* Mon Nov 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-92

- Add kdump_rw_inherited_kdumpctl_tmp_pipes() - Added fixes related to linuxptp. BZ (1149693) - Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424 - Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256) - Fix seutil_dontaudit_access_check_load_policy() - Add dontaudit interfaces for audit_access in seutil - Label /etc/strongimcv as ipsec_conf_file_t.
2014-11-10 18:19:50 +01:00 · 2014-11-10 18:19:50 +01:00 · b6161d4177
commit b6161d4177
parent 062b36f481
3 changed files with 221 additions and 36 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -32228,10 +32228,10 @@ index 17eda24..d4113cc 100644
 +    ')
 + ')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..fc34e78 100644
+index 662e79b..353c3b7 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,24 @@
+@@ -1,14 +1,25 @@
 /etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/strongswan	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
@ -32251,13 +32251,14 @@ index 662e79b..fc34e78 100644
 /etc/racoon/certs(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
 
 +/etc/strongswan(/.*)?		gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/strongimcv(/.*)?       gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 +
 /etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
 +/etc/strongswan/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
 
 /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
 
-@@ -26,16 +36,26 @@
+@@ -26,16 +37,26 @@
 /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@ -37267,10 +37268,35 @@ index d43f3b1..870bc36 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..270bde3 100644
+index 3822072..8686e0a 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
-@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
+@@ -135,6 +135,24 @@ interface(`seutil_exec_loadpolicy',`
+ 
+ ########################################
+ ## <summary>
+## Dontaudit access check on load_policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_access_check_load_policy',`
+	gen_require(`
+		type load_policy_exec_t;
+	')
+
+    dontaudit $1 load_policy_exec_t:file audit_access;
+')
+
+########################################
+## <summary>
+ ##	Read the load_policy program file.
+ ## </summary>
+ ## <param name="domain">
+@@ -192,11 +210,22 @@ interface(`seutil_domtrans_newrole',`
 #
 interface(`seutil_run_newrole',`
 	gen_require(`
@ -37295,7 +37321,7 @@ index 3822072..270bde3 100644
 ')
 
 ########################################
-@@ -359,6 +370,27 @@ interface(`seutil_exec_restorecon',`
+@@ -359,6 +388,27 @@ interface(`seutil_exec_restorecon',`
 
 ########################################
 ## <summary>
@ -37323,7 +37349,7 @@ index 3822072..270bde3 100644
 ##	Execute run_init in the run_init domain.
 ## </summary>
 ## <param name="domain">
-@@ -425,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',`
+@@ -425,11 +475,20 @@ interface(`seutil_init_script_domtrans_runinit',`
 #
 interface(`seutil_run_runinit',`
 	gen_require(`
@ -37347,7 +37373,7 @@ index 3822072..270bde3 100644
 ')
 
 ########################################
-@@ -461,11 +502,19 @@ interface(`seutil_run_runinit',`
+@@ -461,11 +520,19 @@ interface(`seutil_run_runinit',`
 #
 interface(`seutil_init_script_run_runinit',`
 	gen_require(`
@ -37370,7 +37396,7 @@ index 3822072..270bde3 100644
 ')
 
 ########################################
-@@ -535,6 +584,53 @@ interface(`seutil_run_setfiles',`
+@@ -535,6 +602,53 @@ interface(`seutil_run_setfiles',`
 
 ########################################
 ## <summary>
@ -37424,7 +37450,32 @@ index 3822072..270bde3 100644
 ##	Execute setfiles in the caller domain.
 ## </summary>
 ## <param name="domain">
-@@ -680,10 +776,115 @@ interface(`seutil_manage_config',`
+@@ -555,6 +669,24 @@ interface(`seutil_exec_setfiles',`
+ 
+ ########################################
+ ## <summary>
+## Dontaudit access check on setfiles.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_access_check_setfiles',`
+	gen_require(`
+		type setfiles_exec_t;
+	')
+
+    dontaudit $1 setfiles_exec_t:file audit_access;
+')
+
+########################################
+## <summary>
+ ##	Do not audit attempts to search the SELinux
+ ##	configuration directory (/etc/selinux).
+ ## </summary>
+@@ -680,10 +812,115 @@ interface(`seutil_manage_config',`
 	')
 
 	files_search_etc($1)
@ -37540,7 +37591,7 @@ index 3822072..270bde3 100644
 #######################################
 ## <summary>
 ##	Create, read, write, and delete
-@@ -694,15 +895,62 @@ interface(`seutil_manage_config',`
+@@ -694,15 +931,62 @@ interface(`seutil_manage_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -37606,7 +37657,7 @@ index 3822072..270bde3 100644
 ')
 
 ########################################
-@@ -746,6 +994,29 @@ interface(`seutil_read_default_contexts',`
+@@ -746,6 +1030,29 @@ interface(`seutil_read_default_contexts',`
 	read_files_pattern($1, default_context_t, default_context_t)
 ')
 
@ -37636,7 +37687,7 @@ index 3822072..270bde3 100644
 ########################################
 ## <summary>
 ##	Create, read, write, and delete the default_contexts files.
-@@ -784,7 +1055,9 @@ interface(`seutil_read_file_contexts',`
+@@ -784,7 +1091,9 @@ interface(`seutil_read_file_contexts',`
 
 	files_search_etc($1)
 	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
@ -37646,7 +37697,7 @@ index 3822072..270bde3 100644
 ')
 
 ########################################
-@@ -999,6 +1272,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -999,6 +1308,26 @@ interface(`seutil_domtrans_semanage',`
 
 ########################################
 ## <summary>
@ -37673,7 +37724,7 @@ index 3822072..270bde3 100644
 ##	Execute semanage in the semanage domain, and
 ##	allow the specified role the semanage domain,
 ##	and use the caller's terminal.
-@@ -1017,11 +1310,67 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1346,67 @@ interface(`seutil_domtrans_semanage',`
 #
 interface(`seutil_run_semanage',`
 	gen_require(`
@ -37743,7 +37794,7 @@ index 3822072..270bde3 100644
 ')
 
 ########################################
-@@ -1043,7 +1392,11 @@ interface(`seutil_manage_module_store',`
+@@ -1043,7 +1428,11 @@ interface(`seutil_manage_module_store',`
 	files_search_etc($1)
 	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
 	manage_files_pattern($1, semanage_store_t, semanage_store_t)
@ -37755,7 +37806,32 @@ index 3822072..270bde3 100644
 ')
 
 #######################################
-@@ -1137,3 +1490,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1067,6 +1456,24 @@ interface(`seutil_get_semanage_read_lock',`
+ 
+ #######################################
+ ## <summary>
+##	Dontaudit access check on module store
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_access_check_semanage_read_lock',`
+	gen_require(`
+		type semanage_read_lock_t;
+	')
+
+    dontaudit $1 semanage_read_lock_t:file audit_access;
+')
+
+#######################################
+## <summary>
+ ##	Get trans lock on module store
+ ## </summary>
+ ## <param name="domain">
+@@ -1137,3 +1544,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
 	selinux_dontaudit_get_fs_mount($1)
 	seutil_dontaudit_read_config($1)
 ')
@ -39289,7 +39365,7 @@ index 2cea692..e094fc0 100644
 +	files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..4302955 100644
+index a392fc4..ca1b2bc 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -39648,12 +39724,13 @@ index a392fc4..4302955 100644
 ')
 
 optional_policy(`
-@@ -350,7 +450,15 @@ optional_policy(`
+@@ -350,7 +450,16 @@ optional_policy(`
 ')
 
 optional_policy(`
 -	nis_use_ypbind(ifconfig_t)
 +	kdump_dontaudit_read_config(ifconfig_t)
+    kdump_rw_inherited_kdumpctl_tmp_pipes(ifconfig_t)
 +')
 +
 +optional_policy(`
@ -39665,7 +39742,7 @@ index a392fc4..4302955 100644
 ')
 
 optional_policy(`
-@@ -371,3 +479,13 @@ optional_policy(`
+@@ -371,3 +480,13 @@ optional_policy(`
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -12502,7 +12502,7 @@ index 32e8265..0de4af3 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
 ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c..f975594 100644
+index e5b621c..fc150e9 100644
 --- a/chronyd.te
 +++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -12533,7 +12533,7 @@ index e5b621c..f975594 100644
 allow chronyd_t chronyd_keys_t:file read_file_perms;
 
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,24 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,29 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
 
@ -12559,6 +12559,11 @@ index e5b621c..f975594 100644
 optional_policy(`
 -	mta_send_mail(chronyd_t)
 +    timemaster_stream_connect(chronyd_t)
+    timemaster_rw_shm(chronyd_t)
+')
+
+optional_policy(`
+    ptp4l_rw_shm(chronyd_t)
 ')
 diff --git a/cinder.fc b/cinder.fc
 new file mode 100644
@ -37843,7 +37848,7 @@ index a49ae4e..0c0e987 100644
 +
 +/var/lock/kdump(/.*)?   gen_context(system_u:object_r:kdump_lock_t,s0)
 diff --git a/kdump.if b/kdump.if
-index 3a00b3a..21efcc4 100644
+index 3a00b3a..6043fd6 100644
 --- a/kdump.if
 +++ b/kdump.if
@@ -1,4 +1,4 @@
@ -37984,7 +37989,7 @@ index 3a00b3a..21efcc4 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -76,10 +177,69 @@ interface(`kdump_manage_config',`
+@@ -76,10 +177,88 @@ interface(`kdump_manage_config',`
 	allow $1 kdump_etc_t:file manage_file_perms;
 ')
 
@ -38009,6 +38014,25 @@ index 3a00b3a..21efcc4 100644
 +
 +###################################
 +## <summary>
+##      Read/write inherited kdump /var/tmp named pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kdump_rw_inherited_kdumpctl_tmp_pipes',`
+        gen_require(`
+                type kdumpctl_tmp_t;
+        ')
+
+    files_search_tmp($1)
+    allow $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+###################################
+## <summary>
 +##      Manage kdump /var/tmp files.
 +## </summary>
 +## <param name="domain">
@ -38056,7 +38080,7 @@ index 3a00b3a..21efcc4 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -88,19 +248,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +267,24 @@ interface(`kdump_manage_config',`
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -38086,7 +38110,7 @@ index 3a00b3a..21efcc4 100644
 
 	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -110,6 +275,10 @@ interface(`kdump_admin',`
+@@ -110,6 +294,10 @@ interface(`kdump_admin',`
 	files_search_etc($1)
 	admin_pattern($1, kdump_etc_t)
 
@ -39886,16 +39910,18 @@ index 628b78b..fe65617 100644
 -
 -miscfiles_read_localization(keyboardd_t)
 diff --git a/keystone.fc b/keystone.fc
-index b273d80..6a07210 100644
+index b273d80..9b6e9bd 100644
 --- a/keystone.fc
 +++ b/keystone.fc
-@@ -1,3 +1,5 @@
+@@ -1,7 +1,13 @@
 +/usr/lib/systemd/system/openstack-keystone.*		--	gen_context(system_u:object_r:keystone_unit_file_t,s0)
 +
 /etc/rc\.d/init\.d/openstack-keystone	--	gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
 
 /usr/bin/keystone-all	--	gen_context(system_u:object_r:keystone_exec_t,s0)
-@@ -5,3 +7,5 @@
+ 
+/usr/share/keystone(/.*)?	gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
+
 /var/lib/keystone(/.*)?	gen_context(system_u:object_r:keystone_var_lib_t,s0)
 
 /var/log/keystone(/.*)?	gen_context(system_u:object_r:keystone_log_t,s0)
@ -41912,10 +41938,10 @@ index 0000000..d2061a9
 +/var/run/timemaster(/.*)?				gen_context(system_u:object_r:timemaster_var_run_t,s0)
 diff --git a/linuxptp.if b/linuxptp.if
 new file mode 100644
-index 0000000..8d6873f
+index 0000000..236707b
 --- /dev/null
 +++ b/linuxptp.if
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,103 @@
 +## <summary>implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.</summary>
 +
 +########################################
@ -41975,12 +42001,56 @@ index 0000000..8d6873f
 +        stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
 +')
 +
+########################################
+## <summary>
+## Read and write timemaster shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`timemaster_rw_shm',`
+	gen_require(`
+		type timemaster_t, timemaster_tmpfs_t;
+	')
+
+	allow $1 timemaster_t:shm rw_shm_perms;
+	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Read and write ptp4l_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ptp4l_rw_shm',`
+	gen_require(`
+		type ptp4l_t, timemaster_tmpfs_t;
+	')
+
+	allow $1 ptp4l_t:shm rw_shm_perms;
+	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	fs_search_tmpfs($1)
+')
+
 diff --git a/linuxptp.te b/linuxptp.te
 new file mode 100644
-index 0000000..5a1445c
+index 0000000..affa9bd
 --- /dev/null
 +++ b/linuxptp.te
-@@ -0,0 +1,144 @@
+@@ -0,0 +1,173 @@
 +policy_module(linuxptp, 1.0.0)
 +
 +
@ -41996,6 +42066,9 @@ index 0000000..5a1445c
 +type timemaster_var_run_t;
 +files_pid_file(timemaster_var_run_t)
 +
+type timemaster_tmpfs_t;
+files_tmpfs_file(timemaster_tmpfs_t)
+
 +type timemaster_unit_file_t;
 +systemd_unit_file(timemaster_unit_file_t)
 +
@ -42028,11 +42101,17 @@ index 0000000..5a1445c
 +allow timemaster_t ptp4l_t:process signal;
 +allow timemaster_t phc2sys_t:process signal;
 +
+allow timemaster_t ptp4l_t:shm rw_shm_perms;
+
 +manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
 +manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
 +manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
 +files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
 +
+manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file })
+
 +kernel_read_network_state(timemaster_t)
 +
 +auth_use_nsswitch(timemaster_t)
@ -42040,11 +42119,17 @@ index 0000000..5a1445c
 +corenet_udp_bind_generic_node(timemaster_t)
 +corenet_udp_bind_ntp_port(timemaster_t)
 +
+dev_read_urand(timemaster_t)
+
 +logging_send_syslog_msg(timemaster_t)
 +
 +sysnet_read_config(timemaster_t)
 +
 +optional_policy(`
+	ntp_domtrans(timemaster_t)
+')
+
+optional_policy(`
 +	chronyd_domtrans(timemaster_t)
 +	chronyd_rw_shm(timemaster_t)
 +')
@ -42074,11 +42159,19 @@ index 0000000..5a1445c
 +
 +allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
 +
+allow phc2sys_t timemaster_t:shm rw_shm_perms;
+
 +manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
 +manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
 +manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
 +files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
 +
+manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file })
+
+dev_rw_realtime_clock(phc2sys_t)
+
 +logging_send_syslog_msg(phc2sys_t)
 +
 +optional_policy(`
@ -42112,9 +42205,15 @@ index 0000000..5a1445c
 +manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
 +files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
 +
+manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })
+
 +corenet_udp_bind_generic_node(ptp4l_t)
 +corenet_udp_bind_reserved_port(ptp4l_t)
 +
+dev_rw_realtime_clock(ptp4l_t)
+
 +logging_send_syslog_msg(ptp4l_t)
 +
 +optional_policy(`
@ -67101,7 +67200,7 @@ index 032a84d..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
 ')
 diff --git a/policykit.te b/policykit.te
-index ee91778..b00a474 100644
+index ee91778..945a36f 100644
 --- a/policykit.te
 +++ b/policykit.te
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
@ -67297,7 +67396,7 @@ index ee91778..b00a474 100644
 
 userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
 +userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
-+userdom_dontaudit_manage_user_home_dirs(policykit_auth_t)
+userdom_dontaudit_access_check_user_content(policykit_auth_t)
 +userdom_read_admin_home_files(policykit_auth_t)
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 91%{?dist}
+Release: 92%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -604,6 +604,15 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Nov 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-92
+- Add kdump_rw_inherited_kdumpctl_tmp_pipes()
+- Added fixes related to linuxptp. BZ (1149693)
+- Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424
+- Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256)
+- Fix seutil_dontaudit_access_check_load_policy()
+- Add dontaudit interfaces for audit_access in seutil
+- Label /etc/strongimcv as ipsec_conf_file_t.
+
 * Fri Nov 07 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-91
 - Added interface userdom_dontaudit_manage_user_home_dirs
 - Fix unconfined_server_dbus_chat() interface.