* Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13

- Remove file_t from the system and realias it with unlabeled_
2014-01-13 12:25:57 +01:00 · 2014-01-13 12:25:57 +01:00 · 5bd1f1afd6
commit 5bd1f1afd6
parent 0a96c38442
3 changed files with 377 additions and 111 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -9408,7 +9408,7 @@ index b876c48..27f60c6 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..5c44da2 100644
+index f962f76..68d8f79 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -10418,10 +10418,19 @@ index f962f76..5c44da2 100644
 ')
 ########################################
-@@ -3150,6 +3686,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3142,10 +3678,29 @@ interface(`files_etc_filetrans_etc_runtime',`
- 
+ #
- ########################################
+ interface(`files_getattr_isid_type_dirs',`
- ## <summary>
+ 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 +	')
 +
 +	allow $1 unlabeled_t:dir getattr;
 +')
 +
 +########################################
 +## <summary>
 +##	Setattr of directories on new filesystems
 +##	that have not yet been labeled.
 +## </summary>
@ -10433,21 +10442,63 @@ index f962f76..5c44da2 100644
 +#
 +interface(`files_setattr_isid_type_dirs',`
 +	gen_require(`
-+		type file_t;
+		type unlabeled_t;
 +	')
 +
 +	allow $1 file_t:dir setattr;
 +')
 +
 +########################################
 +## <summary>
 ##	Do not audit attempts to search directories on new filesystems
 ##	that have not yet been labeled.
 ## </summary>
@@ -3223,6 +3778,62 @@ interface(`files_delete_isid_type_dirs',`
 	delete_dirs_pattern($1, file_t, file_t)
 	')
 -	allow $1 file_t:dir getattr;
 +	allow $1 unlabeled_t:dir setattr;
 ')
 ########################################
@@ -3161,10 +3716,10 @@ interface(`files_getattr_isid_type_dirs',`
 #
 interface(`files_dontaudit_search_isid_type_dirs',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	dontaudit $1 file_t:dir search_dir_perms;
 +	dontaudit $1 unlabeled_t:dir search_dir_perms;
 ')
 ########################################
@@ -3180,10 +3735,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
 #
 interface(`files_list_isid_type_dirs',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	allow $1 file_t:dir list_dir_perms;
 +	allow $1 unlabeled_t:dir list_dir_perms;
 ')
 ########################################
@@ -3199,10 +3754,10 @@ interface(`files_list_isid_type_dirs',`
 #
 interface(`files_rw_isid_type_dirs',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	allow $1 file_t:dir rw_dir_perms;
 +	allow $1 unlabeled_t:dir rw_dir_perms;
 ')
 ########################################
@@ -3218,10 +3773,66 @@ interface(`files_rw_isid_type_dirs',`
 #
 interface(`files_delete_isid_type_dirs',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 +	')
 +
 +	delete_dirs_pattern($1, unlabeled_t, unlabeled_t)
 +')
 +########################################
 +## <summary>
 +##	Execute files on new filesystems
@ -10461,10 +10512,10 @@ index f962f76..5c44da2 100644
 +#
 +interface(`files_exec_isid_files',`
 +	gen_require(`
-+		type file_t;
+		type unlabeled_t;
 +	')
 +
-+	can_exec($1, file_t)
+	can_exec($1, unlabeled_t)
 +')
 +
 +########################################
@ -10480,10 +10531,10 @@ index f962f76..5c44da2 100644
 +#
 +interface(`files_mounton_isid',`
 +	gen_require(`
-+		type file_t;
+		type unlabeled_t;
 +	')
 +
-+	allow $1 file_t:dir mounton;
+	allow $1 unlabeled_t:dir mounton;
 +')
 +
 +########################################
@ -10499,18 +10550,183 @@ index f962f76..5c44da2 100644
 +#
 +interface(`files_relabelfrom_isid_type',`
 +	gen_require(`
-+		type file_t;
+		type unlabeled_t;
 	')
 -	delete_dirs_pattern($1, file_t, file_t)
 +	dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
 ')
 ########################################
@@ -3237,10 +3848,10 @@ interface(`files_delete_isid_type_dirs',`
 #
 interface(`files_manage_isid_type_dirs',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	allow $1 file_t:dir manage_dir_perms;
 +	allow $1 unlabeled_t:dir manage_dir_perms;
 ')
 ########################################
@@ -3256,10 +3867,10 @@ interface(`files_manage_isid_type_dirs',`
 #
 interface(`files_mounton_isid_type_dirs',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	allow $1 file_t:dir { search_dir_perms mounton };
 +	allow $1 unlabeled_t:dir { search_dir_perms mounton };
 ')
 ########################################
@@ -3275,10 +3886,10 @@ interface(`files_mounton_isid_type_dirs',`
 #
 interface(`files_read_isid_type_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	allow $1 file_t:file read_file_perms;
 +	allow $1 unlabeled_t:file read_file_perms;
 ')
 ########################################
@@ -3294,10 +3905,10 @@ interface(`files_read_isid_type_files',`
 #
 interface(`files_delete_isid_type_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	delete_files_pattern($1, file_t, file_t)
 +	delete_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 ########################################
@@ -3313,10 +3924,10 @@ interface(`files_delete_isid_type_files',`
 #
 interface(`files_delete_isid_type_symlinks',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	delete_lnk_files_pattern($1, file_t, file_t)
 +	delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 ########################################
@@ -3332,10 +3943,10 @@ interface(`files_delete_isid_type_symlinks',`
 #
 interface(`files_delete_isid_type_fifo_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	delete_fifo_files_pattern($1, file_t, file_t)
 +	delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 ########################################
@@ -3351,10 +3962,10 @@ interface(`files_delete_isid_type_fifo_files',`
 #
 interface(`files_delete_isid_type_sock_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	delete_sock_files_pattern($1, file_t, file_t)
 +	delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 ########################################
@@ -3370,10 +3981,10 @@ interface(`files_delete_isid_type_sock_files',`
 #
 interface(`files_delete_isid_type_blk_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	delete_blk_files_pattern($1, file_t, file_t)
 +	delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 ########################################
@@ -3389,10 +4000,10 @@ interface(`files_delete_isid_type_blk_files',`
 #
 interface(`files_dontaudit_write_isid_chr_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	dontaudit $1 file_t:chr_file write;
 +	dontaudit $1 unlabeled_t:chr_file write;
 ')
 ########################################
@@ -3408,10 +4019,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
 #
 interface(`files_delete_isid_type_chr_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	delete_chr_files_pattern($1, file_t, file_t)
 +	delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 ########################################
@@ -3427,10 +4038,10 @@ interface(`files_delete_isid_type_chr_files',`
 #
 interface(`files_manage_isid_type_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	allow $1 file_t:file manage_file_perms;
 +	allow $1 unlabeled_t:file manage_file_perms;
 ')
 ########################################
@@ -3446,10 +4057,10 @@ interface(`files_manage_isid_type_files',`
 #
 interface(`files_manage_isid_type_symlinks',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	allow $1 file_t:lnk_file manage_lnk_file_perms;
 +	allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
 ')
 ########################################
@@ -3465,10 +4076,29 @@ interface(`files_manage_isid_type_symlinks',`
 #
 interface(`files_rw_isid_type_blk_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 +	')
 +
-+	dontaudit $1 file_t:dir_file_class_set relabelfrom;
+	allow $1 unlabeled_t:blk_file rw_blk_file_perms;
 +')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
@@ -3473,6 +4084,25 @@ interface(`files_rw_isid_type_blk_files',`
 ########################################
 ## <summary>
 +##	rw any files inherited from another process
 +##	on new filesystems that have not yet been labeled.
 +## </summary>
@ -10522,17 +10738,40 @@ index f962f76..5c44da2 100644
 +#
 +interface(`files_rw_inherited_isid_type_files',`
 +	gen_require(`
-+		type file_t;
+		type unlabeled_t;
-+	')
+ 	')
-+
+ 
-+	allow $1 file_t:file rw_inherited_file_perms;
+-	allow $1 file_t:blk_file rw_blk_file_perms;
-+')
+	allow $1 unlabeled_t:file rw_inherited_file_perms;
-+
+ ')
-+########################################
+ 
-+## <summary>
+ ########################################
- ##	Create, read, write, and delete block device nodes
+@@ -3484,10 +4114,10 @@ interface(`files_rw_isid_type_blk_files',`
- ##	on new filesystems that have not yet been labeled.
+ #
- ## </summary>
+ interface(`files_manage_isid_type_blk_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	allow $1 file_t:blk_file manage_blk_file_perms;
 +	allow $1 unlabeled_t:blk_file manage_blk_file_perms;
 ')
 ########################################
@@ -3503,10 +4133,10 @@ interface(`files_manage_isid_type_blk_files',`
 #
 interface(`files_manage_isid_type_chr_files',`
 	gen_require(`
 -		type file_t;
 +		type unlabeled_t;
 	')
 -	allow $1 file_t:chr_file manage_chr_file_perms;
 +	allow $1 unlabeled_t:chr_file manage_chr_file_perms;
 ')
 ########################################
@@ -3814,20 +4444,38 @@ interface(`files_list_mnt',`
 ######################################
@ -10939,7 +11178,7 @@ index f962f76..5c44da2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4482,44 +5384,134 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,59 +5384,149 @@ interface(`files_setattr_all_tmp_dirs',`
 ##	</summary>
 ## </param>
 #
@ -10989,19 +11228,23 @@ index f962f76..5c44da2 100644
 ##	<summary>
 -##	Domain not to audit.
 +##	Domain allowed access.
-+##	</summary>
+ ##	</summary>
-+## </param>
+ ## </param>
-+#
+ #
 -interface(`files_dontaudit_getattr_all_tmp_files',`
 +interface(`files_read_inherited_tmp_files',`
-+	gen_require(`
+ 	gen_require(`
-+		attribute tmpfile;
+ 		attribute tmpfile;
-+	')
+ 	')
-+
+ 
 -	dontaudit $1 tmpfile:file getattr;
 +	allow $1 tmpfile:file { append read_inherited_file_perms };
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 -##	Allow attempts to get the attributes
 -##	of all tmp files.
 +##	Allow caller to append inherited tmp files.
 +## </summary>
 +## <param name="domain">
@ -11084,9 +11327,24 @@ index f962f76..5c44da2 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_dontaudit_getattr_all_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
 +	dontaudit $1 tmpfile:file getattr;
 +')
 +
 +########################################
 +## <summary>
 +##	Allow attempts to get the attributes
 +##	of all tmp files.
 ## </summary>
- ## </param>
+ ## <param name="domain">
- #
+ ##	<summary>
@@ -4579,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',`
 ## </summary>
 ## <param name="domain">
@ -11491,7 +11749,7 @@ index f962f76..5c44da2 100644
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-@@ -6025,27 +7192,46 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,21 +7192,40 @@ interface(`files_dontaudit_search_pids',`
 ########################################
 ## <summary>
@ -11515,13 +11773,11 @@ index f962f76..5c44da2 100644
 	')
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 -	list_dirs_pattern($1, var_t, var_run_t)
 +	dontaudit $1 pidfile:dir search_dir_perms;
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Read generic process ID files.
 +##	List the contents of the runtime process
 +##	ID directories (/var/run).
 +## </summary>
@ -11537,15 +11793,9 @@ index f962f76..5c44da2 100644
 +	')
 +
 +	files_search_pids($1)
-+	list_dirs_pattern($1, var_t, var_run_t)
+ 	list_dirs_pattern($1, var_t, var_run_t)
-+')
+ ')
-+
+ 
 +########################################
 +## <summary>
 +##	Read generic process ID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -6058,7 +7244,7 @@ interface(`files_read_generic_pids',`
 		type var_t, var_run_t;
 	')
@ -12829,7 +13079,7 @@ index f962f76..5c44da2 100644
 +	allow $1 etc_t:service status;
 ')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1a03abd..0335af9 100644
+index 1a03abd..dfcd2ad 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
@ -12849,7 +13099,7 @@ index 1a03abd..0335af9 100644
 # For labeling types that are to be polyinstantiated
 attribute polydir;
-@@ -48,28 +52,45 @@ attribute usercanread;
+@@ -48,47 +52,55 @@ attribute usercanread;
 #
 type boot_t;
 files_mountpoint(boot_t)
@ -12897,15 +13147,19 @@ index 1a03abd..0335af9 100644
 files_type(etc_runtime_t)
 #Temporarily in policy until FC5 dissappears
 typealias etc_runtime_t alias firstboot_rw_t;
@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
 #
 type file_t;
 files_mountpoint(file_t)
 +files_base_file(file_t)
 kernel_rootfs_mountpoint(file_t)
 sid file gen_context(system_u:object_r:file_t,s0)
-@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
+ #
 -# file_t is the default type of a file that has not yet been
 -# assigned an extended attribute (EA) value (when using a filesystem
 -# that supports EAs).
 -#
 -type file_t;
 -files_mountpoint(file_t)
 -kernel_rootfs_mountpoint(file_t)
 -sid file gen_context(system_u:object_r:file_t,s0)
 -
 -#
 # home_root_t is the type for the directory where user home directories
 # are created
 #
 type home_root_t;
@ -12913,7 +13167,7 @@ index 1a03abd..0335af9 100644
 files_mountpoint(home_root_t)
 files_poly_parent(home_root_t)
-@@ -96,12 +119,13 @@ files_poly_parent(home_root_t)
+@@ -96,12 +108,13 @@ files_poly_parent(home_root_t)
 # lost_found_t is the type for the lost+found directories.
 #
 type lost_found_t;
@ -12928,7 +13182,7 @@ index 1a03abd..0335af9 100644
 files_mountpoint(mnt_t)
 #
-@@ -123,6 +147,7 @@ files_type(readable_t)
+@@ -123,6 +136,7 @@ files_type(readable_t)
 # root_t is the type for rootfs and the root directory.
 #
 type root_t;
@ -12936,7 +13190,7 @@ index 1a03abd..0335af9 100644
 files_mountpoint(root_t)
 files_poly_parent(root_t)
 kernel_rootfs_mountpoint(root_t)
-@@ -133,45 +158,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+@@ -133,45 +147,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
 #
 type src_t;
 files_mountpoint(src_t)
@ -12991,7 +13245,7 @@ index 1a03abd..0335af9 100644
 files_lock_file(var_lock_t)
 files_mountpoint(var_lock_t)
-@@ -180,6 +214,7 @@ files_mountpoint(var_lock_t)
+@@ -180,6 +203,7 @@ files_mountpoint(var_lock_t)
 # used for pid and other runtime files.
 #
 type var_run_t;
@ -12999,7 +13253,7 @@ index 1a03abd..0335af9 100644
 files_pid_file(var_run_t)
 files_mountpoint(var_run_t)
-@@ -187,7 +222,9 @@ files_mountpoint(var_run_t)
+@@ -187,7 +211,9 @@ files_mountpoint(var_run_t)
 # var_spool_t is the type of /var/spool
 #
 type var_spool_t;
@ -13009,7 +13263,7 @@ index 1a03abd..0335af9 100644
 ########################################
 #
-@@ -224,12 +261,13 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -224,12 +250,13 @@ fs_associate_tmpfs(tmpfsfile)
 #
 # Create/access any file in a labeled filesystem;
@ -15284,7 +15538,7 @@ index e100d88..2b0a5b3 100644
 +	list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
 ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..88cbe95 100644
+index 8dbab4c..b33d885 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -15335,15 +15589,22 @@ index 8dbab4c..88cbe95 100644
 # /proc/sys/dev directory and files
 type sysctl_dev_t, sysctl_type;
 genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +178,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +178,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 type unlabeled_t;
 fs_associate(unlabeled_t)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 +allow unlabeled_t self:filesystem associate;
 +
 +# Need the following because we are type alias of file_t.
 +files_mountpoint(unlabeled_t)
 +files_base_file(unlabeled_t)
 +kernel_rootfs_mountpoint(unlabeled_t)
 +sid file gen_context(system_u:object_r:unlabeled_t,s0)
 +typealias unlabeled_t alias file_t;
 # These initial sids are no longer used, and can be removed:
 sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +203,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +210,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 # kernel local policy
 #
@ -15351,7 +15612,7 @@ index 8dbab4c..88cbe95 100644
 allow kernel_t self:capability ~sys_module;
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +255,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
 corenet_in_generic_if(unlabeled_t)
 corenet_in_generic_node(unlabeled_t)
@ -15359,7 +15620,7 @@ index 8dbab4c..88cbe95 100644
 corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +265,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
@ -15385,7 +15646,7 @@ index 8dbab4c..88cbe95 100644
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
-@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +288,8 @@ fs_unmount_all_fs(kernel_t)
 selinux_load_policy(kernel_t)
@ -15395,7 +15656,7 @@ index 8dbab4c..88cbe95 100644
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
-@@ -277,25 +296,49 @@ files_list_root(kernel_t)
+@@ -277,25 +303,49 @@ files_list_root(kernel_t)
 files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
@ -15445,7 +15706,7 @@ index 8dbab4c..88cbe95 100644
 ')
 optional_policy(`
-@@ -305,6 +348,19 @@ optional_policy(`
+@@ -305,6 +355,19 @@ optional_policy(`
 optional_policy(`
 	logging_send_syslog_msg(kernel_t)
@ -15465,7 +15726,7 @@ index 8dbab4c..88cbe95 100644
 ')
 optional_policy(`
-@@ -312,6 +368,10 @@ optional_policy(`
+@@ -312,6 +375,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -15476,7 +15737,7 @@ index 8dbab4c..88cbe95 100644
 	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +392,6 @@ optional_policy(`
+@@ -332,9 +399,6 @@ optional_policy(`
 	sysnet_read_config(kernel_t)
@ -15486,7 +15747,7 @@ index 8dbab4c..88cbe95 100644
 	rpc_udp_rw_nfs_sockets(kernel_t)
 	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +400,7 @@ optional_policy(`
+@@ -343,9 +407,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
@ -15497,7 +15758,7 @@ index 8dbab4c..88cbe95 100644
 	')
 	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +409,7 @@ optional_policy(`
+@@ -354,7 +416,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
@ -15506,7 +15767,7 @@ index 8dbab4c..88cbe95 100644
 	')
 ')
-@@ -367,6 +422,15 @@ optional_policy(`
+@@ -367,6 +429,15 @@ optional_policy(`
 	unconfined_domain_noaudit(kernel_t)
 ')
@ -15522,7 +15783,7 @@ index 8dbab4c..88cbe95 100644
 ########################################
 #
 # Unlabeled process local policy
-@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +480,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *;
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -71040,7 +71040,7 @@ index 951db7f..c0cabe8 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
 ')
 diff --git a/raid.te b/raid.te
-index c99753f..5e27523 100644
+index c99753f..2eb5455 100644
 --- a/raid.te
 +++ b/raid.te
@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@ -71059,7 +71059,7 @@ index c99753f..5e27523 100644
 type mdadm_var_run_t alias mdadm_map_t;
 files_pid_file(mdadm_var_run_t)
 dev_associate(mdadm_var_run_t)
-@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t)
+@@ -25,44 +34,64 @@ dev_associate(mdadm_var_run_t)
 #
 allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@ -71098,10 +71098,12 @@ index c99753f..5e27523 100644
 corecmd_exec_bin(mdadm_t)
 corecmd_exec_shell(mdadm_t)
-@@ -49,20 +69,29 @@ corecmd_exec_shell(mdadm_t)
+ 
 dev_rw_sysfs(mdadm_t)
- dev_dontaudit_getattr_all_blk_files(mdadm_t)
+-dev_dontaudit_getattr_all_blk_files(mdadm_t)
- dev_dontaudit_getattr_all_chr_files(mdadm_t)
+-dev_dontaudit_getattr_all_chr_files(mdadm_t)
 +dev_dontaudit_read_all_blk_files(mdadm_t)
 +dev_dontaudit_read_all_chr_files(mdadm_t)
 +dev_read_crash(mdadm_t)
 +dev_read_framebuffer(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
@ -76722,7 +76724,7 @@ index 0bf13c2..d59aef7 100644
 		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
 		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..11e7bfe 100644
+index 2da9fca..2497a03 100644
 --- a/rpc.te
 +++ b/rpc.te
@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@ -77028,7 +77030,7 @@ index 2da9fca..11e7bfe 100644
 miscfiles_read_generic_certs(gssd_t)
 userdom_signal_all_users(gssd_t)
-+userdom_read_all_users_keys(gssd_t)
+userdom_manage_all_users_keys(gssd_t)
 -tunable_policy(`allow_gssd_read_tmp',`
 +tunable_policy(`gssd_read_tmp',`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -576,7 +576,10 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
-* Mon Jan 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-12
+* Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13
 - Remove file_t from the system and realias it with unlabeled_t
 * Thu Jan 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-12
 - Add gluster fixes
 - Remove ability to transition to unconfined_t from confined domains
 - Additional allow rules to get libvirt-lxc containers working with docker