* Tue Jul 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-62

- Fix definition of sandbox.disabled to sandbox.pp.disabled
2013-07-09 21:53:12 +02:00 · 2013-07-09 21:53:12 +02:00 · 60ad55be4d
commit 60ad55be4d
parent d3c6b2620c
3 changed files with 440 additions and 232 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3042,7 +3042,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..38a8a2d 100644
+index 644d4d7..51181b8 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@ -3229,7 +3229,7 @@ index 644d4d7..38a8a2d 100644
 +/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/vte/gnome-pty-helper	--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/systemd/system-sleep/(.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-sleep(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/vte/gnome-pty-helper 	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/yaboot/addnote	      	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
@ -8257,7 +8257,7 @@ index 6529bd9..831344c 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
 allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..adafd25 100644
+index 6a1e4d1..c691385 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@ -8296,6 +8296,15 @@ index 6a1e4d1..adafd25 100644
 ')
 
 ########################################
+@@ -128,7 +103,7 @@ interface(`domain_entry_file',`
+ 	')
+ 
+ 	allow $1 $2:file entrypoint;
+-	allow $1 $2:file { mmap_file_perms ioctl lock };
+	allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };
+ 
+ 	typeattribute $2 entry_type;
+ 
@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
 
 ########################################
@ -9055,7 +9064,7 @@ index c2c6e05..be423a7 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..fe6d89c 100644
+index 64ff4d7..3e91f7d 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -11585,7 +11594,7 @@ index 64ff4d7..fe6d89c 100644
 	')
 
 	allow $1 var_t:dir search_dir_perms;
-@@ -6562,3 +7839,474 @@ interface(`files_unconfined',`
+@@ -6562,3 +7839,491 @@ interface(`files_unconfined',`
 
 	typeattribute $1 files_unconfined_type;
 ')
@ -12060,6 +12069,23 @@ index 64ff4d7..fe6d89c 100644
 +	allow $1 file_type:service all_service_perms;
 +')
 +
+########################################
+## <summary>
+##	Get the status of etc_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_status_etc',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service status;
+')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 148d87a..822f6be 100644
 --- a/policy/modules/kernel/files.te
@ -16648,10 +16674,10 @@ index 234a940..d340f20 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..3577c24 100644
+index 5da7870..1a2de40 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1)
+@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
 role staff_r;
 
 userdom_unpriv_user_template(staff)
@ -16683,6 +16709,7 @@ index 5da7870..3577c24 100644
 +dev_read_kmsg(staff_t)
 +
 +domain_read_all_domains_state(staff_t)
+domain_getsched_all_domains(staff_t)
 +domain_getattr_all_domains(staff_t)
 +domain_obj_id_change_exemption(staff_t)
 +
@ -16719,7 +16746,7 @@ index 5da7870..3577c24 100644
 optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
-@@ -23,11 +78,102 @@ optional_policy(`
+@@ -23,11 +79,102 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -16823,7 +16850,7 @@ index 5da7870..3577c24 100644
 ')
 
 optional_policy(`
-@@ -35,15 +181,31 @@ optional_policy(`
+@@ -35,15 +182,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -16857,7 +16884,7 @@ index 5da7870..3577c24 100644
 ')
 
 optional_policy(`
-@@ -52,10 +214,55 @@ optional_policy(`
+@@ -52,10 +215,55 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -16913,7 +16940,7 @@ index 5da7870..3577c24 100644
 	xserver_role(staff_r, staff_t)
 ')
 
-@@ -65,10 +272,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +273,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -16924,7 +16951,7 @@ index 5da7870..3577c24 100644
 		cdrecord_role(staff_r, staff_t)
 	')
 
-@@ -78,10 +281,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +282,6 @@ ifndef(`distro_redhat',`
 
 	optional_policy(`
 		dbus_role_template(staff, staff_r, staff_t)
@ -16935,7 +16962,7 @@ index 5da7870..3577c24 100644
 	')
 
 	optional_policy(`
-@@ -101,10 +300,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +301,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -16946,7 +16973,7 @@ index 5da7870..3577c24 100644
 		java_role(staff_r, staff_t)
 	')
 
-@@ -125,10 +320,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +321,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -16957,7 +16984,7 @@ index 5da7870..3577c24 100644
 		pyzor_role(staff_r, staff_t)
 	')
 
-@@ -141,10 +332,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +333,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -16968,7 +16995,7 @@ index 5da7870..3577c24 100644
 		spamassassin_role(staff_r, staff_t)
 	')
 
-@@ -176,3 +363,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +364,22 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
@ -17020,10 +17047,10 @@ index ff92430..36740ea 100644
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..c461b2b 100644
+index 88d0028..c3275cb 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,80 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,81 @@ policy_module(sysadm, 2.5.1)
 # Declarations
 #
 
@ -17056,6 +17083,7 @@ index 88d0028..c461b2b 100644
 +
 +files_read_kernel_modules(sysadm_t)
 +files_filetrans_named_content(sysadm_t)
+files_status_etc(sysadm_t)
 +
 +fs_mount_fusefs(sysadm_t)
 +
@ -17115,7 +17143,7 @@ index 88d0028..c461b2b 100644
 
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
-@@ -55,13 +96,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +97,7 @@ ifdef(`distro_gentoo',`
 	init_exec_rc(sysadm_t)
 ')
 
@ -17130,7 +17158,7 @@ index 88d0028..c461b2b 100644
 	domain_ptrace_all_domains(sysadm_t)
 ')
 
-@@ -71,9 +106,9 @@ optional_policy(`
+@@ -71,9 +107,9 @@ optional_policy(`
 
 optional_policy(`
 	apache_run_helper(sysadm_t, sysadm_r)
@ -17141,7 +17169,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -87,6 +122,7 @@ optional_policy(`
+@@ -87,6 +123,7 @@ optional_policy(`
 
 optional_policy(`
 	asterisk_stream_connect(sysadm_t)
@ -17149,7 +17177,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -110,11 +146,17 @@ optional_policy(`
+@@ -110,11 +147,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17167,7 +17195,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -122,11 +164,19 @@ optional_policy(`
+@@ -122,11 +165,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17189,7 +17217,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -140,6 +190,10 @@ optional_policy(`
+@@ -140,6 +191,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17200,7 +17228,7 @@ index 88d0028..c461b2b 100644
 	dmesg_exec(sysadm_t)
 ')
 
-@@ -156,11 +210,11 @@ optional_policy(`
+@@ -156,11 +211,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17214,7 +17242,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -179,6 +233,13 @@ optional_policy(`
+@@ -179,6 +234,13 @@ optional_policy(`
 	ipsec_stream_connect(sysadm_t)
 	# for lsof
 	ipsec_getattr_key_sockets(sysadm_t)
@ -17228,7 +17256,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -186,15 +247,20 @@ optional_policy(`
+@@ -186,15 +248,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17252,7 +17280,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -214,22 +280,20 @@ optional_policy(`
+@@ -214,22 +281,20 @@ optional_policy(`
 	modutils_run_depmod(sysadm_t, sysadm_r)
 	modutils_run_insmod(sysadm_t, sysadm_r)
 	modutils_run_update_mods(sysadm_t, sysadm_r)
@ -17281,7 +17309,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -241,14 +305,27 @@ optional_policy(`
+@@ -241,14 +306,27 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17309,7 +17337,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -256,10 +333,20 @@ optional_policy(`
+@@ -256,10 +334,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17330,7 +17358,7 @@ index 88d0028..c461b2b 100644
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_fetch(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +357,36 @@ optional_policy(`
+@@ -270,31 +358,36 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17374,7 +17402,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -319,12 +411,18 @@ optional_policy(`
+@@ -319,12 +412,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17394,7 +17422,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -349,7 +447,18 @@ optional_policy(`
+@@ -349,7 +448,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17414,7 +17442,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -360,19 +469,15 @@ optional_policy(`
+@@ -360,19 +470,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17436,7 +17464,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -384,10 +489,6 @@ optional_policy(`
+@@ -384,10 +490,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17447,7 +17475,7 @@ index 88d0028..c461b2b 100644
 	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 	usermanage_run_groupadd(sysadm_t, sysadm_r)
 	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +496,9 @@ optional_policy(`
+@@ -395,6 +497,9 @@ optional_policy(`
 
 optional_policy(`
 	virt_stream_connect(sysadm_t)
@ -17457,7 +17485,7 @@ index 88d0028..c461b2b 100644
 ')
 
 optional_policy(`
-@@ -402,31 +506,34 @@ optional_policy(`
+@@ -402,31 +507,34 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -17498,7 +17526,7 @@ index 88d0028..c461b2b 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
 
-@@ -439,10 +546,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +547,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -17509,7 +17537,7 @@ index 88d0028..c461b2b 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 
 		optional_policy(`
-@@ -463,15 +566,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +567,75 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -23933,10 +23961,10 @@ index 1b6619e..be02b96 100644
 +    allow $1 application_domain_type:socket_class_set getattr;
 +')
 diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..cd80b96 100644
+index c6fdab7..af71c62 100644
 --- a/policy/modules/system/application.te
 +++ b/policy/modules/system/application.te
-@@ -6,12 +6,33 @@ attribute application_domain_type;
+@@ -6,15 +6,40 @@ attribute application_domain_type;
 # Executables to be run by user
 attribute application_exec_type;
 
@ -23957,11 +23985,11 @@ index c6fdab7..cd80b96 100644
 +	afs_rw_udp_sockets(application_domain_type)
 +')
 +
-+optional_policy(`
+ optional_policy(`
 +	cfengine_append_inherited_log(application_domain_type)
 +')
 +
- optional_policy(`
+optional_policy(`
 +	cron_rw_inherited_user_spool_files(application_domain_type)
 	cron_sigchld(application_domain_type)
 ')
@ -23971,6 +23999,13 @@ index c6fdab7..cd80b96 100644
 	ssh_rw_stream_sockets(application_domain_type)
 ')
 
+ optional_policy(`
+	screen_sigchld(application_domain_type)
+')
+
+optional_policy(`
+ 	sudo_sigchld(application_domain_type)
+ ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
 index 28ad538..ebe81bf 100644
 --- a/policy/modules/system/authlogin.fc
@ -28588,7 +28623,7 @@ index 0d4c8d3..a89c4a2 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..468dc31 100644
+index 9e54bf9..9a068f6 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -28756,7 +28791,18 @@ index 9e54bf9..468dc31 100644
 
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
-@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t)
+@@ -322,6 +349,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	l2tpd_read_pid_files(ipsec_mgmt_t)
+')
+
+optional_policy(`
+ 	modutils_domtrans_insmod(ipsec_mgmt_t)
+ ')
+ 
+@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
 
@ -28776,7 +28822,7 @@ index 9e54bf9..468dc31 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 
-@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
 
@ -28789,7 +28835,7 @@ index 9e54bf9..468dc31 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t)
 
 locallogin_use_fds(setkey_t)
 
@ -28889,7 +28935,7 @@ index c42fbc3..174cfdb 100644
 ## <summary>
 ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..2502d06 100644
+index 5dfa44b..4abf7fd 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@ -28971,7 +29017,7 @@ index 5dfa44b..2502d06 100644
 userdom_use_all_users_fds(iptables_t)
 
 ifdef(`hide_broken_symptoms',`
-@@ -102,11 +104,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',`
 
 optional_policy(`
 	fail2ban_append_log(iptables_t)
@ -28980,13 +29026,19 @@ index 5dfa44b..2502d06 100644
 ')
 
 optional_policy(`
- 	firstboot_use_fds(iptables_t)
- 	firstboot_rw_pipes(iptables_t)
-+	firewalld_dontaudit_write_tmp_files(iptables_t)
+@@ -110,6 +114,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-@@ -124,6 +129,12 @@ optional_policy(`
+	firewalld_read_config(iptables_t)
+	firewalld_dontaudit_write_tmp_files(iptables_t)
+')
+
+optional_policy(`
+ 	modutils_run_insmod(iptables_t, iptables_roles)
+ ')
+ 
+@@ -124,6 +133,12 @@ optional_policy(`
 
 optional_policy(`
 	psad_rw_tmp_files(iptables_t)
@ -28999,7 +29051,7 @@ index 5dfa44b..2502d06 100644
 ')
 
 optional_policy(`
-@@ -135,9 +146,9 @@ optional_policy(`
+@@ -135,9 +150,9 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -34933,10 +34985,10 @@ index b7686d5..431d2f1 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..4e12420
+index 0000000..2cd29ba
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,43 @@
 +/etc/hostname			--		gen_context(system_u:object_r:hostname_etc_t,s0)
 +/etc/machine-info		--		gen_context(system_u:object_r:hostname_etc_t,s0)
 +
@ -34952,6 +35004,7 @@ index 0000000..4e12420
 +/usr/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +
 +/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-vconsole-setup\.service		gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
 +/usr/lib/systemd/system/.*halt.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*hibernate.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*power.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
@ -36218,10 +36271,10 @@ index 0000000..6862d53
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..87474b2
+index 0000000..b43a6c1
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,647 @@
+@@ -0,0 +1,654 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -36285,6 +36338,9 @@ index 0000000..87474b2
 +type power_unit_file_t;
 +systemd_unit_file(power_unit_file_t)
 +
+type systemd_vconsole_unit_file_t;
+systemd_unit_file(systemd_vconsole_unit_file_t)
+
 +# executable for systemctl
 +type systemd_systemctl_exec_t;
 +corecmd_executable_file(systemd_systemctl_exec_t)
@ -36696,9 +36752,13 @@ index 0000000..87474b2
 +
 +dev_write_kmsg(systemd_localed_t)
 +
+init_dbus_chat(systemd_localed_t)
+
 +logging_stream_connect_syslog(systemd_localed_t)
 +logging_send_syslog_msg(systemd_localed_t)
 +
+allow systemd_localed_t systemd_vconsole_unit_file_t:service start;
+
 +miscfiles_manage_localization(systemd_localed_t)
 +miscfiles_etc_filetrans_localization(systemd_localed_t)
 +
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 59%{?dist}
+Release: 62%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -539,6 +539,39 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Tue Jul 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-62
+- Fix definition of sandbox.disabled to sandbox.pp.disabled
+
+* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-61
+- Allow mdamd to execute systemctl
+- Allow mdadm to read /dev/kvm
+- Allow ipsec_mgmt_t to read l2tpd pid content
+
+* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-60
+- Allow nsd_t to read /dev/urand
+- Allow mdadm_t to read framebuffer
+- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
+- Allow mozilla_plugin_config_t to create tmp files
+- Cleanup openvswitch policy
+- Allow mozilla plugin to getattr on all executables
+- Allow l2tpd_t to create fifo_files in /var/run
+- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
+- Allow mdadm to connecto its own unix_stream_socket
+- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.
+- Allow apache to access smokeping pid files
+- Allow rabbitmq_beam_t to getattr on all filesystems
+- Add systemd support for iodined
+- Allow nup_upsdrvctl_t to execute its entrypoint
+- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
+- add labeling for ~/.cache/libvirt-sandbox
+- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
+- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
+- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
+- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition,  I can see no case where this is  a bad thing, and elminiates a whole class of AVCs.
+- Allow staff to getsched all domains, required to run htop
+- Add port definition for redis port
+- fix selinuxuser_use_ssh_chroot boolean
+
 * Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
 - Add prosody policy written by Michael Scherer
 - Allow nagios plugins to read /sys info