- If I can create a socket I need to be able to set the attributes

- Add tcp/8775 port as neutron port - Add additional ports for swift ports - Added changes to fedora from bug bz#1082183 - Add support for tcp/6200 port - Allow collectd getattr access to configfs_t dir Fixes Bug 1115040 - Update neutron_manage_lib_files() interface - Allow glustered to connect to ephemeral ports - Allow apache to search ipa lib files by default - Allow neutron to domtrans to haproxy - Add rhcs_domtrans_haproxy() - Add support for openstack-glance-* unit files - Add initial support for /usr/bin/glance-scrubber - Allow swift to connect to keystone and memcache ports. - Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup - Add policies for openstack-cinder - Add support for /usr/bin/nova-conductor - Add neutron_can_network boolean - Allow neutron to connet to neutron port - Allow glance domain to use syslog - Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
2014-07-04 18:51:18 +02:00 · 2014-07-04 18:51:18 +02:00 · 682896c0a1
commit 682896c0a1
parent 24862fd309
3 changed files with 639 additions and 219 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5452,7 +5452,7 @@ index 8e0f9cd..b9f45b9 100644
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..dab9975 100644
+index b191055..a19d634 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5724,7 +5724,7 @@ index b191055..dab9975 100644
 network_port(puppet, tcp, 8140, s0)
 network_port(pxe, udp,4011,s0)
 network_port(pyzor, udp,24441,s0)
-+network_port(neutron, tcp,9696,s0, tcp,9697,s0)
+network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
 network_port(radacct, udp,1646,s0, udp,1813,s0)
 network_port(radius, udp,1645,s0, udp,1812,s0)
 network_port(radsec, tcp,2083,s0)
@ -5770,7 +5770,7 @@ index b191055..dab9975 100644
 network_port(svn, tcp,3690,s0, udp,3690,s0)
 network_port(svrloc, tcp,427,s0, udp,427,s0)
 network_port(swat, tcp,901,s0)
-+network_port(swift, tcp,6200,s0)
+network_port(swift, tcp,6200-6203,s0)
 network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
 -network_port(syslogd, udp,514,s0)
 +network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
@ -22165,7 +22165,7 @@ index fe0c682..eb9cefe 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..bdb6d0e 100644
+index cc877c7..b4e231c 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
@ -22673,7 +22673,7 @@ index cc877c7..bdb6d0e 100644
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +517,140 @@ optional_policy(`
+@@ -341,3 +517,147 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
@ -22728,6 +22728,9 @@ index cc877c7..bdb6d0e 100644
 +
 +corecmd_exec_shell(chroot_user_t)
 +
 +domain_subj_id_change_exemption(chroot_user_t)
 +domain_role_change_exemption(chroot_user_t)
 +
 +term_search_ptys(chroot_user_t)
 +term_use_ptmx(chroot_user_t)
 +
@ -22777,6 +22780,10 @@ index cc877c7..bdb6d0e 100644
 +    ssh_rw_dgram_sockets(chroot_user_t)
 +')
 +
 +optional_policy(`
 +    unconfined_shell_domtrans(chroot_user_t)
 +')
 +
 +######################################
 +#
 +# ssh_agent_type common policy local policy
@ -29913,7 +29920,7 @@ index 79a45f6..89b43aa 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..7c66e96 100644
+index 17eda24..84a3fcf 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -30034,7 +30041,7 @@ index 17eda24..7c66e96 100644
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
-@@ -108,14 +157,42 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +157,43 @@ allow init_t self:capability ~sys_module;
 allow init_t self:fifo_file rw_fifo_file_perms;
@ -30072,6 +30079,7 @@ index 17eda24..7c66e96 100644
 +manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_fifo_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +files_pid_filetrans(init_t, init_var_run_t, { dir file })
 +allow init_t init_var_run_t:dir mounton;
 +allow init_t init_var_run_t:sock_file relabelto;
@ -30083,7 +30091,7 @@ index 17eda24..7c66e96 100644
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +202,22 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +203,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@ -30097,6 +30105,7 @@ index 17eda24..7c66e96 100644
 +corenet_tcp_bind_all_ports(init_t)
 +corenet_udp_bind_all_ports(init_t)
 +
 +dev_create_all_chr_files(init_t)
 +dev_rw_sysfs(init_t)
 +dev_read_urand(init_t)
 +dev_read_raw_memory(init_t)
@ -30107,7 +30116,7 @@ index 17eda24..7c66e96 100644
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
-@@ -139,14 +225,22 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +227,22 @@ domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
@ -30130,7 +30139,7 @@ index 17eda24..7c66e96 100644
 # file descriptors inherited from the rootfs:
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +250,53 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +252,53 @@ fs_list_inotifyfs(init_t)
 fs_write_ramfs_sockets(init_t)
 mcs_process_set_categories(init_t)
@ -30187,7 +30196,7 @@ index 17eda24..7c66e96 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +305,237 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +307,237 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -30434,7 +30443,7 @@ index 17eda24..7c66e96 100644
 ')
 optional_policy(`
-@@ -216,7 +543,31 @@ optional_policy(`
+@@ -216,7 +545,31 @@ optional_policy(`
 ')
 optional_policy(`
@ -30466,7 +30475,7 @@ index 17eda24..7c66e96 100644
 ')
 ########################################
-@@ -225,9 +576,9 @@ optional_policy(`
+@@ -225,9 +578,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -30478,7 +30487,7 @@ index 17eda24..7c66e96 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -258,12 +609,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +611,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -30495,7 +30504,7 @@ index 17eda24..7c66e96 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +634,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +636,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -30538,7 +30547,7 @@ index 17eda24..7c66e96 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +671,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +673,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -30550,7 +30559,7 @@ index 17eda24..7c66e96 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +683,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +685,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -30561,7 +30570,7 @@ index 17eda24..7c66e96 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +694,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +696,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -30571,7 +30580,7 @@ index 17eda24..7c66e96 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +703,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +705,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -30579,7 +30588,7 @@ index 17eda24..7c66e96 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +710,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +712,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -30587,7 +30596,7 @@ index 17eda24..7c66e96 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +718,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +720,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -30605,7 +30614,7 @@ index 17eda24..7c66e96 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +736,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +738,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -30619,7 +30628,7 @@ index 17eda24..7c66e96 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +751,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +753,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -30633,7 +30642,7 @@ index 17eda24..7c66e96 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +764,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +766,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -30644,7 +30653,7 @@ index 17eda24..7c66e96 100644
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +777,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +779,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -30652,7 +30661,7 @@ index 17eda24..7c66e96 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +796,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +798,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -30676,7 +30685,7 @@ index 17eda24..7c66e96 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +829,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +831,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -30684,7 +30693,7 @@ index 17eda24..7c66e96 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +863,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +865,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -30695,7 +30704,7 @@ index 17eda24..7c66e96 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -506,7 +887,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +889,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -30704,7 +30713,7 @@ index 17eda24..7c66e96 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -521,6 +902,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +904,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -30712,7 +30721,7 @@ index 17eda24..7c66e96 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +923,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +925,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -30720,7 +30729,7 @@ index 17eda24..7c66e96 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +933,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +935,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -30765,7 +30774,7 @@ index 17eda24..7c66e96 100644
 	')
 	optional_policy(`
-@@ -559,14 +978,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +980,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -30797,7 +30806,7 @@ index 17eda24..7c66e96 100644
 	')
 ')
-@@ -577,6 +1013,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1015,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -30837,7 +30846,7 @@ index 17eda24..7c66e96 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1058,8 @@ optional_policy(`
+@@ -589,6 +1060,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -30846,7 +30855,7 @@ index 17eda24..7c66e96 100644
 ')
 optional_policy(`
-@@ -610,6 +1081,7 @@ optional_policy(`
+@@ -610,6 +1083,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -30854,7 +30863,7 @@ index 17eda24..7c66e96 100644
 ')
 optional_policy(`
-@@ -626,6 +1098,17 @@ optional_policy(`
+@@ -626,6 +1100,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -30872,7 +30881,7 @@ index 17eda24..7c66e96 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -642,9 +1125,13 @@ optional_policy(`
+@@ -642,9 +1127,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -30886,7 +30895,7 @@ index 17eda24..7c66e96 100644
 	')
 	optional_policy(`
-@@ -657,15 +1144,11 @@ optional_policy(`
+@@ -657,15 +1146,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -30904,7 +30913,7 @@ index 17eda24..7c66e96 100644
 ')
 optional_policy(`
-@@ -686,6 +1169,15 @@ optional_policy(`
+@@ -686,6 +1171,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -30920,7 +30929,7 @@ index 17eda24..7c66e96 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -726,6 +1218,7 @@ optional_policy(`
+@@ -726,6 +1220,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -30928,7 +30937,7 @@ index 17eda24..7c66e96 100644
 ')
 optional_policy(`
-@@ -743,7 +1236,13 @@ optional_policy(`
+@@ -743,7 +1238,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -30943,7 +30952,7 @@ index 17eda24..7c66e96 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -766,6 +1265,10 @@ optional_policy(`
+@@ -766,6 +1267,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -30954,7 +30963,7 @@ index 17eda24..7c66e96 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1278,20 @@ optional_policy(`
+@@ -775,10 +1280,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -30975,7 +30984,7 @@ index 17eda24..7c66e96 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -787,6 +1300,10 @@ optional_policy(`
+@@ -787,6 +1302,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -30986,7 +30995,7 @@ index 17eda24..7c66e96 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -808,8 +1325,6 @@ optional_policy(`
+@@ -808,8 +1327,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -30995,7 +31004,7 @@ index 17eda24..7c66e96 100644
 ')
 optional_policy(`
-@@ -818,6 +1333,10 @@ optional_policy(`
+@@ -818,6 +1335,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -31006,7 +31015,7 @@ index 17eda24..7c66e96 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1346,12 @@ optional_policy(`
+@@ -827,10 +1348,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -31019,7 +31028,7 @@ index 17eda24..7c66e96 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1378,60 @@ optional_policy(`
+@@ -857,21 +1380,60 @@ optional_policy(`
 ')
 optional_policy(`
@ -31081,7 +31090,7 @@ index 17eda24..7c66e96 100644
 ')
 optional_policy(`
-@@ -887,6 +1447,10 @@ optional_policy(`
+@@ -887,6 +1449,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -31092,7 +31101,7 @@ index 17eda24..7c66e96 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1461,218 @@ optional_policy(`
+@@ -897,3 +1463,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -47757,7 +47766,7 @@ index e79d545..101086d 100644
 ')
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..018d0a6 100644
+index 6e91317..8fc985f 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@ -47819,16 +47828,18 @@ index 6e91317..018d0a6 100644
 define(`create_fifo_file_perms',`{ getattr create open }')
 define(`rename_fifo_file_perms',`{ getattr rename }')
 define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
+@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }')
 define(`setattr_sock_file_perms',`{ setattr }')
 define(`read_sock_file_perms',`{ getattr open read }')
 define(`write_sock_file_perms',`{ getattr write open append }')
 -define(`rw_sock_file_perms',`{ getattr open read write append }')
 -define(`create_sock_file_perms',`{ getattr create open }')
 +define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
 +define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
- define(`create_sock_file_perms',`{ getattr create open }')
+define(`create_sock_file_perms',`{ getattr setattr create open }')
 define(`rename_sock_file_perms',`{ getattr rename }')
 define(`delete_sock_file_perms',`{ getattr unlink }')
 define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
 define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
 define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 62%{?dist}
+Release: 63%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -600,6 +600,29 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Jul 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-63
 - If I can create a socket I need to be able to set the attributes
 - Add tcp/8775 port as neutron port
 - Add additional ports for swift ports
 - Added changes to fedora from bug bz#1082183
 - Add support for tcp/6200 port
 - Allow collectd getattr access to configfs_t dir Fixes Bug 1115040
 - Update neutron_manage_lib_files() interface
 - Allow glustered to connect to ephemeral ports
 - Allow apache to search ipa lib files by default
 - Allow neutron to domtrans to haproxy
 - Add rhcs_domtrans_haproxy()
 - Add support for openstack-glance-* unit files
 - Add initial support for /usr/bin/glance-scrubber
 - Allow swift to connect to keystone and memcache ports.
 - Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup
 - Add policies for openstack-cinder
 - Add support for /usr/bin/nova-conductor
 - Add neutron_can_network boolean
 - Allow neutron to connet to neutron port
 - Allow glance domain to use syslog
 - Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
 * Wed Jun 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-62
 - Allow swift to use tcp/6200 swift port
 - ALlow swift to search apache configs