- Add labeling for /dev/tgt

- Dontaudit leak fd from firewalld for modprobe - Allow runuser running as rpm_script_t to
2013-06-14 12:56:00 +02:00 · 2013-06-14 12:56:00 +02:00 · 708bb6ef9d
commit 708bb6ef9d
parent 166a2805b7
3 changed files with 207 additions and 447 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5637,7 +5637,7 @@ index b31c054..17e11e0 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..e26dfc3 100644
+index 76f285e..0fc6f53 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -6384,7 +6384,32 @@ index 76f285e..e26dfc3 100644
 ##	Do not audit attempts to get the attributes
 ##	of the BIOS non-volatile RAM device.
 ## </summary>
-@@ -3254,7 +3565,25 @@ interface(`dev_rw_printer',`
+@@ -3163,6 +3474,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
 ########################################
 ## <summary>
 +##	Read BIOS non-volatile RAM.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_read_nvram',`
 +	gen_require(`
 +		type nvram_device_t;
 +	')
 +
 +	read_chr_files_pattern($1, device_t, nvram_device_t)
 +')
 +
 +########################################
 +## <summary>
 ##	Read and write BIOS non-volatile RAM.
 ## </summary>
 ## <param name="domain">
@@ -3254,7 +3583,25 @@ interface(`dev_rw_printer',`
 ########################################
 ## <summary>
@ -6411,7 +6436,7 @@ index 76f285e..e26dfc3 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3262,12 +3591,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3609,13 @@ interface(`dev_rw_printer',`
 ##	</summary>
 ## </param>
 #
@ -6428,269 +6453,117 @@ index 76f285e..e26dfc3 100644
 ')
 ########################################
-@@ -3855,7 +4185,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,6 +4203,96 @@ interface(`dev_getattr_sysfs_dirs',`
 ########################################
 ## <summary>
 -##	Search the sysfs directories.
 +##	Set the attributes of sysfs directories.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
-@@ -3863,53 +4193,53 @@ interface(`dev_getattr_sysfs_dirs',`
+##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`dev_search_sysfs',`
 +interface(`dev_setattr_sysfs_dirs',`
- 	gen_require(`
+	gen_require(`
- 		type sysfs_t;
+		type sysfs_t;
- 	')
+	')
- 
+
 -	search_dirs_pattern($1, sysfs_t, sysfs_t)
 +	allow $1 sysfs_t:dir setattr_dir_perms;
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Do not audit attempts to search sysfs.
 +##	Get attributes of sysfs filesystems.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
 -##	Domain to not audit.
 +##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`dev_dontaudit_search_sysfs',`
 +interface(`dev_getattr_sysfs_fs',`
- 	gen_require(`
+	gen_require(`
- 		type sysfs_t;
+		type sysfs_t;
- 	')
+	')
- 
+
 -	dontaudit $1 sysfs_t:dir search_dir_perms;
 +	allow $1 sysfs_t:filesystem getattr;
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	List the contents of the sysfs directories.
 +##	Mount a filesystem on /sys
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
 -##	Domain allowed access.
 +##	Domain allow access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`dev_list_sysfs',`
 +interface(`dev_mounton_sysfs',`
- 	gen_require(`
+	gen_require(`
- 		type sysfs_t;
+		type sysfs_t;
- 	')
+	')
- 
+
 -	list_dirs_pattern($1, sysfs_t, sysfs_t)
 +	allow $1 sysfs_t:dir mounton;
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Write in a sysfs directories.
 +##	Mount sysfs filesystems.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
@@ -3917,37 +4247,35 @@ interface(`dev_list_sysfs',`
 ##	</summary>
 ## </param>
 #
 -# cjp: added for cpuspeed
 -interface(`dev_write_sysfs_dirs',`
 +interface(`dev_mount_sysfs_fs',`
 	gen_require(`
 		type sysfs_t;
 	')
 -	allow $1 sysfs_t:dir write;
 +	allow $1 sysfs_t:filesystem mount;
 ')
 ########################################
 ## <summary>
 -##	Do not audit attempts to write in a sysfs directory.
 +##	Unmount sysfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 -##	Domain to not audit.
 +##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
-interface(`dev_dontaudit_write_sysfs_dirs',`
+interface(`dev_mount_sysfs_fs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
 +	allow $1 sysfs_t:filesystem mount;
 +')
 +
 +########################################
 +## <summary>
 +##	Unmount sysfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_unmount_sysfs_fs',`
- 	gen_require(`
+	gen_require(`
 +		type sysfs_t;
 +	')
 +
 +	allow $1 sysfs_t:filesystem unmount;
 +')
 +
 +########################################
 +## <summary>
 ##	Search the sysfs directories.
 ## </summary>
 ## <param name="domain">
@@ -3904,6 +4342,7 @@ interface(`dev_list_sysfs',`
 		type sysfs_t;
 	')
-	dontaudit $1 sysfs_t:dir write;
+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+	allow $1 sysfs_t:filesystem unmount;
+ 	list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
@@ -3946,23 +4385,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 ########################################
 ## <summary>
 -##	Create, read, write, and delete sysfs
 -##	directories.
 +##	Search the sysfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3955,47 +4283,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
 -interface(`dev_manage_sysfs_dirs',`
 +interface(`dev_search_sysfs',`
 	gen_require(`
 		type sysfs_t;
 	')
 -	manage_dirs_pattern($1, sysfs_t, sysfs_t)
 +	search_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
 ########################################
 ## <summary>
 -##	Read hardware state information.
 +##	Do not audit attempts to search sysfs.
 ## </summary>
 -## <desc>
 -##	<p>
 -##	Allow the specified domain to read the contents of
 -##	the sysfs filesystem.  This filesystem contains
 -##	information, parameters, and other settings on the
 -##	hardware installed on the system.
 -##	</p>
 -## </desc>
 ## <param name="domain">
 ##	<summary>
 -##	Domain allowed access.
 +##	Domain to not audit.
 ##	</summary>
 ## </param>
 -## <infoflow type="read" weight="10"/>
 #
 -interface(`dev_read_sysfs',`
 +interface(`dev_dontaudit_search_sysfs',`
 	gen_require(`
 		type sysfs_t;
 	')
 -	read_files_pattern($1, sysfs_t, sysfs_t)
 -	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 -
 -	list_dirs_pattern($1, sysfs_t, sysfs_t)
 +	dontaudit $1 sysfs_t:dir search_dir_perms;
 ')
 ########################################
 ## <summary>
 -##	Allow caller to modify hardware state information.
 +##	List the contents of the sysfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4003,20 +4319,18 @@ interface(`dev_read_sysfs',`
 ##	</summary>
 ## </param>
 #
 -interface(`dev_rw_sysfs',`
 +interface(`dev_list_sysfs',`
 	gen_require(`
 		type sysfs_t;
 	')
 -	rw_files_pattern($1, sysfs_t, sysfs_t)
 	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 -
 	list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
 ########################################
 ## <summary>
 -##	Read and write the TPM device.
 +##	Write in a sysfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4024,78 +4338,60 @@ interface(`dev_rw_sysfs',`
 ##	</summary>
 ## </param>
 #
 -interface(`dev_rw_tpm',`
 +# cjp: added for cpuspeed
 +interface(`dev_write_sysfs_dirs',`
 	gen_require(`
 -		type device_t, tpm_device_t;
 +		type sysfs_t;
 	')
 -	rw_chr_files_pattern($1, device_t, tpm_device_t)
 +	allow $1 sysfs_t:dir write;
 ')
 ########################################
 ## <summary>
 -##	Read from pseudo random number generator devices (e.g., /dev/urandom).
 +##	Do not audit attempts to write in a sysfs directory.
 ## </summary>
 -## <desc>
 -##	<p>
 -##	Allow the specified domain to read from pseudo random number
 -##	generator devices (e.g., /dev/urandom).  Typically this is
 -##	used in situations when a cryptographically secure random
 -##	number is not necessarily needed.  One example is the Stack
 -##	Smashing Protector (SSP, formerly known as ProPolice) support
 -##	that may be compiled into programs.
 -##	</p>
 -##	<p>
 -##	Related interface:
 -##	</p>
 -##	<ul>
 -##		<li>dev_read_rand()</li>
 -##	</ul>
 -##	<p>
 -##	Related tunable:
 -##	</p>
 -##	<ul>
 -##		<li>global_ssp</li>
 -##	</ul>
 -## </desc>
 ## <param name="domain">
 ##	<summary>
 -##	Domain allowed access.
 +##	Domain to not audit.
 ##	</summary>
 ## </param>
 -## <infoflow type="read" weight="10"/>
 #
 -interface(`dev_read_urand',`
 +interface(`dev_dontaudit_write_sysfs_dirs',`
 	gen_require(`
 -		type device_t, urandom_device_t;
 +		type sysfs_t;
 	')
 -	read_chr_files_pattern($1, device_t, urandom_device_t)
 +	dontaudit $1 sysfs_t:dir write;
 ')
 ########################################
 ## <summary>
 -##	Do not audit attempts to read from pseudo
 -##	random devices (e.g., /dev/urandom)
 +##	Read cpu online hardware state information.
 ## </summary>
 +## <desc>
@ -6700,44 +6573,37 @@ index 76f285e..e26dfc3 100644
 +## </desc>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+ ##	Domain allowed access.
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dev_dontaudit_read_urand',`
+-interface(`dev_manage_sysfs_dirs',`
 +interface(`dev_read_cpu_online',`
- 	gen_require(`
+	gen_require(`
 -		type urandom_device_t;
 +		type cpu_online_t;
- 	')
+	')
- 
+
 -	dontaudit $1 urandom_device_t:chr_file { getattr read };
 +	dev_search_sysfs($1)
 +	read_files_pattern($1, cpu_online_t, cpu_online_t)
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Write to the pseudo random device (e.g., /dev/urandom). This
 -##	sets the random number generator seed.
 +##	Relabel cpu online hardware state information.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
-@@ -4103,19 +4399,245 @@ interface(`dev_dontaudit_read_urand',`
+##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`dev_write_urand',`
 +interface(`dev_relabel_cpu_online',`
 	gen_require(`
 -		type device_t, urandom_device_t;
 +		type cpu_online_t;
-+		type sysfs_t;
+ 		type sysfs_t;
 	')
-	write_chr_files_pattern($1, device_t, urandom_device_t)
+-	manage_dirs_pattern($1, sysfs_t, sysfs_t)
 +	dev_search_sysfs($1)
 +	allow $1 cpu_online_t:file relabel_file_perms;
 ')
@ -6745,69 +6611,24 @@ index 76f285e..e26dfc3 100644
 +
 ########################################
 ## <summary>
-##	Getattr generic the USB devices.
+ ##	Read hardware state information.
-+##	Read hardware state information.
+@@ -4016,7 +4481,7 @@ interface(`dev_rw_sysfs',`
- ## </summary>
+ 
-## <param name="domain">
+ ########################################
-+## <desc>
+ ## <summary>
-+##	<p>
+-##	Read and write the TPM device.
 +##	Allow the specified domain to read the contents of
 +##	the sysfs filesystem.  This filesystem contains
 +##	information, parameters, and other settings on the
 +##	hardware installed on the system.
 +##	</p>
 +## </desc>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <infoflow type="read" weight="10"/>
 +#
 +interface(`dev_read_sysfs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
 +	read_files_pattern($1, sysfs_t, sysfs_t)
 +	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 +
 +	list_dirs_pattern($1, sysfs_t, sysfs_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Allow caller to modify hardware state information.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_rw_sysfs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
 +	rw_files_pattern($1, sysfs_t, sysfs_t)
 +	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 +
 +	list_dirs_pattern($1, sysfs_t, sysfs_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Relabel hardware state directories.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+ ##	<summary>
-+##	Domain allowed access.
+@@ -4024,9 +4489,65 @@ interface(`dev_rw_sysfs',`
-+##	</summary>
+ ##	</summary>
-+## </param>
+ ## </param>
-+#
+ #
 -interface(`dev_rw_tpm',`
 +interface(`dev_relabel_sysfs_dirs',`
-+	gen_require(`
+ 	gen_require(`
 -		type device_t, tpm_device_t;
 +		type sysfs_t;
 +	')
 +
@ -6865,92 +6686,13 @@ index 76f285e..e26dfc3 100644
 +interface(`dev_rw_tpm',`
 +	gen_require(`
 +		type device_t, tpm_device_t;
-+	')
+ 	')
-+
+ 
-+	rw_chr_files_pattern($1, device_t, tpm_device_t)
+ 	rw_chr_files_pattern($1, device_t, tpm_device_t)
-+')
+@@ -4113,6 +4634,25 @@ interface(`dev_write_urand',`
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 +##	Read from pseudo random number generator devices (e.g., /dev/urandom).
 +## </summary>
 +## <desc>
 +##	<p>
 +##	Allow the specified domain to read from pseudo random number
 +##	generator devices (e.g., /dev/urandom).  Typically this is
 +##	used in situations when a cryptographically secure random
 +##	number is not necessarily needed.  One example is the Stack
 +##	Smashing Protector (SSP, formerly known as ProPolice) support
 +##	that may be compiled into programs.
 +##	</p>
 +##	<p>
 +##	Related interface:
 +##	</p>
 +##	<ul>
 +##		<li>dev_read_rand()</li>
 +##	</ul>
 +##	<p>
 +##	Related tunable:
 +##	</p>
 +##	<ul>
 +##		<li>global_ssp</li>
 +##	</ul>
 +## </desc>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <infoflow type="read" weight="10"/>
 +#
 +interface(`dev_read_urand',`
 +	gen_require(`
 +		type device_t, urandom_device_t;
 +	')
 +
 +	read_chr_files_pattern($1, device_t, urandom_device_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to read from pseudo
 +##	random devices (e.g., /dev/urandom)
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_dontaudit_read_urand',`
 +	gen_require(`
 +		type urandom_device_t;
 +	')
 +
 +	dontaudit $1 urandom_device_t:chr_file { getattr read };
 +')
 +
 +########################################
 +## <summary>
 +##	Write to the pseudo random device (e.g., /dev/urandom). This
 +##	sets the random number generator seed.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_write_urand',`
 +	gen_require(`
 +		type device_t, urandom_device_t;
 +	')
 +
 +	write_chr_files_pattern($1, device_t, urandom_device_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to write to pseudo
 +##	random devices (e.g., /dev/urandom)
 +## </summary>
@ -6970,13 +6712,10 @@ index 76f285e..e26dfc3 100644
 +
 +########################################
 +## <summary>
-+##	Getattr generic the USB devices.
+ ##	Getattr generic the USB devices.
 +## </summary>
 +## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ## </summary>
-@@ -4409,9 +4931,9 @@ interface(`dev_rw_usbfs',`
+ ## <param name="domain">
@@ -4409,9 +4949,9 @@ interface(`dev_rw_usbfs',`
 	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 ')
@ -6988,7 +6727,7 @@ index 76f285e..e26dfc3 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4419,17 +4941,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +4959,17 @@ interface(`dev_rw_usbfs',`
 ##	</summary>
 ## </param>
 #
@ -7011,7 +6750,7 @@ index 76f285e..e26dfc3 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4437,12 +4959,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +4977,12 @@ interface(`dev_getattr_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -7027,7 +6766,7 @@ index 76f285e..e26dfc3 100644
 ')
 ########################################
-@@ -4539,6 +5061,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5079,134 @@ interface(`dev_write_video_dev',`
 ########################################
 ## <summary>
@ -7162,7 +6901,7 @@ index 76f285e..e26dfc3 100644
 ##	Allow read/write the vhost net device
 ## </summary>
 ## <param name="domain">
-@@ -4557,6 +5207,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5225,24 @@ interface(`dev_rw_vhost',`
 ########################################
 ## <summary>
@ -7187,7 +6926,7 @@ index 76f285e..e26dfc3 100644
 ##	Read and write VMWare devices.
 ## </summary>
 ## <param name="domain">
-@@ -4762,6 +5430,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5448,26 @@ interface(`dev_rw_xserver_misc',`
 ########################################
 ## <summary>
@ -7214,7 +6953,7 @@ index 76f285e..e26dfc3 100644
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
-@@ -4851,3 +5539,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5557,943 @@ interface(`dev_unconfined',`
 	typeattribute $1 devices_unconfined_type;
 ')
@ -15146,7 +14885,7 @@ index 522ab32..cb9c3a2 100644
 	')
 }
 diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 54f1827..409df4f 100644
+index 54f1827..cc2de1a 100644
 --- a/policy/modules/kernel/storage.fc
 +++ b/policy/modules/kernel/storage.fc
@@ -23,12 +23,15 @@
@ -15166,16 +14905,17 @@ index 54f1827..409df4f 100644
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -51,7 +54,7 @@ ifdef(`distro_redhat', `
+@@ -51,7 +54,8 @@ ifdef(`distro_redhat', `
 /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
 -/dev/tw[a-z][^/]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/dev/tgt        -c  gen_context(system_u:object_r:scsi_generic_device_t,s0)
 +/dev/tw[a-z][^/]*	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
 /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/vd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -81,3 +84,6 @@ ifdef(`distro_redhat', `
+@@ -81,3 +85,6 @@ ifdef(`distro_redhat', `
 /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
@ -31487,7 +31227,7 @@ index 7449974..6375786 100644
 +	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a49e28..3e5393b 100644
+index 7a49e28..1d374a0 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
@ -31668,7 +31408,7 @@ index 7a49e28..3e5393b 100644
 userdom_dontaudit_search_user_home_dirs(insmod_t)
 kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +202,32 @@ optional_policy(`
+@@ -184,28 +202,33 @@ optional_policy(`
 ')
 optional_policy(`
@ -31685,6 +31425,7 @@ index 7a49e28..3e5393b 100644
 optional_policy(`
 -	hotplug_search_config(insmod_t)
 +    firewalld_dontaudit_write_tmp_files(insmod_t)
 +	firewallgui_dontaudit_rw_pipes(insmod_t)
 ')
@ -31708,7 +31449,7 @@ index 7a49e28..3e5393b 100644
 ')
 optional_policy(`
-@@ -225,6 +247,7 @@ optional_policy(`
+@@ -225,6 +248,7 @@ optional_policy(`
 optional_policy(`
 	rpm_rw_pipes(insmod_t)
@ -31716,7 +31457,7 @@ index 7a49e28..3e5393b 100644
 ')
 optional_policy(`
-@@ -233,6 +256,10 @@ optional_policy(`
+@@ -233,6 +257,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -31727,7 +31468,7 @@ index 7a49e28..3e5393b 100644
 	# cjp: why is this needed:
 	dev_rw_xserver_misc(insmod_t)
-@@ -291,11 +318,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +319,10 @@ init_use_script_ptys(update_modules_t)
 logging_send_syslog_msg(update_modules_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -64407,7 +64407,7 @@ index 951db7f..6d6ec1d 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
 ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..259b790 100644
+index 2c1730b..e67ea1b 100644
 --- a/raid.te
 +++ b/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
@ -64453,10 +64453,11 @@ index 2c1730b..259b790 100644
 corecmd_exec_bin(mdadm_t)
 corecmd_exec_shell(mdadm_t)
-@@ -51,17 +59,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
+@@ -51,17 +59,20 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 dev_read_raw_memory(mdadm_t)
 +dev_read_nvram(mdadm_t)
 +dev_read_generic_files(mdadm_t)
 +domain_read_all_domains_state(mdadm_t)
@ -64475,7 +64476,7 @@ index 2c1730b..259b790 100644
 mls_file_read_all_levels(mdadm_t)
 mls_file_write_all_levels(mdadm_t)
-@@ -70,16 +80,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,16 +81,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
 storage_manage_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 storage_write_scsi_generic(mdadm_t)
@ -70529,7 +70530,7 @@ index 0628d50..84f2fd7 100644
 +	allow rpm_script_t $1:process sigchld;
 ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..f79d5f4 100644
+index 5cbe81c..ff2b58e 100644
 --- a/rpm.te
 +++ b/rpm.te
@@ -1,15 +1,13 @@
@ -70785,7 +70786,7 @@ index 5cbe81c..f79d5f4 100644
 ')
 ########################################
-@@ -239,19 +252,20 @@ optional_policy(`
+@@ -239,18 +252,20 @@ optional_policy(`
 #
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
@ -70803,13 +70804,13 @@ index 5cbe81c..f79d5f4 100644
 allow rpm_script_t self:msgq create_msgq_perms;
 allow rpm_script_t self:msg { send receive };
 allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
 -allow rpm_script_t rpm_t:netlink_route_socket { read write };
 -
 -allow rpm_script_t rpm_t:netlink_route_socket { read write };
 +allow rpm_script_t self:netlink_audit_socket create_socket_perms;
 allow rpm_script_t rpm_tmp_t:file read_file_perms;
- allow rpm_script_t rpm_script_tmp_t:dir mounton;
+@@ -267,8 +282,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
@@ -267,8 +281,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@ -70820,7 +70821,7 @@ index 5cbe81c..f79d5f4 100644
 kernel_read_crypto_sysctls(rpm_script_t)
 kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,45 +292,27 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t)
 kernel_list_all_proc(rpm_script_t)
 kernel_read_software_raid_state(rpm_script_t)
@ -70870,7 +70871,7 @@ index 5cbe81c..f79d5f4 100644
 mls_file_read_all_levels(rpm_script_t)
 mls_file_write_all_levels(rpm_script_t)
-@@ -331,30 +328,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
 term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
@ -70928,7 +70929,7 @@ index 5cbe81c..f79d5f4 100644
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -363,40 +378,54 @@ ifdef(`distro_redhat',`
+@@ -363,40 +379,54 @@ ifdef(`distro_redhat',`
 	')
 ')
@ -70993,7 +70994,7 @@ index 5cbe81c..f79d5f4 100644
 	unconfined_domtrans(rpm_script_t)
 	optional_policy(`
-@@ -409,6 +438,6 @@ optional_policy(`
+@@ -409,6 +439,6 @@ optional_policy(`
 ')
 optional_policy(`
@ -83440,6 +83441,18 @@ index 38389e6..4847b43 100644
 +/usr/sbin/tgtd			--	gen_context(system_u:object_r:tgtd_exec_t,s0)
 +/var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
 +/var/run/tgtd.*			-s	gen_context(system_u:object_r:tgtd_var_run_t,s0)
 diff --git a/tgtd.if b/tgtd.if
 index 5406b6e..dc5b46e 100644
 --- a/tgtd.if
 +++ b/tgtd.if
@@ -97,6 +97,6 @@ interface(`tgtd_admin',`
 	files_search_tmp($1)
 	admin_pattern($1, tgtd_tmp_t)
 -	files_search_tmpfs($1)
 +	fs_search_tmpfs($1)
 	admin_pattern($1, tgtd_tmpfs_t)
 ')
 diff --git a/tgtd.te b/tgtd.te
 index c93c973..08aef1e 100644
 --- a/tgtd.te
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 51%{?dist}
+Release: 52%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -530,6 +530,12 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Jun 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-52
 - Add labeling for /dev/tgt
 - Dontaudit leak fd from firewalld for modprobe
 - Allow runuser running as rpm_script_t to create netlink_audit socket
 - Allow mdadm to read BIOS non-volatile RAM
 * Thu Jun 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-51
 - accountservice watches when accounts come and go in wtmp
 - /usr/java/jre1.7.0_21/bin/java needs to create netlink socket