- Fix openshift_search_lib

- Add support for abrt-uefioops-oops - Allow colord to getattr any file system - Allow chrome processes to look at each other - Allow sys_ptrace for abrt_t - Add new policy for gssproxy - Dontaudit leaked file descriptor writes from firewalld - openshift_net_type is interface not template - Dontaudit pppd to search gnome config - Update openshift_search_lib() interface - Add fs_list_pstorefs() - Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18 - Better labels for raspberry pi devices - Allow init to create devpts_t directory - Temporarily label rasbery pi devices as memory_device_t, needs back port to f18 - Allow sysadm_t to build kernels - Make sure mount creates /var/run/blkid with the correct label, needs back port to F18 - Allow userdomains to stream connect to gssproxy - Dontaudit leaked file descriptor writes from firewalld - Allow xserver to read /dev/urandom - Add additional fixes for ipsec-mgmt - Make SSHing into an Openshift Enterprise Node working
2013-06-04 08:43:23 +02:00 · 2013-06-04 08:43:23 +02:00 · 574431f1a2
parent 88eb5b40ad
commit 574431f1a2
3 changed files with 965 additions and 422 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -1,8 +1,8 @@
 diff --git a/abrt.fc b/abrt.fc
-index e4f84de..ad5a65f 100644
+index e4f84de..4e4cbd4 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,30 +1,39 @@
+@@ -1,30 +1,40 @@
 -/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
 -/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 +/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
@ -15,6 +15,7 @@ index e4f84de..ad5a65f 100644
 +/usr/lib/systemd/system/abrt.*	--	gen_context(system_u:object_r:abrt_unit_file_t,s0)
 +
 +/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
 +/usr/bin/abrt-uefioops-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
 +/usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 +/usr/bin/abrt-watch-log         --      gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
 +
@ -517,7 +518,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..ffbe9e5 100644
+index cc43d25..5e60ff3 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -1,4 +1,4 @@
@ -666,7 +667,8 @@ index cc43d25..ffbe9e5 100644
 +# abrt local policy
 #
- allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
 +allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
 dontaudit abrt_t self:capability sys_rawio;
 allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
 +
@ -939,7 +941,7 @@ index cc43d25..ffbe9e5 100644
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,30 +410,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +410,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 dev_read_urand(abrt_retrace_worker_t)
@ -981,8 +983,10 @@ index cc43d25..ffbe9e5 100644
 kernel_read_kernel_sysctls(abrt_dump_oops_t)
 kernel_read_ring_buffer(abrt_dump_oops_t)
-@@ -384,14 +450,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+ domain_use_interactive_fds(abrt_dump_oops_t)
 fs_list_inotifyfs(abrt_dump_oops_t)
 +fs_list_pstorefs(abrt_dump_oops_t)
 logging_read_generic_logs(abrt_dump_oops_t)
 +logging_send_syslog_msg(abrt_dump_oops_t)
@ -999,7 +1003,7 @@ index cc43d25..ffbe9e5 100644
 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +467,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +468,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
 corecmd_exec_bin(abrt_watch_log_t)
 logging_read_all_logs(abrt_watch_log_t)
@ -10385,10 +10389,10 @@ index 0000000..5977d96
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..ba0a059
+index 0000000..f4a8884
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,237 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@ -10596,6 +10600,7 @@ index 0000000..ba0a059
 +
 +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
 +ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
 +ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
 +
 +manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
 +manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
@ -12168,7 +12173,7 @@ index 8e27a37..825f537 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/colord.te b/colord.te
-index 09f18e2..f0cade4 100644
+index 09f18e2..9d70983 100644
 --- a/colord.te
 +++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@ -12219,8 +12224,9 @@ index 09f18e2..f0cade4 100644
 files_list_mnt(colord_t)
 -files_read_usr_files(colord_t)
- fs_getattr_noxattr_fs(colord_t)
+-fs_getattr_noxattr_fs(colord_t)
 -fs_getattr_tmpfs(colord_t)
 +fs_getattr_all_fs(colord_t)
 fs_list_noxattr_fs(colord_t)
 fs_read_noxattr_fs_files(colord_t)
 fs_search_all(colord_t)
@ -22900,7 +22906,7 @@ index 21d7b84..0e272bd 100644
 /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 diff --git a/firewalld.if b/firewalld.if
-index 5cf6ac6..839999e 100644
+index 5cf6ac6..62547ee 100644
 --- a/firewalld.if
 +++ b/firewalld.if
@@ -2,6 +2,66 @@
@ -22970,18 +22976,37 @@ index 5cf6ac6..839999e 100644
 ##	Send and receive messages from
 ##	firewalld over dbus.
 ## </summary>
-@@ -23,8 +83,8 @@ interface(`firewalld_dbus_chat',`
+@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',`
 ########################################
 ## <summary>
 -##	All of the rules required to
 -##	administrate an firewalld environment.
 +##	Dontaudit attempts to write
 +##	firewalld tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`firewalld_dontaudit_write_tmp_files',`
 +	gen_require(`
 +		type firewalld_tmp_t;
 +	')
 +
 +	dontaudit $1 firewalld_tmp_t:file write;
 +')
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
 +##	an firewalld environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -45,10 +105,14 @@ interface(`firewalld_admin',`
+@@ -45,10 +124,14 @@ interface(`firewalld_admin',`
 		type firewalld_var_log_t;
 	')
@ -22998,7 +23023,7 @@ index 5cf6ac6..839999e 100644
 	domain_system_change_exemption($1)
 	role_transition $2 firewalld_initrc_exec_t system_r;
 	allow $2 system_r;
-@@ -59,6 +123,9 @@ interface(`firewalld_admin',`
+@@ -59,6 +142,9 @@ interface(`firewalld_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, firewalld_var_log_t)
@ -28202,6 +28227,298 @@ index 25f09ae..3085534 100644
 optional_policy(`
 	chronyd_rw_shm(gpsd_t)
 	chronyd_stream_connect(gpsd_t)
 diff --git a/gssproxy.fc b/gssproxy.fc
 new file mode 100644
 index 0000000..404ae4f
 --- /dev/null
 +++ b/gssproxy.fc
@@ -0,0 +1,7 @@
 +/usr/lib/systemd/system/gssproxy.service		--	gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
 +
 +/usr/sbin/gssproxy		--	gen_context(system_u:object_r:gssproxy_exec_t,s0)
 +
 +/var/lib/gssproxy(/.*)?		gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
 +
 +/var/run/gssproxy.pid		--	gen_context(system_u:object_r:gssproxy_var_run_t,s0)
 diff --git a/gssproxy.if b/gssproxy.if
 new file mode 100644
 index 0000000..072ddb0
 --- /dev/null
 +++ b/gssproxy.if
@@ -0,0 +1,203 @@
 +
 +## <summary>policy for gssproxy</summary>
 +
 +########################################
 +## <summary>
 +##	Execute TEMPLATE in the gssproxy domin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`gssproxy_domtrans',`
 +	gen_require(`
 +		type gssproxy_t, gssproxy_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Search gssproxy lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gssproxy_search_lib',`
 +	gen_require(`
 +		type gssproxy_var_lib_t;
 +	')
 +
 +	allow $1 gssproxy_var_lib_t:dir search_dir_perms;
 +	files_search_var_lib($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Read gssproxy lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gssproxy_read_lib_files',`
 +	gen_require(`
 +		type gssproxy_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage gssproxy lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gssproxy_manage_lib_files',`
 +	gen_require(`
 +		type gssproxy_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage gssproxy lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gssproxy_manage_lib_dirs',`
 +	gen_require(`
 +		type gssproxy_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read gssproxy PID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gssproxy_read_pid_files',`
 +	gen_require(`
 +		type gssproxy_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Execute gssproxy server in the gssproxy domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
 +interface(`gssproxy_systemctl',`
 +	gen_require(`
 +		type gssproxy_t;
 +		type gssproxy_unit_file_t;
 +	')
 +
 +	systemd_exec_systemctl($1)
 +        systemd_read_fifo_file_password_run($1)
 +	allow $1 gssproxy_unit_file_t:file read_file_perms;
 +	allow $1 gssproxy_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, gssproxy_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Connect to gssproxy over an unix
 +##	domain stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gssproxy_stream_connect',`
 +	gen_require(`
 +		type gssproxy_t, gssproxy_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
 +')
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
 +##	an gssproxy environment
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	Role allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`gssproxy_admin',`
 +	gen_require(`
 +		type gssproxy_t;
 +		type gssproxy_var_lib_t;
 +		type gssproxy_var_run_t;
 +	type gssproxy_unit_file_t;
 +	')
 +
 +	allow $1 gssproxy_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, gssproxy_t)
 +
 +	files_search_var_lib($1)
 +	admin_pattern($1, gssproxy_var_lib_t)
 +
 +	files_search_pids($1)
 +	admin_pattern($1, gssproxy_var_run_t)
 +
 +	gssproxy_systemctl($1)
 +	admin_pattern($1, gssproxy_unit_file_t)
 +	allow $1 gssproxy_unit_file_t:service all_service_perms;
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
 +')
 diff --git a/gssproxy.te b/gssproxy.te
 new file mode 100644
 index 0000000..6f0253c
 --- /dev/null
 +++ b/gssproxy.te
@@ -0,0 +1,64 @@
 +policy_module(gssproxy, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +type gssproxy_t;
 +type gssproxy_exec_t;
 +init_daemon_domain(gssproxy_t, gssproxy_exec_t)
 +
 +type gssproxy_var_lib_t;
 +files_type(gssproxy_var_lib_t)
 +
 +type gssproxy_var_run_t;
 +files_pid_file(gssproxy_var_run_t)
 +
 +type gssproxy_unit_file_t;
 +systemd_unit_file(gssproxy_unit_file_t)
 +
 +########################################
 +#
 +# gssproxy local policy
 +#
 +allow gssproxy_t self:capability2 block_suspend;
 +allow gssproxy_t self:fifo_file rw_fifo_file_perms;
 +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
 +manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
 +manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
 +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
 +files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
 +
 +manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
 +manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
 +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
 +files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file })
 +
 +kernel_rw_rpc_sysctls(gssproxy_t)
 +
 +domain_use_interactive_fds(gssproxy_t)
 +
 +files_read_etc_files(gssproxy_t)
 +
 +auth_use_nsswitch(gssproxy_t)
 +
 +dev_read_urand(gssproxy_t)
 +
 +logging_send_syslog_msg(gssproxy_t)
 +
 +miscfiles_read_localization(gssproxy_t)
 +
 +userdom_manage_user_tmp_dirs(gssproxy_t)
 +userdom_manage_user_tmp_files(gssproxy_t)
 +
 +optional_policy(`
 +	kerberos_use(gssproxy_t)
 +')
 +
 +optional_policy(`
 +	kerberos_keytab_template(gssproxy, gssproxy_t)
 +	kerberos_manage_host_rcache(gssproxy_t)
 +')
 diff --git a/guest.te b/guest.te
 index d928711..93d2d83 100644
 --- a/guest.te
@ -48498,10 +48815,10 @@ index 0000000..f2d6119
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..0dd82f8
+index 0000000..6c841fa
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,656 @@
+@@ -0,0 +1,676 @@
 +
 +## <summary> policy for openshift </summary>
 +
@ -48740,7 +49057,27 @@ index 0000000..0dd82f8
 +		type openshift_var_lib_t;
 +	')
 +
-+	allow $1 openshift_var_lib_t:dir search_dir_perms;
+    search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
 +    getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
 +	files_search_var_lib($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Getattr openshift lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`openshift_getattr_lib',`
 +	gen_require(`
 +		type openshift_var_lib_t;
 +	')
 +
 +    getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
 +	files_search_var_lib($1)
 +')
 +
@ -48986,7 +49323,7 @@ index 0000000..0dd82f8
 +##	</summary>
 +## </param>
 +#
-+template(`openshift_net_type',`
+interface(`openshift_net_type',`
 +	gen_require(`
 +		attribute openshift_net_domain;
 +	')
@ -57211,7 +57548,7 @@ index cd8b8b9..cde0d62 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
 ')
 diff --git a/ppp.te b/ppp.te
-index b2b5dba..49bdf0d 100644
+index b2b5dba..7b8a7d1 100644
 --- a/ppp.te
 +++ b/ppp.te
@@ -1,4 +1,4 @@
@ -57402,14 +57739,14 @@ index b2b5dba..49bdf0d 100644
 -fs_getattr_all_fs(pppd_t)
 -fs_search_auto_mountpoints(pppd_t)
-
+# for scripts
 -term_use_unallocated_ttys(pppd_t)
 -term_setattr_unallocated_ttys(pppd_t)
 -term_ioctl_generic_ptys(pppd_t)
 -term_create_pty(pppd_t, pppd_devpts_t)
 -term_use_generic_ptys(pppd_t)
-+# for scripts
+-
 -init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
 init_read_utmp(pppd_t)
 -init_signal_script(pppd_t)
@ -57551,6 +57888,17 @@ index b2b5dba..49bdf0d 100644
 sysnet_exec_ifconfig(pptp_t)
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@@ -299,6 +318,10 @@ optional_policy(`
 ')
 optional_policy(`
 +    gnome_dontaudit_search_config(pppd_t)
 +')
 +
 +optional_policy(`
 	dbus_system_domain(pppd_t, pppd_exec_t)
 	optional_policy(`
 diff --git a/prelink.fc b/prelink.fc
 index a90d623..62af9a4 100644
 --- a/prelink.fc
@ -69772,7 +70120,7 @@ index 0628d50..84f2fd7 100644
 +	allow rpm_script_t $1:process sigchld;
 ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..decdd95 100644
+index 5cbe81c..f79d5f4 100644
 --- a/rpm.te
 +++ b/rpm.te
@@ -1,15 +1,13 @@
@ -69830,7 +70178,13 @@ index 5cbe81c..decdd95 100644
 type rpm_script_tmp_t;
 files_tmp_file(rpm_script_tmp_t)
-@@ -75,23 +69,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec
+@@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t)
 # rpm Local policy
 #
 +allow rpm_t self:capability2 block_suspend;
 allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
 allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
 allow rpm_t self:fifo_file rw_fifo_file_perms;
@ -69864,7 +70218,7 @@ index 5cbe81c..decdd95 100644
 manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
-@@ -99,23 +98,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@ -69892,7 +70246,7 @@ index 5cbe81c..decdd95 100644
 kernel_read_crypto_sysctls(rpm_t)
 kernel_read_network_state(rpm_t)
-@@ -126,41 +121,34 @@ kernel_rw_irq_sysctls(rpm_t)
+@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t)
 corecmd_exec_all_executables(rpm_t)
@ -69948,7 +70302,7 @@ index 5cbe81c..decdd95 100644
 fs_getattr_all_dirs(rpm_t)
 fs_list_inotifyfs(rpm_t)
-@@ -183,29 +171,49 @@ selinux_compute_relabel_context(rpm_t)
+@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t)
 selinux_compute_user_contexts(rpm_t)
 storage_raw_write_fixed_disk(rpm_t)
@ -70000,7 +70354,7 @@ index 5cbe81c..decdd95 100644
 userdom_use_unpriv_users_fds(rpm_t)
 optional_policy(`
-@@ -224,13 +232,17 @@ optional_policy(`
+@@ -224,13 +233,17 @@ optional_policy(`
 		networkmanager_dbus_chat(rpm_t)
 	')
@ -70022,7 +70376,7 @@ index 5cbe81c..decdd95 100644
 ')
 ########################################
-@@ -239,19 +251,20 @@ optional_policy(`
+@@ -239,19 +252,20 @@ optional_policy(`
 #
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
@ -70046,7 +70400,7 @@ index 5cbe81c..decdd95 100644
 allow rpm_script_t rpm_tmp_t:file read_file_perms;
 allow rpm_script_t rpm_script_tmp_t:dir mounton;
-@@ -267,8 +280,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -267,8 +281,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@ -70057,7 +70411,7 @@ index 5cbe81c..decdd95 100644
 kernel_read_crypto_sysctls(rpm_script_t)
 kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,45 +291,27 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +292,27 @@ kernel_read_network_state(rpm_script_t)
 kernel_list_all_proc(rpm_script_t)
 kernel_read_software_raid_state(rpm_script_t)
@ -70107,7 +70461,7 @@ index 5cbe81c..decdd95 100644
 mls_file_read_all_levels(rpm_script_t)
 mls_file_write_all_levels(rpm_script_t)
-@@ -331,30 +327,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +328,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
 term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
@ -70165,7 +70519,7 @@ index 5cbe81c..decdd95 100644
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -363,40 +377,54 @@ ifdef(`distro_redhat',`
+@@ -363,40 +378,54 @@ ifdef(`distro_redhat',`
 	')
 ')
@ -70230,7 +70584,7 @@ index 5cbe81c..decdd95 100644
 	unconfined_domtrans(rpm_script_t)
 	optional_policy(`
-@@ -409,6 +437,6 @@ optional_policy(`
+@@ -409,6 +438,6 @@ optional_policy(`
 ')
 optional_policy(`
@ -87519,7 +87873,7 @@ index 9dec06c..7877729 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
 ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..4d026c1 100644
+index 1f22fba..a8390d3 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,94 +1,98 @@
@ -88168,7 +88522,7 @@ index 1f22fba..4d026c1 100644
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
-@@ -520,24 +352,15 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +352,16 @@ corecmd_exec_shell(virtd_t)
 corenet_all_recvfrom_netlabel(virtd_t)
 corenet_tcp_sendrecv_generic_if(virtd_t)
 corenet_tcp_sendrecv_generic_node(virtd_t)
@ -88190,12 +88544,13 @@ index 1f22fba..4d026c1 100644
 -corenet_tcp_sendrecv_soundd_port(virtd_t)
 -
 corenet_rw_tun_tap_dev(virtd_t)
 +corenet_relabel_tun_tap_dev(virtd_t)
 +dev_rw_vfio_dev(virtd_t)
 dev_rw_sysfs(virtd_t)
 dev_read_urand(virtd_t)
 dev_read_rand(virtd_t)
-@@ -548,22 +371,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +372,23 @@ dev_rw_vhost(virtd_t)
 dev_setattr_generic_usb_dev(virtd_t)
 dev_relabel_generic_usb_dev(virtd_t)
@ -88224,7 +88579,7 @@ index 1f22fba..4d026c1 100644
 fs_rw_anon_inodefs_files(virtd_t)
 fs_list_inotifyfs(virtd_t)
 fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +418,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t)
 auth_use_nsswitch(virtd_t)
@ -88244,7 +88599,7 @@ index 1f22fba..4d026c1 100644
 selinux_validate_context(virtd_t)
-@@ -613,18 +440,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t)
 sysnet_signull_ifconfig(virtd_t)
 sysnet_signal_ifconfig(virtd_t)
 sysnet_domtrans_ifconfig(virtd_t)
@ -88279,7 +88634,7 @@ index 1f22fba..4d026c1 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +466,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',`
 ')
 tunable_policy(`virt_use_samba',`
@ -88288,7 +88643,7 @@ index 1f22fba..4d026c1 100644
 	fs_manage_cifs_files(virtd_t)
 	fs_read_cifs_symlinks(virtd_t)
 ')
-@@ -658,95 +491,321 @@ optional_policy(`
+@@ -658,95 +492,321 @@ optional_policy(`
 	')
 	optional_policy(`
@ -88658,7 +89013,7 @@ index 1f22fba..4d026c1 100644
 manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
 manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +817,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +818,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@ -88688,7 +89043,7 @@ index 1f22fba..4d026c1 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +836,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +837,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -88715,7 +89070,7 @@ index 1f22fba..4d026c1 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +856,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +857,22 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -88747,7 +89102,7 @@ index 1f22fba..4d026c1 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
 	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +889,20 @@ optional_policy(`
+@@ -847,14 +890,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -88769,7 +89124,7 @@ index 1f22fba..4d026c1 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -879,34 +927,44 @@ optional_policy(`
+@@ -879,34 +928,44 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -88823,7 +89178,7 @@ index 1f22fba..4d026c1 100644
 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +974,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +975,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
 allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@ -88841,7 +89196,7 @@ index 1f22fba..4d026c1 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +996,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +997,8 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -88852,7 +89207,7 @@ index 1f22fba..4d026c1 100644
 files_relabel_rootfs(virtd_lxc_t)
 files_mounton_non_security(virtd_lxc_t)
 files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1005,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1006,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
 files_list_isid_type_dirs(virtd_lxc_t)
 files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@ -88860,7 +89215,7 @@ index 1f22fba..4d026c1 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1017,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1018,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -88879,7 +89234,7 @@ index 1f22fba..4d026c1 100644
 term_use_generic_ptys(virtd_lxc_t)
 term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1031,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1032,36 @@ auth_use_nsswitch(virtd_lxc_t)
 logging_send_syslog_msg(virtd_lxc_t)
@ -88924,7 +89279,7 @@ index 1f22fba..4d026c1 100644
 allow svirt_lxc_domain self:fifo_file manage_file_perms;
 allow svirt_lxc_domain self:sem create_sem_perms;
 allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1068,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1069,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
 allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
 allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@ -88951,7 +89306,7 @@ index 1f22fba..4d026c1 100644
 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1086,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1087,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@ -88970,7 +89325,7 @@ index 1f22fba..4d026c1 100644
 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
 corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1105,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1106,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
 files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
 files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
 files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@ -88997,7 +89352,7 @@ index 1f22fba..4d026c1 100644
 auth_dontaudit_read_login_records(svirt_lxc_domain)
 auth_dontaudit_write_login_records(svirt_lxc_domain)
 auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1130,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1131,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
 libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@ -89136,7 +89491,7 @@ index 1f22fba..4d026c1 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1228,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1229,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -89151,7 +89506,7 @@ index 1f22fba..4d026c1 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1183,9 +1246,8 @@ optional_policy(`
+@@ -1183,9 +1247,8 @@ optional_policy(`
 ########################################
 #
@ -89162,7 +89517,7 @@ index 1f22fba..4d026c1 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1260,114 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1261,114 @@ kernel_read_network_state(virt_bridgehelper_t)
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 47%{?dist}
+Release: 48%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -94,10 +94,6 @@ SELinux policy development and man page package
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
 %post devel
 selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null 
 exit 0
 %package doc
 Summary: SELinux policy documentation
 Group: System Environment/Base
@ -534,6 +530,30 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Mon Jun 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-48
 - Fix openshift_search_lib
 - Add support for abrt-uefioops-oops
 - Allow colord to getattr any file system
 - Allow chrome processes to look at each other
 - Allow sys_ptrace for abrt_t
 - Add new policy for gssproxy
 - Dontaudit leaked file descriptor writes from firewalld
 - openshift_net_type is interface not template
 - Dontaudit pppd to search gnome config
 - Update openshift_search_lib() interface
 - Add fs_list_pstorefs()
 - Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
 - Better labels for raspberry pi devices
 - Allow init to create devpts_t directory
 - Temporarily label rasbery pi devices as memory_device_t, needs back port to f18
 - Allow sysadm_t to build kernels
 - Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
 - Allow userdomains to stream connect to gssproxy
 - Dontaudit leaked file descriptor writes from firewalld
 - Allow xserver to read /dev/urandom
 - Add additional fixes for ipsec-mgmt
 - Make SSHing into an Openshift Enterprise Node working
 * Wed May 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-47
 - Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime
 - with the proper label.