- Don't audit access checks by sandbox xserver on xdb var_lib

- Allow ntop to read usbmon devices - Add labeling for new polcykit authorizor - Dontaudit access checks from fail2ban_client - Don't audit access checks by sandbox xserver on xdb var_lib - Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream - Fix labeling for all /usr/bim/razor-lightdm-* binaries - Add filename trans for /dev/md126p1
2013-06-20 16:58:38 +02:00 · 2013-06-20 16:58:38 +02:00 · 82acdf3079
commit 82acdf3079
parent 859a101f23
3 changed files with 377 additions and 138 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -15142,7 +15142,7 @@ index 54f1827..cc2de1a 100644
 +/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..f8f6456 100644
+index 1700ef2..38b597e 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@ -15181,7 +15181,15 @@ index 1700ef2..f8f6456 100644
 	typeattribute $1 fixed_disk_raw_read;
 ')
 
-@@ -205,6 +227,7 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
+ interface(`storage_raw_rw_fixed_disk',`
+ 	storage_raw_read_fixed_disk($1)
+ 	storage_raw_write_fixed_disk($1)
+	dev_rw_generic_blk_files($1)
+ ')
+ 
+ ########################################
+@@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',`
 
 	allow $1 self:capability mknod;
 	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
@ -15189,7 +15197,7 @@ index 1700ef2..f8f6456 100644
 	dev_add_entry_generic_dirs($1)
 ')
 
-@@ -269,6 +292,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+@@ -269,6 +293,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
 	dev_filetrans($1, fixed_disk_device_t, blk_file)
 ')
 
@ -15238,7 +15246,7 @@ index 1700ef2..f8f6456 100644
 ########################################
 ## <summary>
 ##	Create block devices in on a tmpfs filesystem with the
-@@ -711,6 +776,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+@@ -711,6 +777,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
 	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
 ')
 
@ -15263,7 +15271,7 @@ index 1700ef2..f8f6456 100644
 ########################################
 ## <summary>
 ##	Allow the caller to directly read
-@@ -808,3 +891,400 @@ interface(`storage_unconfined',`
+@@ -808,3 +892,401 @@ interface(`storage_unconfined',`
 
 	typeattribute $1 storage_unconfined_type;
 ')
@ -15374,6 +15382,7 @@ index 1700ef2..f8f6456 100644
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
@ -20595,7 +20604,7 @@ index 5fc0391..994eec2 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..97140ee 100644
+index d1f64a0..156a29f 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@ -20685,7 +20694,7 @@ index d1f64a0..97140ee 100644
 +
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
-+/usr/bin/razor-lightdm-greeter  --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/razor-lightdm-*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 +/usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
@ -20752,7 +20761,7 @@ index d1f64a0..97140ee 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..18223e7 100644
+index 6bf0ecc..9388756 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -21224,18 +21233,19 @@ index 6bf0ecc..18223e7 100644
 ')
 
 ########################################
-@@ -765,11 +904,91 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +904,92 @@ interface(`xserver_manage_xdm_spool_files',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
 -		type xdm_t, xdm_tmp_t;
 +		type xdm_t, xdm_tmp_t, xdm_var_run_t;
+		type xdm_dbusd_t;
 	')
 
 	files_search_tmp($1)
 -	stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
 +	files_search_pids($1)
-+	stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
+	stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, { xdm_t xdm_dbusd_t } )
 +')
 +
 +########################################
@ -21318,7 +21328,7 @@ index 6bf0ecc..18223e7 100644
 ')
 
 ########################################
-@@ -793,6 +1012,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +1013,25 @@ interface(`xserver_read_xdm_rw_config',`
 
 ########################################
 ## <summary>
@ -21344,7 +21354,7 @@ index 6bf0ecc..18223e7 100644
 ##	Set the attributes of XDM temporary directories.
 ## </summary>
 ## <param name="domain">
-@@ -806,7 +1044,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +1045,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 		type xdm_tmp_t;
 	')
 
@ -21371,7 +21381,7 @@ index 6bf0ecc..18223e7 100644
 ')
 
 ########################################
-@@ -846,7 +1102,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1103,26 @@ interface(`xserver_read_xdm_pid',`
 	')
 
 	files_search_pids($1)
@ -21399,7 +21409,7 @@ index 6bf0ecc..18223e7 100644
 ')
 
 ########################################
-@@ -869,6 +1144,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1145,24 @@ interface(`xserver_read_xdm_lib_files',`
 
 ########################################
 ## <summary>
@ -21424,7 +21434,7 @@ index 6bf0ecc..18223e7 100644
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
-@@ -938,7 +1231,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1232,26 @@ interface(`xserver_getattr_log',`
 	')
 
 	logging_search_logs($1)
@ -21452,7 +21462,7 @@ index 6bf0ecc..18223e7 100644
 ')
 
 ########################################
-@@ -957,7 +1269,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1270,7 @@ interface(`xserver_dontaudit_write_log',`
 		type xserver_log_t;
 	')
 
@ -21461,66 +21471,167 @@ index 6bf0ecc..18223e7 100644
 ')
 
 ########################################
-@@ -1004,6 +1316,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,7 +1317,7 @@ interface(`xserver_read_xkb_libs',`
 
 ########################################
 ## <summary>
-+##	Read xdm config files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit
-+##	</summary>
-+## </param>
-+#
-+interface(`xserver_read_xdm_etc_files',`
-+	gen_require(`
-+		type xdm_etc_t;
-+	')
-+
-+	files_search_etc($1)
-+	read_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+	read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage xdm config files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit
-+##	</summary>
-+## </param>
-+#
-+interface(`xserver_manage_xdm_etc_files',`
-+	gen_require(`
-+		type xdm_etc_t;
-+	')
-+
-+	files_search_etc($1)
-+	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Read xdm temporary files.
+-##	Read xdm temporary files.
+##	dontaudit access checks X keyboard extension libraries.
 ## </summary>
 ## <param name="domain">
-@@ -1017,7 +1368,7 @@ interface(`xserver_read_xdm_tmp_files',`
- 		type xdm_tmp_t;
+ ##	<summary>
+@@ -1012,56 +1325,57 @@ interface(`xserver_read_xkb_libs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_read_xdm_tmp_files',`
+interface(`xserver_dontaudit_xkb_libs_access',`
+ 	gen_require(`
+-		type xdm_tmp_t;
+		type xkb_var_lib_t;
 	')
 
 - 	files_search_tmp($1)
-+	files_search_tmp($1)
- 	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+-	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+	dontaudit $1 xkb_var_lib_t:dir audit_access;
+	dontaudit $1 xkb_var_lib_t:file audit_access;
 ')
 
-@@ -1079,7 +1430,43 @@ interface(`xserver_manage_xdm_tmp_files',`
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read xdm temporary files.
+##	Read xdm config files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
+##	Domain to not audit
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_dontaudit_read_xdm_tmp_files',`
+interface(`xserver_read_xdm_etc_files',`
+ 	gen_require(`
+-		type xdm_tmp_t;
+		type xdm_etc_t;
+ 	')
+ 
+-	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+-	dontaudit $1 xdm_tmp_t:file read_file_perms;
+	files_search_etc($1)
+	read_files_pattern($1, xdm_etc_t, xdm_etc_t)
+	read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read write xdm temporary files.
+##	Manage xdm config files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
+##	Domain to not audit
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_rw_xdm_tmp_files',`
+interface(`xserver_manage_xdm_etc_files',`
+ 	gen_require(`
+-		type xdm_tmp_t;
+		type xdm_etc_t;
+ 	')
+ 
+-	allow $1 xdm_tmp_t:dir search_dir_perms;
+-	allow $1 xdm_tmp_t:file rw_file_perms;
+	files_search_etc($1)
+	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete xdm temporary files.
+##	Read xdm temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1069,18 +1383,18 @@ interface(`xserver_rw_xdm_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_manage_xdm_tmp_files',`
+interface(`xserver_read_xdm_tmp_files',`
+ 	gen_require(`
+ 		type xdm_tmp_t;
+ 	')
+ 
+-	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+	files_search_tmp($1)
+	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ ')
 
 ########################################
 ## <summary>
 -##	Do not audit attempts to get the attributes of
+-##	xdm temporary named sockets.
+##	Do not audit attempts to read xdm temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1088,12 +1402,105 @@ interface(`xserver_manage_xdm_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+interface(`xserver_dontaudit_read_xdm_tmp_files',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+	dontaudit $1 xdm_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read write xdm temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_tmp_files',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:dir search_dir_perms;
+	allow $1 xdm_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete xdm temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xdm_tmp_files',`
+ 	gen_require(`
+ 		type xdm_tmp_t;
+ 	')
+ 
+-	dontaudit $1 xdm_tmp_t:sock_file getattr;
+	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+## <summary>
 +##	Create, read, write, and delete xdm temporary dirs.
 +## </summary>
 +## <param name="domain">
@ -21558,19 +21669,24 @@ index 6bf0ecc..18223e7 100644
 +########################################
 +## <summary>
 +##	Do not audit attempts to get the attributes of
- ##	xdm temporary named sockets.
- ## </summary>
- ## <param name="domain">
-@@ -1093,7 +1480,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
- 		type xdm_tmp_t;
- 	')
- 
-	dontaudit $1 xdm_tmp_t:sock_file getattr;
+##	xdm temporary named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
 +	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
-@@ -1111,8 +1498,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1518,10 @@ interface(`xserver_domtrans',`
 		type xserver_t, xserver_exec_t;
 	')
 
@ -21582,7 +21698,7 @@ index 6bf0ecc..18223e7 100644
 ')
 
 ########################################
-@@ -1210,6 +1599,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1619,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
 
 ########################################
 ## <summary>
@ -21608,7 +21724,7 @@ index 6bf0ecc..18223e7 100644
 ##	Connect to the X server over a unix domain
 ##	stream socket.
 ## </summary>
-@@ -1226,6 +1634,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1654,26 @@ interface(`xserver_stream_connect',`
 
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -21635,7 +21751,7 @@ index 6bf0ecc..18223e7 100644
 ')
 
 ########################################
-@@ -1251,7 +1679,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1699,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
@ -21644,7 +21760,7 @@ index 6bf0ecc..18223e7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1261,13 +1689,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1709,23 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
@ -21669,7 +21785,7 @@ index 6bf0ecc..18223e7 100644
 ')
 
 ########################################
-@@ -1284,10 +1722,604 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1742,604 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -23864,7 +23980,7 @@ index 28ad538..ebe81bf 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..c7f52c2 100644
+index 3efd5b6..2f6ba05 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@ -24054,16 +24170,7 @@ index 3efd5b6..c7f52c2 100644
 ##	Execute a login_program in the target domain,
 ##	with a range transition.
 ## </summary>
-@@ -395,6 +432,8 @@ interface(`auth_domtrans_chk_passwd',`
- 	')
- 
- 	optional_policy(`
-+		pcscd_manage_pub_files($1)
-+		pcscd_manage_pub_pipes($1)
- 		pcscd_read_pid_files($1)
- 		pcscd_stream_connect($1)
- 	')
-@@ -402,6 +441,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +439,8 @@ interface(`auth_domtrans_chk_passwd',`
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 	')
@ -24072,7 +24179,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 ########################################
-@@ -448,6 +489,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +487,25 @@ interface(`auth_run_chk_passwd',`
 
 	auth_domtrans_chk_passwd($1)
 	role $2 types chkpwd_t;
@ -24098,7 +24205,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 ########################################
-@@ -467,7 +527,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +525,6 @@ interface(`auth_domtrans_upd_passwd',`
 
 	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
 	auth_dontaudit_read_shadow($1)
@ -24106,7 +24213,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 ########################################
-@@ -664,6 +723,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +721,10 @@ interface(`auth_manage_shadow',`
 
 	allow $1 shadow_t:file manage_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@ -24117,7 +24224,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 #######################################
-@@ -763,7 +826,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +824,50 @@ interface(`auth_rw_faillog',`
 	')
 
 	logging_search_logs($1)
@ -24169,7 +24276,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 #######################################
-@@ -824,9 +930,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +928,29 @@ interface(`auth_rw_lastlog',`
 	allow $1 lastlog_t:file { rw_file_perms lock setattr };
 ')
 
@ -24200,7 +24307,7 @@ index 3efd5b6..c7f52c2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -834,12 +960,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +958,27 @@ interface(`auth_rw_lastlog',`
 ##	</summary>
 ## </param>
 #
@ -24231,7 +24338,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 ########################################
-@@ -854,15 +995,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +993,15 @@ interface(`auth_domtrans_pam',`
 #
 interface(`auth_signal_pam',`
 	gen_require(`
@ -24250,7 +24357,7 @@ index 3efd5b6..c7f52c2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -875,13 +1016,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1014,33 @@ interface(`auth_signal_pam',`
 ##	</summary>
 ## </param>
 #
@ -24288,7 +24395,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 ########################################
-@@ -959,9 +1120,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1118,30 @@ interface(`auth_manage_var_auth',`
 	')
 
 	files_search_var($1)
@ -24322,7 +24429,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 ########################################
-@@ -1040,6 +1222,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1220,10 @@ interface(`auth_manage_pam_pid',`
 	files_search_pids($1)
 	allow $1 pam_var_run_t:dir manage_dir_perms;
 	allow $1 pam_var_run_t:file manage_file_perms;
@ -24333,7 +24440,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 ########################################
-@@ -1176,6 +1362,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1360,7 @@ interface(`auth_manage_pam_console_data',`
 	files_search_pids($1)
 	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
 	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@ -24341,7 +24448,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 #######################################
-@@ -1576,6 +1763,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1761,25 @@ interface(`auth_setattr_login_records',`
 
 ########################################
 ## <summary>
@ -24367,7 +24474,7 @@ index 3efd5b6..c7f52c2 100644
 ##	Read login records files (/var/log/wtmp).
 ## </summary>
 ## <param name="domain">
-@@ -1726,24 +1932,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1930,7 @@ interface(`auth_manage_login_records',`
 
 	logging_rw_generic_log_dirs($1)
 	allow $1 wtmp_t:file manage_file_perms;
@ -24393,7 +24500,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 ########################################
-@@ -1767,11 +1956,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1954,13 @@ interface(`auth_relabel_login_records',`
 ## <infoflow type="both" weight="10"/>
 #
 interface(`auth_use_nsswitch',`
@ -24410,7 +24517,7 @@ index 3efd5b6..c7f52c2 100644
 ')
 
 ########################################
-@@ -1805,3 +1996,219 @@ interface(`auth_unconfined',`
+@@ -1805,3 +1994,219 @@ interface(`auth_unconfined',`
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -28821,7 +28928,7 @@ index 5dfa44b..2502d06 100644
 
 optional_policy(`
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..dc79c6f 100644
+index 73bb3c0..6e848de 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@ -28983,7 +29090,7 @@ index 73bb3c0..dc79c6f 100644
 
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-@@ -299,17 +310,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +310,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
 #
 /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
 
@ -29141,6 +29248,8 @@ index 73bb3c0..dc79c6f 100644
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/chrome/.*\.so	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/talkplugin/.*\.so	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/[^/]*/.*\.so	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
@ -30183,7 +30292,7 @@ index 4e94884..5481f47 100644
 +	init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..4dd92d4 100644
+index 39ea221..7094526 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@ -30371,7 +30480,7 @@ index 39ea221..4dd92d4 100644
 # sys_admin for the integrated klog of syslog-ng and metalog
 # cjp: why net_admin!
 -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid };
 dontaudit syslogd_t self:capability sys_tty_config;
 +allow syslogd_t self:capability2 { syslog block_suspend };
 # setpgid for metalog
@ -36903,10 +37012,10 @@ index 0f64692..d7e8a01 100644
 
 ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..1749342 100644
+index a5ec88b..e7663f3 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
-@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
+@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
 
@ -36921,8 +37030,13 @@ index a5ec88b..1749342 100644
 +typealias udev_var_run_t alias udev_tbl_t;
 init_daemon_run_dir(udev_var_run_t, "udev")
 
+type udev_tmp_t;
+files_tmp_file(udev_tmp_t)
+
 ifdef(`enable_mcs',`
-@@ -37,9 +35,11 @@ ifdef(`enable_mcs',`
+ 	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+ 	init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+@@ -37,9 +38,11 @@ ifdef(`enable_mcs',`
 # Local policy
 #
 
@ -36936,7 +37050,7 @@ index a5ec88b..1749342 100644
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -53,6 +53,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -53,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
 allow udev_t self:unix_stream_socket connectto;
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
@ -36944,14 +37058,17 @@ index a5ec88b..1749342 100644
 
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
-@@ -63,31 +64,36 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -63,31 +67,40 @@ can_exec(udev_t, udev_helper_exec_t)
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
 
 -# create udev database in /dev/.udevdb
 -allow udev_t udev_tbl_t:file manage_file_perms;
 -dev_filetrans(udev_t, udev_tbl_t, file)
-
+allow udev_t udev_tmp_t:dir manage_dir_perms;
+allow udev_t udev_tmp_t:file manage_file_perms;
+files_tmp_filetrans(udev_t, udev_tmp_t, { file dir })
+ 
 list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
 -read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 +manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
@ -36988,7 +37105,7 @@ index a5ec88b..1749342 100644
 
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
-@@ -98,6 +104,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -98,6 +111,7 @@ corecmd_exec_all_executables(udev_t)
 
 dev_rw_sysfs(udev_t)
 dev_manage_all_dev_nodes(udev_t)
@ -36996,7 +37113,7 @@ index a5ec88b..1749342 100644
 dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 dev_search_usbfs(udev_t)
-@@ -106,23 +113,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -106,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t)
 # preserved, instead of short circuiting the relabel
 dev_relabel_generic_symlinks(udev_t)
 dev_manage_generic_symlinks(udev_t)
@ -37032,7 +37149,7 @@ index a5ec88b..1749342 100644
 
 mls_file_read_all_levels(udev_t)
 mls_file_write_all_levels(udev_t)
-@@ -144,17 +159,20 @@ auth_use_nsswitch(udev_t)
+@@ -144,17 +166,20 @@ auth_use_nsswitch(udev_t)
 init_read_utmp(udev_t)
 init_dontaudit_write_utmp(udev_t)
 init_getattr_initctl(udev_t)
@ -37054,7 +37171,7 @@ index a5ec88b..1749342 100644
 
 seutil_read_config(udev_t)
 seutil_read_default_contexts(udev_t)
-@@ -170,6 +188,9 @@ sysnet_signal_dhcpc(udev_t)
+@@ -170,6 +195,9 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
 
@ -37064,7 +37181,7 @@ index a5ec88b..1749342 100644
 userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_gentoo',`
-@@ -179,16 +200,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +207,9 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -37083,7 +37200,7 @@ index a5ec88b..1749342 100644
 
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
-@@ -226,19 +240,34 @@ optional_policy(`
+@@ -226,19 +247,34 @@ optional_policy(`
 
 optional_policy(`
 	cups_domtrans_config(udev_t)
@ -37118,7 +37235,7 @@ index a5ec88b..1749342 100644
 ')
 
 optional_policy(`
-@@ -264,6 +293,10 @@ optional_policy(`
+@@ -264,6 +300,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37129,7 +37246,7 @@ index a5ec88b..1749342 100644
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
 ')
-@@ -278,6 +311,15 @@ optional_policy(`
+@@ -278,6 +318,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37145,7 +37262,7 @@ index a5ec88b..1749342 100644
 	unconfined_signal(udev_t)
 ')
 
-@@ -290,6 +332,7 @@ optional_policy(`
+@@ -290,6 +339,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -10904,7 +10904,7 @@ index 32e8265..0de4af3 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
 ')
 diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..770ae51 100644
+index 914ee2d..1544e9b 100644
 --- a/chronyd.te
 +++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -10934,10 +10934,12 @@ index 914ee2d..770ae51 100644
 allow chronyd_t chronyd_keys_t:file read_file_perms;
 
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
 
+domain_dontaudit_getsession_all_domains(chronyd_t)
+
 +dev_read_rand(chronyd_t)
 +dev_read_urand(chronyd_t)
 +
@ -23011,7 +23013,7 @@ index 50d0084..6565422 100644
 
 	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..5d49b4f 100644
+index 0872e50..d336d7f 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
@ -23056,7 +23058,15 @@ index 0872e50..5d49b4f 100644
 	iptables_domtrans(fail2ban_t)
 ')
 
-@@ -137,14 +137,12 @@ corecmd_exec_bin(fail2ban_client_t)
+@@ -129,6 +129,7 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+ 
+ domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+ 
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+ stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+ 
+ kernel_read_system_state(fail2ban_client_t)
+@@ -137,14 +138,12 @@ corecmd_exec_bin(fail2ban_client_t)
 
 domain_use_interactive_fds(fail2ban_client_t)
 
@ -27140,7 +27150,7 @@ index d03fd43..26023f7 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..6af4e62 100644
+index 20f726b..8e905be 100644
 --- a/gnome.te
 +++ b/gnome.te
@@ -1,18 +1,36 @@
@ -27368,7 +27378,7 @@ index 20f726b..6af4e62 100644
 +')
 +
 +optional_policy(`
-+ 	gnome_read_home_config(gnomesystemmm_t)
+ 	gnome_manage_home_config(gnomesystemmm_t)
 +')
 +
 +optional_policy(`
@ -37396,11 +37406,104 @@ index 0000000..67b8b3d
 +tunable_policy(`mock_enable_homedirs',`
 +	userdom_read_user_home_content_files(mock_build_t)
 +')
+diff --git a/modemmanager.fc b/modemmanager.fc
+index a83894c..481dca3 100644
+--- a/modemmanager.fc
+++ b/modemmanager.fc
+@@ -1 +1,4 @@
+ /usr/sbin/modem-manager	--	gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/sbin/ModemManager	--	gen_context(system_u:object_r:modemmanager_exec_t,s0)
+
+/usr/lib/systemd/system/ModemManager.service		--	gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
+diff --git a/modemmanager.if b/modemmanager.if
+index b1ac8b5..90ca430 100644
+--- a/modemmanager.if
+++ b/modemmanager.if
+@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
+ 
+ ########################################
+ ## <summary>
+##	Execute modemmanager server in the modemmanager domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modemmanager_systemctl',`
+	gen_require(`
+		type modemmanager_t;
+		type modemmanager_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_password_run($1)
+	allow $1 modemmanager_unit_file_t:file read_file_perms;
+	allow $1 modemmanager_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, modemmanager_t)
+')
+
+########################################
+## <summary>
+ ##	Send and receive messages from
+ ##	modemmanager over dbus.
+ ## </summary>
+@@ -39,3 +63,38 @@ interface(`modemmanager_dbus_chat',`
+ 	allow $1 modemmanager_t:dbus send_msg;
+ 	allow modemmanager_t $1:dbus send_msg;
+ ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an modemmanager environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`modemmanager_admin',`
+	gen_require(`
+		type modemmanager_t;
+		type modemmanager_unit_file_t;
+	')
+
+	allow $1 modemmanager_t:process { ptrace signal_perms };
+	ps_process_pattern($1, modemmanager_t)
+
+	modemmanager_systemctl($1)
+	admin_pattern($1, modemmanager_unit_file_t)
+	allow $1 modemmanager_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
 diff --git a/modemmanager.te b/modemmanager.te
-index cb4c13d..d744144 100644
+index cb4c13d..ab6fb25 100644
 --- a/modemmanager.te
 +++ b/modemmanager.te
-@@ -27,12 +27,12 @@ kernel_read_system_state(modemmanager_t)
+@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
+ typealias modemmanager_t alias ModemManager_t;
+ typealias modemmanager_exec_t alias ModemManager_exec_t;
+ 
+type modemmanager_unit_file_t;
+systemd_unit_file(modemmanager_unit_file_t)
+
+ ########################################
+ #
+ # Local policy
+@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t)
 dev_read_sysfs(modemmanager_t)
 dev_rw_modem(modemmanager_t)
 
@ -47550,7 +47653,7 @@ index 0000000..7d839fe
 +	pulseaudio_setattr_home_dir(nsplugin_t)
 +')
 diff --git a/ntop.te b/ntop.te
-index 52757d8..638c3d2 100644
+index 52757d8..6ce5c69 100644
 --- a/ntop.te
 +++ b/ntop.te
@@ -58,7 +58,6 @@ kernel_read_system_state(ntop_t)
@ -47561,7 +47664,12 @@ index 52757d8..638c3d2 100644
 corenet_all_recvfrom_netlabel(ntop_t)
 corenet_tcp_sendrecv_generic_if(ntop_t)
 corenet_raw_sendrecv_generic_if(ntop_t)
-@@ -81,7 +80,6 @@ dev_rw_generic_usb_dev(ntop_t)
+@@ -78,10 +77,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
+ 
+ dev_read_sysfs(ntop_t)
+ dev_rw_generic_usb_dev(ntop_t)
+dev_read_usbmon_dev(ntop_t)
+dev_write_usbmon_dev(ntop_t)
 
 domain_use_interactive_fds(ntop_t)
 
@ -49990,10 +50098,10 @@ index 0000000..bddd4b3
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..877c71a
+index 0000000..35f9df0
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,546 @@
+@@ -0,0 +1,547 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@ -50041,6 +50149,7 @@ index 0000000..877c71a
 +files_pid_file(openshift_var_run_t)
 +
 +type openshift_var_lib_t, openshift_file_type;
+userdom_user_home_content(openshift_var_lib_t)
 +files_poly(openshift_var_lib_t)
 +files_poly_parent(openshift_var_lib_t)
 +files_mountpoint(openshift_var_lib_t)
@ -54227,10 +54336,10 @@ index a14b3bc..b196183 100644
 
 userdom_signal_unpriv_users(podsleuth_t)
 diff --git a/policykit.fc b/policykit.fc
-index 1d76c72..4718a93 100644
+index 1d76c72..eeb33d9 100644
 --- a/policykit.fc
 +++ b/policykit.fc
-@@ -1,23 +1,20 @@
+@@ -1,23 +1,21 @@
 -/usr/lib/polkit-1/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
 -/usr/lib/polkit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 -
@ -54241,6 +54350,7 @@ index 1d76c72..4718a93 100644
 -/usr/lib/policykit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 -/usr/lib/policykit-1/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/lib/policykit/polkit-read-auth-helper --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/bin/pkla-check-authorization 	   --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/lib/policykit/polkit-grant-helper.*   --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
 +/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
 +/usr/lib/policykit/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
@ -74663,10 +74773,10 @@ index 0000000..5da5bff
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..81198c3
+index 0000000..cb720ee
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,463 @@
+@@ -0,0 +1,465 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@ -74774,6 +74884,8 @@ index 0000000..81198c3
 +userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
 +userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
 +
+xserver_read_xkb_libs(sandbox_xserver_t)
+xserver_dontaudit_xkb_libs_access(sandbox_xserver_t)
 +xserver_entry_type(sandbox_xserver_t)
 +
 +optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 53%{?dist}
+Release: 54%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -535,6 +535,16 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Jun 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-54
+- Don't audit access checks by sandbox xserver on xdb var_lib
+- Allow ntop to read usbmon devices
+- Add labeling for new polcykit authorizor
+- Dontaudit access checks from fail2ban_client
+- Don't audit access checks by sandbox xserver on xdb var_lib
+- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream
+- Fix labeling for all /usr/bim/razor-lightdm-* binaries
+- Add filename trans for /dev/md126p1
+
 * Tue Jun 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-53
 - Make vdagent able to request loading kernel module
 - Add support for cloud-init make it as unconfined domain