Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

2014-01-29 10:41:36 -05:00 · 2014-01-29 10:41:36 -05:00 · a960d06c0c
commit a960d06c0c
parent b7aa0fd963 2b1129da49
3 changed files with 500 additions and 243 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -8705,7 +8705,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..628d039 100644
+index cf04cb5..23627f4 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -8842,7 +8842,7 @@ index cf04cb5..628d039 100644
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,330 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,334 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
@ -9153,6 +9153,10 @@ index cf04cb5..628d039 100644
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
 +
 +optional_policy(`
 +    rkhunter_append_lib_files(domain)
 +')
 +
 +optional_policy(`
 +	rpm_rw_script_inherited_pipes(domain)
 +	rpm_use_fds(domain)
 +	rpm_read_pipes(domain)
@ -15887,7 +15891,7 @@ index e100d88..6f745f0 100644
 +	allow $1 usermodehelper_t:file relabelto;
 ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..4b6c9ad 100644
+index 8dbab4c..b1a339b 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -15916,7 +15920,7 @@ index 8dbab4c..4b6c9ad 100644
 allow debugfs_t self:filesystem associate;
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
-@@ -95,9 +100,31 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+@@ -95,9 +100,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 type proc_mdstat_t, proc_type;
 genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
@ -15939,6 +15943,7 @@ index 8dbab4c..4b6c9ad 100644
 +type usermodehelper_t, proc_type;
 +typealias usermodehelper_t alias sysctl_hotplug_t;
 +typealias usermodehelper_t alias sysctl_modprobe_t;
 +dev_associate_sysfs(usermodehelper_t)
 +genfscon proc /sys/kernel/core_pattern gen_context(system_u:object_r:usermodehelper_t,s0)
 +genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:usermodehelper_t,s0)
 +genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:usermodehelper_t,s0)
@ -15948,7 +15953,7 @@ index 8dbab4c..4b6c9ad 100644
 type proc_xen_t, proc_type;
 files_mountpoint(proc_xen_t)
 genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-@@ -133,14 +160,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+@@ -133,14 +161,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
 type sysctl_kernel_t, sysctl_type;
 genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
@ -15963,7 +15968,7 @@ index 8dbab4c..4b6c9ad 100644
 # /proc/sys/net directory and files
 type sysctl_net_t, sysctl_type;
 genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-@@ -153,6 +172,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+@@ -153,6 +173,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
 type sysctl_vm_t, sysctl_type;
 genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
@ -15974,7 +15979,7 @@ index 8dbab4c..4b6c9ad 100644
 # /proc/sys/dev directory and files
 type sysctl_dev_t, sysctl_type;
 genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +188,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +189,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 type unlabeled_t;
 fs_associate(unlabeled_t)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@ -15989,7 +15994,7 @@ index 8dbab4c..4b6c9ad 100644
 # These initial sids are no longer used, and can be removed:
 sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +220,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +221,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 # kernel local policy
 #
@ -15997,7 +16002,7 @@ index 8dbab4c..4b6c9ad 100644
 allow kernel_t self:capability ~sys_module;
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +265,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +266,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
 corenet_in_generic_if(unlabeled_t)
 corenet_in_generic_node(unlabeled_t)
@ -16005,7 +16010,7 @@ index 8dbab4c..4b6c9ad 100644
 corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +275,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +276,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
@ -16031,7 +16036,7 @@ index 8dbab4c..4b6c9ad 100644
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
-@@ -263,7 +298,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +299,8 @@ fs_unmount_all_fs(kernel_t)
 selinux_load_policy(kernel_t)
@ -16041,7 +16046,7 @@ index 8dbab4c..4b6c9ad 100644
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
-@@ -277,25 +313,49 @@ files_list_root(kernel_t)
+@@ -277,25 +314,49 @@ files_list_root(kernel_t)
 files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
@ -16091,7 +16096,7 @@ index 8dbab4c..4b6c9ad 100644
 ')
 optional_policy(`
-@@ -305,6 +365,19 @@ optional_policy(`
+@@ -305,6 +366,19 @@ optional_policy(`
 optional_policy(`
 	logging_send_syslog_msg(kernel_t)
@ -16111,7 +16116,7 @@ index 8dbab4c..4b6c9ad 100644
 ')
 optional_policy(`
-@@ -312,6 +385,11 @@ optional_policy(`
+@@ -312,6 +386,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -16123,7 +16128,7 @@ index 8dbab4c..4b6c9ad 100644
 	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +410,6 @@ optional_policy(`
+@@ -332,9 +411,6 @@ optional_policy(`
 	sysnet_read_config(kernel_t)
@ -16133,7 +16138,7 @@ index 8dbab4c..4b6c9ad 100644
 	rpc_udp_rw_nfs_sockets(kernel_t)
 	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +418,7 @@ optional_policy(`
+@@ -343,9 +419,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
@ -16144,7 +16149,7 @@ index 8dbab4c..4b6c9ad 100644
 	')
 	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +427,7 @@ optional_policy(`
+@@ -354,7 +428,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
@ -16153,7 +16158,7 @@ index 8dbab4c..4b6c9ad 100644
 	')
 ')
-@@ -367,6 +440,15 @@ optional_policy(`
+@@ -367,6 +441,15 @@ optional_policy(`
 	unconfined_domain_noaudit(kernel_t)
 ')
@ -16169,7 +16174,7 @@ index 8dbab4c..4b6c9ad 100644
 ########################################
 #
 # Unlabeled process local policy
-@@ -409,4 +491,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +492,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *;
@ -24190,7 +24195,7 @@ index 6bf0ecc..115c533 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..ef809dd 100644
+index 8b40377..39c8bbb 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -24660,7 +24665,7 @@ index 8b40377..ef809dd 100644
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +526,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
 delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
 delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@ -24675,6 +24680,7 @@ index 8b40377..ef809dd 100644
 +manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
 manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
 -logging_log_filetrans(xdm_t, xserver_log_t, file)
 +files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")
 kernel_read_system_state(xdm_t)
 +kernel_read_device_sysctls(xdm_t)
@ -24692,7 +24698,7 @@ index 8b40377..ef809dd 100644
 corenet_all_recvfrom_netlabel(xdm_t)
 corenet_tcp_sendrecv_generic_if(xdm_t)
 corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_generic_node(xdm_t)
 corenet_udp_bind_generic_node(xdm_t)
@ -24746,7 +24752,7 @@ index 8b40377..ef809dd 100644
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
-@@ -431,9 +611,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +612,28 @@ files_list_mnt(xdm_t)
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
@ -24775,7 +24781,7 @@ index 8b40377..ef809dd 100644
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +641,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -24824,7 +24830,7 @@ index 8b40377..ef809dd 100644
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +688,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +689,144 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -24975,7 +24981,7 @@ index 8b40377..ef809dd 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -503,11 +839,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -503,11 +840,26 @@ tunable_policy(`xdm_sysadm_login',`
 ')
 optional_policy(`
@ -25002,7 +25008,7 @@ index 8b40377..ef809dd 100644
 ')
 optional_policy(`
-@@ -517,9 +868,34 @@ optional_policy(`
+@@ -517,9 +869,34 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
@ -25038,7 +25044,7 @@ index 8b40377..ef809dd 100644
 	')
 ')
-@@ -530,6 +906,20 @@ optional_policy(`
+@@ -530,6 +907,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -25059,7 +25065,7 @@ index 8b40377..ef809dd 100644
 	hostname_exec(xdm_t)
 ')
-@@ -547,28 +937,78 @@ optional_policy(`
+@@ -547,28 +938,78 @@ optional_policy(`
 ')
 optional_policy(`
@ -25147,7 +25153,7 @@ index 8b40377..ef809dd 100644
 ')
 optional_policy(`
-@@ -580,6 +1020,14 @@ optional_policy(`
+@@ -580,6 +1021,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -25162,7 +25168,7 @@ index 8b40377..ef809dd 100644
 	xfs_stream_connect(xdm_t)
 ')
-@@ -594,7 +1042,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1043,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -25171,7 +25177,7 @@ index 8b40377..ef809dd 100644
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1052,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1053,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -25184,7 +25190,7 @@ index 8b40377..ef809dd 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1069,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1070,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -25200,7 +25206,7 @@ index 8b40377..ef809dd 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1085,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1086,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -25211,7 +25217,7 @@ index 8b40377..ef809dd 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1100,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1101,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -25248,7 +25254,7 @@ index 8b40377..ef809dd 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1146,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1147,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -25280,7 +25286,7 @@ index 8b40377..ef809dd 100644
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -704,7 +1178,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -704,7 +1179,16 @@ fs_getattr_xattr_fs(xserver_t)
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -25298,7 +25304,7 @@ index 8b40377..ef809dd 100644
 mls_xwin_read_to_clearance(xserver_t)
 selinux_validate_context(xserver_t)
-@@ -718,20 +1201,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1202,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
@ -25322,7 +25328,7 @@ index 8b40377..ef809dd 100644
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1221,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
@ -25331,7 +25337,7 @@ index 8b40377..ef809dd 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1264,44 @@ optional_policy(`
+@@ -785,17 +1265,44 @@ optional_policy(`
 ')
 optional_policy(`
@ -25378,7 +25384,7 @@ index 8b40377..ef809dd 100644
 ')
 optional_policy(`
-@@ -803,6 +1309,10 @@ optional_policy(`
+@@ -803,6 +1310,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -25389,7 +25395,7 @@ index 8b40377..ef809dd 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -25403,7 +25409,7 @@ index 8b40377..ef809dd 100644
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 # Run xkbcomp.
@ -25412,7 +25418,7 @@ index 8b40377..ef809dd 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -842,26 +1352,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1353,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -25447,7 +25453,7 @@ index 8b40377..ef809dd 100644
 ')
 optional_policy(`
-@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -25456,7 +25462,7 @@ index 8b40377..ef809dd 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -25488,7 +25494,7 @@ index 8b40377..ef809dd 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
@ -39138,7 +39144,7 @@ index 0000000..1d9bdfd
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..e9b0d55
+index 0000000..1605309
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,659 @@
@ -39359,7 +39365,7 @@ index 0000000..e9b0d55
 +# Local policy
 +#
 +
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override net_admin };
 +allow systemd_passwd_agent_t self:process { setsockcreate };
 +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 +
@ -39403,7 +39409,7 @@ index 0000000..e9b0d55
 +# Local policy
 +#
 +
-+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod net_admin };
 +allow systemd_tmpfiles_t self:process { setfscreate };
 +
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -578,6 +578,45 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Jan 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-19
 - Add net_admin also for systemd_passwd_agent_t
 - Allow Associate usermodehelper_t to sysfs filesystem
 - Allow gdm to create /var/gdm with correct labeling
 - Allow domains to append rkhunterl lib files. #1057982
 - Allow systemd_tmpfiles_t net_admin to communicate with journald
 - update libs_filetrans_named_content() to have support for /usr/lib/debug directory
 - Adding a new service script to enable setcheckreqprot
 - Add interface to getattr on an isid_type for any type of file
 - Allow initrc_t domtrans to authconfig if unconfined is enabled
 - Add labeling for snapper.log
 - Allow tumbler to execute dbusd-daemon in thumb_t
 - Add dbus_exec_dbusd()
 - Add snapperd_data_t type
 - Add additional fixes for snapperd
 - FIx bad calling in samba.te
 - Allow smbd to create tmpfs
 - Allow rhsmcertd-worker send signull to rpm process
 - Allow net_admin capability and send system log msgs
 - Allow lldpad send dgram to NM
 - Add networkmanager_dgram_send()
 - rkhunter_var_lib_t is correct type
 - Allow openlmi-storage to read removable devices
 - Allow system cron jobs to manage rkhunter lib files
 - Add rkhunter_manage_lib_files()
 - Fix ftpd_use_fusefs boolean to allow manage also symlinks
 - Allow smbcontrob block_suspend cap2
 - Allow slpd to read network and system state info
 - Allow NM domtrans to iscsid_t if iscsiadm is executed
 - Allow slapd to send a signal itself
 - Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
 - Fix plymouthd_create_log() interface
 - Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
 - Allow postfix and cyrus-imapd to work out of box
 - Remove logwatch_can_sendmail which is no longer used
 - Allow fcoemon to talk with unpriv user domain using unix_stream_socket
 - snapperd is D-Bus service
 - Allow OpenLMI PowerManagement to call 'systemctl --force reboot'
 * Fri Jan 24 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-18
 - Add haproxy_connect_any boolean
 - Allow haproxy also to use http cache port by default