_t)
 +
+corenet_tcp_connect_http_port(lsmd_plugin_t)
+corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
+corenet_tcp_connect_ssh_port(lsmd_plugin_t)
+
 +init_stream_connect(lsmd_plugin_t)
 +init_dontaudit_rw_stream_socket(lsmd_plugin_t)
 +
@ -44133,7 +44165,7 @@ index 6194b80..03c6414 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..ea784b3 100644
+index 11ac8e4..dfd8d3a 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@ -44571,7 +44603,7 @@ index 11ac8e4..ea784b3 100644
 ')
 
 optional_policy(`
-@@ -300,259 +324,241 @@ optional_policy(`
+@@ -300,259 +324,243 @@ optional_policy(`
 
 ########################################
 #
@ -44585,7 +44617,7 @@ index 11ac8e4..ea784b3 100644
 +dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
 +dontaudit mozilla_plugin_t self:capability2 block_suspend;
 +
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
+allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mozilla_plugin_t self:netlink_socket create_socket_perms;
 +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
@ -44670,6 +44702,8 @@ index 11ac8e4..ea784b3 100644
 kernel_request_load_module(mozilla_plugin_t)
 kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
 +files_dontaudit_read_root_files(mozilla_plugin_t)
+kernel_dontaudit_list_all_proc(mozilla_plugin_t)
+kernel_dontaudit_list_all_sysctls(mozilla_plugin_t)
 
 corecmd_exec_bin(mozilla_plugin_t)
 corecmd_exec_shell(mozilla_plugin_t)
@ -44962,7 +44996,7 @@ index 11ac8e4..ea784b3 100644
 ')
 
 optional_policy(`
-@@ -560,7 +566,11 @@ optional_policy(`
+@@ -560,7 +568,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -44975,7 +45009,7 @@ index 11ac8e4..ea784b3 100644
 ')
 
 optional_policy(`
-@@ -568,108 +578,131 @@ optional_policy(`
+@@ -568,108 +580,131 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -48293,7 +48327,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
 ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe..d053405 100644
+index 7584bbe..ae0d53a 100644
 --- a/mysql.te
 +++ b/mysql.te
@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
@ -48453,7 +48487,7 @@ index 7584bbe..d053405 100644
 	seutil_sigchld_newrole(mysqld_t)
 ')
 
-@@ -155,21 +160,17 @@ optional_policy(`
+@@ -155,21 +160,18 @@ optional_policy(`
 
 #######################################
 #
@ -48463,6 +48497,7 @@ index 7584bbe..d053405 100644
 
 -allow mysqld_safe_t self:capability { chown dac_override fowner kill };
 +allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
+dontaudit mysqld_safe_t self:capability sys_ptrace;
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
@ -48479,7 +48514,7 @@ index 7584bbe..d053405 100644
 
 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +178,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +179,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 
 manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@ -48490,7 +48525,7 @@ index 7584bbe..d053405 100644
 
 kernel_read_system_state(mysqld_safe_t)
 kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
 corecmd_exec_bin(mysqld_safe_t)
 corecmd_exec_shell(mysqld_safe_t)
 
@ -48526,7 +48561,7 @@ index 7584bbe..d053405 100644
 
 optional_policy(`
 	hostname_exec(mysqld_safe_t)
-@@ -209,7 +216,7 @@ optional_policy(`
+@@ -209,7 +217,7 @@ optional_policy(`
 
 ########################################
 #
@ -48535,7 +48570,7 @@ index 7584bbe..d053405 100644
 #
 
 allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
 allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
 allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
 
@ -48553,7 +48588,7 @@ index 7584bbe..d053405 100644
 
 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
 
-@@ -230,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
 manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
 filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
 
@ -50258,7 +50293,7 @@ index 86dc29d..993ecf5 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
 ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..8562dec 100644
+index 55f2009..5e67bb6 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@ -50624,7 +50659,7 @@ index 55f2009..8562dec 100644
 +	systemd_write_inhibit_pipes(NetworkManager_t)
 +	systemd_read_logind_sessions_files(NetworkManager_t)
 +	systemd_dbus_chat_logind(NetworkManager_t)
-+	systemd_hostnamed_read_config(NetworkManager_t)
+    systemd_hostnamed_manage_config(NetworkManager_t)
 +')
 +
 +optional_policy(`
@ -80070,7 +80105,7 @@ index ef3b225..d248cd3 100644
 	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..4e28c91 100644
+index 6fc360e..44f9739 100644
 --- a/rpm.te
 +++ b/rpm.te
@@ -1,15 +1,13 @@
@ -80474,7 +80509,7 @@ index 6fc360e..4e28c91 100644
 
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -363,41 +385,67 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,68 @@ ifdef(`distro_redhat',`
 	')
 ')
 
@ -80512,6 +80547,7 @@ index 6fc360e..4e28c91 100644
 -	')
 +    optional_policy(`
 +        systemd_dbus_chat_logind(rpm_script_t)
+        systemd_dbus_chat_timedated(rpm_script_t)
 +    ')
 +')
 +
@ -80553,7 +80589,7 @@ index 6fc360e..4e28c91 100644
 
 	optional_policy(`
 		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +457,6 @@ optional_policy(`
+@@ -409,6 +458,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -83828,10 +83864,10 @@ index 0000000..b7db254
 +# Empty
 diff --git a/sandbox.if b/sandbox.if
 new file mode 100644
-index 0000000..8a6ad19
+index 0000000..89bc443
 --- /dev/null
 +++ b/sandbox.if
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,57 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@ -83862,6 +83898,7 @@ index 0000000..8a6ad19
 +	allow sandbox_domain $1:process { sigchld signull };
 +	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
 +	dontaudit sandbox_domain $1:process signal;
+	dontaudit sandbox_domain $1:key { link read search view };
 +	dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
 +')
 +
@ -83966,10 +84003,10 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..e30b346
+index 0000000..3258f45
 --- /dev/null
 +++ b/sandboxX.if
-@@ -0,0 +1,393 @@
+@@ -0,0 +1,394 @@
 +
 +## <summary>policy for sandboxX </summary>
 +
@ -84011,6 +84048,7 @@ index 0000000..e30b346
 +	dontaudit sandbox_xserver_t $1:file read;
 +	allow sandbox_x_domain sandbox_x_domain:process signal;
 +	# Dontaudit leaked file descriptors
+	dontaudit sandbox_x_domain $1:key { link read search view };
 +	dontaudit sandbox_x_domain $1:fifo_file { read write };
 +	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
@ -88492,13 +88530,14 @@ index cbfe369..6594af3 100644
 	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..1cb1360
+index 0000000..ab5d7e7
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,6 @@
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
 +
 +/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
+/etc/sysconfig/snapper  --  gen_context(system_u:object_r:snapperd_conf_t,s0)
 +
 +/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
 diff --git a/snapper.if b/snapper.if
@ -88551,10 +88590,10 @@ index 0000000..94105ee
 +')
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..a299f53
+index 0000000..01ade60
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,70 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@ -88599,6 +88638,10 @@ index 0000000..a299f53
 +corecmd_exec_shell(snapperd_t)
 +corecmd_exec_bin(snapperd_t)
 +
+files_write_all_dirs(snapperd_t)
+files_setattr_all_mountpoints(snapperd_t)
+files_relabelto_all_mountpoints(snapperd_t)
+files_relabelfrom_isid_type(snapperd_t)
 +files_read_all_files(snapperd_t)
 +files_list_all(snapperd_t)
 +
@ -88948,7 +88991,7 @@ index 634c6b4..e1edfd9 100644
 
 ########################################
 diff --git a/sosreport.te b/sosreport.te
-index f2f507d..3d93f55 100644
+index f2f507d..0d4a35c 100644
 --- a/sosreport.te
 +++ b/sosreport.te
@@ -13,15 +13,15 @@ type sosreport_exec_t;
@ -89016,16 +89059,17 @@ index f2f507d..3d93f55 100644
 
 corecmd_exec_all_executables(sosreport_t)
 
-@@ -69,6 +89,8 @@ dev_read_urand(sosreport_t)
+@@ -69,6 +89,9 @@ dev_read_urand(sosreport_t)
 dev_read_raw_memory(sosreport_t)
 dev_read_sysfs(sosreport_t)
 dev_rw_generic_usb_dev(sosreport_t)
+dev_rw_lvm_control(sosreport_t)
 +dev_getattr_all_chr_files(sosreport_t)
 +dev_getattr_all_blk_files(sosreport_t)
 
 domain_getattr_all_domains(sosreport_t)
 domain_read_all_domains_state(sosreport_t)
-@@ -83,7 +105,6 @@ files_list_all(sosreport_t)
+@@ -83,7 +106,6 @@ files_list_all(sosreport_t)
 files_read_config_files(sosreport_t)
 files_read_generic_tmp_files(sosreport_t)
 files_read_non_auth_files(sosreport_t)
@ -89033,7 +89077,7 @@ index f2f507d..3d93f55 100644
 files_read_var_lib_files(sosreport_t)
 files_read_var_symlinks(sosreport_t)
 files_read_kernel_modules(sosreport_t)
-@@ -92,25 +113,35 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -92,25 +114,35 @@ files_manage_etc_runtime_files(sosreport_t)
 files_etc_filetrans_etc_runtime(sosreport_t, file)
 
 fs_getattr_all_fs(sosreport_t)
@ -89072,10 +89116,14 @@ index f2f507d..3d93f55 100644
 
 optional_policy(`
 	abrt_manage_pid_files(sosreport_t)
-@@ -119,6 +150,10 @@ optional_policy(`
+@@ -119,6 +151,14 @@ optional_policy(`
 ')
 
 optional_policy(`
+    bootloader_exec(sosreport_t)
+')
+
+optional_policy(`
 +	brctl_domtrans(sosreport_t)
 +')
 +
@ -89083,10 +89131,11 @@ index f2f507d..3d93f55 100644
 	cups_stream_connect(sosreport_t)
 ')
 
-@@ -127,6 +162,15 @@ optional_policy(`
+@@ -127,6 +167,16 @@ optional_policy(`
 ')
 
 optional_policy(`
+    lvm_read_config(sosreport_t)
 +    lvm_dontaudit_access_check_lock(sosreport_t)
 +')
 +
@ -89099,7 +89148,7 @@ index f2f507d..3d93f55 100644
 	fstools_domtrans(sosreport_t)
 ')
 
-@@ -136,6 +180,10 @@ optional_policy(`
+@@ -136,6 +186,10 @@ optional_policy(`
 	optional_policy(`
 		hal_dbus_chat(sosreport_t)
 	')
@ -89110,7 +89159,7 @@ index f2f507d..3d93f55 100644
 ')
 
 optional_policy(`
-@@ -147,13 +195,34 @@ optional_policy(`
+@@ -147,13 +201,34 @@ optional_policy(`
 ')
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -580,6 +580,35 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Thu Feb 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-28
+- Allow bumblebeed to send signal to insmod
+- Dontaudit attempts by crond_t net_admin caused by journald
+- Allow the docker daemon to mounton tty_device_t
+- Add addtional snapper fixes to allo relabel file_t
+- Allow setattr for all mountpoints
+- Allow snapperd to write all dirs
+- Add support for /etc/sysconfig/snapper
+- Allow mozilla_plugin to getsession
+- Add labeling for thttpd
+- Allow sosreport to execute grub2-probe
+- Allow NM to manage hostname config file
+- Allow systemd_timedated_t to dbus chat with rpm_script_t
+- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
+- Add lsmd_plugin_connect_any boolea
+- Add support for ipset
+- Add support for /dev/sclp_line0
+- Add modutils_signal_insmod()
+- Add files_relabelto_all_mountpoints() interface
+- Allow the docker daemon to mounton tty_device_t
+- Allow all systemd domains to read /proc/1
+- Login programs talking to journald are attempting to net_admin, add dontaudit
+- init is not gettar on processes as shutdown time
+- Add systemd_hostnamed_manage_config() interface
+- Make unconfined_service_t valid in enforcing
+- Remove transition for temp dirs created by init_t
+- gdm-simple-slave uses use setsockopt
+- Add lvm_read_metadata()
+
 * Mon Feb 24 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-27
 - Make unconfined_service_t valid in enforcing
 - Remove transition for temp dirs created by init_t