- Dontaudit rendom domains listing /proc and hittping system_map_t

- devicekit_power sends out a signal to all processes on the message bus when power is going down - Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true - systemd_tmpfiles_t needs to _setcheckreqprot - Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it - Fixed snapperd policy - Fixed broken interfaces - Should use rw_socket_perms rather then sock_file on a unix_stream_socket - Fixed bugsfor pcp policy - pcscd seems to be using policy kit and looking at domains proc data that transition to it - Allow dbus_system_domains to be started by init - Fixed some interfaces - Addopt corenet rules for unbound-anchor to rpm_script_t - Allow runuser to send send audit messages. - Allow postfix-local to search .forward in munin lib dirs - Allow udisks to connect to D-Bus - Allow spamd to connect to spamd port - Fix syntax error in snapper.te - Dontaudit osad to search gconf home files - Allow rhsmcertd to manage /etc/sysconf/rhn director - Fix pcp labeling to accept /usr/bin for all daemon binaries - Fix mcelog_read_log() interface - Allow iscsid to manage iscsi lib files - Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. - Allow ABRT to read puppet certs - Allow virtd_lxc_t to specify the label of a socket - New version of docker requires more access
2014-02-14 13:09:05 +01:00 · 2014-02-14 13:09:05 +01:00 · 7a727702c0
parent 05a36cdcd0
commit 7a727702c0
3 changed files with 490 additions and 319 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -10427,7 +10427,7 @@ index a3760bc..a570048 100644
 +
 +init_sigchld_script(cachefiles_kernel_t)
 diff --git a/calamaris.if b/calamaris.if
-index cd9c528..9de38c4 100644
+index cd9c528..ba793b7 100644
 --- a/calamaris.if
 +++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',`
@ -10435,7 +10435,7 @@ index cd9c528..9de38c4 100644
 	')
 
 -	lightsquid_domtrans($1)
-+	clamd_domtrans($1)
+	calamaris_domtrans($1)
 	roleattribute $2 calamaris_roles;
 ')
 
@ -11186,10 +11186,10 @@ index 0000000..57866f6
 +HOME_DIR/\.cache/chromium(/.*)?		gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
 diff --git a/chrome.if b/chrome.if
 new file mode 100644
-index 0000000..5977d96
+index 0000000..8ea5b7c
 --- /dev/null
 +++ b/chrome.if
-@@ -0,0 +1,134 @@
+@@ -0,0 +1,133 @@
 +
 +## <summary>policy for chrome</summary>
 +
@ -11276,9 +11276,8 @@ index 0000000..5977d96
 +
 +	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
 +	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+	allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
-+	dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
-+	allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
+	allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;;
+	allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
 +	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
 +	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
 +
@ -19280,7 +19279,7 @@ index dda905b..31f269b 100644
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index 62d22cb..ff0c9da 100644
+index 62d22cb..2d33fcd 100644
 --- a/dbus.if
 +++ b/dbus.if
@@ -1,4 +1,4 @@
@ -19802,7 +19801,7 @@ index 62d22cb..ff0c9da 100644
 ## <param name="domain">
 ##	<summary>
 ##	Type to be used as a domain.
-@@ -397,81 +403,66 @@ interface(`dbus_manage_lib_files',`
+@@ -397,81 +403,67 @@ interface(`dbus_manage_lib_files',`
 ## </param>
 ## <param name="entry_point">
 ##	<summary>
@ -19827,6 +19826,7 @@ index 62d22cb..ff0c9da 100644
 +	domain_entry_file($1, $2)
 +
 +	domtrans_pattern(system_dbusd_t, $2, $1)
+	init_system_domain($1, $2)
 +
 +	ps_process_pattern($1, system_dbusd_t)
 +
@ -19911,7 +19911,7 @@ index 62d22cb..ff0c9da 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -479,18 +470,18 @@ interface(`dbus_spec_session_domain',`
+@@ -479,18 +471,18 @@ interface(`dbus_spec_session_domain',`
 ##	</summary>
 ## </param>
 #
@ -19935,7 +19935,7 @@ index 62d22cb..ff0c9da 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -498,98 +489,80 @@ interface(`dbus_connect_system_bus',`
+@@ -498,98 +490,80 @@ interface(`dbus_connect_system_bus',`
 ##	</summary>
 ## </param>
 #
@ -20062,7 +20062,7 @@ index 62d22cb..ff0c9da 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -597,28 +570,32 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +571,32 @@ interface(`dbus_use_system_bus_fds',`
 ##	</summary>
 ## </param>
 #
@ -23074,10 +23074,10 @@ index c7bb4e7..e6fe2f40 100644
 sysnet_etc_filetrans_config(dnssec_triggerd_t)
 diff --git a/docker.fc b/docker.fc
 new file mode 100644
-index 0000000..1c4ac02
+index 0000000..fd679a1
 --- /dev/null
 +++ b/docker.fc
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,18 @@
 +/usr/bin/docker			--	gen_context(system_u:object_r:docker_exec_t,s0)
 +
 +/usr/lib/systemd/system/docker.service		--	gen_context(system_u:object_r:docker_unit_file_t,s0)
@ -23086,6 +23086,7 @@ index 0000000..1c4ac02
 +
 +/var/run/docker\.pid		--	gen_context(system_u:object_r:docker_var_run_t,s0)
 +/var/run/docker\.sock		-s	gen_context(system_u:object_r:docker_var_run_t,s0)
+/var/run/docker-client(/.*)?		gen_context(system_u:object_r:docker_var_run_t,s0)
 +
 +/var/lock/lxc(/.*)?		gen_context(system_u:object_r:docker_lock_t,s0)
 +
@ -23097,10 +23098,10 @@ index 0000000..1c4ac02
 +/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..cc6846a
+index 0000000..89401fe
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,324 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@ -23372,6 +23373,7 @@ index 0000000..cc6846a
 +
 +    files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
 +    files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
+    files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
 +    logging_log_filetrans($1, docker_log_t, dir, "lxc")
 +    files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
 +    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
@ -23426,10 +23428,10 @@ index 0000000..cc6846a
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..18e4ef8
+index 0000000..a1e6966
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,239 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@ -23508,6 +23510,7 @@ index 0000000..18e4ef8
 +manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
 +manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
 +fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
+allow docker_t docker_tmpfs_t:chr_file mounton;
 +
 +manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
 +manage_files_pattern(docker_t, docker_share_t, docker_share_t)
@ -23640,6 +23643,8 @@ index 0000000..18e4ef8
 +
 +modutils_domtrans_insmod(docker_t)
 +
+userdom_stream_connect(docker_t)
+
 +optional_policy(`
 +	dbus_system_bus_client(docker_t)
 +	init_dbus_chat(docker_t)
@ -28542,7 +28547,7 @@ index e39de43..6a6db28 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index ab09d61..edd1c94 100644
+index ab09d61..d0bfef0 100644
 --- a/gnome.if
 +++ b/gnome.if
@@ -1,52 +1,78 @@
@ -30013,7 +30018,7 @@ index ab09d61..edd1c94 100644
 +#
 +interface(`gnome_create_home_config_dirs',`
 +	gen_require(`
-+		type cache_home_t;
+		type config_home_t;
 +	')
 +
 +	allow $1 config_home_t:dir create_dir_perms;
@ -33047,7 +33052,7 @@ index 0000000..9278f85
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..c6cf456
+index 0000000..deb738f
 --- /dev/null
 +++ b/ipa.if
@@ -0,0 +1,21 @@
@ -33065,7 +33070,7 @@ index 0000000..c6cf456
 +#
 +interface(`ipa_domtrans_otpd',`
 +	gen_require(`
-+		type ipa_otpd_t, ipa_otpd_t_exec_t;
+		type ipa_otpd_t, ipa_otpd_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
@ -53910,7 +53915,7 @@ index 379af96..fac7d7b 100644
 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
 +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
 diff --git a/nut.if b/nut.if
-index 57c0161..54bd4d7 100644
+index 57c0161..dae3360 100644
 --- a/nut.if
 +++ b/nut.if
@@ -1,39 +1,24 @@
@ -53966,7 +53971,7 @@ index 57c0161..54bd4d7 100644
 
 -	files_search_pids($1)
 -	admin_pattern($1, nut_var_run_t)
-+    ps_process_pattern($1, swift_t)
+    ps_process_pattern($1, nut_t)
 ')
 diff --git a/nut.te b/nut.te
 index 5b2cb0d..249224e 100644
@ -58594,10 +58599,10 @@ index 0000000..9b8cb6b
 +/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
 diff --git a/pcp.if b/pcp.if
 new file mode 100644
-index 0000000..4f074cb
+index 0000000..f099f7c
 --- /dev/null
 +++ b/pcp.if
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,121 @@
 +## <summary>The  pcp  command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
 +
 +######################################
@ -58698,12 +58703,33 @@ index 0000000..4f074cb
 +    corecmd_search_bin($1)
 +    can_exec($1, pcp_pmie_exec_t)
 +')
+
+########################################
+## <summary>
+##  Allow the specified domain to execute pcp_pmlogger
+##  in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcp_pmlogger_exec',`
+    gen_require(`
+        type pcp_pmlogger_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    can_exec($1, pcp_pmlogger_exec_t)
+')
+
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..8ec3a48
+index 0000000..d21c5d7
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,192 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@ -58769,6 +58795,8 @@ index 0000000..8ec3a48
 +
 +dev_read_urand(pcp_domain)
 +
+files_read_etc_files(pcp_domain)
+
 +fs_getattr_all_fs(pcp_domain)
 +
 +auth_read_passwd(pcp_domain)
@ -58786,6 +58814,8 @@ index 0000000..8ec3a48
 +allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
 +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;
 +
+auth_use_nsswitch(pcp_pmcd_t)
+
 +kernel_read_network_state(pcp_pmcd_t)
 +kernel_read_system_state(pcp_pmcd_t)
 +kernel_read_state(pcp_pmcd_t)
@ -58807,9 +58837,9 @@ index 0000000..8ec3a48
 +fs_getattr_all_dirs(pcp_pmcd_t)
 +fs_list_cgroup_dirs(pcp_pmcd_t)
 +
-+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+logging_send_syslog_msg(pcp_pmcd_t)
 +
-+auth_use_nsswitch(pcp_pmcd_t)
+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
 +
 +optional_policy(`
 +    dbus_system_bus_client(pcp_pmcd_t)
@ -58826,9 +58856,12 @@ index 0000000..8ec3a48
 +
 +allow pcp_pmproxy_t self:process setsched;
 +allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms;
+allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
 +
 +auth_use_nsswitch(pcp_pmproxy_t)
 +
+logging_send_syslog_msg(pcp_pmproxy_t)
+
 +########################################
 +#
 +# pcp_pmwebd local  policy
@ -58842,21 +58875,27 @@ index 0000000..8ec3a48
 +#
 +
 +allow pcp_pmmgr_t self:process { setpgid };
-+
+allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
 +allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
 +
 +kernel_read_system_state(pcp_pmmgr_t)
 +
+auth_use_nsswitch(pcp_pmmgr_t)
+
 +corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
 +
+corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
+corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
+
 +corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)
 +
 +corecmd_exec_bin(pcp_pmmgr_t)
 +
-+auth_use_nsswitch(pcp_pmmgr_t)
+logging_send_syslog_msg(pcp_pmmgr_t)
 +
 +optional_policy(`
 +    pcp_pmie_exec(pcp_pmmgr_t)
+    pcp_pmlogger_exec(pcp_pmmgr_t)
 +')
 +
 +########################################
@ -58868,11 +58907,35 @@ index 0000000..8ec3a48
 +
 +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
 +
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
+
+########################################
+#
+# pcp_pmlogger local  policy
+#
+
+allow pcp_pmlogger_t self:process setpgid;
+allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
+
+allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
+
+corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
+corenet_tcp_bind_generic_node(pcp_pmlogger_t)
+
 diff --git a/pcscd.if b/pcscd.if
-index 43d50f9..7f77d32 100644
+index 43d50f9..6b1544f 100644
 --- a/pcscd.if
 +++ b/pcscd.if
-@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',`
+@@ -17,6 +17,8 @@ interface(`pcscd_domtrans',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, pcscd_exec_t, pcscd_t)
+
+	ps_process_pattern(pcscd_t, $1)
+ ')
+ 
+ ########################################
+@@ -50,7 +52,7 @@ interface(`pcscd_read_pid_files',`
 	')
 
 	files_search_pids($1)
@ -58882,7 +58945,7 @@ index 43d50f9..7f77d32 100644
 
 ########################################
 diff --git a/pcscd.te b/pcscd.te
-index 1fb1964..c5ec0c4 100644
+index 1fb1964..36eb845 100644
 --- a/pcscd.te
 +++ b/pcscd.te
@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
@ -58925,7 +58988,18 @@ index 1fb1964..c5ec0c4 100644
 sysnet_dns_name_resolve(pcscd_t)
 
 optional_policy(`
-@@ -85,3 +82,7 @@ optional_policy(`
+@@ -73,6 +70,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	policykit_dbus_chat(pcscd_t)
+')
+
+optional_policy(`
+ 	openct_stream_connect(pcscd_t)
+ 	openct_read_pid_files(pcscd_t)
+ 	openct_signull(pcscd_t)
+@@ -85,3 +86,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(pcscd_t)
 ')
@ -58933,6 +59007,7 @@ index 1fb1964..c5ec0c4 100644
 +optional_policy(`
 +	virt_rw_svirt_dev(pcscd_t)
 +')
+
 diff --git a/pegasus.fc b/pegasus.fc
 index dfd46e4..d40433a 100644
 --- a/pegasus.fc
@ -74056,7 +74131,7 @@ index e240ac9..638d6b4 100644
 +
 +/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
 diff --git a/redis.if b/redis.if
-index 16c8ecb..9fc0cb9 100644
+index 16c8ecb..2640ab5 100644
 --- a/redis.if
 +++ b/redis.if
@@ -1,9 +1,224 @@
@ -74273,7 +74348,7 @@ index 16c8ecb..9fc0cb9 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+    systemd_read_fifo_file_password_run($1)
+    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 redis_unit_file_t:file read_file_perms;
 +	allow $1 redis_unit_file_t:service manage_service_perms;
 +
@ -88175,7 +88250,7 @@ index 0000000..94105ee
 +')
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..838f907
+index 0000000..a299f53
 --- /dev/null
 +++ b/snapper.te
@@ -0,0 +1,66 @@
@ -88193,8 +88268,8 @@ index 0000000..838f907
 +type snapperd_log_t;
 +logging_log_file(snapperd_log_t)
 +
-+type snappperd_conf_t;
-+files_config_file(snappperd_conf_t)
+type snapperd_conf_t;
+files_config_file(snapperd_conf_t)
 +
 +type snapperd_data_t;
 +files_type(snapperd_data_t)
@ -98851,7 +98926,7 @@ index facdee8..fddb027 100644
 +	virt_stream_connect($1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..81e9d56 100644
+index f03dcf5..2a43838 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,197 @@
@ -100188,7 +100263,7 @@ index f03dcf5..81e9d56 100644
 +# virt_lxc local policy
 #
 +allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
-+allow virtd_lxc_t self:process { transition setpgid signal_perms };
+allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms };
 +allow virtd_lxc_t self:capability2 compromise_kernel;
 
 -allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
@ -100971,7 +101046,7 @@ index 0000000..5726cdb
 +/usr/lib/systemd/system/vmtoolsd.*		--	gen_context(system_u:object_r:vmtools_unit_file_t,s0)
 diff --git a/vmtools.if b/vmtools.if
 new file mode 100644
-index 0000000..044be2f
+index 0000000..82fc528
 --- /dev/null
 +++ b/vmtools.if
@@ -0,0 +1,78 @@
@ -101042,7 +101117,7 @@ index 0000000..044be2f
 +	ps_process_pattern($1, vmtools_t)
 +
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 ninfod_t:process ptrace;
+		allow $1 vmtools_t:process ptrace;
 +	')
 +
 +	vmtools_systemctl($1)
@ -105172,7 +105247,7 @@ index 0000000..ceaa219
 +/var/spool/zoneminder-upload(/.*)?	gen_context(system_u:object_r:zoneminder_spool_t,s0)
 diff --git a/zoneminder.if b/zoneminder.if
 new file mode 100644
-index 0000000..d02a6f4
+index 0000000..e0604c7
 --- /dev/null
 +++ b/zoneminder.if
@@ -0,0 +1,374 @@
@ -105385,7 +105460,7 @@ index 0000000..d02a6f4
 +#
 +interface(`zoneminder_manage_lib_sock_files',`
 +    gen_require(`
-+        type sock_var_lib_t;
+        type zoneminder_sock_var_lib_t;
 +    ')
 +    files_search_var_lib($1)
 +    manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -578,7 +578,36 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
-* Mon Feb 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-23
+* Fri Feb 14 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-24
+- Dontaudit rendom domains listing /proc and hittping system_map_t
+- devicekit_power sends out a signal to all processes on the message bus when power is going down
+- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
+- systemd_tmpfiles_t needs to _setcheckreqprot
+- Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
+- Fixed snapperd policy
+- Fixed broken interfaces
+- Should use rw_socket_perms rather then sock_file on a unix_stream_socket
+- Fixed bugsfor pcp policy
+- pcscd seems to be using policy kit and looking at domains proc data that transition to it
+- Allow dbus_system_domains to be started by init
+- Fixed some interfaces
+- Addopt corenet rules for unbound-anchor to rpm_script_t
+- Allow runuser to send send audit messages.
+- Allow postfix-local to search .forward in munin lib dirs
+- Allow udisks to connect to D-Bus
+- Allow spamd to connect to spamd port
+- Fix syntax error in snapper.te
+- Dontaudit osad to search gconf home files
+- Allow rhsmcertd to manage /etc/sysconf/rhn director
+- Fix pcp labeling to accept /usr/bin for all daemon binaries
+- Fix mcelog_read_log() interface
+- Allow iscsid to manage iscsi lib files
+- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
+- Allow ABRT to read puppet certs
+- Allow virtd_lxc_t to specify the label of a socket
+- New version of docker requires more access
+
+* Mon Feb 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-23
 - Addopt corenet rules for unbound-anchor to rpm_script_t
 - Allow runuser to send send audit messages.
 - Allow postfix-local to search .forward in munin lib dirs