* Tue Feb 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-241

- Remove ganesha from gluster module and create own module for ganesha - FIx label for /usr/lib/libGLdispatch.so.0.0.0
2017-02-21 14:04:18 +01:00 · 2017-02-21 14:04:18 +01:00 · acb049dbc4
commit acb049dbc4
parent 9d87d07100
4 changed files with 369 additions and 104 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -1,3 +1,13 @@
+diff --git a/.gitmodules b/.gitmodules
+index 360bd03..e794aa3 100644
+--- a/.gitmodules
+++ b/.gitmodules
+@@ -1,3 +1,4 @@
+ [submodule "policy/modules/contrib"]
+ 	path = policy/modules/contrib
+-	url = http://oss.tresys.com/git/refpolicy-contrib.git
+    url = https://github.com/fedora-selinux/selinux-policy-contrib
+    branch = rawhide
 diff --git a/Makefile b/Makefile
 index ec7b5cb..e2936c6 100644
 --- a/Makefile
@ -19165,7 +19175,7 @@ index 7be4ddf..9710b33 100644
 +/sys/kernel/debug -d	gen_context(system_u:object_r:debugfs_t,s0)
 +/sys/kernel/debug/.*	<<none>>
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..342fb1e 100644
+index e100d88..d780b64 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@ -19561,7 +19571,34 @@ index e100d88..342fb1e 100644
 ')
 
 ########################################
-@@ -2085,7 +2241,54 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2048,6 +2204,26 @@ interface(`kernel_read_rpc_sysctls',`
+ 	list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+ ')
+ 
+
+########################################
+## <summary>
+##	Read RPC sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_rpc_sysctls_dirs',`
+	gen_require(`
+		type proc_t, proc_net_t, sysctl_rpc_t;
+	')
+
+	rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+')
+
+ ########################################
+ ## <summary>
+ ##	Read and write RPC sysctls.
+@@ -2085,7 +2261,54 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 	')
 
 	dontaudit $1 sysctl_type:dir list_dir_perms;
@ -19617,7 +19654,7 @@ index e100d88..342fb1e 100644
 ')
 
 ########################################
-@@ -2282,6 +2485,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2505,25 @@ interface(`kernel_list_unlabeled',`
 
 ########################################
 ## <summary>
@ -19643,7 +19680,7 @@ index e100d88..342fb1e 100644
 ##	Read the process state (/proc/pid) of all unlabeled_t.
 ## </summary>
 ## <param name="domain">
-@@ -2306,7 +2528,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2548,7 @@ interface(`kernel_read_unlabeled_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -19652,80 +19689,56 @@ index e100d88..342fb1e 100644
 ##	</summary>
 ## </param>
 #
-@@ -2488,6 +2710,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,21 +2730,39 @@ interface(`kernel_rw_unlabeled_blk_files',`
 
 ########################################
 ## <summary>
+-##	Do not audit attempts by caller to get attributes for
+-##	unlabeled character devices.
 +##	Read and write unlabeled sockets.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
 +interface(`kernel_rw_unlabeled_socket',`
-+	gen_require(`
-+		type unlabeled_t;
-+	')
-+
+ 	gen_require(`
+ 		type unlabeled_t;
+ 	')
+ 
+-	dontaudit $1 unlabeled_t:chr_file getattr;
 +	allow $1 unlabeled_t:socket rw_socket_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts by caller to get attributes for
- ##	unlabeled character devices.
- ## </summary>
-@@ -2525,7 +2765,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
- 
- ########################################
- ## <summary>
-##	Allow caller to relabel unlabeled files.
-+##	Allow caller to relabel unlabeled filesystems.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2533,18 +2773,17 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
- ##	</summary>
- ## </param>
- #
-interface(`kernel_relabelfrom_unlabeled_files',`
-+interface(`kernel_relabelfrom_unlabeled_fs',`
- 	gen_require(`
- 		type unlabeled_t;
- 	')
- 
-	kernel_list_unlabeled($1)
-	allow $1 unlabeled_t:file { getattr relabelfrom };
-+	allow $1 unlabeled_t:filesystem relabelfrom;
+##	Do not audit attempts by caller to get attributes for
+##	unlabeled character devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:chr_file getattr;
 ')
 
 ########################################
- ## <summary>
-##	Allow caller to relabel unlabeled symbolic links.
-+##	Allow caller to relabel unlabeled files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2552,13 +2791,32 @@ interface(`kernel_relabelfrom_unlabeled_files',`
- ##	</summary>
- ## </param>
- #
-interface(`kernel_relabelfrom_unlabeled_symlinks',`
-+interface(`kernel_relabelfrom_unlabeled_files',`
- 	gen_require(`
- 		type unlabeled_t;
- 	')
+@@ -2525,6 +2785,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 
- 	kernel_list_unlabeled($1)
-	allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
-+	allow $1 unlabeled_t:file { getattr relabelfrom };
-+')
-+
-+########################################
-+## <summary>
-+##	Allow caller to relabel unlabeled symbolic links.
+ ########################################
+ ## <summary>
+##	Allow caller to relabel unlabeled filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -19733,17 +19746,20 @@ index e100d88..342fb1e 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`kernel_relabelfrom_unlabeled_symlinks',`
+interface(`kernel_relabelfrom_unlabeled_fs',`
 +	gen_require(`
 +		type unlabeled_t;
 +	')
 +
-+	kernel_list_unlabeled($1)
-+	allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
- ')
- 
- ########################################
-@@ -2667,6 +2925,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+	allow $1 unlabeled_t:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
+ ##	Allow caller to relabel unlabeled files.
+ ## </summary>
+ ## <param name="domain">
+@@ -2667,6 +2945,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
 
 ########################################
 ## <summary>
@ -19768,7 +19784,7 @@ index e100d88..342fb1e 100644
 ##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
-@@ -2694,6 +2970,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2990,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
 
 ########################################
 ## <summary>
@ -19794,7 +19810,7 @@ index e100d88..342fb1e 100644
 ##	Do not audit attempts to receive TCP packets from an unlabeled
 ##	connection.
 ## </summary>
-@@ -2803,6 +3098,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3118,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
 
 	allow $1 unlabeled_t:rawip_socket recvfrom;
 ')
@ -19828,7 +19844,7 @@ index e100d88..342fb1e 100644
 
 ########################################
 ## <summary>
-@@ -2958,6 +3280,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3300,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
 
 ########################################
 ## <summary>
@ -19853,7 +19869,7 @@ index e100d88..342fb1e 100644
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
-@@ -2972,5 +3312,649 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3332,649 @@ interface(`kernel_unconfined',`
 	')
 
 	typeattribute $1 kern_unconfined;
@ -37802,7 +37818,7 @@ index 0000000..c814795
 +fs_manage_kdbus_dirs(systemd_logind_t)
 +fs_manage_kdbus_files(systemd_logind_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..7b05663 100644
+index 73bb3c0..5d62107 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@ -37886,7 +37902,7 @@ index 73bb3c0..7b05663 100644
 /usr/lib/libADM5.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libatiadlxx\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/win32/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libGLdispatch/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libGLdispatch.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
@ -43211,7 +43227,7 @@ index 3822072..d358162 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..8d4ed0f 100644
+index dc46420..a86e9eb 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@ -43746,7 +43762,7 @@ index dc46420..8d4ed0f 100644
 ')
 
 ########################################
-@@ -522,111 +597,201 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +597,202 @@ ifdef(`distro_ubuntu',`
 # Setfiles local policy
 #
 
@ -43911,6 +43927,7 @@ index dc46420..8d4ed0f 100644
 +fs_getattr_all_files(setfiles_domain)
 +fs_search_auto_mountpoints(setfiles_domain)
 +fs_relabelfrom_noxattr_fs(setfiles_domain)
+fs_mount_tracefs(setfiles_domain)
 +
 +selinux_validate_context(setfiles_domain)
 +selinux_compute_access_vector(setfiles_domain)
@ -47071,10 +47088,10 @@ index 0000000..86e3d01
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..c6280dc
+index 0000000..0100a56
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1017 @@
+@@ -0,0 +1,1018 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -48072,6 +48089,7 @@ index 0000000..c6280dc
 +#
 +
 +allow systemd_bootchart_t self:capability2 wake_alarm;
+allow systemd_bootchart_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_dgram_send(systemd_bootchart_t)
 +kernel_rw_kernel_sysctl(systemd_bootchart_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -12878,7 +12878,7 @@ index 85ca63f..1d1c99c 100644
 	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
 	files_list_etc($1)
 diff --git a/cgroup.te b/cgroup.te
-index 80a88a2..ec869f5 100644
+index 80a88a2..71c25c3 100644
 --- a/cgroup.te
 +++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@ -12906,7 +12906,7 @@ index 80a88a2..ec869f5 100644
 domain_setpriority_all_domains(cgclear_t)
 
 fs_manage_cgroup_dirs(cgclear_t)
-@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+@@ -64,23 +66,26 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
 kernel_list_unlabeled(cgconfig_t)
 kernel_read_system_state(cgconfig_t)
 
@ -12930,12 +12930,13 @@ index 80a88a2..ec869f5 100644
 -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
 allow cgred_t self:netlink_socket { write bind create read };
 allow cgred_t self:unix_dgram_socket { write create connect };
+allow cgred_t self:netlink_connector_socket create_socket_perms;
 
 +allow cgred_t cgconfig_etc_t:file read_file_perms;
 allow cgred_t cgrules_etc_t:file read_file_perms;
 
 allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t)
+@@ -99,10 +104,11 @@ domain_setpriority_all_domains(cgred_t)
 files_getattr_all_files(cgred_t)
 files_getattr_all_sockets(cgred_t)
 files_read_all_symlinks(cgred_t)
@ -14855,10 +14856,10 @@ index cc4e7cb..f348d27 100644
 	domain_system_change_exemption($1)
 	role_transition $2 cmirrord_initrc_exec_t system_r;
 diff --git a/cmirrord.te b/cmirrord.te
-index bbdd396..8328b95 100644
+index bbdd396..28b1761 100644
 --- a/cmirrord.te
 +++ b/cmirrord.te
-@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
+@@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t)
 # Local policy
 #
 
@ -14867,7 +14868,14 @@ index bbdd396..8328b95 100644
 dontaudit cmirrord_t self:capability sys_tty_config;
 allow cmirrord_t self:process { setfscreate signal };
 allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+ allow cmirrord_t self:sem create_sem_perms;
+ allow cmirrord_t self:shm create_shm_perms;
+ allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:netlink_connector_socket create_socket_perms;
+ allow cmirrord_t self:unix_stream_socket { accept listen };
+ 
+ manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+@@ -42,16 +43,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
 domain_use_interactive_fds(cmirrord_t)
 domain_obj_id_change_exemption(cmirrord_t)
 
@ -30858,6 +30866,243 @@ index e5b15fb..220622e 100644
 	allow games_t self:process execmem;
 ')
 
+diff --git a/ganesha.fc b/ganesha.fc
+new file mode 100644
+index 0000000..c5982d5
+--- /dev/null
+++ b/ganesha.fc
+@@ -0,0 +1,11 @@
+/usr/bin/ganesha.nfsd		--	gen_context(system_u:object_r:ganesha_exec_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha-config.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha-lock.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha.*e		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/var/log/ganesha.log	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
+
+/var/run/ganesha(/.*)?		gen_context(system_u:object_r:ganesha_var_run_t,s0)
+diff --git a/ganesha.if b/ganesha.if
+new file mode 100644
+index 0000000..d9ba5fa
+--- /dev/null
+++ b/ganesha.if
+@@ -0,0 +1,147 @@
+
+## <summary>policy for ganesha</summary>
+
+########################################
+## <summary>
+##	Execute ganesha_exec_t in the ganesha domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ganesha_domtrans',`
+	gen_require(`
+		type ganesha_t, ganesha_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ganesha_exec_t, ganesha_t)
+')
+
+######################################
+## <summary>
+##	Execute ganesha in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ganesha_exec',`
+	gen_require(`
+		type ganesha_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, ganesha_exec_t)
+')
+########################################
+## <summary>
+##	Read ganesha PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ganesha_read_pid_files',`
+	gen_require(`
+		type ganesha_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute ganesha server in the ganesha domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ganesha_systemctl',`
+	gen_require(`
+		type ganesha_t;
+		type ganesha_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 ganesha_unit_file_t:file read_file_perms;
+	allow $1 ganesha_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ganesha_t)
+')
+
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	ganesha over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ganesha_dbus_chat',`
+	gen_require(`
+		type ganesha_t;
+		class dbus send_msg;
+	')
+
+	allow $1 ganesha_t:dbus send_msg;
+	allow ganesha_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ganesha environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ganesha_admin',`
+	gen_require(`
+		type ganesha_t;
+		type ganesha_var_run_t;
+	type ganesha_unit_file_t;
+	')
+
+	allow $1 ganesha_t:process { signal_perms };
+	ps_process_pattern($1, ganesha_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 ganesha_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, ganesha_var_run_t)
+
+	ganesha_systemctl($1)
+	admin_pattern($1, ganesha_unit_file_t)
+	allow $1 ganesha_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+diff --git a/ganesha.te b/ganesha.te
+new file mode 100644
+index 0000000..20b9fcf
+--- /dev/null
+++ b/ganesha.te
+@@ -0,0 +1,61 @@
+policy_module(ganesha, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ganesha_t;
+type ganesha_exec_t;
+init_daemon_domain(ganesha_t, ganesha_exec_t)
+
+permissive ganesha_t;
+
+type ganesha_var_log_t;
+logging_log_file(ganesha_var_log_t)
+
+type ganesha_var_run_t;
+files_pid_file(ganesha_var_run_t)
+
+type ganesha_unit_file_t;
+systemd_unit_file(ganesha_unit_file_t)
+
+########################################
+#
+# ganesha local policy
+#
+allow ganesha_t self:process { setcap setrlimit };
+allow ganesha_t self:fifo_file rw_fifo_file_perms;
+allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
+allow ganesha_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })
+
+manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
+
+auth_use_nsswitch(ganesha_t)
+
+corenet_tcp_bind_nfs_port(ganesha_t)
+corenet_tcp_connect_generic_port(ganesha_t)
+corenet_udp_bind_nfs_port(ganesha_t)
+corenet_udp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_all_rpc_ports(ganesha_t)
+
+logging_send_syslog_msg(ganesha_t)
+
+sysnet_dns_name_resolve(ganesha_t)
+
+optional_policy(`
+	dbus_system_bus_client(ganesha_t)
+	dbus_connect_system_bus(ganesha_t)
+')
+
+optional_policy(`
+	rpc_manage_nfs_state_data_dir(ganesha_t)
+	rpcbind_stream_connect(ganesha_t)
+')
 diff --git a/gatekeeper.te b/gatekeeper.te
 index 2820368..88c98f4 100644
 --- a/gatekeeper.te
@ -32165,10 +32410,10 @@ index 5cd0909..bd3c3d2 100644
 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
 diff --git a/glusterd.fc b/glusterd.fc
 new file mode 100644
-index 0000000..a3633cd
+index 0000000..9806f50
 --- /dev/null
 +++ b/glusterd.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,25 @@
 +/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 +
 +/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
@ -32184,20 +32429,16 @@ index 0000000..a3633cd
 +/usr/libexec/glusterfs/peer_eventsapi.py    -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +/usr/libexec/glusterfs/events/glustereventsd.py   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +
-+/usr/bin/ganesha.nfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
-+
 +/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +
 +/var/lib/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_var_lib_t,s0)
 +
 +/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
-+/var/log/ganesha.log	--	gen_context(system_u:object_r:glusterd_log_t,s0)
 +
 +/var/run/gluster(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
-+/var/run/ganesha.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 diff --git a/glusterd.if b/glusterd.if
 new file mode 100644
 index 0000000..764ae00
@ -83507,7 +83748,7 @@ index da64218..3fb8575 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
 ')
 diff --git a/quota.te b/quota.te
-index f47c8e8..d4e9042 100644
+index f47c8e8..af09c76 100644
 --- a/quota.te
 +++ b/quota.te
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
@ -83602,7 +83843,7 @@ index f47c8e8..d4e9042 100644
 ')
 
 optional_policy(`
-@@ -103,12 +102,12 @@ optional_policy(`
+@@ -103,12 +102,13 @@ optional_policy(`
 
 #######################################
 #
@ -83613,11 +83854,12 @@ index f47c8e8..d4e9042 100644
 allow quota_nld_t self:fifo_file rw_fifo_file_perms;
 allow quota_nld_t self:netlink_socket create_socket_perms;
 -allow quota_nld_t self:unix_stream_socket { accept listen };
+allow quota_nld_t self:netlink_generic_socket create_socket_perms;
 +allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
 files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
-@@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t)
+@@ -121,11 +121,9 @@ init_read_utmp(quota_nld_t)
 
 logging_send_syslog_msg(quota_nld_t)
 
@ -91112,7 +91354,7 @@ index 0bf13c2..ed393a0 100644
 	files_list_tmp($1)
 	admin_pattern($1, gssd_tmp_t)
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..a37f579 100644
+index 2da9fca..be1fab2 100644
 --- a/rpc.te
 +++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@ -91316,7 +91558,7 @@ index 2da9fca..a37f579 100644
 ')
 
 ########################################
-@@ -202,41 +232,61 @@ optional_policy(`
+@@ -202,41 +232,62 @@ optional_policy(`
 #
 
 allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@ -91334,6 +91576,7 @@ index 2da9fca..a37f579 100644
 kernel_request_load_module(nfsd_t)
 -# kernel_mounton_proc(nfsd_t)
 +kernel_mounton_proc(nfsd_t)
+kernel_rw_rpc_sysctls_dirs(nfsd_t)
 
 -corenet_sendrecv_nfs_server_packets(nfsd_t)
 +corecmd_exec_shell(nfsd_t)
@ -91388,7 +91631,7 @@ index 2da9fca..a37f579 100644
 	miscfiles_manage_public_files(nfsd_t)
 ')
 
-@@ -245,7 +295,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +296,6 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 
 	fs_read_noxattr_fs_files(nfsd_t)
@ -91396,7 +91639,7 @@ index 2da9fca..a37f579 100644
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +306,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +307,12 @@ tunable_policy(`nfs_export_all_ro',`
 
 	fs_read_noxattr_fs_files(nfsd_t)
 
@ -91411,7 +91654,7 @@ index 2da9fca..a37f579 100644
 ')
 
 ########################################
-@@ -270,7 +319,7 @@ optional_policy(`
+@@ -270,7 +320,7 @@ optional_policy(`
 # GSSD local policy
 #
 
@ -91420,7 +91663,7 @@ index 2da9fca..a37f579 100644
 allow gssd_t self:process { getsched setsched };
 allow gssd_t self:fifo_file rw_fifo_file_perms;
 
-@@ -280,6 +329,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +330,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
@ -91428,7 +91671,7 @@ index 2da9fca..a37f579 100644
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_request_load_module(gssd_t)
-@@ -288,25 +338,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +339,31 @@ kernel_signal(gssd_t)
 
 corecmd_exec_bin(gssd_t)
 
@ -91463,7 +91706,7 @@ index 2da9fca..a37f579 100644
 ')
 
 optional_policy(`
-@@ -314,9 +370,12 @@ optional_policy(`
+@@ -314,9 +371,12 @@ optional_policy(`
 ')
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 240%{?dist}
+Release: 241%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -675,6 +675,10 @@ exit 0
 %endif

 %changelog
+* Tue Feb 21 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-241
+- Remove ganesha from gluster module and create own module for ganesha
+- FIx label for /usr/lib/libGLdispatch.so.0.0.0
+
 * Wed Feb 15 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-240
 - Dontaudit xdm_t wake_alarm capability2
 - Allow systemd_initctl_t to create and connect unix_dgram sockets