- Allow gpg to read fips_enabled

- Add support for /var/cache/realmd - Add support for /usr/sbin/blazer_usb and systemd support for nut - Add labeling for fenced_sanlock and allow sanclok transition to fen - bitlbee wants to read own log file - Allow glance domain to send a signal itself - Allow xend_t to request that the kernel load a kernel module - Allow pacemaker to execute heartbeat lib files - cleanup new swift policy
2013-02-08 14:01:21 +01:00 · 2013-02-08 14:01:21 +01:00 · ad094338a5
commit ad094338a5
parent d4e203ba2f
3 changed files with 176 additions and 79 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -235863,10 +235863,10 @@ index 0000000..a4b0917
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..9b74225
+index 0000000..1131866
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,612 @@
+@@ -0,0 +1,616 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -236474,10 +236474,14 @@ index 0000000..9b74225
 +
 +files_read_system_conf_files(systemd_sysctl_t)
 +
 +dev_write_kmsg(systemd_sysctl_t)
 +
 +domain_use_interactive_fds(systemd_sysctl_t)
 +
 +files_read_etc_files(systemd_sysctl_t)
 +
 +init_stream_connect(systemd_sysctl_t)
 +
 +logging_stream_connect_syslog(systemd_sysctl_t)
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index 40928d8..49fd32e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -8023,7 +8023,7 @@ index e73fb79..2badfc0 100644
 	domain_system_change_exemption($1)
 	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/bitlbee.te b/bitlbee.te
-index ac8c91e..a63f4c2 100644
+index ac8c91e..80ecd7e 100644
 --- a/bitlbee.te
 +++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@ -8041,7 +8041,15 @@ index ac8c91e..a63f4c2 100644
 allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
 allow bitlbee_t bitlbee_conf_t:file read_file_perms;
-@@ -59,8 +62,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
 manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 +read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
@ -8051,7 +8059,7 @@ index ac8c91e..a63f4c2 100644
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_all_recvfrom_netlabel(bitlbee_t)
-@@ -109,16 +112,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
 dev_read_rand(bitlbee_t)
 dev_read_urand(bitlbee_t)
@ -23395,7 +23403,7 @@ index 9eacb2c..229782f 100644
 	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
 	domain_system_change_exemption($1)
 diff --git a/glance.te b/glance.te
-index e0a4f46..be03e22 100644
+index e0a4f46..70277e8 100644
 --- a/glance.te
 +++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
@ -23421,7 +23429,15 @@ index e0a4f46..be03e22 100644
 init_daemon_domain(glance_api_t, glance_api_exec_t)
 type glance_api_initrc_exec_t;
-@@ -56,10 +57,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t)
 # Common local policy
 #
 +allow glance_domain self:process signal_perms;
 allow glance_domain self:fifo_file rw_fifo_file_perms;
 allow glance_domain self:unix_stream_socket create_stream_socket_perms;
 allow glance_domain self:tcp_socket { accept listen };
@@ -56,10 +58,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
 manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
 manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@ -23432,7 +23448,7 @@ index e0a4f46..be03e22 100644
 corenet_tcp_sendrecv_generic_if(glance_domain)
 corenet_tcp_sendrecv_generic_node(glance_domain)
 corenet_tcp_sendrecv_all_ports(glance_domain)
-@@ -70,13 +67,10 @@ corecmd_exec_shell(glance_domain)
+@@ -70,13 +68,10 @@ corecmd_exec_shell(glance_domain)
 dev_read_urand(glance_domain)
@ -23447,7 +23463,7 @@ index e0a4f46..be03e22 100644
 sysnet_dns_name_resolve(glance_domain)
 ########################################
-@@ -88,8 +82,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -88,8 +83,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
 manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
 files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
@ -23463,7 +23479,7 @@ index e0a4f46..be03e22 100644
 logging_send_syslog_msg(glance_registry_t)
-@@ -108,13 +109,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +110,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
 files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
 can_exec(glance_api_t, glance_tmp_t)
@ -26764,7 +26780,7 @@ index 180f1b7..951b790 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 44cf341..c47fa5f 100644
+index 44cf341..8424d09 100644
 --- a/gpg.te
 +++ b/gpg.te
@@ -1,47 +1,47 @@
@ -26836,7 +26852,7 @@ index 44cf341..c47fa5f 100644
 type gpg_secret_t;
 typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
-@@ -52,112 +52,115 @@ type gpg_helper_t;
+@@ -52,112 +52,116 @@ type gpg_helper_t;
 type gpg_helper_exec_t;
 typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
 typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
@ -26912,6 +26928,7 @@ index 44cf341..c47fa5f 100644
 +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
 kernel_read_sysctl(gpg_t)
 +kernel_read_system_state(gpg_t)
 +kernel_getattr_core_if(gpg_t)
 corecmd_exec_shell(gpg_t)
@ -27000,7 +27017,7 @@ index 44cf341..c47fa5f 100644
 ')
 optional_policy(`
-@@ -165,37 +168,51 @@ optional_policy(`
+@@ -165,37 +169,51 @@ optional_policy(`
 ')
 optional_policy(`
@ -27063,7 +27080,7 @@ index 44cf341..c47fa5f 100644
 tunable_policy(`use_nfs_home_dirs',`
 	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -207,29 +224,35 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',`
 ########################################
 #
@ -27105,7 +27122,7 @@ index 44cf341..c47fa5f 100644
 corecmd_exec_shell(gpg_agent_t)
 dev_read_rand(gpg_agent_t)
-@@ -239,31 +262,30 @@ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,31 +263,30 @@ domain_use_interactive_fds(gpg_agent_t)
 fs_dontaudit_list_inotifyfs(gpg_agent_t)
@ -27148,7 +27165,7 @@ index 44cf341..c47fa5f 100644
 ')
 optional_policy(`
-@@ -277,8 +299,17 @@ optional_policy(`
+@@ -277,8 +300,17 @@ optional_policy(`
 allow gpg_pinentry_t self:process { getcap getsched setsched signal };
 allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@ -27167,7 +27184,7 @@ index 44cf341..c47fa5f 100644
 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +318,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +319,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
@ -45643,10 +45660,10 @@ index f5d145d..97e1148 100644
 +	virt_ptrace(numad_t)
 +')
 diff --git a/nut.fc b/nut.fc
-index 379af96..371119d 100644
+index 379af96..41ff159 100644
 --- a/nut.fc
 +++ b/nut.fc
-@@ -1,23 +1,13 @@
+@@ -1,23 +1,16 @@
 -/etc/nut(/.*)?	gen_context(system_u:object_r:nut_conf_t,s0)
 -/etc/ups(/.*)?	gen_context(system_u:object_r:nut_conf_t,s0)
 +/etc/ups(/.*)?		gen_context(system_u:object_r:nut_conf_t,s0)
@ -45657,14 +45674,16 @@ index 379af96..371119d 100644
 -/sbin/upsd	--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
 /sbin/upsdrvctl	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
 -/sbin/upsmon	--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
-
+ 
 -/usr/lib/cgi-bin/nut/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 -/usr/lib/cgi-bin/nut/upsset\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 -/usr/lib/cgi-bin/nut/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 +/usr/lib/systemd/system/nut.*	--  gen_context(system_u:object_r:nut_unit_file_t,s0)
 /usr/sbin/upsd	--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
 /usr/sbin/upsdrvctl	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
 -/usr/sbin/upsmon	--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
 +/usr/sbin/blazer_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
 +/usr/sbin/upsmon --	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
 /var/run/nut(/.*)?	gen_context(system_u:object_r:nut_var_run_t,s0)
@ -45676,29 +45695,35 @@ index 379af96..371119d 100644
 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 diff --git a/nut.if b/nut.if
-index 57c0161..56660c5 100644
+index 57c0161..d5ad79d 100644
 --- a/nut.if
 +++ b/nut.if
-@@ -1,39 +1 @@
+@@ -1,39 +1,25 @@
 -## <summary>Network UPS Tools </summary>
-
+## <summary>nut - Network UPS Tools </summary>
 -########################################
-## <summary>
+#######################################
 ## <summary>
 -##	All of the rules required to
 -##	administrate an nut environment.
-## </summary>
+##  Execute swift server in the swift domain.
-## <param name="domain">
+ ## </summary>
 ## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
-## </param>
+##  <summary>
 +##  Domain allowed to transition.
 +##  </summary>
 ## </param>
 -## <param name="role">
 -##	<summary>
 -##	Role allowed access.
 -##	</summary>
 -## </param>
 -## <rolecap/>
-#
+ #
 -interface(`nut_admin',`
 -	gen_require(`
 -		attribute nut_domain;
@ -45712,19 +45737,28 @@ index 57c0161..56660c5 100644
 -	domain_system_change_exemption($1)
 -	role_transition $2 nut_initrc_exec_t system_r;
 -	allow $2 system_r;
-
+interface(`nut_systemctl',`
 +    gen_require(`
 +        type nut_t;
 +        type nut_unit_file_t;
 +    ')
 -	files_search_etc($1)
 -	admin_pattern($1, nut_conf_t)
-
+	systemd_exec_systemctl($1)
 +	systemd_read_fifo_file_password_run($1)
 +    allow $1 nut_unit_file_t:file read_file_perms;
 +    allow $1 nut_unit_file_t:service manage_service_perms;
 -	files_search_pids($1)
 -	admin_pattern($1, nut_var_run_t)
-')
+    ps_process_pattern($1, swift_t)
-+## <summary>nut - Network UPS Tools </summary>
+ ')
 diff --git a/nut.te b/nut.te
-index 0c9deb7..87c7eb7 100644
+index 0c9deb7..dbc52a1 100644
 --- a/nut.te
 +++ b/nut.te
-@@ -1,121 +1,105 @@
+@@ -1,121 +1,108 @@
 -policy_module(nut, 1.2.4)
 +policy_module(nut, 1.2.0)
@ -45759,6 +45793,9 @@ index 0c9deb7..87c7eb7 100644
 type nut_var_run_t;
 files_pid_file(nut_var_run_t)
 -init_daemon_run_dir(nut_var_run_t, "nut")
 +
 +type nut_unit_file_t;
 +systemd_unit_file(nut_unit_file_t)
 ########################################
 #
@ -45774,20 +45811,20 @@ index 0c9deb7..87c7eb7 100644
 -allow nut_domain nut_conf_t:dir list_dir_perms;
 -allow nut_domain nut_conf_t:file read_file_perms;
 -allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
 -
 -manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
 -manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
 -files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
 +allow nut_upsd_t self:capability { setgid setuid dac_override };
 +allow nut_upsd_t self:process signal_perms;
-kernel_read_kernel_sysctls(nut_domain)
+-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
 -manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
 -files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
 +allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-logging_send_syslog_msg(nut_domain)
+-kernel_read_kernel_sysctls(nut_domain)
 +allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
 -logging_send_syslog_msg(nut_domain)
 -
 -miscfiles_read_localization(nut_domain)
 -
 -########################################
@ -45803,18 +45840,18 @@ index 0c9deb7..87c7eb7 100644
 +manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
 manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
 -files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
 -
 -stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
 +files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
 -stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
 +kernel_read_kernel_sysctls(nut_upsd_t)
 -corenet_all_recvfrom_unlabeled(nut_upsd_t)
 -corenet_all_recvfrom_netlabel(nut_upsd_t)
 -corenet_tcp_sendrecv_generic_if(nut_upsd_t)
 -corenet_tcp_sendrecv_generic_node(nut_upsd_t)
 -corenet_tcp_sendrecv_all_ports(nut_upsd_t)
 -corenet_tcp_bind_generic_node(nut_upsd_t)
-+kernel_read_kernel_sysctls(nut_upsd_t)
+-
 -corenet_sendrecv_ups_server_packets(nut_upsd_t)
 corenet_tcp_bind_ups_port(nut_upsd_t)
 -
@ -45842,9 +45879,9 @@ index 0c9deb7..87c7eb7 100644
 +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
 +allow nut_upsmon_t self:tcp_socket create_socket_perms;
 +read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
 +
 +read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
 +# pid file
 +manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
 +manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
@ -45889,7 +45926,7 @@ index 0c9deb7..87c7eb7 100644
 mta_send_mail(nut_upsmon_t)
 optional_policy(`
-@@ -124,14 +108,27 @@ optional_policy(`
+@@ -124,14 +111,27 @@ optional_policy(`
 ########################################
 #
@ -45919,7 +45956,7 @@ index 0c9deb7..87c7eb7 100644
 corecmd_exec_bin(nut_upsdrvctl_t)
 dev_read_sysfs(nut_upsdrvctl_t)
-@@ -144,17 +141,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
+@@ -144,17 +144,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
 init_sigchld(nut_upsdrvctl_t)
@ -47570,7 +47607,7 @@ index 0000000..1a26cd5
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..4bc6574
+index 0000000..b89f7fc
 --- /dev/null
 +++ b/openshift.te
@@ -0,0 +1,463 @@
@ -47970,7 +48007,7 @@ index 0000000..4bc6574
 +#
 +# openshift_cron local policy
 +#
-+allow openshift_cron_t self:capability net_admin;
+allow openshift_cron_t self:capability { net_admin sys_admin };
 +allow openshift_cron_t self:process signal_perms;
 +allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
 +allow openshift_cron_t self:udp_socket create_socket_perms;
@ -48762,7 +48799,7 @@ index 9682d9a..d47f913 100644
 +	')
 ')
 diff --git a/pacemaker.te b/pacemaker.te
-index 3dd8ada..9683812 100644
+index 3dd8ada..993c92c 100644
 --- a/pacemaker.te
 +++ b/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2)
@ -48839,7 +48876,7 @@ index 3dd8ada..9683812 100644
 files_read_kernel_symbol_table(pacemaker_t)
 fs_getattr_all_fs(pacemaker_t)
-@@ -75,9 +87,16 @@ auth_use_nsswitch(pacemaker_t)
+@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t)
 logging_send_syslog_msg(pacemaker_t)
@ -48855,8 +48892,12 @@ index 3dd8ada..9683812 100644
 +	corosync_setattr_log(pacemaker_t)
 	corosync_stream_connect(pacemaker_t)
 +	corosync_rw_tmpfs(pacemaker_t)
- ')
+')
 +
 +optional_policy(`
 +	#executes heartbeat lib files
 +	rgmanager_execute_lib(pacemaker_t)
 ')
 diff --git a/pads.if b/pads.if
 index 6e097c9..503c97a 100644
 --- a/pads.if
@ -62321,12 +62362,14 @@ index f1512d6..93f1ee6 100644
 userdom_dontaudit_search_user_home_dirs(readahead_t)
 diff --git a/realmd.fc b/realmd.fc
-index 04babe3..3c24ce4 100644
+index 04babe3..02a1f34 100644
 --- a/realmd.fc
 +++ b/realmd.fc
-@@ -1 +1 @@
+@@ -1 +1,3 @@
 -/usr/lib/realmd/realmd	--	gen_context(system_u:object_r:realmd_exec_t,s0)
 +/usr/lib/realmd/realmd		--	gen_context(system_u:object_r:realmd_exec_t,s0)
 +
 +/var/cache/realmd(/.*)?			gen_context(system_u:object_r:realmd_var_cache_t,s0)
 diff --git a/realmd.if b/realmd.if
 index bff31df..e38693b 100644
 --- a/realmd.if
@ -62344,7 +62387,7 @@ index bff31df..e38693b 100644
 ## <param name="domain">
 ## <summary>
 diff --git a/realmd.te b/realmd.te
-index 9a8f052..5372646 100644
+index 9a8f052..ecd8eaf 100644
 --- a/realmd.te
 +++ b/realmd.te
@@ -1,4 +1,4 @@
@ -62353,13 +62396,16 @@ index 9a8f052..5372646 100644
 ########################################
 #
-@@ -7,11 +7,12 @@ policy_module(realmd, 1.0.2)
+@@ -7,43 +7,52 @@ policy_module(realmd, 1.0.2)
 type realmd_t;
 type realmd_exec_t;
 -init_system_domain(realmd_t, realmd_exec_t)
 +application_domain(realmd_t, realmd_exec_t)
 +role system_r types realmd_t;
 +
 +type realmd_var_cache_t;
 +files_type(realmd_var_cache_t)
 ########################################
 #
@ -62368,7 +62414,13 @@ index 9a8f052..5372646 100644
 #
 allow realmd_t self:capability sys_nice;
-@@ -22,28 +23,30 @@ kernel_read_system_state(realmd_t)
+ allow realmd_t self:process setsched;
 +manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
 +manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
 +
 kernel_read_system_state(realmd_t)
 corecmd_exec_bin(realmd_t)
 corecmd_exec_shell(realmd_t)
@ -62408,7 +62460,7 @@ index 9a8f052..5372646 100644
 optional_policy(`
 	dbus_system_domain(realmd_t, realmd_exec_t)
-@@ -67,17 +70,21 @@ optional_policy(`
+@@ -67,17 +76,21 @@ optional_policy(`
 optional_policy(`
 	nis_exec_ypbind(realmd_t)
@ -62433,7 +62485,7 @@ index 9a8f052..5372646 100644
 ')
 optional_policy(`
-@@ -86,5 +93,9 @@ optional_policy(`
+@@ -86,5 +99,9 @@ optional_policy(`
 	sssd_manage_lib_files(realmd_t)
 	sssd_manage_public_files(realmd_t)
 	sssd_read_pid_files(realmd_t)
@ -62698,7 +62750,7 @@ index 5421af0..91e69b8 100644
 +/var/run/heartbeat(/.*)?             gen_context(system_u:object_r:rgmanager_var_run_t,s0)
 +/var/run/rgmanager\.pid			--	gen_context(system_u:object_r:rgmanager_var_run_t,s0)
 diff --git a/rgmanager.if b/rgmanager.if
-index 1c2f9aa..5bd6fdb 100644
+index 1c2f9aa..7d70a46 100644
 --- a/rgmanager.if
 +++ b/rgmanager.if
@@ -1,13 +1,13 @@
@ -62801,7 +62853,7 @@ index 1c2f9aa..5bd6fdb 100644
 	init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -121,3 +139,27 @@ interface(`rgmanager_admin',`
+@@ -121,3 +139,47 @@ interface(`rgmanager_admin',`
 	files_list_pids($1)
 	admin_pattern($1, rgmanager_var_run_t)
 ')
@ -62829,6 +62881,26 @@ index 1c2f9aa..5bd6fdb 100644
 +    files_list_pids($1)
 +    admin_pattern($1, rgmanager_var_run_t)
 +')
 +
 +######################################
 +## <summary>
 +##  Allow the specified domain to execute rgmanager's lib files.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`rgmanager_execute_lib',`
 +    gen_require(`
 +        type rgmanager_var_lib_t;
 +    ')
 +
 +    files_list_var_lib($1)
 +	allow $1 rgmanager_var_lib_t:dir search_dir_perms;
 +    can_exec($1, rgmanager_var_lib_t)
 +')
 diff --git a/rgmanager.te b/rgmanager.te
 index b418d1c..1ad9c12 100644
 --- a/rgmanager.te
@ -63054,15 +63126,16 @@ index b418d1c..1ad9c12 100644
 	xen_domtrans_xm(rgmanager_t)
 ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..977f2eb 100644
+index 47de2d6..d022603 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,30 @@
+@@ -1,31 +1,31 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
 +/usr/sbin/fenced			--	gen_context(system_u:object_r:fenced_exec_t,s0)
 +/usr/sbin/fence_node			--	gen_context(system_u:object_r:fenced_exec_t,s0)
 +/usr/sbin/fence_sanlockd		--	gen_context(system_u:object_r:fenced_exec_t,s0)
 +/usr/sbin/fence_tool                    --      gen_context(system_u:object_r:fenced_exec_t,s0) 
 +/usr/sbin/fence_virtd 			--      gen_context(system_u:object_r:fenced_exec_t,s0) 
 +/usr/sbin/gfs_controld			--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
@ -71365,7 +71438,7 @@ index cd6c213..34b861a 100644
 +	allow $1 sanlock_unit_file_t:service all_service_perms;
 ')
 diff --git a/sanlock.te b/sanlock.te
-index a34eac4..4f4eaf4 100644
+index a34eac4..114c9d2 100644
 --- a/sanlock.te
 +++ b/sanlock.te
@@ -1,4 +1,4 @@
@ -71460,7 +71533,7 @@ index a34eac4..4f4eaf4 100644
 auth_use_nsswitch(sanlock_t)
 init_read_utmp(sanlock_t)
-@@ -79,20 +87,25 @@ init_dontaudit_write_utmp(sanlock_t)
+@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t)
 logging_send_syslog_msg(sanlock_t)
@ -71492,10 +71565,14 @@ index a34eac4..4f4eaf4 100644
 +    fs_manage_cifs_files(sanlock_t)
 +    fs_manage_cifs_named_sockets(sanlock_t)
 +    fs_read_cifs_symlinks(sanlock_t)
 +')
 +
 +optional_policy(`
 +    rhcs_domtrans_fenced(sanlock_t)
 ')
 optional_policy(`
-@@ -100,7 +113,7 @@ optional_policy(`
+@@ -100,7 +117,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -87038,7 +87115,7 @@ index f93558c..cc73c96 100644
 	files_search_pids($1)
 diff --git a/xen.te b/xen.te
-index ed40676..8042769 100644
+index ed40676..0706207 100644
 --- a/xen.te
 +++ b/xen.te
@@ -1,42 +1,34 @@
@ -87360,7 +87437,12 @@ index ed40676..8042769 100644
 kernel_read_kernel_sysctls(xend_t)
 kernel_read_system_state(xend_t)
-@@ -228,57 +275,39 @@ kernel_read_network_state(xend_t)
+@@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t)
 kernel_read_xen_state(xend_t)
 kernel_rw_net_sysctls(xend_t)
 kernel_read_network_state(xend_t)
 +kernel_request_load_module(xend_t)
 corecmd_exec_bin(xend_t)
 corecmd_exec_shell(xend_t)
@ -87424,7 +87506,7 @@ index ed40676..8042769 100644
 storage_read_scsi_generic(xend_t)
-@@ -295,7 +324,8 @@ locallogin_dontaudit_use_fds(xend_t)
+@@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t)
 logging_send_syslog_msg(xend_t)
@ -87434,7 +87516,7 @@ index ed40676..8042769 100644
 miscfiles_read_hwdata(xend_t)
 sysnet_domtrans_dhcpc(xend_t)
-@@ -308,23 +338,7 @@ sysnet_rw_dhcp_config(xend_t)
+@@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t)
 userdom_dontaudit_search_user_home_dirs(xend_t)
@ -87459,7 +87541,7 @@ index ed40676..8042769 100644
 optional_policy(`
 	brctl_domtrans(xend_t)
-@@ -342,7 +356,7 @@ optional_policy(`
+@@ -342,7 +357,7 @@ optional_policy(`
 	mount_domtrans(xend_t)
 ')
@ -87468,7 +87550,7 @@ index ed40676..8042769 100644
 	netutils_domtrans(xend_t)
 ')
-@@ -351,6 +365,7 @@ optional_policy(`
+@@ -351,6 +366,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -87476,7 +87558,7 @@ index ed40676..8042769 100644
 	virt_search_images(xend_t)
 	virt_read_config(xend_t)
 ')
-@@ -365,13 +380,9 @@ allow xenconsoled_t self:process setrlimit;
+@@ -365,13 +381,9 @@ allow xenconsoled_t self:process setrlimit;
 allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
 allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
@ -87492,7 +87574,7 @@ index ed40676..8042769 100644
 manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
 manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
 files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
-@@ -384,10 +395,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t)
 dev_filetrans_xen(xenconsoled_t)
 dev_rw_sysfs(xenconsoled_t)
@ -87503,7 +87585,7 @@ index ed40676..8042769 100644
 fs_list_tmpfs(xenconsoled_t)
 fs_manage_xenfs_dirs(xenconsoled_t)
-@@ -395,15 +402,13 @@ fs_manage_xenfs_files(xenconsoled_t)
+@@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t)
 term_create_pty(xenconsoled_t, xen_devpts_t)
 term_use_generic_ptys(xenconsoled_t)
@ -87521,7 +87603,7 @@ index ed40676..8042769 100644
 xen_stream_connect_xenstore(xenconsoled_t)
 optional_policy(`
-@@ -416,24 +421,26 @@ optional_policy(`
+@@ -416,24 +422,26 @@ optional_policy(`
 #
 allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
@ -87552,7 +87634,7 @@ index ed40676..8042769 100644
 manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
 manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
 manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
-@@ -448,157 +455,36 @@ dev_filetrans_xen(xenstored_t)
+@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 dev_read_sysfs(xenstored_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -521,6 +521,17 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Feb 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-11
 - Allow gpg to read fips_enabled
 - Add support for /var/cache/realmd
 - Add support for /usr/sbin/blazer_usb and systemd support for nut
 - Add labeling for fenced_sanlock and allow sanclok transition to fenced_t
 - bitlbee wants to read own log file
 - Allow glance domain to send a signal itself
 - Allow xend_t to request that the kernel load a kernel module
 - Allow pacemaker to execute heartbeat lib files
 - cleanup new swift policy
 * Tue Feb 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-10
 - Fix smartmontools
 - Fix userdom_restricted_xwindows_user_template() interface