- Allow init_t to setattr/relabelfrom dhcp state files

- Allow dmesg to read hwdata and memory dev - Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan - Dontaudit antivirus domains read access on all security files by default - Add missing alias for old amavis_etc_t type - Additional fixes for instack overcloud - Allow block_suspend cap for haproxy - Allow OpenStack to read mysqld_db links and connect to MySQL - Remove dup filename rules in gnome.te - Allow sys_chroot cap for httpd_t and setattr on httpd_log_t - Add labeling for /lib/systemd/system/thttpd.service - Allow iscsid to handle own unit files - Add iscsi_systemctl() - Allow mongod also create sock_file with correct labeling in /run - Allow aiccu stream connect to pcscd - Allow rabbitmq_beam to connect to httpd port - Allow httpd to send signull to apache script domains and don't audit leaks - Fix labeling in drbd.fc - Allow sssd to connect to the smbd port for handing logins using active directory, needs back - Allow all freeipmi domains to read/write ipmi devices - Allow rabbitmq_epmd to manage rabbit_var_log_t files - Allow sblim_sfcbd to use also pegasus-https port - Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input - Add httpd_run_preupgrade boolean - Add interfaces to access preupgrade_data_t - Add preupgrade policy - Add labeling for puppet helper scripts
2014-04-18 14:31:10 +02:00 · 2014-04-18 14:31:10 +02:00 · 7ca2b30721
commit 7ca2b30721
parent d641991bb4
3 changed files with 597 additions and 287 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -1601,7 +1601,7 @@ index d6cc2d9..0685b19 100644
 +
 +/usr/bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
 diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..17357e5 100644
+index 72bc6d8..bb4a6f0 100644
 --- a/policy/modules/admin/dmesg.te
 +++ b/policy/modules/admin/dmesg.te
@@ -9,6 +9,10 @@ type dmesg_t;
@ -1615,7 +1615,7 @@ index 72bc6d8..17357e5 100644
 ########################################
 #
 # Local policy
-@@ -19,14 +23,17 @@ dontaudit dmesg_t self:capability sys_tty_config;
+@@ -19,14 +23,18 @@ dontaudit dmesg_t self:capability sys_tty_config;
 
 allow dmesg_t self:process signal_perms;
 
@ -1630,15 +1630,17 @@ index 72bc6d8..17357e5 100644
 
 dev_read_sysfs(dmesg_t)
 +dev_read_kmsg(dmesg_t)
+dev_read_raw_memory(dmesg_t)
 
 fs_search_auto_mountpoints(dmesg_t)
 
-@@ -44,10 +51,12 @@ init_use_script_ptys(dmesg_t)
+@@ -44,10 +52,14 @@ init_use_script_ptys(dmesg_t)
 logging_send_syslog_msg(dmesg_t)
 logging_write_generic_logs(dmesg_t)
 
 -miscfiles_read_localization(dmesg_t)
-
+miscfiles_read_hwdata(dmesg_t)
+ 
 userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
 -userdom_use_user_terminals(dmesg_t)
 +userdom_use_inherited_user_terminals(dmesg_t)
@ -29655,7 +29657,7 @@ index 79a45f6..89b43aa 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..56e006c 100644
+index 17eda24..e5c555c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -29925,7 +29927,7 @@ index 17eda24..56e006c 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +301,230 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +301,235 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -30123,6 +30125,11 @@ index 17eda24..56e006c 100644
 +    optional_policy(`
 +        rpc_manage_nfs_state_data(init_t)
 +    ')
+
+    optional_policy(`
+        sysnet_relabelfrom_dhcpc_state(init_t)
+        sysnet_setattr_dhcp_state(init_t)
+    ')
 +')
 +
 +optional_policy(`
@ -30142,10 +30149,9 @@ index 17eda24..56e006c 100644
 +	optional_policy(`
 +		devicekit_dbus_chat_power(init_t)
 +	')
- ')
- 
- optional_policy(`
-	nscd_use(init_t)
+')
+
+optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
@ -30155,16 +30161,17 @@ index 17eda24..56e006c 100644
 +
 +optional_policy(`
 +		networkmanager_stream_connect(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_use(init_t)
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
 +	plymouthd_filetrans_named_content(init_t)
 ')
 
 optional_policy(`
-@@ -216,7 +532,31 @@ optional_policy(`
+@@ -216,7 +537,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30196,7 +30203,7 @@ index 17eda24..56e006c 100644
 ')
 
 ########################################
-@@ -225,9 +565,9 @@ optional_policy(`
+@@ -225,9 +570,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -30208,7 +30215,7 @@ index 17eda24..56e006c 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -258,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -30225,7 +30232,7 @@ index 17eda24..56e006c 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -30268,7 +30275,7 @@ index 17eda24..56e006c 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -30280,7 +30287,7 @@ index 17eda24..56e006c 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +672,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +677,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -30291,7 +30298,7 @@ index 17eda24..56e006c 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +683,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +688,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -30301,7 +30308,7 @@ index 17eda24..56e006c 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +692,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +697,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -30309,7 +30316,7 @@ index 17eda24..56e006c 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -30317,7 +30324,7 @@ index 17eda24..56e006c 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +707,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +712,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -30335,7 +30342,7 @@ index 17eda24..56e006c 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +725,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +730,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -30349,7 +30356,7 @@ index 17eda24..56e006c 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +740,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +745,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -30363,7 +30370,7 @@ index 17eda24..56e006c 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +753,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +758,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -30374,7 +30381,7 @@ index 17eda24..56e006c 100644
 
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +766,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +771,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -30382,7 +30389,7 @@ index 17eda24..56e006c 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +785,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +790,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -30406,7 +30413,7 @@ index 17eda24..56e006c 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +818,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +823,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -30414,7 +30421,7 @@ index 17eda24..56e006c 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +852,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +857,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -30425,7 +30432,7 @@ index 17eda24..56e006c 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -506,7 +876,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +881,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -30434,7 +30441,7 @@ index 17eda24..56e006c 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -521,6 +891,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +896,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -30442,7 +30449,7 @@ index 17eda24..56e006c 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +912,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +917,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -30450,7 +30457,7 @@ index 17eda24..56e006c 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +922,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +927,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -30495,7 +30502,7 @@ index 17eda24..56e006c 100644
 	')
 
 	optional_policy(`
-@@ -559,14 +967,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +972,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -30527,7 +30534,7 @@ index 17eda24..56e006c 100644
 	')
 ')
 
-@@ -577,6 +1002,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1007,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -30567,7 +30574,7 @@ index 17eda24..56e006c 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1047,8 @@ optional_policy(`
+@@ -589,6 +1052,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -30576,7 +30583,7 @@ index 17eda24..56e006c 100644
 ')
 
 optional_policy(`
-@@ -610,6 +1070,7 @@ optional_policy(`
+@@ -610,6 +1075,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -30584,7 +30591,7 @@ index 17eda24..56e006c 100644
 ')
 
 optional_policy(`
-@@ -626,6 +1087,17 @@ optional_policy(`
+@@ -626,6 +1092,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30602,7 +30609,7 @@ index 17eda24..56e006c 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -642,9 +1114,13 @@ optional_policy(`
+@@ -642,9 +1119,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -30616,7 +30623,7 @@ index 17eda24..56e006c 100644
 	')
 
 	optional_policy(`
-@@ -657,15 +1133,11 @@ optional_policy(`
+@@ -657,15 +1138,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30634,7 +30641,7 @@ index 17eda24..56e006c 100644
 ')
 
 optional_policy(`
-@@ -686,6 +1158,15 @@ optional_policy(`
+@@ -686,6 +1163,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30650,7 +30657,7 @@ index 17eda24..56e006c 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -726,6 +1207,7 @@ optional_policy(`
+@@ -726,6 +1212,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -30658,7 +30665,7 @@ index 17eda24..56e006c 100644
 ')
 
 optional_policy(`
-@@ -743,7 +1225,13 @@ optional_policy(`
+@@ -743,7 +1230,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30673,7 +30680,7 @@ index 17eda24..56e006c 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -766,6 +1254,10 @@ optional_policy(`
+@@ -766,6 +1259,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30684,7 +30691,7 @@ index 17eda24..56e006c 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1267,20 @@ optional_policy(`
+@@ -775,10 +1272,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30705,7 +30712,7 @@ index 17eda24..56e006c 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -787,6 +1289,10 @@ optional_policy(`
+@@ -787,6 +1294,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30716,7 +30723,7 @@ index 17eda24..56e006c 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -808,8 +1314,6 @@ optional_policy(`
+@@ -808,8 +1319,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -30725,7 +30732,7 @@ index 17eda24..56e006c 100644
 ')
 
 optional_policy(`
-@@ -818,6 +1322,10 @@ optional_policy(`
+@@ -818,6 +1327,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30736,7 +30743,7 @@ index 17eda24..56e006c 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1335,12 @@ optional_policy(`
+@@ -827,10 +1340,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -30749,7 +30756,7 @@ index 17eda24..56e006c 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1367,60 @@ optional_policy(`
+@@ -857,21 +1372,60 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30811,7 +30818,7 @@ index 17eda24..56e006c 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1436,10 @@ optional_policy(`
+@@ -887,6 +1441,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30822,7 +30829,7 @@ index 17eda24..56e006c 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1450,218 @@ optional_policy(`
+@@ -897,3 +1455,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -31289,7 +31296,7 @@ index 0d4c8d3..e6ffda3 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..a97e8da 100644
+index 312cd04..d6d434a 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -31302,7 +31309,7 @@ index 312cd04..a97e8da 100644
 type ipsec_mgmt_lock_t;
 files_lock_file(ipsec_mgmt_lock_t)
 
-@@ -72,14 +75,18 @@ role system_r types setkey_t;
+@@ -72,24 +75,32 @@ role system_r types setkey_t;
 # ipsec Local policy
 #
 
@ -31324,8 +31331,10 @@ index 312cd04..a97e8da 100644
 
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
 
-@@ -88,8 +95,11 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+ allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
+ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
 read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")
 
 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
 -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
@ -31337,7 +31346,7 @@ index 312cd04..a97e8da 100644
 
 manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
 manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -110,10 +120,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+@@ -110,10 +121,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
 allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
@ -31350,7 +31359,7 @@ index 312cd04..a97e8da 100644
 kernel_list_proc(ipsec_t)
 kernel_read_proc_symlinks(ipsec_t)
 # allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +138,22 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +139,22 @@ corecmd_exec_shell(ipsec_t)
 corecmd_exec_bin(ipsec_t)
 
 # Pluto needs network access
@ -31380,7 +31389,7 @@ index 312cd04..a97e8da 100644
 
 dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)
-@@ -157,24 +169,33 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,24 +170,33 @@ files_dontaudit_search_home(ipsec_t)
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
 
@ -31415,7 +31424,7 @@ index 312cd04..a97e8da 100644
 	seutil_sigchld_newrole(ipsec_t)
 ')
 
-@@ -187,10 +208,10 @@ optional_policy(`
+@@ -187,10 +209,10 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
 
@ -31430,7 +31439,7 @@ index 312cd04..a97e8da 100644
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +230,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
 
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -31446,7 +31455,7 @@ index 312cd04..a97e8da 100644
 
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
-@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +270,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
 
@ -31463,7 +31472,7 @@ index 312cd04..a97e8da 100644
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
 
-@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +289,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 
@ -31472,7 +31481,7 @@ index 312cd04..a97e8da 100644
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
 
-@@ -278,9 +313,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
 
 term_use_console(ipsec_mgmt_t)
@ -31484,7 +31493,7 @@ index 312cd04..a97e8da 100644
 
 init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +324,22 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +325,22 @@ init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 
@ -31512,7 +31521,7 @@ index 312cd04..a97e8da 100644
 
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +363,10 @@ optional_policy(`
+@@ -322,6 +364,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31523,7 +31532,7 @@ index 312cd04..a97e8da 100644
 	modutils_domtrans_insmod(ipsec_mgmt_t)
 ')
 
-@@ -335,7 +380,7 @@ optional_policy(`
+@@ -335,7 +381,7 @@ optional_policy(`
 #
 
 allow racoon_t self:capability { net_admin net_bind_service };
@ -31532,7 +31541,7 @@ index 312cd04..a97e8da 100644
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +415,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +416,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
 
@ -31552,7 +31561,7 @@ index 312cd04..a97e8da 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 
-@@ -401,10 +445,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +446,10 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
 
@ -31565,7 +31574,7 @@ index 312cd04..a97e8da 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +482,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +483,8 @@ corenet_setcontext_all_spds(setkey_t)
 
 locallogin_use_fds(setkey_t)
 
@ -37497,7 +37506,7 @@ index 40edc18..a072ac2 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..77f307f 100644
+index 2cea692..1c0de21 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -37777,7 +37786,34 @@ index 2cea692..77f307f 100644
 ')
 
 ########################################
-@@ -711,8 +897,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -647,6 +833,26 @@ interface(`sysnet_search_dhcp_state',`
+ 	allow $1 dhcp_state_t:dir search_dir_perms;
+ ')
+ 
+#######################################
+## <summary>
+##	Set the attributes of network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_setattr_dhcp_state',`
+	gen_require(`
+		type dhcp_state_t;
+	')
+
+    files_search_var_lib($1)
+	allow $1 dhcp_state_t:file setattr_file_perms;
+')
+
+
+ ########################################
+ ## <summary>
+ ##	Create DHCP state data.
+@@ -711,8 +917,6 @@ interface(`sysnet_dns_name_resolve',`
 	allow $1 self:udp_socket create_socket_perms;
 	allow $1 self:netlink_route_socket r_netlink_socket_perms;
 
@ -37786,7 +37822,7 @@ index 2cea692..77f307f 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -720,8 +904,11 @@ interface(`sysnet_dns_name_resolve',`
+@@ -720,8 +924,11 @@ interface(`sysnet_dns_name_resolve',`
 	corenet_tcp_sendrecv_dns_port($1)
 	corenet_udp_sendrecv_dns_port($1)
 	corenet_tcp_connect_dns_port($1)
@ -37798,7 +37834,7 @@ index 2cea692..77f307f 100644
 	sysnet_read_config($1)
 
 	optional_policy(`
-@@ -750,8 +937,6 @@ interface(`sysnet_use_ldap',`
+@@ -750,8 +957,6 @@ interface(`sysnet_use_ldap',`
 
 	allow $1 self:tcp_socket create_socket_perms;
 
@ -37807,7 +37843,7 @@ index 2cea692..77f307f 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
 	corenet_tcp_sendrecv_ldap_port($1)
-@@ -763,6 +948,9 @@ interface(`sysnet_use_ldap',`
+@@ -763,6 +968,9 @@ interface(`sysnet_use_ldap',`
 	dev_read_urand($1)
 
 	sysnet_read_config($1)
@ -37817,7 +37853,7 @@ index 2cea692..77f307f 100644
 ')
 
 ########################################
-@@ -784,7 +972,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +992,6 @@ interface(`sysnet_use_portmap',`
 	allow $1 self:udp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
@ -37825,7 +37861,7 @@ index 2cea692..77f307f 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +983,115 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1003,115 @@ interface(`sysnet_use_portmap',`
 
 	sysnet_read_config($1)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 45%{?dist}
+Release: 46%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -588,6 +588,35 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Fri Apr 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-46
+- Allow init_t to setattr/relabelfrom dhcp state files
+- Allow dmesg to read hwdata and memory dev
+- Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
+- Dontaudit antivirus domains read access on all security files by default
+- Add missing alias for old amavis_etc_t type
+- Additional fixes for  instack overcloud
+- Allow block_suspend cap for haproxy
+- Allow OpenStack to read mysqld_db links and connect to MySQL
+- Remove dup filename rules in gnome.te
+- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
+- Add labeling for /lib/systemd/system/thttpd.service
+- Allow iscsid to handle own unit files
+- Add iscsi_systemctl()
+- Allow mongod also create sock_file with correct labeling in /run
+- Allow aiccu stream connect to pcscd
+- Allow rabbitmq_beam to connect to httpd port
+- Allow httpd to send signull to apache script domains and don't audit leaks
+- Fix labeling in drbd.fc
+- Allow sssd to connect to the smbd port for handing logins using active directory, needs back port for rhel7
+- Allow all freeipmi domains to read/write ipmi devices
+- Allow rabbitmq_epmd to manage rabbit_var_log_t files
+- Allow sblim_sfcbd to use also pegasus-https port
+- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
+- Add httpd_run_preupgrade boolean
+- Add interfaces to access preupgrade_data_t
+- Add preupgrade policy
+- Add labeling for puppet helper scripts
+
 * Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45
 Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.