- Add mozilla_plugin_use_bluejeans boolean

- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
2014-06-11 20:13:51 +02:00 · 2014-06-11 20:13:51 +02:00 · a629498afd
parent 686a38099f
commit a629498afd
3 changed files with 244 additions and 171 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3900,7 +3900,7 @@ index f9b25c1..9af1f7a 100644
 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..38ba47d 100644
+index 07126bd..015bd7a 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
@ -4512,26 +4512,10 @@ index 07126bd..38ba47d 100644
 ##	Send and receive TCP network traffic on all reserved ports.
 ## </summary>
 ## <param name="domain">
-@@ -1757,7 +2129,259 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+@@ -1772,6 +2144,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
 
 ########################################
 ## <summary>
-##	Send and receive UDP network traffic on all reserved ports.
-+##	Send and receive UDP network traffic on all reserved ports.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`corenet_udp_sendrecv_all_reserved_ports',`
-+	corenet_udp_send_all_reserved_ports($1)
-+	corenet_udp_receive_all_reserved_ports($1)
-+')
-+
-+########################################
-+## <summary>
 +##	Bind DCCP sockets to all reserved ports.
 +## </summary>
 +## <param name="domain">
@ -4551,19 +4535,15 @@ index 07126bd..38ba47d 100644
 +
 +########################################
 +## <summary>
-+##	Bind TCP sockets to all reserved ports.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`corenet_tcp_bind_all_reserved_ports',`
-+	gen_require(`
-+		attribute reserved_port_type;
-+	')
-+
+ ##	Bind TCP sockets to all reserved ports.
+ ## </summary>
+ ## <param name="domain">
+@@ -1785,31 +2176,284 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
+ 		attribute reserved_port_type;
+ 	')
+ 
+-	allow $1 reserved_port_type:tcp_socket name_bind;
+-	allow $1 self:capability net_bind_service;
 +	allow $1 reserved_port_type:tcp_socket name_bind;
 +	allow $1 self:capability net_bind_service;
 +')
@ -4679,6 +4659,24 @@ index 07126bd..38ba47d 100644
 +
 +########################################
 +## <summary>
+##	Bind TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_t;
+	')
+
+	allow $1 unreserved_port_t:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
 +##	Bind UDP sockets to all ports > 1024.
 +## </summary>
 +## <param name="domain">
@ -4770,50 +4768,36 @@ index 07126bd..38ba47d 100644
 +########################################
 +## <summary>
 +##	Connect DCCP sockets to all ports > 1024.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1765,51 +2389,53 @@ interface(`corenet_udp_receive_all_reserved_ports',`
- ##	</summary>
- ## </param>
- #
-interface(`corenet_udp_sendrecv_all_reserved_ports',`
-	corenet_udp_send_all_reserved_ports($1)
-	corenet_udp_receive_all_reserved_ports($1)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`corenet_dccp_connect_all_unreserved_ports',`
 +	gen_require(`
 +		attribute unreserved_port_type;
 +	')
 +
 +	allow $1 unreserved_port_type:dccp_socket name_connect;
- ')
- 
-########################################
+')
+
 +#######################################
- ## <summary>
-##	Bind TCP sockets to all reserved ports.
+## <summary>
 +##  Connect TCP sockets to ports > 1024.
- ## </summary>
- ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+## </summary>
+## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
-interface(`corenet_tcp_bind_all_reserved_ports',`
-	gen_require(`
-		attribute reserved_port_type;
-	')
+## </param>
+#
 +interface(`corenet_tcp_connect_unreserved_ports',`
 +    gen_require(`
 +        type unreserved_port_t;
 +    ')
- 
-	allow $1 reserved_port_type:tcp_socket name_bind;
-	allow $1 self:capability net_bind_service;
+
 +    allow $1 unreserved_port_t:tcp_socket name_connect;
 ')
 
@ -4847,7 +4831,7 @@ index 07126bd..38ba47d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1817,18 +2443,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+@@ -1817,18 +2461,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
 ##	</summary>
 ## </param>
 #
@ -4871,7 +4855,7 @@ index 07126bd..38ba47d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1836,35 +2462,36 @@ interface(`corenet_udp_bind_all_reserved_ports',`
+@@ -1836,35 +2480,36 @@ interface(`corenet_udp_bind_all_reserved_ports',`
 ##	</summary>
 ## </param>
 #
@ -4916,7 +4900,7 @@ index 07126bd..38ba47d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1872,17 +2499,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+@@ -1872,17 +2517,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
 ##	</summary>
 ## </param>
 #
@ -4938,7 +4922,7 @@ index 07126bd..38ba47d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1890,36 +2517,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
+@@ -1890,36 +2535,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
 ##	</summary>
 ## </param>
 #
@ -4985,7 +4969,7 @@ index 07126bd..38ba47d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1927,54 +2555,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
+@@ -1927,54 +2573,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
 ##	</summary>
 ## </param>
 #
@ -5055,7 +5039,7 @@ index 07126bd..38ba47d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1982,13 +2610,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+@@ -1982,13 +2628,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 ##	</summary>
 ## </param>
 #
@ -5071,7 +5055,7 @@ index 07126bd..38ba47d 100644
 ')
 
 ########################################
-@@ -2049,6 +2676,25 @@ interface(`corenet_rw_ppp_dev',`
+@@ -2049,6 +2694,25 @@ interface(`corenet_rw_ppp_dev',`
 
 ########################################
 ## <summary>
@ -5097,7 +5081,7 @@ index 07126bd..38ba47d 100644
 ##	Bind TCP sockets to all RPC ports.
 ## </summary>
 ## <param name="domain">
-@@ -2068,6 +2714,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2732,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
 
 ########################################
 ## <summary>
@ -5122,7 +5106,7 @@ index 07126bd..38ba47d 100644
 ##	Do not audit attempts to bind TCP sockets to all RPC ports.
 ## </summary>
 ## <param name="domain">
-@@ -2194,6 +2858,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2876,25 @@ interface(`corenet_tcp_recv_netlabel',`
 
 ########################################
 ## <summary>
@ -5148,7 +5132,7 @@ index 07126bd..38ba47d 100644
 ##	Receive TCP packets from a NetLabel connection.
 ## </summary>
 ## <param name="domain">
-@@ -2213,7 +2896,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,7 +2914,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
 
 ########################################
 ## <summary>
@ -5157,7 +5141,7 @@ index 07126bd..38ba47d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2221,10 +2904,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2221,10 +2922,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
 ##	</summary>
 ## </param>
 #
@ -5175,7 +5159,7 @@ index 07126bd..38ba47d 100644
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
 	# older systems
-@@ -2249,6 +2937,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2955,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
 
 ########################################
 ## <summary>
@ -5202,7 +5186,7 @@ index 07126bd..38ba47d 100644
 ##	Do not audit attempts to receive TCP packets from a NetLabel
 ##	connection.
 ## </summary>
-@@ -2269,6 +2977,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2995,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
 
 ########################################
 ## <summary>
@ -5230,7 +5214,7 @@ index 07126bd..38ba47d 100644
 ##	Do not audit attempts to receive TCP packets from an unlabeled
 ##	connection.
 ## </summary>
-@@ -2533,15 +3262,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,15 +3280,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
 ## <infoflow type="read" weight="10"/>
 #
 interface(`corenet_all_recvfrom_unlabeled',`
@ -5250,7 +5234,7 @@ index 07126bd..38ba47d 100644
 ')
 
 ########################################
-@@ -2567,11 +3291,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
+@@ -2567,11 +3309,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
 #
 interface(`corenet_all_recvfrom_netlabel',`
 	gen_require(`
@ -5288,7 +5272,7 @@ index 07126bd..38ba47d 100644
 ')
 
 ########################################
-@@ -2585,6 +3332,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3350,7 @@ interface(`corenet_all_recvfrom_netlabel',`
 ## </param>
 #
 interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@ -5296,7 +5280,7 @@ index 07126bd..38ba47d 100644
 	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
 	kernel_dontaudit_udp_recvfrom_unlabeled($1)
 	kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3361,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3379,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
 	')
 
 	dontaudit $1 netlabel_peer_t:peer recv;
@ -5333,7 +5317,7 @@ index 07126bd..38ba47d 100644
 ')
 
 ########################################
-@@ -2727,6 +3503,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3521,7 @@ interface(`corenet_raw_recvfrom_labeled',`
 ## </param>
 #
 interface(`corenet_all_recvfrom_labeled',`
@ -5341,13 +5325,30 @@ index 07126bd..38ba47d 100644
 	corenet_tcp_recvfrom_labeled($1, $2)
 	corenet_udp_recvfrom_labeled($1, $2)
 	corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3911,53 @@ interface(`corenet_unconfined',`
+@@ -3134,3 +3929,70 @@ interface(`corenet_unconfined',`
 
 	typeattribute $1 corenet_unconfined_type;
 ')
 +
 +########################################
 +## <summary>
+##	Dontaudit bind tcp sockets to defined ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_defined_ports',`
+	gen_require(`
+		attribute defined_port_type;
+	')
+	dontaudit $1 defined_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
 +##	Create all network named devices with the correct label
 +## </summary>
 +## <param name="domain">
@ -34513,10 +34514,38 @@ index 9fe8e01..83acb32 100644
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..416ac0f 100644
+index fc28bc3..faa2281 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
-@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
+@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
+ 
+ ########################################
+ ## <summary>
+##	Read all SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_all_certs',`
+	gen_require(`
+		attribute cert_type;
+	')
+
+	allow $1 cert_type:dir list_dir_perms;
+	manage_files_pattern($1, cert_type, cert_type)
+	manage_lnk_files_pattern($1, cert_type, cert_type)
+')
+
+########################################
+## <summary>
+ ##	Read generic SSL certificates.
+ ## </summary>
+ ## <param name="domain">
+@@ -106,6 +127,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
 
 ########################################
 ## <summary>
@ -34541,7 +34570,7 @@ index fc28bc3..416ac0f 100644
 ##	Manage generic SSL certificates.
 ## </summary>
 ## <param name="domain">
-@@ -156,6 +174,26 @@ interface(`miscfiles_manage_cert_dirs',`
+@@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',`
 
 ########################################
 ## <summary>
@ -34568,7 +34597,7 @@ index fc28bc3..416ac0f 100644
 ##	Manage SSL certificates.
 ## </summary>
 ## <param name="domain">
-@@ -434,6 +472,7 @@ interface(`miscfiles_rw_localization',`
+@@ -434,6 +493,7 @@ interface(`miscfiles_rw_localization',`
 	files_search_usr($1)
 	allow $1 locale_t:dir list_dir_perms;
 	rw_files_pattern($1, locale_t, locale_t)
@ -34576,7 +34605,7 @@ index fc28bc3..416ac0f 100644
 ')
 
 ########################################
-@@ -453,6 +492,7 @@ interface(`miscfiles_relabel_localization',`
+@@ -453,6 +513,7 @@ interface(`miscfiles_relabel_localization',`
 
 	files_search_usr($1)
 	relabel_files_pattern($1, locale_t, locale_t)
@ -34584,7 +34613,7 @@ index fc28bc3..416ac0f 100644
 ')
 
 ########################################
-@@ -470,7 +510,6 @@ interface(`miscfiles_legacy_read_localization',`
+@@ -470,7 +531,6 @@ interface(`miscfiles_legacy_read_localization',`
 		type locale_t;
 	')
 
@ -34592,7 +34621,7 @@ index fc28bc3..416ac0f 100644
 	allow $1 locale_t:file execute;
 ')
 
-@@ -531,6 +570,10 @@ interface(`miscfiles_read_man_pages',`
+@@ -531,6 +591,10 @@ interface(`miscfiles_read_man_pages',`
 	allow $1 { man_cache_t man_t }:dir list_dir_perms;
 	read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@ -34603,7 +34632,7 @@ index fc28bc3..416ac0f 100644
 ')
 
 ########################################
-@@ -554,6 +597,29 @@ interface(`miscfiles_delete_man_pages',`
+@@ -554,6 +618,29 @@ interface(`miscfiles_delete_man_pages',`
 	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@ -34633,7 +34662,7 @@ index fc28bc3..416ac0f 100644
 ')
 
 ########################################
-@@ -622,6 +688,30 @@ interface(`miscfiles_manage_man_cache',`
+@@ -622,6 +709,30 @@ interface(`miscfiles_manage_man_cache',`
 
 ########################################
 ## <summary>
@ -34664,7 +34693,7 @@ index fc28bc3..416ac0f 100644
 ##	Read public files used for file
 ##	transfer services.
 ## </summary>
-@@ -784,8 +874,11 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +895,11 @@ interface(`miscfiles_etc_filetrans_localization',`
 		type locale_t;
 	')
 
@ -34678,7 +34707,7 @@ index fc28bc3..416ac0f 100644
 ')
 
 ########################################
-@@ -809,3 +902,61 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +923,61 @@ interface(`miscfiles_manage_localization',`
 	manage_lnk_files_pattern($1, locale_t, locale_t)
 ')
 
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -11121,7 +11121,7 @@ index 008f8ef..144c074 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..ad3330f 100644
+index 550b287..31b8bd7 100644
 --- a/certmonger.te
 +++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@ -11185,17 +11185,17 @@ index 550b287..ad3330f 100644
 
 fs_search_cgroup_dirs(certmonger_t)
 
-@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t)
+@@ -70,16 +84,17 @@ init_getattr_all_script_files(certmonger_t)
 
 logging_send_syslog_msg(certmonger_t)
 
 -miscfiles_read_localization(certmonger_t)
- miscfiles_manage_generic_cert_files(certmonger_t)
- 
-+systemd_exec_systemctl(certmonger_t)
+-miscfiles_manage_generic_cert_files(certmonger_t)
+miscfiles_manage_all_certs(certmonger_t)
 +
+systemd_exec_systemctl(certmonger_t)
+ 
 userdom_search_user_home_content(certmonger_t)
-+userdom_manage_home_certs(certmonger_t)
 
 optional_policy(`
 -	apache_initrc_domtrans(certmonger_t)
@ -11206,7 +11206,7 @@ index 550b287..ad3330f 100644
 ')
 
 optional_policy(`
-@@ -92,11 +108,51 @@ optional_policy(`
+@@ -92,11 +107,51 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -11556,10 +11556,10 @@ index 80a88a2..ec869f5 100644
 +logging_send_syslog_msg(cgred_t)
 diff --git a/chrome.fc b/chrome.fc
 new file mode 100644
-index 0000000..57866f6
+index 0000000..d020d89
 --- /dev/null
 +++ b/chrome.fc
-@@ -0,0 +1,9 @@
+@@ -0,0 +1,10 @@
 +/opt/google/chrome/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 +
 +/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
@ -11568,6 +11568,7 @@ index 0000000..57866f6
 +/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
 +
 +HOME_DIR/\.cache/google-chrome(/.*)?	gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/google-chrome-unstable(/.*)?	gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
 +HOME_DIR/\.cache/chromium(/.*)?		gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
 diff --git a/chrome.if b/chrome.if
 new file mode 100644
@ -11713,10 +11714,10 @@ index 0000000..a0fdbcb
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..fb60ffc
+index 0000000..b4f29e9
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,248 @@
+@@ -0,0 +1,249 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@ -11851,7 +11852,8 @@ index 0000000..fb60ffc
 +	gnome_read_home_config(chrome_sandbox_t)
 +	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
 +	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
-+
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome")
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable")
 +')
 +
 +optional_policy(`
@ -38624,7 +38626,7 @@ index e88fb16..f20248c 100644
 +	')
 ')
 diff --git a/keystone.te b/keystone.te
-index 9929647..0907a30 100644
+index 9929647..4b6faae 100644
 --- a/keystone.te
 +++ b/keystone.te
@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
@ -38642,12 +38644,15 @@ index 9929647..0907a30 100644
 
 allow keystone_t self:fifo_file rw_fifo_file_perms;
 allow keystone_t self:unix_stream_socket { accept listen };
-@@ -57,20 +61,33 @@ corenet_all_recvfrom_netlabel(keystone_t)
+@@ -57,20 +61,36 @@ corenet_all_recvfrom_netlabel(keystone_t)
 corenet_tcp_sendrecv_generic_if(keystone_t)
 corenet_tcp_sendrecv_generic_node(keystone_t)
 corenet_tcp_bind_generic_node(keystone_t)
 +corenet_tcp_connect_mysqld_port(keystone_t)
 +corenet_tcp_connect_ldap_port(keystone_t)
+corenet_tcp_connect_keystone_port(keystone_t)
+corenet_tcp_connect_amqp_port(keystone_t)
+corenet_tcp_connect_osapi_compute_port(keystone_t)
 
 corenet_sendrecv_commplex_main_server_packets(keystone_t)
 corenet_tcp_bind_commplex_main_port(keystone_t)
@ -45834,10 +45839,10 @@ index 6194b80..7490fe3 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..fb431ea 100644
+index 11ac8e4..ab5b577 100644
 --- a/mozilla.te
 +++ b/mozilla.te
-@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
+@@ -6,17 +6,48 @@ policy_module(mozilla, 2.8.0)
 #
 
 ## <desc>
@ -45868,6 +45873,13 @@ index 11ac8e4..fb431ea 100644
 +
 +## <desc>
 +## <p>
+## Allow mozilla plugin to use Bluejeans.
+## </p>
+## </desc>
+gen_tunable(mozilla_plugin_use_bluejeans, false)
+
+## <desc>
+## <p>
 +## Allow confined web browsers to read home directory content
 +## </p>
 +## </desc>
@ -45884,7 +45896,7 @@ index 11ac8e4..fb431ea 100644
 type mozilla_t;
 type mozilla_exec_t;
 typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +55,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
 userdom_user_application_domain(mozilla_t, mozilla_exec_t)
 role mozilla_roles types mozilla_t;
 
@ -45894,7 +45906,7 @@ index 11ac8e4..fb431ea 100644
 type mozilla_home_t;
 typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
 typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,28 +65,24 @@ userdom_user_home_content(mozilla_home_t)
 
 type mozilla_plugin_t;
 type mozilla_plugin_exec_t;
@ -45928,7 +45940,7 @@ index 11ac8e4..fb431ea 100644
 role mozilla_plugin_config_roles types mozilla_plugin_config_t;
 
 type mozilla_tmp_t;
-@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +93,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
 typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
 userdom_user_tmpfs_file(mozilla_tmpfs_t)
 
@ -45939,7 +45951,7 @@ index 11ac8e4..fb431ea 100644
 ########################################
 #
 # Local policy
-@@ -75,27 +94,30 @@ optional_policy(`
+@@ -75,27 +101,30 @@ optional_policy(`
 allow mozilla_t self:capability { sys_nice setgid setuid };
 allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
 allow mozilla_t self:fifo_file rw_fifo_file_perms;
@ -45983,7 +45995,7 @@ index 11ac8e4..fb431ea 100644
 
 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +132,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
 
@ -46091,7 +46103,7 @@ index 11ac8e4..fb431ea 100644
 
 term_dontaudit_getattr_pty_dirs(mozilla_t)
 
-@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +203,73 @@ auth_use_nsswitch(mozilla_t)
 logging_send_syslog_msg(mozilla_t)
 
 miscfiles_read_fonts(mozilla_t)
@ -46099,15 +46111,15 @@ index 11ac8e4..fb431ea 100644
 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
 
 -userdom_use_user_ptys(mozilla_t)
-
+userdom_use_inherited_user_ptys(mozilla_t)
+ 
 -userdom_manage_user_tmp_dirs(mozilla_t)
 -userdom_manage_user_tmp_files(mozilla_t)
 -
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-+userdom_use_inherited_user_ptys(mozilla_t)
- 
+-
 -userdom_write_user_tmp_sockets(mozilla_t)
 -
 -mozilla_run_plugin(mozilla_t, mozilla_roles)
@ -46202,7 +46214,7 @@ index 11ac8e4..fb431ea 100644
 ')
 
 optional_policy(`
-@@ -244,19 +276,12 @@ optional_policy(`
+@@ -244,19 +283,12 @@ optional_policy(`
 
 optional_policy(`
 	cups_read_rw_config(mozilla_t)
@ -46224,7 +46236,7 @@ index 11ac8e4..fb431ea 100644
 
 	optional_policy(`
 		networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +290,32 @@ optional_policy(`
+@@ -265,33 +297,32 @@ optional_policy(`
 
 optional_policy(`
 	gnome_stream_connect_gconf(mozilla_t)
@ -46237,34 +46249,34 @@ index 11ac8e4..fb431ea 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
-+')
-+
-+optional_policy(`
-+	java_domtrans(mozilla_t)
 ')
 
 optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	lpd_domtrans_lpr(mozilla_t)
+	java_domtrans(mozilla_t)
 ')
 
 optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
+	lpd_domtrans_lpr(mozilla_t)
 ')
 
 optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	nscd_socket_use(mozilla_t)
+	mplayer_domtrans(mozilla_t)
+	mplayer_read_user_home_files(mozilla_t)
 ')
 
 optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
+	nscd_socket_use(mozilla_t)
+')
+
+optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@ -46272,7 +46284,7 @@ index 11ac8e4..fb431ea 100644
 ')
 
 optional_policy(`
-@@ -300,259 +324,253 @@ optional_policy(`
+@@ -300,259 +331,253 @@ optional_policy(`
 
 ########################################
 #
@ -46356,12 +46368,12 @@ index 11ac8e4..fb431ea 100644
 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
 +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-
 -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
 +can_exec(mozilla_plugin_t, mozilla_exec_t)
 
@ -46539,12 +46551,12 @@ index 11ac8e4..fb431ea 100644
 
 -userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_manage_user_tmp_files(mozilla_plugin_t)
-
+systemd_read_logind_sessions_files(mozilla_plugin_t)
+ 
 -userdom_manage_user_home_content_dirs(mozilla_plugin_t)
 -userdom_manage_user_home_content_files(mozilla_plugin_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
- 
+-
 -userdom_write_user_tmp_sockets(mozilla_plugin_t)
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
@ -46672,7 +46684,7 @@ index 11ac8e4..fb431ea 100644
 ')
 
 optional_policy(`
-@@ -560,7 +578,11 @@ optional_policy(`
+@@ -560,7 +585,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -46685,7 +46697,7 @@ index 11ac8e4..fb431ea 100644
 ')
 
 optional_policy(`
-@@ -568,108 +590,131 @@ optional_policy(`
+@@ -568,108 +597,136 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -46718,19 +46730,17 @@ index 11ac8e4..fb431ea 100644
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
- 
+-
 -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
 -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
 -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+ 
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
-+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
- 
+-
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
@ -46739,20 +46749,22 @@ index 11ac8e4..fb431ea 100644
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
-+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
 
 -filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
+ 
+-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
 +dev_read_sysfs(mozilla_plugin_config_t)
 +dev_read_urand(mozilla_plugin_config_t)
 +dev_dontaudit_read_rand(mozilla_plugin_config_t)
 +dev_dontaudit_rw_dri(mozilla_plugin_config_t)
 
-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
 +fs_search_auto_mountpoints(mozilla_plugin_config_t)
 +fs_list_inotifyfs(mozilla_plugin_config_t)
 
-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
-
 -kernel_read_system_state(mozilla_plugin_config_t)
 -kernel_request_load_module(mozilla_plugin_config_t)
 +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
@ -46824,18 +46836,14 @@ index 11ac8e4..fb431ea 100644
 -	allow mozilla_plugin_config_t self:process execmem;
 +optional_policy(`
 +	gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
- ')
- 
-tunable_policy(`mozilla_execstack',`
-	allow mozilla_plugin_config_t self:process { execmem execstack };
+')
+
 +optional_policy(`
 +	xserver_use_user_fonts(mozilla_plugin_config_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(mozilla_plugin_config_t)
-	fs_manage_nfs_files(mozilla_plugin_config_t)
-	fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`mozilla_execstack',`
+-	allow mozilla_plugin_config_t self:process { execmem execstack };
 +ifdef(`distro_redhat',`
 +	typealias mozilla_plugin_t  alias nsplugin_t;
 +	typealias mozilla_plugin_exec_t  alias nsplugin_exec_t;
@ -46846,10 +46854,10 @@ index 11ac8e4..fb431ea 100644
 +	typealias mozilla_plugin_config_exec_t  alias nsplugin_config_exec_t;
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(mozilla_plugin_config_t)
-	fs_manage_cifs_files(mozilla_plugin_config_t)
-	fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(mozilla_plugin_config_t)
+-	fs_manage_nfs_files(mozilla_plugin_config_t)
+-	fs_manage_nfs_symlinks(mozilla_plugin_config_t)
 +#tunable_policy(`mozilla_plugin_enable_homedirs',`
 +#	userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
 +#', `
@ -46862,8 +46870,10 @@ index 11ac8e4..fb431ea 100644
 +	userdom_execmod_user_home_files(mozilla_plugin_t)
 ')
 
-optional_policy(`
-	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(mozilla_plugin_config_t)
+-	fs_manage_cifs_files(mozilla_plugin_config_t)
+-	fs_manage_cifs_symlinks(mozilla_plugin_config_t)
 +tunable_policy(`mozilla_plugin_use_spice',`
 +	dev_rw_generic_usb_dev(mozilla_plugin_t)
 +	dev_setattr_generic_usb_dev(mozilla_plugin_t)
@ -46871,11 +46881,18 @@ index 11ac8e4..fb431ea 100644
 ')
 
 -optional_policy(`
-	xserver_use_user_fonts(mozilla_plugin_config_t)
+-	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
 +tunable_policy(`mozilla_plugin_use_gps',`
 +    fs_manage_dos_dirs(mozilla_plugin_t)
 +    fs_manage_dos_files(mozilla_plugin_t)
 ')
+ 
+-optional_policy(`
+-	xserver_use_user_fonts(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_bluejeans',`
+    corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+    corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
+ ')
 diff --git a/mpd.fc b/mpd.fc
 index 313ce52..ae93e07 100644
 --- a/mpd.fc
@ -51533,7 +51550,7 @@ index fe1068b..98166ee 100644
 
 userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
 diff --git a/networkmanager.fc b/networkmanager.fc
-index 94b9734..bb9c83e 100644
+index 94b9734..448a7e8 100644
 --- a/networkmanager.fc
 +++ b/networkmanager.fc
@@ -1,44 +1,46 @@
@ -51565,7 +51582,7 @@ index 94b9734..bb9c83e 100644
 
 -/sbin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 -/sbin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/libexec/nm-dispatcher.* --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
 /usr/bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/bin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
@ -53278,10 +53295,10 @@ index 0000000..28936b4
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..2c40c73
+index 0000000..87072c4
 --- /dev/null
 +++ b/nova.te
-@@ -0,0 +1,314 @@
+@@ -0,0 +1,318 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@ -53353,11 +53370,15 @@ index 0000000..2c40c73
 +corecmd_exec_shell(nova_domain)
 +corenet_tcp_connect_mysqld_port(nova_domain)
 +
+auth_read_passwd(nova_domain)
+
 +dev_read_sysfs(nova_domain)
 +dev_read_urand(nova_domain)
 +
 +fs_getattr_xattr_fs(nova_domain)
 +
+init_read_utmp(nova_domain)
+
 +libs_exec_ldconfig(nova_domain)
 +
 +optional_policy(`
@ -79663,7 +79684,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
 ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..33ca060 100644
+index d32e1a2..04fffba 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@ -79739,8 +79760,8 @@ index d32e1a2..33ca060 100644
 -miscfiles_read_generic_certs(rhsmcertd_t)
 +logging_send_syslog_msg(rhsmcertd_t)
 +
-+miscfiles_manage_cert_files(rhsmcertd_t)
-+miscfiles_manage_cert_dirs(rhsmcertd_t)
+miscfiles_manage_generic_cert_files(rhsmcertd_t)
+miscfiles_manage_generic_cert_dirs(rhsmcertd_t)
 
 sysnet_dns_name_resolve(rhsmcertd_t)
 
@ -94554,10 +94575,10 @@ index 0000000..6a1f575
 +')
 diff --git a/swift.te b/swift.te
 new file mode 100644
-index 0000000..7fce837
+index 0000000..d3fe02a
 --- /dev/null
 +++ b/swift.te
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,119 @@
 +policy_module(swift, 1.0.0)
 +
 +########################################
@ -94565,6 +94586,15 @@ index 0000000..7fce837
 +# Declarations
 +#
 +
+## <desc>
+##  <p>
+##	Determine whether swift can
+##	connect to all TCP ports
+##	</p>
+## </desc>
+gen_tunable(swift_can_network, false)
+
+
 +type swift_t;
 +type swift_exec_t;
 +init_daemon_domain(swift_t, swift_exec_t)
@ -94637,6 +94667,8 @@ index 0000000..7fce837
 +corenet_tcp_bind_xserver_port(swift_t)
 +corenet_tcp_bind_http_cache_port(swift_t)
 +
+corenet_tcp_connect_xserver_port(swift_t)
+
 +corecmd_exec_shell(swift_t)
 +corecmd_exec_bin(swift_t)
 +
@ -94656,6 +94688,12 @@ index 0000000..7fce837
 +
 +userdom_dontaudit_search_user_home_dirs(swift_t)
 +
+tunable_policy(`swift_can_network',`
+	corenet_sendrecv_all_client_packets(swift_t)
+	corenet_tcp_connect_all_ports(swift_t)
+	corenet_tcp_sendrecv_all_ports(swift_t)
+')
+
 +optional_policy(`
 +    rpm_exec(swift_t)
 +    rpm_dontaudit_manage_db(swift_t)
@ -97037,10 +97075,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..0e30ce2
+index 0000000..7f7e7ff
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,159 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@ -97111,6 +97149,8 @@ index 0000000..0e30ce2
 +corecmd_exec_bin(thumb_t)
 +corecmd_exec_shell(thumb_t)
 +
+corenet_tcp_connect_xserver_port(thumb_t)
+
 +dev_read_sysfs(thumb_t)
 +dev_read_urand(thumb_t)
 +dev_dontaudit_rw_dri(thumb_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 57%{?dist}
+Release: 58%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -588,6 +588,10 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Jun 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-58
+- Add mozilla_plugin_use_bluejeans boolean
+- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
+
 * Mon Jun 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-57
 - Allow staff_t to communicate and run docker
 - Fix *_ecryptfs_home_dirs booleans