- Allow lvm to create its own unit files

- Label /var/lib/sepolgen as selinux_config_t - Add filetrans rules for tw devices - Add transition from cupsd_config_t to cupsd_t
2013-04-26 14:11:44 +02:00 · 2013-04-26 14:11:44 +02:00 · ac58d9fab2
commit ac58d9fab2
parent d61e0b894f
3 changed files with 183 additions and 83 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -16759,7 +16759,7 @@ index 54f1827..409df4f 100644
 +/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..6fb69e7 100644
+index 1700ef2..f8f6456 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@ -16880,7 +16880,7 @@ index 1700ef2..6fb69e7 100644
 ########################################
 ## <summary>
 ##	Allow the caller to directly read
-@@ -808,3 +891,369 @@ interface(`storage_unconfined',`
+@@ -808,3 +891,400 @@ interface(`storage_unconfined',`
 	typeattribute $1 storage_unconfined_type;
 ')
@ -17249,6 +17249,37 @@ index 1700ef2..6fb69e7 100644
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
 +	dev_filetrans($1, removable_device_t, chr_file, "rio500")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19")
 +
 +')
 diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
 index 7d45d15..22c9cfe 100644
@ -31822,7 +31853,7 @@ index 39ea221..4dd92d4 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..e2a9f15 100644
+index 879bb1e..7daaff3 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',`
@ -31861,12 +31892,14 @@ index 879bb1e..e2a9f15 100644
 /sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +94,69 @@ ifdef(`distro_gentoo',`
+@@ -88,8 +94,71 @@ ifdef(`distro_gentoo',`
 #
 # /usr
 #
 -/usr/sbin/clvmd		--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 -/usr/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/lib/systemd/generator/lvm.*   gen_context(system_u:object_r:lvm_unit_file_t,s0)
 +
 +/usr/sbin/clvmd			--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 +/usr/sbin/cryptsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/dmeventd		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@ -31933,7 +31966,7 @@ index 879bb1e..e2a9f15 100644
 #
 # /var
-@@ -97,5 +164,8 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +166,8 @@ ifdef(`distro_gentoo',`
 /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
 /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
 /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@ -32042,7 +32075,7 @@ index 58bc27f..51e9872 100644
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..df70cac 100644
+index e8c59a5..5c935e3 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -32064,7 +32097,17 @@ index e8c59a5..df70cac 100644
 type lvm_lock_t;
 files_lock_file(lvm_lock_t)
-@@ -49,15 +52,19 @@ files_tmp_file(lvm_tmp_t)
+@@ -41,6 +44,9 @@ files_pid_file(lvm_var_run_t)
 type lvm_tmp_t;
 files_tmp_file(lvm_tmp_t)
 +type lvm_unit_file_t;
 +systemd_unit_file(lvm_unit_file_t)
 +
 ########################################
 #
 # Cluster LVM daemon local policy
@@ -49,15 +55,19 @@ files_tmp_file(lvm_tmp_t)
 allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
 dontaudit clvmd_t self:capability sys_tty_config;
 allow clvmd_t self:process { signal_perms setsched };
@ -32086,7 +32129,7 @@ index e8c59a5..df70cac 100644
 read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
-@@ -71,7 +78,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
+@@ -71,7 +81,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
 corecmd_exec_shell(clvmd_t)
 corecmd_getattr_bin_files(clvmd_t)
@ -32094,7 +32137,7 @@ index e8c59a5..df70cac 100644
 corenet_all_recvfrom_netlabel(clvmd_t)
 corenet_tcp_sendrecv_generic_if(clvmd_t)
 corenet_udp_sendrecv_generic_if(clvmd_t)
-@@ -120,9 +126,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
+@@ -120,9 +129,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
 logging_send_syslog_msg(clvmd_t)
@ -32104,7 +32147,7 @@ index e8c59a5..df70cac 100644
 seutil_sigchld_newrole(clvmd_t)
 seutil_read_config(clvmd_t)
 seutil_read_file_contexts(clvmd_t)
-@@ -141,6 +145,11 @@ ifdef(`distro_redhat',`
+@@ -141,6 +148,11 @@ ifdef(`distro_redhat',`
 ')
 optional_policy(`
@ -32116,7 +32159,7 @@ index e8c59a5..df70cac 100644
 	ccs_stream_connect(clvmd_t)
 ')
-@@ -170,6 +179,7 @@ dontaudit lvm_t self:capability sys_tty_config;
+@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
@ -32124,7 +32167,17 @@ index e8c59a5..df70cac 100644
 allow lvm_t self:file rw_file_perms;
 allow lvm_t self:fifo_file manage_fifo_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -191,10 +201,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+@@ -179,6 +192,9 @@ allow lvm_t self:sem create_sem_perms;
 allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
 +allow lvm_t lvm_unit_file_t:file manage_file_perms;
 +systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)
 +
 manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
 manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
 files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
@@ -191,10 +207,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
 can_exec(lvm_t, lvm_exec_t)
 # Creating lock files
@ -32137,7 +32190,7 @@ index e8c59a5..df70cac 100644
 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
 manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -202,8 +214,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+@@ -202,8 +220,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
 manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
 manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@ -32149,7 +32202,7 @@ index e8c59a5..df70cac 100644
 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
 read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -220,6 +234,7 @@ kernel_read_kernel_sysctls(lvm_t)
+@@ -220,6 +240,7 @@ kernel_read_kernel_sysctls(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
@ -32157,7 +32210,7 @@ index e8c59a5..df70cac 100644
 kernel_search_debugfs(lvm_t)
 corecmd_exec_bin(lvm_t)
-@@ -230,11 +245,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -230,11 +251,13 @@ dev_delete_generic_dirs(lvm_t)
 dev_read_rand(lvm_t)
 dev_read_urand(lvm_t)
 dev_rw_lvm_control(lvm_t)
@ -32172,7 +32225,7 @@ index e8c59a5..df70cac 100644
 # cjp: this has no effect since LVM does not
 # have lnk_file relabelto for anything else.
 # perhaps this should be blk_files?
-@@ -246,6 +263,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -246,6 +269,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
 dev_dontaudit_getattr_generic_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_pipes(lvm_t)
 dev_create_generic_dirs(lvm_t)
@ -32180,7 +32233,7 @@ index e8c59a5..df70cac 100644
 domain_use_interactive_fds(lvm_t)
 domain_read_all_domains_state(lvm_t)
-@@ -255,17 +273,21 @@ files_read_etc_files(lvm_t)
+@@ -255,17 +279,21 @@ files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dirs(lvm_t)
@ -32203,7 +32256,7 @@ index e8c59a5..df70cac 100644
 selinux_get_fs_mount(lvm_t)
 selinux_validate_context(lvm_t)
-@@ -285,7 +307,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -285,7 +313,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
 storage_manage_fixed_disk(lvm_t)
@ -32212,7 +32265,7 @@ index e8c59a5..df70cac 100644
 init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +315,22 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +321,22 @@ init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
 logging_send_syslog_msg(lvm_t)
@ -32236,7 +32289,7 @@ index e8c59a5..df70cac 100644
 ifdef(`distro_redhat',`
 	# this is from the initrd:
-@@ -313,6 +342,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +348,11 @@ ifdef(`distro_redhat',`
 ')
 optional_policy(`
@ -32248,7 +32301,7 @@ index e8c59a5..df70cac 100644
 	bootloader_rw_tmp_files(lvm_t)
 ')
-@@ -333,14 +367,26 @@ optional_policy(`
+@@ -333,14 +373,26 @@ optional_policy(`
 ')
 optional_policy(`
@ -33737,7 +33790,7 @@ index cbbda4a..8dcc346 100644
 +userdom_use_inherited_user_terminals(netlabel_mgmt_t)
 +
 diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index d43f3b1..c4182e8 100644
+index d43f3b1..f958391 100644
 --- a/policy/modules/system/selinuxutil.fc
 +++ b/policy/modules/system/selinuxutil.fc
@@ -6,13 +6,14 @@
@ -33758,7 +33811,7 @@ index d43f3b1..c4182e8 100644
 #
 # /root
-@@ -35,12 +36,14 @@
+@@ -35,19 +36,26 @@
 /usr/lib/selinux(/.*)?			gen_context(system_u:object_r:policy_src_t,s0)
 /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
@ -33774,7 +33827,11 @@ index d43f3b1..c4182e8 100644
 #
 # /var/lib
-@@ -51,3 +54,7 @@
+ #
 /var/lib/selinux(/.*)?			gen_context(system_u:object_r:semanage_var_lib_t,s0)
 +/var/lib/sepolgen(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
 #
 # /var/run
 #
 /var/run/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
@ -35926,10 +35983,10 @@ index 0000000..4e12420
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..5894afb
+index 0000000..2e5b822
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1159 @@
+@@ -0,0 +1,1195 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -36775,6 +36832,42 @@ index 0000000..5894afb
 +	allow $1 hostname_etc_t:file read_file_perms;
 +')
 +
 +#######################################
 +## <summary>
 +##  Create objects in /run/systemd/generator directory
 +##  with an automatic type transition to
 +##  a specified private type.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +## <param name="private_type">
 +##  <summary>
 +##  The type of the object to create.
 +##  </summary>
 +## </param>
 +## <param name="object_class">
 +##  <summary>
 +##  The class of the object to be created.
 +##  </summary>
 +## </param>
 +## <param name="name" optional="true">
 +##	<summary>
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
 +#
 +interface(`systemd_unit_file_filetrans',`
 +    gen_require(`
 +        type systemd_unit_file_t;
 +    ')
 +
 +	files_search_pids($1)
 +	filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4)
 +')
 +
 +########################################
 +## <summary>
 +##	Transition to systemd named content
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -4426,7 +4426,7 @@ index 83e899c..c0ece1b 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..c2a14a5 100644
+index 1a82e29..cb872c5 100644
 --- a/apache.te
 +++ b/apache.te
@@ -1,297 +1,360 @@
@ -5476,7 +5476,7 @@ index 1a82e29..c2a14a5 100644
 ')
 tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +799,42 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +799,38 @@ tunable_policy(`httpd_setrlimit',`
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -5495,11 +5495,10 @@ index 1a82e29..c2a14a5 100644
 +# are dontaudited here.
 tunable_policy(`httpd_tty_comm',`
 -	userdom_use_user_terminals(httpd_t)
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_t)
 +	userdom_use_inherited_user_terminals(httpd_t)
 +	userdom_use_inherited_user_terminals(httpd_suexec_t)
 ',`
 	userdom_dontaudit_use_user_terminals(httpd_t)
 +	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
 ')
 -tunable_policy(`httpd_use_cifs',`
@ -5519,7 +5518,7 @@ index 1a82e29..c2a14a5 100644
 -	fs_manage_fusefs_files(httpd_t)
 -	fs_read_fusefs_symlinks(httpd_t)
 -')
- 
+-
 -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 -	fs_exec_fusefs_files(httpd_t)
 -')
@ -5551,7 +5550,7 @@ index 1a82e29..c2a14a5 100644
 ')
 optional_policy(`
-@@ -743,14 +845,6 @@ optional_policy(`
+@@ -743,14 +841,6 @@ optional_policy(`
 	ccs_read_config(httpd_t)
 ')
@ -5566,7 +5565,7 @@ index 1a82e29..c2a14a5 100644
 optional_policy(`
 	cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +859,23 @@ optional_policy(`
+@@ -765,6 +855,23 @@ optional_policy(`
 ')
 optional_policy(`
@ -5590,7 +5589,7 @@ index 1a82e29..c2a14a5 100644
 	dbus_system_bus_client(httpd_t)
 	tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +892,42 @@ optional_policy(`
+@@ -781,34 +888,42 @@ optional_policy(`
 ')
 optional_policy(`
@ -5644,7 +5643,7 @@ index 1a82e29..c2a14a5 100644
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +935,18 @@ optional_policy(`
+@@ -816,8 +931,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -5663,7 +5662,7 @@ index 1a82e29..c2a14a5 100644
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
-@@ -826,6 +955,7 @@ optional_policy(`
+@@ -826,6 +951,7 @@ optional_policy(`
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -5671,7 +5670,7 @@ index 1a82e29..c2a14a5 100644
 ')
 optional_policy(`
-@@ -836,20 +966,38 @@ optional_policy(`
+@@ -836,20 +962,38 @@ optional_policy(`
 ')
 optional_policy(`
@ -5716,7 +5715,7 @@ index 1a82e29..c2a14a5 100644
 ')
 optional_policy(`
-@@ -857,6 +1005,16 @@ optional_policy(`
+@@ -857,6 +1001,16 @@ optional_policy(`
 ')
 optional_policy(`
@ -5733,7 +5732,7 @@ index 1a82e29..c2a14a5 100644
 	seutil_sigchld_newrole(httpd_t)
 ')
-@@ -865,6 +1023,7 @@ optional_policy(`
+@@ -865,6 +1019,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -5741,7 +5740,7 @@ index 1a82e29..c2a14a5 100644
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -877,65 +1036,166 @@ optional_policy(`
+@@ -877,65 +1032,166 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
@ -5930,7 +5929,7 @@ index 1a82e29..c2a14a5 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
-@@ -944,123 +1204,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1200,74 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
@ -6085,7 +6084,7 @@ index 1a82e29..c2a14a5 100644
 	mysql_read_config(httpd_suexec_t)
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1288,104 @@ optional_policy(`
+@@ -1077,172 +1284,104 @@ optional_policy(`
 	')
 ')
@ -6321,7 +6320,7 @@ index 1a82e29..c2a14a5 100644
 ')
 tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1393,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1389,70 @@ tunable_policy(`httpd_read_user_content',`
 ')
 tunable_policy(`httpd_use_cifs',`
@ -6415,7 +6414,7 @@ index 1a82e29..c2a14a5 100644
 ########################################
 #
-@@ -1315,8 +1464,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1460,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 optional_policy(`
@ -6432,7 +6431,7 @@ index 1a82e29..c2a14a5 100644
 ')
 ########################################
-@@ -1324,49 +1480,36 @@ optional_policy(`
+@@ -1324,49 +1476,36 @@ optional_policy(`
 # User content local policy
 #
@ -6496,7 +6495,7 @@ index 1a82e29..c2a14a5 100644
 kernel_read_system_state(httpd_passwd_t)
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1519,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1515,99 @@ dev_read_urand(httpd_passwd_t)
 domain_use_interactive_fds(httpd_passwd_t)
@ -10168,7 +10167,7 @@ index 0000000..88107d7
 +/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
 diff --git a/chrome.if b/chrome.if
 new file mode 100644
-index 0000000..efebae7
+index 0000000..36bd6be
 --- /dev/null
 +++ b/chrome.if
@@ -0,0 +1,134 @@
@ -10258,7 +10257,7 @@ index 0000000..efebae7
 +
 +	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
 +	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+	allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
+	allow chrome_sandbox_t $2:unix_stream_socket { append getattr read write };
 +	dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
 +	allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
 +	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
@ -16253,7 +16252,7 @@ index 06da9a0..ca832e1 100644
 +	ps_process_pattern($1, cupsd_t)
 ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..fb69e2c 100644
+index 9f34c2e..c861b5b 100644
 --- a/cups.te
 +++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@ -16577,7 +16576,7 @@ index 9f34c2e..fb69e2c 100644
 ')
 ########################################
-@@ -345,11 +381,9 @@ optional_policy(`
+@@ -345,12 +381,11 @@ optional_policy(`
 # Configuration daemon local policy
 #
@ -16589,9 +16588,11 @@ index 9f34c2e..fb69e2c 100644
 -allow cupsd_config_t self:tcp_socket { accept listen };
 +allow cupsd_config_t self:process { getsched };
 +domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
 allow cupsd_config_t cupsd_t:process signal;
 ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+ 
@@ -375,18 +410,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@ -16611,7 +16612,7 @@ index 9f34c2e..fb69e2c 100644
 corenet_all_recvfrom_netlabel(cupsd_config_t)
 corenet_tcp_sendrecv_generic_if(cupsd_config_t)
 corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +427,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
 corenet_sendrecv_all_client_packets(cupsd_config_t)
 corenet_tcp_connect_all_ports(cupsd_config_t)
@ -16632,7 +16633,7 @@ index 9f34c2e..fb69e2c 100644
 fs_search_auto_mountpoints(cupsd_config_t)
 domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +444,6 @@ auth_use_nsswitch(cupsd_config_t)
 logging_send_syslog_msg(cupsd_config_t)
@ -16644,7 +16645,7 @@ index 9f34c2e..fb69e2c 100644
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +470,12 @@ optional_policy(`
+@@ -452,9 +471,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -16658,7 +16659,7 @@ index 9f34c2e..fb69e2c 100644
 ')
 optional_policy(`
-@@ -490,10 +511,6 @@ optional_policy(`
+@@ -490,10 +512,6 @@ optional_policy(`
 # Lpd local policy
 #
@ -16669,7 +16670,7 @@ index 9f34c2e..fb69e2c 100644
 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +529,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
@ -16702,7 +16703,7 @@ index 9f34c2e..fb69e2c 100644
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
 ')
-@@ -546,7 +554,6 @@ optional_policy(`
+@@ -546,7 +555,6 @@ optional_policy(`
 #
 allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@ -16710,7 +16711,7 @@ index 9f34c2e..fb69e2c 100644
 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +570,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
 kernel_read_system_state(cups_pdf_t)
@ -16727,8 +16728,11 @@ index 9f34c2e..fb69e2c 100644
 -
 userdom_manage_user_home_content_dirs(cups_pdf_t)
 userdom_manage_user_home_content_files(cups_pdf_t)
- userdom_home_filetrans_user_home_dir(cups_pdf_t)
+-userdom_home_filetrans_user_home_dir(cups_pdf_t)
-@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',`
+userdom_filetrans_home_content(cups_pdf_t)
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(cups_pdf_t)
 	fs_manage_nfs_files(cups_pdf_t)
 ')
@ -16859,7 +16863,7 @@ index 9f34c2e..fb69e2c 100644
 ########################################
 #
-@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +614,6 @@ kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
@ -16867,7 +16871,7 @@ index 9f34c2e..fb69e2c 100644
 corenet_all_recvfrom_netlabel(ptal_t)
 corenet_tcp_sendrecv_generic_if(ptal_t)
 corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +623,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
 corenet_tcp_bind_ptal_port(ptal_t)
 corenet_tcp_sendrecv_ptal_port(ptal_t)
@ -16881,7 +16885,7 @@ index 9f34c2e..fb69e2c 100644
 files_read_etc_runtime_files(ptal_t)
 fs_getattr_all_fs(ptal_t)
-@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +635,6 @@ fs_search_auto_mountpoints(ptal_t)
 logging_send_syslog_msg(ptal_t)
@ -55124,7 +55128,7 @@ index 2e23946..589bbf2 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..7bb7d5b 100644
+index 191a66f..fa32037 100644
 --- a/postfix.te
 +++ b/postfix.te
@@ -1,4 +1,4 @@
@ -55933,7 +55937,7 @@ index 191a66f..7bb7d5b 100644
 ')
 optional_policy(`
-@@ -764,31 +707,100 @@ optional_policy(`
+@@ -764,31 +707,99 @@ optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
@ -55969,9 +55973,9 @@ index 191a66f..7bb7d5b 100644
 userdom_manage_user_home_dirs(postfix_virtual_t)
 -userdom_manage_user_home_content_dirs(postfix_virtual_t)
 -userdom_manage_user_home_content_files(postfix_virtual_t)
-+userdom_manage_user_home_content(postfix_virtual_t)
+-userdom_home_filetrans_user_home_dir(postfix_virtual_t)
 userdom_home_filetrans_user_home_dir(postfix_virtual_t)
 -userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
 +userdom_manage_user_home_content(postfix_virtual_t)
 +userdom_filetrans_home_content(postfix_virtual_t)
 +
 +########################################
@ -75305,7 +75309,7 @@ index 3a9a70b..039b0c8 100644
 	logging_list_logs($1)
 	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..a7c3d7c 100644
+index 49b12ae..a89828e 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
@@ -1,4 +1,4 @@
@ -75394,7 +75398,7 @@ index 49b12ae..a7c3d7c 100644
 dev_read_urand(setroubleshootd_t)
 dev_read_sysfs(setroubleshootd_t)
-@@ -79,13 +85,13 @@ dev_getattr_mtrr_dev(setroubleshootd_t)
+@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t)
 domain_dontaudit_search_all_domains_state(setroubleshootd_t)
 domain_signull_all_domains(setroubleshootd_t)
@ -75402,14 +75406,7 @@ index 49b12ae..a7c3d7c 100644
 files_list_all(setroubleshootd_t)
 files_getattr_all_files(setroubleshootd_t)
 files_getattr_all_pipes(setroubleshootd_t)
- files_getattr_all_sockets(setroubleshootd_t)
+@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t)
 files_read_all_symlinks(setroubleshootd_t)
 files_read_mnt_files(setroubleshootd_t)
 +files_read_var_lib_files(setroubleshootd_t)
 fs_getattr_all_dirs(setroubleshootd_t)
 fs_getattr_all_files(setroubleshootd_t)
@@ -107,27 +113,24 @@ init_read_utmp(setroubleshootd_t)
 init_dontaudit_write_utmp(setroubleshootd_t)
 libs_exec_ld_so(setroubleshootd_t)
@ -75442,7 +75439,7 @@ index 49b12ae..a7c3d7c 100644
 ')
 optional_policy(`
-@@ -135,10 +138,18 @@ optional_policy(`
+@@ -135,10 +137,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -75461,7 +75458,7 @@ index 49b12ae..a7c3d7c 100644
 	rpm_exec(setroubleshootd_t)
 	rpm_signull(setroubleshootd_t)
 	rpm_read_db(setroubleshootd_t)
-@@ -148,15 +159,17 @@ optional_policy(`
+@@ -148,15 +158,17 @@ optional_policy(`
 ########################################
 #
@ -75480,7 +75477,7 @@ index 49b12ae..a7c3d7c 100644
 setroubleshoot_stream_connect(setroubleshoot_fixit_t)
 kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,9 +178,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
 corecmd_exec_shell(setroubleshoot_fixit_t)
 corecmd_getattr_all_executables(setroubleshoot_fixit_t)
@ -75495,7 +75492,7 @@ index 49b12ae..a7c3d7c 100644
 files_list_tmp(setroubleshoot_fixit_t)
 auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +192,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
 logging_send_audit_msgs(setroubleshoot_fixit_t)
 logging_send_syslog_msg(setroubleshoot_fixit_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 35%{?dist}
+Release: 37%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -530,6 +530,16 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Apr 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-37
 - Allow lvm to create its own unit files
 - Label /var/lib/sepolgen as selinux_config_t
 - Add filetrans rules for tw devices
 - Add transition from cupsd_config_t to cupsd_t
 * Wed Apr 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-36
 - Add filetrans rules for tw devices
 - Cleanup bad transition lines
 * Tue Apr 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-35
 - Fix lockdev_manage_files()
 - Allow setroubleshootd to read var_lib_t to make email_alert working