* Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163

- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t. - Add ipsec_read_pid() interface
2015-12-09 14:42:39 +01:00 · 2015-12-09 14:42:39 +01:00 · 5c898c0814
commit 5c898c0814
parent 2b449e6e35
4 changed files with 96 additions and 54 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -22548,7 +22548,7 @@ index ff92430..36740ea 100644
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..0371f63 100644
+index 2522ca6..a73a163 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@ -22754,7 +22754,11 @@ index 2522ca6..0371f63 100644
 	fstools_run(sysadm_t, sysadm_r)
 ')
-@@ -175,10 +249,27 @@ optional_policy(`
+@@ -172,13 +246,31 @@ optional_policy(`
 	# at things (e.g., ipsec auto --status)
 	# probably should create an ipsec_admin role for this kind of thing
 	ipsec_exec_mgmt(sysadm_t)
 +    ipsec_read_pid(sysadm_t)
 	ipsec_stream_connect(sysadm_t)
 	# for lsof
 	ipsec_getattr_key_sockets(sysadm_t)
@ -22782,7 +22786,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -190,11 +281,12 @@ optional_policy(`
+@@ -190,11 +282,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -22797,7 +22801,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -210,22 +302,20 @@ optional_policy(`
+@@ -210,22 +303,20 @@ optional_policy(`
 	modutils_run_depmod(sysadm_t, sysadm_r)
 	modutils_run_insmod(sysadm_t, sysadm_r)
 	modutils_run_update_mods(sysadm_t, sysadm_r)
@ -22826,7 +22830,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -237,14 +327,28 @@ optional_policy(`
+@@ -237,14 +328,28 @@ optional_policy(`
 ')
 optional_policy(`
@ -22855,7 +22859,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -252,10 +356,20 @@ optional_policy(`
+@@ -252,10 +357,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -22876,7 +22880,7 @@ index 2522ca6..0371f63 100644
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_fetch(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +380,41 @@ optional_policy(`
+@@ -266,35 +381,41 @@ optional_policy(`
 ')
 optional_policy(`
@ -22925,7 +22929,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -308,6 +428,7 @@ optional_policy(`
+@@ -308,6 +429,7 @@ optional_policy(`
 optional_policy(`
 	screen_role_template(sysadm, sysadm_r, sysadm_t)
@ -22933,7 +22937,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -315,12 +436,20 @@ optional_policy(`
+@@ -315,12 +437,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -22955,7 +22959,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -345,30 +474,37 @@ optional_policy(`
+@@ -345,30 +475,37 @@ optional_policy(`
 ')
 optional_policy(`
@ -23002,7 +23006,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -380,10 +516,6 @@ optional_policy(`
+@@ -380,10 +517,6 @@ optional_policy(`
 ')
 optional_policy(`
@ -23013,7 +23017,7 @@ index 2522ca6..0371f63 100644
 	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 	usermanage_run_groupadd(sysadm_t, sysadm_r)
 	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +523,9 @@ optional_policy(`
+@@ -391,6 +524,9 @@ optional_policy(`
 optional_policy(`
 	virt_stream_connect(sysadm_t)
@ -23023,7 +23027,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -398,31 +533,34 @@ optional_policy(`
+@@ -398,31 +534,34 @@ optional_policy(`
 ')
 optional_policy(`
@ -23064,7 +23068,7 @@ index 2522ca6..0371f63 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
-@@ -435,10 +573,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +574,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -23075,7 +23079,7 @@ index 2522ca6..0371f63 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 		optional_policy(`
-@@ -459,15 +593,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +594,79 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -35414,7 +35418,7 @@ index 662e79b..d32012f 100644
 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..720ece8 100644
+index 0d4c8d3..537aa42 100644
 --- a/policy/modules/system/ipsec.if
 +++ b/policy/modules/system/ipsec.if
@@ -18,6 +18,24 @@ interface(`ipsec_domtrans',`
@ -35600,7 +35604,34 @@ index 0d4c8d3..720ece8 100644
 ')
 ########################################
-@@ -369,3 +497,27 @@ interface(`ipsec_run_setkey',`
+@@ -267,6 +395,26 @@ interface(`ipsec_write_pid',`
 ########################################
 ## <summary>
 +##	Allow read the IPSEC pid files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`ipsec_read_pid',`
 +	gen_require(`
 +		type ipsec_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	read_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
 +	read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
 +')
 +
 +########################################
 +## <summary>
 ##	Create, read, write, and delete the IPSEC pid files.
 ## </summary>
 ## <param name="domain">
@@ -369,3 +517,27 @@ interface(`ipsec_run_setkey',`
 	ipsec_domtrans_setkey($1)
 	role $2 types setkey_t;
 ')
@ -35629,7 +35660,7 @@ index 0d4c8d3..720ece8 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..8e32ea8 100644
+index 312cd04..34f5262 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -35771,7 +35802,7 @@ index 312cd04..8e32ea8 100644
 	seutil_sigchld_newrole(ipsec_t)
 ')
-@@ -182,19 +211,29 @@ optional_policy(`
+@@ -182,19 +211,30 @@ optional_policy(`
 	udev_read_db(ipsec_t)
 ')
@ -35802,10 +35833,11 @@ index 312cd04..8e32ea8 100644
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 +allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
 +allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms };
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +247,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +248,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -35821,7 +35853,7 @@ index 312cd04..8e32ea8 100644
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
-@@ -246,6 +287,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +288,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
@ -35838,7 +35870,7 @@ index 312cd04..8e32ea8 100644
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +306,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +307,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
@ -35847,7 +35879,7 @@ index 312cd04..8e32ea8 100644
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
-@@ -269,6 +322,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +323,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
@ -35855,7 +35887,7 @@ index 312cd04..8e32ea8 100644
 files_read_usr_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +332,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +333,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
 term_use_console(ipsec_mgmt_t)
@ -35867,7 +35899,7 @@ index 312cd04..8e32ea8 100644
 init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +343,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +344,28 @@ init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@ -35901,7 +35933,7 @@ index 312cd04..8e32ea8 100644
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +388,10 @@ optional_policy(`
+@@ -322,6 +389,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -35912,7 +35944,7 @@ index 312cd04..8e32ea8 100644
 	modutils_domtrans_insmod(ipsec_mgmt_t)
 ')
-@@ -335,7 +405,7 @@ optional_policy(`
+@@ -335,7 +406,7 @@ optional_policy(`
 #
 allow racoon_t self:capability { net_admin net_bind_service };
@ -35921,7 +35953,7 @@ index 312cd04..8e32ea8 100644
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +440,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +441,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
@ -35941,7 +35973,7 @@ index 312cd04..8e32ea8 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +470,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +471,10 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
@ -35954,7 +35986,7 @@ index 312cd04..8e32ea8 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +507,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +508,8 @@ corenet_setcontext_all_spds(setkey_t)
 locallogin_use_fds(setkey_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -8260,7 +8260,7 @@ index 50c9b9c..533a555 100644
 +	allow $1 arpwatch_unit_file_t:service all_service_perms;
 ')
 diff --git a/arpwatch.te b/arpwatch.te
-index 2d7bf34..2927585 100644
+index 2d7bf34..766a91a 100644
 --- a/arpwatch.te
 +++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@ -8273,15 +8273,16 @@ index 2d7bf34..2927585 100644
 ########################################
 #
 # Local policy
-@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
+@@ -33,6 +36,8 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
 allow arpwatch_t self:tcp_socket { accept listen };
 allow arpwatch_t self:packet_socket create_socket_perms;
 allow arpwatch_t self:socket create_socket_perms;
 +allow arpwatch_t self:netlink_socket create_socket_perms;
 +allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;
 manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
 manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
-@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+@@ -45,11 +50,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
 manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
 files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
@ -8306,7 +8307,7 @@ index 2d7bf34..2927585 100644
 dev_read_sysfs(arpwatch_t)
 dev_read_usbmon_dev(arpwatch_t)
 dev_rw_generic_usb_dev(arpwatch_t)
-@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t)
+@@ -59,15 +76,12 @@ fs_search_auto_mountpoints(arpwatch_t)
 domain_use_interactive_fds(arpwatch_t)
@ -65103,7 +65104,7 @@ index 9b15730..cb00f20 100644
 +	')
 ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..ba23186 100644
+index 44dbc99..a17af8b 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
@ -65120,7 +65121,7 @@ index 44dbc99..ba23186 100644
 type openvswitch_var_lib_t;
 files_type(openvswitch_var_lib_t)
-@@ -27,20 +24,28 @@ files_tmp_file(openvswitch_tmp_t)
+@@ -27,20 +24,29 @@ files_tmp_file(openvswitch_tmp_t)
 type openvswitch_var_run_t;
 files_pid_file(openvswitch_var_run_t)
@ -65145,6 +65146,7 @@ index 44dbc99..ba23186 100644
 +allow openvswitch_t self:tcp_socket create_stream_socket_perms;
 +allow openvswitch_t self:netlink_socket create_socket_perms;
 +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow openvswitch_t self:netlink_generic_socket create_socket_perms;
 -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
@ -65157,7 +65159,7 @@ index 44dbc99..ba23186 100644
 manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
 manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -48,9 +53,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -48,9 +54,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
 files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
 manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@ -65168,7 +65170,7 @@ index 44dbc99..ba23186 100644
 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
 logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -65,33 +68,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +69,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
 manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@ -93304,7 +93306,7 @@ index 2b7c441..0232e85 100644
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
 ')
 diff --git a/sambagui.te b/sambagui.te
-index e18b0a2..463e207 100644
+index e18b0a2..dc2a745 100644
 --- a/sambagui.te
 +++ b/sambagui.te
@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
@ -93325,8 +93327,11 @@ index e18b0a2..463e207 100644
 sysnet_use_ldap(sambagui_t)
-@@ -61,6 +61,7 @@ optional_policy(`
+@@ -59,8 +59,10 @@ optional_policy(`
 	samba_append_log(sambagui_t)
 	samba_manage_config(sambagui_t)
 	samba_manage_var_files(sambagui_t)
 +	samba_manage_var_dirs(sambagui_t)
 	samba_read_secrets(sambagui_t)
 	samba_initrc_domtrans(sambagui_t)
 +	samba_systemctl(sambagui_t)
@ -110464,7 +110469,7 @@ index facdee8..19b6ffb 100644
 +        ps_process_pattern(virtd_t, $1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..27c7cb7 100644
+index f03dcf5..a9548bd 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,248 @@
@ -111457,7 +111462,7 @@ index f03dcf5..27c7cb7 100644
 	kernel_read_xen_state(virtd_t)
 	kernel_write_xen_state(virtd_t)
-@@ -746,44 +686,277 @@ optional_policy(`
+@@ -746,44 +686,278 @@ optional_policy(`
 	udev_read_pid_files(virtd_t)
 ')
@ -111534,7 +111539,8 @@ index f03dcf5..27c7cb7 100644
 +manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
 +manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
 +manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
-+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file })
+manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
 +files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file})
 +userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })
 +
 +manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
@ -111757,7 +111763,7 @@ index f03dcf5..27c7cb7 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +967,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +968,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -111784,7 +111790,7 @@ index f03dcf5..27c7cb7 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +987,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +988,25 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -111818,7 +111824,7 @@ index f03dcf5..27c7cb7 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1024,20 @@ optional_policy(`
+@@ -856,14 +1025,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -111840,7 +111846,7 @@ index f03dcf5..27c7cb7 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -888,49 +1062,65 @@ optional_policy(`
+@@ -888,49 +1063,65 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -111924,7 +111930,7 @@ index f03dcf5..27c7cb7 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1132,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1133,16 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -111944,7 +111950,7 @@ index f03dcf5..27c7cb7 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1153,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1154,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -111968,7 +111974,7 @@ index f03dcf5..27c7cb7 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1178,343 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1179,343 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -112453,7 +112459,7 @@ index f03dcf5..27c7cb7 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1527,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1528,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -112468,7 +112474,7 @@ index f03dcf5..27c7cb7 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,9 +1545,8 @@ optional_policy(`
+@@ -1192,9 +1546,8 @@ optional_policy(`
 ########################################
 #
@ -112479,7 +112485,7 @@ index f03dcf5..27c7cb7 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1205,7 +1557,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+@@ -1205,7 +1558,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
 kernel_read_network_state(virt_bridgehelper_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 162%{?dist}
+Release: 163%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -664,6 +664,10 @@ exit 0
 %endif
 %changelog
 * Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163
 - Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
 - Add ipsec_read_pid() interface
 * Mon Dec 07 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-162
 - Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)
 - Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)