- Fix passenger_stream_connect interface

- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do

policy-rawhide-base.patch

@@ -58,6 +58,19 @@ index 313d837..ef3c532 100644
  	@echo "Success."
  
  ########################################
+diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
+index 881a292..80110a4 100644
+--- a/config/appconfig-mcs/staff_u_default_contexts
++++ b/config/appconfig-mcs/staff_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+ system_r:remote_login_t:s0	staff_r:staff_t:s0
+ system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+-system_r:crond_t:s0		staff_r:cronjob_t:s0
++system_r:crond_t:s0		staff_r:staff_t:s0
+ system_r:xdm_t:s0		staff_r:staff_t:s0
+ staff_r:staff_su_t:s0		staff_r:staff_t:s0
+ staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
 diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
 new file mode 100644
 index 0000000..ff32acc
@@ -65,6 +78,19 @@ index 0000000..ff32acc
 +++ b/config/appconfig-mcs/systemd_contexts
 @@ -0,0 +1 @@
 +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
+diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
+index cacbc93..4f59f94 100644
+--- a/config/appconfig-mcs/user_u_default_contexts
++++ b/config/appconfig-mcs/user_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t:s0	user_r:user_t:s0
+ system_r:remote_login_t:s0	user_r:user_t:s0
+ system_r:sshd_t:s0		user_r:user_t:s0
+-system_r:crond_t:s0		user_r:cronjob_t:s0
++system_r:crond_t:s0		user_r:user_t:s0
+ system_r:xdm_t:s0		user_r:user_t:s0
+ user_r:user_su_t:s0		user_r:user_t:s0
+ user_r:user_sudo_t:s0		user_r:user_t:s0
 diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
 index d387b42..150f281 100644
 --- a/config/appconfig-mcs/virtual_domain_context
@@ -72,6 +98,19 @@ index d387b42..150f281 100644
 @@ -1 +1,2 @@
  system_u:system_r:svirt_t:s0
 +system_u:system_r:svirt_tcg_t:s0
+diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
+index 881a292..80110a4 100644
+--- a/config/appconfig-mls/staff_u_default_contexts
++++ b/config/appconfig-mls/staff_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+ system_r:remote_login_t:s0	staff_r:staff_t:s0
+ system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+-system_r:crond_t:s0		staff_r:cronjob_t:s0
++system_r:crond_t:s0		staff_r:staff_t:s0
+ system_r:xdm_t:s0		staff_r:staff_t:s0
+ staff_r:staff_su_t:s0		staff_r:staff_t:s0
+ staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
 diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts
 new file mode 100644
 index 0000000..ff32acc
@@ -79,6 +118,32 @@ index 0000000..ff32acc
 +++ b/config/appconfig-mls/systemd_contexts
 @@ -0,0 +1 @@
 +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
+diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
+index cacbc93..4f59f94 100644
+--- a/config/appconfig-mls/user_u_default_contexts
++++ b/config/appconfig-mls/user_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t:s0	user_r:user_t:s0
+ system_r:remote_login_t:s0	user_r:user_t:s0
+ system_r:sshd_t:s0		user_r:user_t:s0
+-system_r:crond_t:s0		user_r:cronjob_t:s0
++system_r:crond_t:s0		user_r:user_t:s0
+ system_r:xdm_t:s0		user_r:user_t:s0
+ user_r:user_su_t:s0		user_r:user_t:s0
+ user_r:user_sudo_t:s0		user_r:user_t:s0
+diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
+index c2a5ea8..f63999e 100644
+--- a/config/appconfig-standard/staff_u_default_contexts
++++ b/config/appconfig-standard/staff_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t		staff_r:staff_t sysadm_r:sysadm_t
+ system_r:remote_login_t		staff_r:staff_t
+ system_r:sshd_t			staff_r:staff_t sysadm_r:sysadm_t
+-system_r:crond_t		staff_r:cronjob_t
++system_r:crond_t		staff_r:staff_t
+ system_r:xdm_t			staff_r:staff_t
+ staff_r:staff_su_t		staff_r:staff_t
+ staff_r:staff_sudo_t		staff_r:staff_t
 diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
 new file mode 100644
 index 0000000..ff32acc
@@ -86,6 +151,19 @@ index 0000000..ff32acc
 +++ b/config/appconfig-standard/systemd_contexts
 @@ -0,0 +1 @@
 +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
+diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
+index f5bfac3..639555b 100644
+--- a/config/appconfig-standard/user_u_default_contexts
++++ b/config/appconfig-standard/user_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t		user_r:user_t
+ system_r:remote_login_t		user_r:user_t
+ system_r:sshd_t			user_r:user_t
+-system_r:crond_t		user_r:cronjob_t
++system_r:crond_t		user_r:user_t
+ system_r:xdm_t			user_r:user_t
+ user_r:user_su_t		user_r:user_t
+ user_r:user_sudo_t		user_r:user_t
 diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
 index c049e10..150f281 100644
 --- a/config/appconfig-standard/virtual_domain_context
@@ -689,7 +767,7 @@ index 3a45f23..f4754f0 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..fdcb9a7 100644
+index 28802c5..1afd77b 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -329,6 +329,7 @@ class process
@@ -708,9 +786,9 @@ index 28802c5..fdcb9a7 100644
 +	reboot
 +	status
 +	undefined
-+	enable
++    enable
-+	disable
++    disable
-+	reload
++    reload
  }
  
  #
@@ -747,7 +825,7 @@ index 28802c5..fdcb9a7 100644
  
  class x_pointer
  inherits x_device
-@@ -862,3 +877,20 @@ inherits database
+@@ -862,3 +877,18 @@ inherits database
  	implement
  	execute
  }
@@ -758,8 +836,6 @@ index 28802c5..fdcb9a7 100644
 +	stop
 +	status
 +	reload
-+	kill
-+	load
 +	enable
 +	disable
 +}
@@ -2615,7 +2691,7 @@ index 99e3903..7270808 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..68f6887 100644
+index d555767..3053e39 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -2897,7 +2973,7 @@ index d555767..68f6887 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -349,9 +389,16 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2906,7 +2982,8 @@ index d555767..68f6887 100644
  optional_policy(`
 -	nscd_run(passwd_t, passwd_roles)
 +	gnome_exec_keyringd(passwd_t)
-+    gnome_manage_cache_home_dir(passwd_t)
++	gnome_manage_cache_home_dir(passwd_t)
++	gnome_stream_connect_gkeyringd(passwd_t)
 +')
 +
 +optional_policy(`
@@ -2915,7 +2992,7 @@ index d555767..68f6887 100644
  ')
  
  ########################################
-@@ -398,9 +445,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -2928,7 +3005,7 @@ index d555767..68f6887 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -2936,7 +3013,7 @@ index d555767..68f6887 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -423,19 +470,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(sysadm_passwd_t)
  
@@ -2958,7 +3035,7 @@ index d555767..68f6887 100644
  ')
  
  ########################################
-@@ -443,7 +488,8 @@ optional_policy(`
+@@ -443,7 +489,8 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -2968,7 +3045,7 @@ index d555767..68f6887 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -458,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
  allow useradd_t self:unix_dgram_socket sendto;
  allow useradd_t self:unix_stream_socket connectto;
  
@@ -2979,7 +3056,7 @@ index d555767..68f6887 100644
  # for getting the number of groups
  kernel_read_kernel_sysctls(useradd_t)
  
-@@ -465,36 +515,36 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
@@ -3028,7 +3105,7 @@ index d555767..68f6887 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +555,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t)
  logging_send_audit_msgs(useradd_t)
  logging_send_syslog_msg(useradd_t)
  
@@ -3079,7 +3156,7 @@ index d555767..68f6887 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
  ')
-@@ -542,7 +595,12 @@ optional_policy(`
+@@ -542,7 +596,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3093,7 +3170,7 @@ index d555767..68f6887 100644
  ')
  
  optional_policy(`
-@@ -550,6 +608,11 @@ optional_policy(`
+@@ -550,6 +609,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3105,7 +3182,7 @@ index d555767..68f6887 100644
  	tunable_policy(`samba_domain_controller',`
  		samba_append_log(useradd_t)
  	')
-@@ -559,3 +622,12 @@ optional_policy(`
+@@ -559,3 +623,12 @@ optional_policy(`
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
@@ -44757,7 +44834,7 @@ index e79d545..101086d 100644
  ')
  
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..936a91d 100644
+index 6e91317..260ea6c 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -44867,7 +44944,7 @@ index 6e91317..936a91d 100644
 +#
 +# Service
 +#
-+define(`manage_service_perms', `{ start stop status reload kill load } ')
++define(`manage_service_perms', `{ start stop status reload } ')
 diff --git a/policy/users b/policy/users
 index c4ebc7e..30d6d7a 100644
 --- a/policy/users

policy-rawhide-contrib.patch

@@ -40198,10 +40198,10 @@ index 0000000..b694afc
 +')
 +
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..2c1c0e0 100644
+index 6ffaba2..a4d75bf 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
-@@ -1,38 +1,68 @@
+@@ -1,38 +1,69 @@
 -HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -40244,6 +40244,7 @@ index 6ffaba2..2c1c0e0 100644
 +HOME_DIR/\.quakelive(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.texlive2012(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.texlive2013(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.ICAClient(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.IBMERS(/.*)?          	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/zimbrauserdata(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -40304,7 +40305,7 @@ index 6ffaba2..2c1c0e0 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..d54c5ba 100644
+index 6194b80..ada96f0 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
@@ -40995,7 +40996,7 @@ index 6194b80..d54c5ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +499,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -41065,6 +41066,7 @@ index 6194b80..d54c5ba 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
@@ -44778,7 +44780,7 @@ index 97370e4..3549b8f 100644
 +	apache_search_sys_content(munin_t)
 +')
 diff --git a/mysql.fc b/mysql.fc
-index c48dc17..6355fb4 100644
+index c48dc17..43d56e3 100644
 --- a/mysql.fc
 +++ b/mysql.fc
 @@ -1,11 +1,24 @@
@@ -44814,7 +44816,7 @@ index c48dc17..6355fb4 100644
  /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
  /usr/bin/mysql_upgrade	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  
-@@ -13,13 +26,16 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
+@@ -13,13 +26,17 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
  
  /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -44836,6 +44838,7 @@ index c48dc17..6355fb4 100644
 -/var/run/mysqld.*	gen_context(system_u:object_r:mysqld_var_run_t,s0)
 -/var/run/mysqlmanager.*	--	gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
 -/var/run/mysqld/mysqlmanager.*	--	gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
++/var/run/mariadb(/.*)?      gen_context(system_u:object_r:mysqld_var_run_t,s0)
 +/var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
 +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
 diff --git a/mysql.if b/mysql.if
@@ -54755,7 +54758,7 @@ index 2c389ea..9155bd0 100644
 +
 +/var/run/passenger(/.*)?		gen_context(system_u:object_r:passenger_var_run_t,s0)
 diff --git a/passenger.if b/passenger.if
-index bf59ef7..c050b37 100644
+index bf59ef7..0ec51d4 100644
 --- a/passenger.if
 +++ b/passenger.if
 @@ -15,17 +15,16 @@ interface(`passenger_domtrans',`
@@ -54811,7 +54814,7 @@ index bf59ef7..c050b37 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -53,6 +69,88 @@ interface(`passenger_read_lib_files',`
+@@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',`
  		type passenger_var_lib_t;
  	')
  
@@ -54877,9 +54880,14 @@ index bf59ef7..c050b37 100644
 +interface(`passenger_stream_connect',`
 +	gen_require(`
 +		type passenger_t;
++		type passenger_tmp_t;
++		type passenger_var_run_t;
 +	')
 +
-+	allow $1 passenger_t:unix_stream_socket connectto;
++
++
++	stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
++	stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
 +')
 +
 +#######################################
@@ -55254,7 +55262,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..2254bf5 100644
+index 7bcf327..22a5b66 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -1,17 +1,16 @@
@@ -55278,7 +55286,7 @@ index 7bcf327..2254bf5 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,266 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,269 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
@@ -55341,6 +55349,7 @@ index 7bcf327..2254bf5 100644
 +auth_manage_passwd(pegasus_openlmi_account_t)
 +auth_manage_shadow(pegasus_openlmi_account_t)
 +auth_relabel_shadow(pegasus_openlmi_account_t)
++auth_read_login_records(pegasus_openlmi_account_t)
 +auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
 +
 +logging_send_audit_msgs(pegasus_openlmi_account_t)
@@ -55404,6 +55413,8 @@ index 7bcf327..2254bf5 100644
 +
 +allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms;
 +
++kernel_read_network_state(pegasus_openlmi_services_t)
++
 +optional_policy(`
 +    dbus_system_bus_client(pegasus_openlmi_services_t)
 +')
@@ -55550,7 +55561,7 @@ index 7bcf327..2254bf5 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +299,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -55581,7 +55592,7 @@ index 7bcf327..2254bf5 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +325,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -55614,7 +55625,7 @@ index 7bcf327..2254bf5 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,6 +353,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -55622,7 +55633,7 @@ index 7bcf327..2254bf5 100644
  
  domain_use_interactive_fds(pegasus_t)
  domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +368,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -55654,7 +55665,7 @@ index 7bcf327..2254bf5 100644
  ')
  
  optional_policy(`
-@@ -151,16 +398,24 @@ optional_policy(`
+@@ -151,16 +401,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55683,7 +55694,7 @@ index 7bcf327..2254bf5 100644
  ')
  
  optional_policy(`
-@@ -168,7 +423,7 @@ optional_policy(`
+@@ -168,7 +426,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63019,7 +63030,7 @@ index 00edeab..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
  ')
 diff --git a/procmail.te b/procmail.te
-index d447152..a911295 100644
+index d447152..73c437c 100644
 --- a/procmail.te
 +++ b/procmail.te
 @@ -1,4 +1,4 @@
@@ -63054,7 +63065,7 @@ index d447152..a911295 100644
  allow procmail_t procmail_log_t:dir setattr_dir_perms;
  create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,59 +44,76 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,89 +44,106 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
  allow procmail_t procmail_tmp_t:file manage_file_perms;
  files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
  
@@ -63158,7 +63169,8 @@ index d447152..a911295 100644
  ')
  
  optional_policy(`
-@@ -100,12 +121,7 @@ optional_policy(`
+-	cyrus_stream_connect(procmail_t)
++	dovecot_stream_connect(procmail_t)
  ')
  
  optional_policy(`
@@ -63168,18 +63180,20 @@ index d447152..a911295 100644
 -	mta_manage_mail_home_rw_content(procmail_t)
 -	mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
 -	mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
++	cyrus_stream_connect(procmail_t)
+ ')
+ 
+ optional_policy(`
+-	munin_dontaudit_search_lib(procmail_t)
 +	gnome_manage_data(procmail_t)
  ')
  
  optional_policy(`
-@@ -113,16 +129,17 @@ optional_policy(`
+-	nagios_search_spool(procmail_t)
++	munin_dontaudit_search_lib(procmail_t)
  ')
  
  optional_policy(`
--	nagios_search_spool(procmail_t)
--')
--
--optional_policy(`
 +	# for a bug in the postfix local program
  	postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
  	postfix_dontaudit_use_fds(procmail_t)
@@ -63195,7 +63209,7 @@ index d447152..a911295 100644
  ')
  
  optional_policy(`
-@@ -131,6 +148,8 @@ optional_policy(`
+@@ -131,6 +152,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65393,10 +65407,10 @@ index 1148dce..86d25ea 100644
 +	allow $2 pwauth_t:process signal;
  ')
 diff --git a/pwauth.te b/pwauth.te
-index 3078e34..8f357cc 100644
+index 3078e34..215df88 100644
 --- a/pwauth.te
 +++ b/pwauth.te
-@@ -5,38 +5,35 @@ policy_module(pwauth, 1.0.0)
+@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0)
  # Declarations
  #
  
@@ -65427,13 +65441,12 @@ index 3078e34..8f357cc 100644
  
  manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
  files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
+@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t)
  
- domain_use_interactive_fds(pwauth_t)
- 
-+
  auth_domtrans_chkpwd(pwauth_t)
  auth_use_nsswitch(pwauth_t)
 +auth_read_shadow(pwauth_t)
++auth_rw_lastlog(pwauth_t)
  
  init_read_utmp(pwauth_t)
  
@@ -82400,7 +82413,7 @@ index 3a9a70b..039b0c8 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..d47e356 100644
+index 49b12ae..d686e4a 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -1,4 +1,4 @@
@@ -82561,7 +82574,7 @@ index 49b12ae..d47e356 100644
  	rpm_exec(setroubleshootd_t)
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
-@@ -148,15 +160,18 @@ optional_policy(`
+@@ -148,26 +160,36 @@ optional_policy(`
  
  ########################################
  #
@@ -82581,7 +82594,9 @@ index 49b12ae..d47e356 100644
  setroubleshoot_stream_connect(setroubleshoot_fixit_t)
  
  kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,9 +180,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
++kernel_read_network_state(setroubleshoot_fixit_t)
+ 
+ corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  corecmd_getattr_all_executables(setroubleshoot_fixit_t)
  
@@ -82598,7 +82613,7 @@ index 49b12ae..d47e356 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +196,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 99%{?dist}
+Release: 100%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -573,6 +573,22 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Nov 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-100
+- Fix passenger_stream_connect interface
+- setroubleshoot_fixit wants to read network state
+- Allow procmail_t to connect to dovecot stream sockets
+- Allow cimprovagt service providers to read network states
+- Add labeling for /var/run/mariadb
+- pwauth uses lastlog() to update system's lastlog
+- Allow account provider to read login records
+- Add support for texlive2013
+- More fixes for user config files to make crond_t running in userdomain
+- Add back disable/reload/enable permissions for system class
+- Fix manage_service_perms macro
+- Allow passwd_t to connect to gnome keyring to change password
+- Update mls config files to have cronjobs in the user domains
+- Remove access checks that systemd does not actually do
+
 * Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99
 - Add support for yubikey in homedir
 - Add support for upd/3052 port