* Wed Aug 31 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-212

- udisk2 module is part of devicekit module now - Fix file context for /etc/pki/pki-tomcat/ca/ - new interface oddjob_mkhomedir_entrypoint() - Allow mdadm to get attributes from all devices. - Label /etc/puppetlabs as puppet_etc_t. - quota: allow init to run quota tools - Add new domain ipa_ods_exporter_t BZ(1366640) - Create new interface opendnssec_stream_connect() - Allow VirtualBox to manage udev rules. - Allow systemd_resolved to send dbus msgs to userdomains - Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t - Label all files in /dev/oracleasmfs/ as oracleasmfs_t
2016-08-31 12:07:56 +02:00 · 2016-08-31 12:07:56 +02:00 · 69374e6e65
commit 69374e6e65
parent acb4d9f0be
4 changed files with 169 additions and 98 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -17860,10 +17860,10 @@ index 1a03abd..3221f80 100644
 	allow files_unconfined_type file_type:file execmod;
 ')
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index d7c11a0..efcd377 100644
+index d7c11a0..f521a50 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
-@@ -1,23 +1,29 @@
+@@ -1,23 +1,28 @@
 -/cgroup			-d	gen_context(system_u:object_r:cgroup_t,s0)
 -/cgroup/.*			<<none>>
 +# ecryptfs does not support xattr
@ -17882,8 +17882,7 @@ index d7c11a0..efcd377 100644
 +/dev/shm                -d      gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)
 +/dev/shm/.*                     <<none>>
-+/dev/oracleasm			-d		gen_context(system_u:object_r:oracleasmfs_t,s0)
+/dev/oracleasm(/.*)?			gen_context(system_u:object_r:oracleasmfs_t,s0)
 +/dev/oracleasm/.*                     <<none>>
 +
 +/usr/lib/udev/devices/hugepages -d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/usr/lib/udev/devices/hugepages/.*	<<none>>
@ -27189,10 +27188,10 @@ index 0000000..15b42ae
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..a298e23
+index 0000000..79f40da
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,354 @@
+@@ -0,0 +1,358 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -27392,6 +27391,10 @@ index 0000000..a298e23
 +')
 +
 +optional_policy(`
 +	oddjob_mkhomedir_entrypoint(unconfined_t)
 +')
 +
 +optional_policy(`
 +	dbus_role_template(unconfined, unconfined_r, unconfined_t)
 +	role system_r types unconfined_dbusd_t;
 +
@ -37422,7 +37425,7 @@ index 79a45f6..d092e6e 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..97e35aa 100644
+index 17eda24..022bbb7 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -37652,7 +37655,7 @@ index 17eda24..97e35aa 100644
 # file descriptors inherited from the rootfs:
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,29 +261,70 @@ fs_list_inotifyfs(init_t)
+@@ -155,29 +261,72 @@ fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
@ -37714,6 +37717,8 @@ index 17eda24..97e35aa 100644
 +
 +miscfiles_manage_localization(init_t)
 +miscfiles_filetrans_named_content(init_t)
 +
 +udev_manage_rules_files(init_t)
 -miscfiles_read_localization(init_t)
 +userdom_use_user_ttys(init_t)
@ -37728,7 +37733,7 @@ index 17eda24..97e35aa 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +333,264 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +335,264 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -37783,13 +37788,14 @@ index 17eda24..97e35aa 100644
 +
 +optional_policy(`
 +	ipa_delete_tmp(init_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	auth_rw_login_records(init_t)
 +	rpm_read_db(init_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 +	iscsi_read_lib_files(init_t)
 +	iscsi_manage_lock(init_t)
 +')
@ -37955,15 +37961,14 @@ index 17eda24..97e35aa 100644
 +        sysnet_relabelfrom_dhcpc_state(init_t)
 +        sysnet_setattr_dhcp_state(init_t)
 +    ')
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	auth_rw_login_records(init_t)
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 +	consolekit_manage_log(init_t)
 +')
 +
@ -38002,7 +38007,7 @@ index 17eda24..97e35aa 100644
 ')
 optional_policy(`
-@@ -216,7 +598,30 @@ optional_policy(`
+@@ -216,7 +600,30 @@ optional_policy(`
 ')
 optional_policy(`
@ -38034,7 +38039,7 @@ index 17eda24..97e35aa 100644
 ')
 ########################################
-@@ -225,9 +630,9 @@ optional_policy(`
+@@ -225,9 +632,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38046,7 +38051,7 @@ index 17eda24..97e35aa 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -258,12 +663,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +665,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38063,7 +38068,7 @@ index 17eda24..97e35aa 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +688,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +690,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -38106,7 +38111,7 @@ index 17eda24..97e35aa 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +725,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +727,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -38118,7 +38123,7 @@ index 17eda24..97e35aa 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +737,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +739,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -38129,7 +38134,7 @@ index 17eda24..97e35aa 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +748,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +750,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -38139,7 +38144,7 @@ index 17eda24..97e35aa 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +757,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +759,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -38147,7 +38152,7 @@ index 17eda24..97e35aa 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +764,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +766,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38155,7 +38160,7 @@ index 17eda24..97e35aa 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +772,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +774,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -38173,7 +38178,7 @@ index 17eda24..97e35aa 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +790,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +792,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -38187,7 +38192,7 @@ index 17eda24..97e35aa 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +805,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +807,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -38201,7 +38206,7 @@ index 17eda24..97e35aa 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +818,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +820,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -38212,7 +38217,7 @@ index 17eda24..97e35aa 100644
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +831,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +833,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -38220,7 +38225,7 @@ index 17eda24..97e35aa 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +850,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +852,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -38244,7 +38249,7 @@ index 17eda24..97e35aa 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +883,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +885,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -38252,7 +38257,7 @@ index 17eda24..97e35aa 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +917,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +919,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -38263,7 +38268,7 @@ index 17eda24..97e35aa 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -506,7 +941,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +943,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -38272,7 +38277,7 @@ index 17eda24..97e35aa 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -521,6 +956,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +958,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -38280,7 +38285,7 @@ index 17eda24..97e35aa 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +977,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +979,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -38288,7 +38293,7 @@ index 17eda24..97e35aa 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +987,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +989,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -38333,7 +38338,7 @@ index 17eda24..97e35aa 100644
 	')
 	optional_policy(`
-@@ -559,14 +1032,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1034,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -38365,7 +38370,7 @@ index 17eda24..97e35aa 100644
 	')
 ')
-@@ -577,6 +1067,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1069,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -38405,7 +38410,7 @@ index 17eda24..97e35aa 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1112,8 @@ optional_policy(`
+@@ -589,6 +1114,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -38414,7 +38419,7 @@ index 17eda24..97e35aa 100644
 ')
 optional_policy(`
-@@ -610,6 +1135,7 @@ optional_policy(`
+@@ -610,6 +1137,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -38422,7 +38427,7 @@ index 17eda24..97e35aa 100644
 ')
 optional_policy(`
-@@ -626,6 +1152,17 @@ optional_policy(`
+@@ -626,6 +1154,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -38440,7 +38445,7 @@ index 17eda24..97e35aa 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -642,9 +1179,13 @@ optional_policy(`
+@@ -642,9 +1181,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -38454,7 +38459,7 @@ index 17eda24..97e35aa 100644
 	')
 	optional_policy(`
-@@ -657,15 +1198,11 @@ optional_policy(`
+@@ -657,15 +1200,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -38472,7 +38477,7 @@ index 17eda24..97e35aa 100644
 ')
 optional_policy(`
-@@ -686,6 +1223,15 @@ optional_policy(`
+@@ -686,6 +1225,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -38488,7 +38493,7 @@ index 17eda24..97e35aa 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -726,6 +1272,7 @@ optional_policy(`
+@@ -726,6 +1274,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -38496,7 +38501,7 @@ index 17eda24..97e35aa 100644
 ')
 optional_policy(`
-@@ -743,7 +1290,13 @@ optional_policy(`
+@@ -743,7 +1292,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -38511,7 +38516,7 @@ index 17eda24..97e35aa 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -766,6 +1319,10 @@ optional_policy(`
+@@ -766,6 +1321,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -38522,7 +38527,7 @@ index 17eda24..97e35aa 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1332,20 @@ optional_policy(`
+@@ -775,10 +1334,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -38543,7 +38548,7 @@ index 17eda24..97e35aa 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -787,6 +1354,10 @@ optional_policy(`
+@@ -787,6 +1356,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -38554,7 +38559,7 @@ index 17eda24..97e35aa 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -808,8 +1379,6 @@ optional_policy(`
+@@ -808,8 +1381,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -38563,7 +38568,7 @@ index 17eda24..97e35aa 100644
 ')
 optional_policy(`
-@@ -818,6 +1387,10 @@ optional_policy(`
+@@ -818,6 +1389,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -38574,7 +38579,7 @@ index 17eda24..97e35aa 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1400,12 @@ optional_policy(`
+@@ -827,10 +1402,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -38587,7 +38592,7 @@ index 17eda24..97e35aa 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1432,62 @@ optional_policy(`
+@@ -857,21 +1434,62 @@ optional_policy(`
 ')
 optional_policy(`
@ -38651,7 +38656,7 @@ index 17eda24..97e35aa 100644
 ')
 optional_policy(`
-@@ -887,6 +1503,10 @@ optional_policy(`
+@@ -887,6 +1505,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -38662,7 +38667,7 @@ index 17eda24..97e35aa 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1517,218 @@ optional_policy(`
+@@ -897,3 +1519,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -49030,10 +49035,10 @@ index 0000000..16cd1ac
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..7abdaa0
+index 0000000..d141c81
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,967 @@
+@@ -0,0 +1,969 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -49943,6 +49948,8 @@ index 0000000..7abdaa0
 +
 +sysnet_manage_config(systemd_resolved_t)
 +
 +userdom_dbus_send_all_users(systemd_resolved_t)
 +
 +optional_policy(`
 +	dbus_system_bus_client(systemd_resolved_t)
 +	dbus_connect_system_bus(systemd_resolved_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -23749,6 +23749,24 @@ index 583a527..91c4104 100644
 +optional_policy(`
 +	gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/devicekit.fc b/devicekit.fc
 index ae49c9d..6eb0842 100644
 --- a/devicekit.fc
 +++ b/devicekit.fc
@@ -11,6 +11,8 @@
 /usr/libexec/devkit-power-daemon	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
 /usr/libexec/udisks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 /usr/libexec/upowerd	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
 +/usr/libexec/udisks2/udisksd		--	gen_context(system_u:object_r:devicekit_exec_t,s0)
 +/usr/bin/udisksctl		--	gen_context(system_u:object_r:devicekit_exec_t,s0)
 /var/lib/DeviceKit-.*	gen_context(system_u:object_r:devicekit_var_lib_t,s0)
 /var/lib/upower(/.*)?	gen_context(system_u:object_r:devicekit_var_lib_t,s0)
@@ -24,3 +26,4 @@
 /var/run/pm-utils(/.*)?	gen_context(system_u:object_r:devicekit_var_run_t,s0)
 /var/run/udisks.*	gen_context(system_u:object_r:devicekit_var_run_t,s0)
 /var/run/upower(/.*)?	gen_context(system_u:object_r:devicekit_var_run_t,s0)
 +
 diff --git a/devicekit.if b/devicekit.if
 index 8ce99ff..1bc5d3a 100644
 --- a/devicekit.if
@ -24167,7 +24185,7 @@ index 8ce99ff..1bc5d3a 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 ')
 diff --git a/devicekit.te b/devicekit.te
-index 77a5003..9e56e3e 100644
+index 77a5003..360db40 100644
 --- a/devicekit.te
 +++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@ -24189,7 +24207,18 @@ index 77a5003..9e56e3e 100644
 type devicekit_tmp_t;
 files_tmp_file(devicekit_tmp_t)
-@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t)
+@@ -29,6 +29,10 @@ files_type(devicekit_var_lib_t)
 type devicekit_var_log_t;
 logging_log_file(devicekit_var_log_t)
 +typealias devicekit_t alias { udisks2_t };
 +typealias devicekit_var_lib_t alias { udisks2_var_lib_t };
 +typealias devicekit_var_run_t alias { udisks2_var_run_t };
 +
 ########################################
 #
 # Local policy
@@ -45,11 +49,8 @@ kernel_read_system_state(devicekit_t)
 dev_read_sysfs(devicekit_t)
 dev_read_urand(devicekit_t)
@ -24202,7 +24231,7 @@ index 77a5003..9e56e3e 100644
 	dbus_system_bus_client(devicekit_t)
 	allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
-@@ -64,7 +61,8 @@ optional_policy(`
+@@ -64,7 +65,8 @@ optional_policy(`
 # Disk local policy
 #
@ -24212,7 +24241,7 @@ index 77a5003..9e56e3e 100644
 allow devicekit_disk_t self:process { getsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,17 +79,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,17 +83,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
 manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@ -24233,7 +24262,7 @@ index 77a5003..9e56e3e 100644
 corecmd_exec_bin(devicekit_disk_t)
 corecmd_exec_shell(devicekit_disk_t)
-@@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
+@@ -99,6 +102,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
 dev_getattr_all_chr_files(devicekit_disk_t)
 dev_getattr_mtrr_dev(devicekit_disk_t)
@ -24242,7 +24271,7 @@ index 77a5003..9e56e3e 100644
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_manage_generic_files(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
-@@ -117,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
+@@ -117,8 +122,8 @@ files_getattr_all_pipes(devicekit_disk_t)
 files_manage_boot_dirs(devicekit_disk_t)
 files_manage_isid_type_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
@ -24252,7 +24281,7 @@ index 77a5003..9e56e3e 100644
 fs_getattr_all_fs(devicekit_disk_t)
 fs_list_inotifyfs(devicekit_disk_t)
-@@ -135,18 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -135,18 +140,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
 storage_raw_read_removable_device(devicekit_disk_t)
 storage_raw_write_removable_device(devicekit_disk_t)
@ -24274,7 +24303,7 @@ index 77a5003..9e56e3e 100644
 	dbus_system_bus_client(devicekit_disk_t)
 	allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -170,6 +171,7 @@ optional_policy(`
+@@ -170,6 +175,7 @@ optional_policy(`
 optional_policy(`
 	mount_domtrans(devicekit_disk_t)
@ -24282,7 +24311,7 @@ index 77a5003..9e56e3e 100644
 ')
 optional_policy(`
-@@ -183,6 +185,11 @@ optional_policy(`
+@@ -183,6 +189,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -24294,7 +24323,7 @@ index 77a5003..9e56e3e 100644
 	udev_domtrans(devicekit_disk_t)
 	udev_read_db(devicekit_disk_t)
 	udev_read_pid_files(devicekit_disk_t)
-@@ -192,12 +199,19 @@ optional_policy(`
+@@ -192,12 +203,19 @@ optional_policy(`
 	virt_manage_images(devicekit_disk_t)
 ')
@ -24315,7 +24344,7 @@ index 77a5003..9e56e3e 100644
 allow devicekit_power_t self:process { getsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -212,9 +226,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -212,9 +230,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@ -24326,7 +24355,7 @@ index 77a5003..9e56e3e 100644
 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
 manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -224,12 +236,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
+@@ -224,12 +240,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
 kernel_read_fs_sysctls(devicekit_power_t)
 kernel_read_network_state(devicekit_power_t)
 kernel_read_system_state(devicekit_power_t)
@ -24341,7 +24370,7 @@ index 77a5003..9e56e3e 100644
 corecmd_exec_bin(devicekit_power_t)
 corecmd_exec_shell(devicekit_power_t)
-@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -248,21 +264,18 @@ domain_read_all_domains_state(devicekit_power_t)
 files_read_kernel_img(devicekit_power_t)
 files_read_etc_runtime_files(devicekit_power_t)
@ -24364,7 +24393,7 @@ index 77a5003..9e56e3e 100644
 sysnet_domtrans_ifconfig(devicekit_power_t)
 sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -277,6 +286,12 @@ optional_policy(`
+@@ -277,6 +290,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -24377,7 +24406,7 @@ index 77a5003..9e56e3e 100644
 	dbus_system_bus_client(devicekit_power_t)
 	allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -307,8 +322,11 @@ optional_policy(`
+@@ -307,8 +326,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -24390,7 +24419,7 @@ index 77a5003..9e56e3e 100644
 	hal_manage_pid_dirs(devicekit_power_t)
 	hal_manage_pid_files(devicekit_power_t)
 ')
-@@ -347,3 +365,9 @@ optional_policy(`
+@@ -347,3 +369,9 @@ optional_policy(`
 optional_policy(`
 	vbetool_domtrans(devicekit_power_t)
 ')
@ -63813,7 +63842,7 @@ index dd1d9ef..c48733a 100644
 -/var/run/oddjobd\.pid	gen_context(system_u:object_r:oddjob_var_run_t,s0)
 +/var/run/oddjobd\.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
 diff --git a/oddjob.if b/oddjob.if
-index c87bd2a..284e4de 100644
+index c87bd2a..6180fba 100644
 --- a/oddjob.if
 +++ b/oddjob.if
@@ -1,4 +1,8 @@
@ -63925,7 +63954,7 @@ index c87bd2a..284e4de 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -105,46 +141,96 @@ interface(`oddjob_domtrans_mkhomedir',`
+@@ -105,46 +141,114 @@ interface(`oddjob_domtrans_mkhomedir',`
 #
 interface(`oddjob_run_mkhomedir',`
 	gen_require(`
@ -63971,8 +64000,7 @@ index c87bd2a..284e4de 100644
 -######################################
 +#######################################
- ## <summary>
+## <summary>
 -##	Send child terminated signals to oddjob.
 +##  Execute oddjob in the oddjob domain.
 +## </summary>
 +## <param name="domain">
@ -63996,7 +64024,8 @@ index c87bd2a..284e4de 100644
 +')
 +
 +########################################
-+## <summary>
+ ## <summary>
 -##	Send child terminated signals to oddjob.
 +##	Create a domain which can be started by init,
 +##	with a range transition.
 ## </summary>
@ -64034,6 +64063,24 @@ index c87bd2a..284e4de 100644
 +		range_transition oddjob_t $2:process $3;
 +		mls_rangetrans_target($1)
 +	')
 +')
 +
 +########################################
 +## <summary>
 +##	Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`oddjob_mkhomedir_entrypoint',`
 +	gen_require(`
 +		type oddjob_mkhomedir_exec_t;
 +	')
 +	allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
 ')
 diff --git a/oddjob.te b/oddjob.te
 index e403097..45d387d 100644
@ -71277,12 +71324,12 @@ index 0000000..a2cb118
 +
 diff --git a/pki.fc b/pki.fc
 new file mode 100644
-index 0000000..b2b20f0
+index 0000000..47cd0f8
 --- /dev/null
 +++ b/pki.fc
@@ -0,0 +1,57 @@
 +/etc/pki/pki-tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-+/etc/pki/pki-tomcat/ca/(/.*)?		gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki/pki-tomcat/ca(/.*)?		gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
 +/var/lib/pki/pki-tomcat(/.*)?       	gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
 +/var/run/pki/tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
 +/var/log/pki/pki-tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_log_t,s0)
@ -79106,12 +79153,13 @@ index 6643b49..dd0c3d3 100644
 optional_policy(`
 diff --git a/puppet.fc b/puppet.fc
-index d68e26d..d2c4d2a 100644
+index d68e26d..2542f5a 100644
 --- a/puppet.fc
 +++ b/puppet.fc
-@@ -1,18 +1,21 @@
+@@ -1,18 +1,22 @@
 -/etc/puppet(/.*)?	gen_context(system_u:object_r:puppet_etc_t,s0)
 +/etc/puppet(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
 +/etc/puppetlabs(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
 -/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/puppetmaster	--	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
@ -83115,7 +83163,7 @@ index da64218..3fb8575 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
 ')
 diff --git a/quota.te b/quota.te
-index f47c8e8..3710974 100644
+index f47c8e8..d4e9042 100644
 --- a/quota.te
 +++ b/quota.te
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
@ -83177,7 +83225,7 @@ index f47c8e8..3710974 100644
 fs_get_xattr_fs_quotas(quota_t)
 fs_set_xattr_fs_quotas(quota_t)
 fs_getattr_xattr_fs(quota_t)
-@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t)
+@@ -80,17 +67,29 @@ term_dontaudit_use_console(quota_t)
 domain_use_interactive_fds(quota_t)
@ -83190,6 +83238,7 @@ index f47c8e8..3710974 100644
 +# Read /etc/mtab.
 +files_read_etc_runtime_files(quota_t)
 +
 +init_domain(quota_t, quota_exec_t)
 init_use_fds(quota_t)
 init_use_script_ptys(quota_t)
@ -83209,7 +83258,7 @@ index f47c8e8..3710974 100644
 ')
 optional_policy(`
-@@ -103,12 +101,12 @@ optional_policy(`
+@@ -103,12 +102,12 @@ optional_policy(`
 #######################################
 #
@ -83224,7 +83273,7 @@ index f47c8e8..3710974 100644
 manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
 files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
-@@ -121,11 +119,9 @@ init_read_utmp(quota_nld_t)
+@@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t)
 logging_send_syslog_msg(quota_nld_t)
@ -83990,10 +84039,10 @@ index 951db7f..00e699d 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
 ')
 diff --git a/raid.te b/raid.te
-index c99753f..357db0b 100644
+index c99753f..31ff402 100644
 --- a/raid.te
 +++ b/raid.te
-@@ -15,54 +15,103 @@ role mdadm_roles types mdadm_t;
+@@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t;
 type mdadm_initrc_exec_t;
 init_script_file(mdadm_initrc_exec_t)
@ -84074,6 +84123,7 @@ index c99753f..357db0b 100644
 -dev_dontaudit_getattr_all_chr_files(mdadm_t)
 +dev_dontaudit_read_all_blk_files(mdadm_t)
 +dev_dontaudit_read_all_chr_files(mdadm_t)
 +dev_getattr_generic_chr_files(mdadm_t)
 +dev_read_crash(mdadm_t)
 +dev_read_framebuffer(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
@ -84106,7 +84156,7 @@ index c99753f..357db0b 100644
 mls_file_read_all_levels(mdadm_t)
 mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +120,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +121,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
 storage_manage_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 storage_write_scsi_generic(mdadm_t)
@ -84133,7 +84183,7 @@ index c99753f..357db0b 100644
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
 userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +149,38 @@ optional_policy(`
+@@ -90,17 +150,38 @@ optional_policy(`
 ')
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 211%{?dist}
+Release: 212%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -648,6 +648,20 @@ exit 0
 %endif
 %changelog
 * Wed Aug 31 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-212
 - udisk2 module is part of devicekit module now
 - Fix file context for /etc/pki/pki-tomcat/ca/
 - new interface oddjob_mkhomedir_entrypoint()
 - Allow mdadm to get attributes from all devices.
 - Label /etc/puppetlabs as puppet_etc_t.
 - quota: allow init to run quota tools
 - Add new domain ipa_ods_exporter_t BZ(1366640)
 - Create new interface opendnssec_stream_connect()
 - Allow VirtualBox to manage udev rules.
 - Allow systemd_resolved to send dbus msgs to userdomains
 - Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t
 - Label all files in /dev/oracleasmfs/ as oracleasmfs_t
 * Thu Aug 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-211
 - Add new domain ipa_ods_exporter_t BZ(1366640)
 - Create new interface opendnssec_stream_connect()