* Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122

- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013) - Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180) - Allow mongod to work with configured SSSD. - Add collectd net_raw capability. BZ(1194169) - Merge postfix spool types(maildrop,flush) to one postfix_spool_t - Allow dhcpd kill capability. - Make rwhod as nsswitch domain. - Add support for new fence agent fence_mpath which is executed by fence_node. - Fix cloudform policy.(m4 is case sensitive) - Allow networkmanager and cloud_init_t to dbus chat - Allow lsmd plugin to run with configured SSSD. - Allow bacula access to tape devices. - Allow sblim domain to read sysctls.. - Allow timemaster send a signal to ntpd. - Allow mysqld_t to use pam.It is needed by MariDB if auth_apm.so auth plugin is used. - two 'l' is enough. - Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files. - Allow polkit to dbus chat with xserver. (1207478) - Add lvm_stream_connect() interface. - Set label of /sys/kernel/debug
2015-04-07 16:26:56 +02:00 · 2015-04-07 16:26:56 +02:00 · b9a1c72d29
commit b9a1c72d29
parent 5852f33770
3 changed files with 185 additions and 84 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -15878,14 +15878,16 @@ index e7d1738..3ed4189 100644
 ########################################
 #
 diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
-index 7be4ddf..71e675a 100644
+index 7be4ddf..9710b33 100644
 --- a/policy/modules/kernel/kernel.fc
 +++ b/policy/modules/kernel/kernel.fc
-@@ -1 +1,3 @@
+@@ -1 +1,5 @@
 -# This module currently does not have any file contexts.
 +
 +/sys/class/net/ib.* 	  --	gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 +/sys/kernel/debug -d	gen_context(system_u:object_r:debugfs_t,s0)
 +/sys/kernel/debug/.*	<<none>>
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
 index e100d88..f45a698 100644
 --- a/policy/modules/kernel/kernel.if
@ -25799,7 +25801,7 @@ index 6bf0ecc..b036584 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..4f6e00b 100644
+index 8b40377..2532a81 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -26964,7 +26966,7 @@ index 8b40377..4f6e00b 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1281,50 @@ optional_policy(`
+@@ -785,17 +1281,54 @@ optional_policy(`
 ')
 optional_policy(`
@ -27006,6 +27008,10 @@ index 8b40377..4f6e00b 100644
 +	mozilla_plugin_rw_tmpfs_files(xserver_t)
 +')
 +
 +optional_policy(`
 +    policykit_dbus_chat(xserver_t)
 +')
 +
 +optional_policy(`
 	udev_read_db(xserver_t)
 ')
@ -27017,7 +27023,7 @@ index 8b40377..4f6e00b 100644
 ')
 optional_policy(`
-@@ -803,6 +1332,10 @@ optional_policy(`
+@@ -803,6 +1336,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -27028,7 +27034,7 @@ index 8b40377..4f6e00b 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -818,18 +1351,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1355,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -27053,7 +27059,7 @@ index 8b40377..4f6e00b 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -842,26 +1374,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1378,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -27088,7 +27094,7 @@ index 8b40377..4f6e00b 100644
 ')
 optional_policy(`
-@@ -912,7 +1439,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1443,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -27097,7 +27103,7 @@ index 8b40377..4f6e00b 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1493,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1497,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -27129,7 +27135,7 @@ index 8b40377..4f6e00b 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1539,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1543,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
@ -35469,7 +35475,7 @@ index 6b91740..562d1fd 100644
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
 /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..65018fa 100644
+index 58bc27f..a4ec06e 100644
 --- a/policy/modules/system/lvm.if
 +++ b/policy/modules/system/lvm.if
@@ -1,5 +1,22 @@
@ -35546,7 +35552,33 @@ index 58bc27f..65018fa 100644
 ##	Manage LVM configuration files.
 ## </summary>
 ## <param name="domain">
-@@ -123,3 +184,131 @@ interface(`lvm_domtrans_clvmd',`
+@@ -105,6 +166,25 @@ interface(`lvm_manage_config',`
 	manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
 ')
 +########################################
 +## <summary>
 +##	Connect to lvm using a unix domain stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`lvm_stream_connect',`
 +	gen_require(`
 +		type lvm_t, lvm_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1, lvm_var_run_t, lvm_var_run_t, lvm_t)
 +')
 +
 ######################################
 ## <summary>
 ##	Execute a domain transition to run clvmd.
@@ -123,3 +203,131 @@ interface(`lvm_domtrans_clvmd',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
 ')
@ -40292,10 +40324,10 @@ index a392fc4..ca1b2bc 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..a6664be
+index 0000000..a03b5ee
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,51 @@
 +HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +/root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +
@ -40317,6 +40349,7 @@ index 0000000..a6664be
 +/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-networkd\.service     gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-vconsole-setup\.service		gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-time.*\.service	--	gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
 +/usr/lib/systemd/system/.*halt.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*hibernate.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*power.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
@ -41814,10 +41847,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..b4916c2
+index 0000000..85428ce
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,707 @@
+@@ -0,0 +1,712 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -41900,6 +41933,9 @@ index 0000000..b4916c2
 +typeattribute systemd_timedated_t systemd_domain;
 +typealias systemd_timedated_t alias gnomeclock_t;
 +
 +type systemd_timedated_unit_file_t;
 +systemd_unit_file(systemd_timedated_unit_file_t)
 +
 +systemd_domain_template(systemd_sysctl)
 +
 +#######################################
@ -42395,6 +42431,8 @@ index 0000000..b4916c2
 +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
 +allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
 +
 +allow systemd_timedated_t systemd_timedated_unit_file_t:service manage_service_perms;
 +
 +corecmd_exec_bin(systemd_timedated_t)
 +corecmd_exec_shell(systemd_timedated_t)
 +corecmd_dontaudit_access_check_bin(systemd_timedated_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -5155,7 +5155,7 @@ index f6eb485..164501c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index 6649962..12fcbb6 100644
+index 6649962..9c06038 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@ -5858,7 +5858,7 @@ index 6649962..12fcbb6 100644
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +567,173 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -6037,6 +6037,7 @@ index 6649962..12fcbb6 100644
 -	corenet_sendrecv_oracledb_client_packets(httpd_t)
 -	corenet_tcp_connect_oracledb_port(httpd_t)
 -	corenet_tcp_sendrecv_oracledb_port(httpd_t)
 +	corenet_tcp_connect_mongod_port(httpd_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_t)
 +	corenet_tcp_connect_oracle_port(httpd_t)
 +	corenet_sendrecv_oracle_client_packets(httpd_t)
@ -6097,7 +6098,7 @@ index 6649962..12fcbb6 100644
 ')
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +744,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
 ')
@ -6157,7 +6158,7 @@ index 6649962..12fcbb6 100644
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +796,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +797,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
@ -6250,7 +6251,7 @@ index 6649962..12fcbb6 100644
 ')
 tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +845,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +846,48 @@ tunable_policy(`httpd_setrlimit',`
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6331,7 +6332,7 @@ index 6649962..12fcbb6 100644
 ')
 optional_policy(`
-@@ -749,24 +898,32 @@ optional_policy(`
+@@ -749,24 +899,32 @@ optional_policy(`
 ')
 optional_policy(`
@ -6370,7 +6371,7 @@ index 6649962..12fcbb6 100644
 ')
 optional_policy(`
-@@ -775,6 +932,10 @@ optional_policy(`
+@@ -775,6 +933,10 @@ optional_policy(`
 	tunable_policy(`httpd_dbus_avahi',`
 		avahi_dbus_chat(httpd_t)
 	')
@ -6381,7 +6382,7 @@ index 6649962..12fcbb6 100644
 ')
 optional_policy(`
-@@ -786,35 +947,60 @@ optional_policy(`
+@@ -786,35 +948,60 @@ optional_policy(`
 ')
 optional_policy(`
@ -6455,7 +6456,7 @@ index 6649962..12fcbb6 100644
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1008,18 @@ optional_policy(`
+@@ -822,8 +1009,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -6474,7 +6475,7 @@ index 6649962..12fcbb6 100644
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1028,7 @@ optional_policy(`
+@@ -832,6 +1029,7 @@ optional_policy(`
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -6482,7 +6483,7 @@ index 6649962..12fcbb6 100644
 ')
 optional_policy(`
-@@ -842,20 +1039,40 @@ optional_policy(`
+@@ -842,20 +1040,40 @@ optional_policy(`
 ')
 optional_policy(`
@ -6529,7 +6530,7 @@ index 6649962..12fcbb6 100644
 ')
 optional_policy(`
-@@ -863,19 +1080,35 @@ optional_policy(`
+@@ -863,19 +1081,35 @@ optional_policy(`
 ')
 optional_policy(`
@ -6565,7 +6566,7 @@ index 6649962..12fcbb6 100644
 	udev_read_db(httpd_t)
 ')
-@@ -883,65 +1116,189 @@ optional_policy(`
+@@ -883,65 +1117,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
@ -6777,7 +6778,7 @@ index 6649962..12fcbb6 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
-@@ -950,123 +1307,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
@ -6932,7 +6933,7 @@ index 6649962..12fcbb6 100644
 	mysql_read_config(httpd_suexec_t)
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1391,107 @@ optional_policy(`
+@@ -1083,172 +1392,107 @@ optional_policy(`
 	')
 ')
@ -7170,7 +7171,7 @@ index 6649962..12fcbb6 100644
 ')
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1499,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 tunable_policy(`httpd_use_cifs',`
@ -7267,7 +7268,7 @@ index 6649962..12fcbb6 100644
 ########################################
 #
-@@ -1321,8 +1574,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 optional_policy(`
@ -7284,7 +7285,7 @@ index 6649962..12fcbb6 100644
 ')
 ########################################
-@@ -1330,49 +1590,38 @@ optional_policy(`
+@@ -1330,49 +1591,38 @@ optional_policy(`
 # User content local policy
 #
@ -7349,7 +7350,7 @@ index 6649962..12fcbb6 100644
 kernel_read_system_state(httpd_passwd_t)
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1631,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1632,101 @@ dev_read_urand(httpd_passwd_t)
 domain_use_interactive_fds(httpd_passwd_t)
@ -8815,7 +8816,7 @@ index dcd774e..c240ffa 100644
 	allow $1 bacula_t:process { ptrace signal_perms };
 diff --git a/bacula.te b/bacula.te
-index f16b000..3c80c4b 100644
+index f16b000..aac8d2e 100644
 --- a/bacula.te
 +++ b/bacula.te
@@ -27,6 +27,9 @@ type bacula_store_t;
@ -8863,7 +8864,7 @@ index f16b000..3c80c4b 100644
 corenet_sendrecv_hplip_server_packets(bacula_t)
 corenet_tcp_bind_hplip_port(bacula_t)
 corenet_udp_bind_hplip_port(bacula_t)
-@@ -99,12 +112,14 @@ dev_getattr_all_blk_files(bacula_t)
+@@ -99,12 +112,18 @@ dev_getattr_all_blk_files(bacula_t)
 dev_getattr_all_chr_files(bacula_t)
 files_dontaudit_getattr_all_sockets(bacula_t)
@ -8874,11 +8875,15 @@ index f16b000..3c80c4b 100644
 fs_getattr_xattr_fs(bacula_t)
 fs_list_all(bacula_t)
 +storage_raw_read_fixed_disk(bacula_t)
 +storage_read_tape(bacula_t)
 +storage_write_tape(bacula_t)
 +
 +auth_use_nsswitch(bacula_t)
 auth_read_shadow(bacula_t)
 logging_send_syslog_msg(bacula_t)
-@@ -125,6 +140,12 @@ optional_policy(`
+@@ -125,6 +144,12 @@ optional_policy(`
 	ldap_stream_connect(bacula_t)
 ')
@ -8891,7 +8896,7 @@ index f16b000..3c80c4b 100644
 ########################################
 #
 # Client local policy
-@@ -148,11 +169,8 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -148,11 +173,8 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
 domain_use_interactive_fds(bacula_admin_t)
@ -13524,10 +13529,10 @@ index 0000000..a06f04b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..21e071f
+index 0000000..8c06c5d
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,240 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@ -13647,6 +13652,10 @@ index 0000000..21e071f
 +')
 +
 +optional_policy(`
 +    networkmanager_dbus_chat(cloud_init_t)
 +')
 +
 +optional_policy(`
 +    dmidecode_domtrans(cloud_init_t)
 +')
 +
@ -14536,7 +14545,7 @@ index 954309e..6780142 100644
 ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..32e85d5 100644
+index 6471fa8..294d8e0 100644
 --- a/collectd.te
 +++ b/collectd.te
@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
@ -14558,7 +14567,7 @@ index 6471fa8..32e85d5 100644
 #
 -allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:capability { ipc_lock net_admin sys_nice sys_ptrace dac_override };
+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override };
 allow collectd_t self:process { getsched setsched signal };
 allow collectd_t self:fifo_file rw_fifo_file_perms;
 allow collectd_t self:packet_socket create_socket_perms;
@ -23315,7 +23324,7 @@ index c697edb..954c090 100644
 +	allow $1 dhcpd_unit_file_t:service all_service_perms;
 ')
 diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..401ddbc 100644
+index 98a24b9..5a24c3a 100644
 --- a/dhcp.te
 +++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@ -23333,7 +23342,7 @@ index 98a24b9..401ddbc 100644
 #
 -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
-+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid setpcap sys_resource };
+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw kill setgid setuid setpcap sys_resource };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process { getcap setcap signal_perms };
 allow dhcpd_t self:fifo_file rw_fifo_file_perms;
@ -41949,10 +41958,10 @@ index 0000000..7ba5060
 +
 diff --git a/linuxptp.te b/linuxptp.te
 new file mode 100644
-index 0000000..15aea48
+index 0000000..7529f3c
 --- /dev/null
 +++ b/linuxptp.te
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,173 @@
 +policy_module(linuxptp, 1.0.0)
 +
 +
@ -42029,6 +42038,7 @@ index 0000000..15aea48
 +
 +optional_policy(`
 +	ntp_domtrans(timemaster_t)
 +    ntp_signal(timemaster_t)
 +')
 +
 +optional_policy(`
@ -43345,7 +43355,7 @@ index d314333..27ede09 100644
 +	')
 ')
 diff --git a/lsm.te b/lsm.te
-index 4ec0eea..930b3f2 100644
+index 4ec0eea..37557c2 100644
 --- a/lsm.te
 +++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@ -43380,7 +43390,7 @@ index 4ec0eea..930b3f2 100644
 ########################################
 #
 # Local policy
-@@ -26,4 +44,54 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,56 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
@ -43427,6 +43437,8 @@ index 4ec0eea..930b3f2 100644
 +corenet_tcp_connect_lsm_plugin_port(lsmd_plugin_t)
 +corenet_tcp_connect_ssh_port(lsmd_plugin_t)
 +
 +auth_use_nsswitch(lsmd_plugin_t)
 +
 +init_stream_connect(lsmd_plugin_t)
 +init_dontaudit_rw_stream_socket(lsmd_plugin_t)
 +
@ -46797,16 +46809,17 @@ index 0000000..e7220a5
 +logging_send_syslog_msg(mon_procd_t)
 +
 diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..91adcaf 100644
+index 6fcfc31..1719247 100644
 --- a/mongodb.fc
 +++ b/mongodb.fc
-@@ -1,9 +1,13 @@
+@@ -1,9 +1,14 @@
 /etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 -/usr/bin/mongod	--	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/mongod	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/mongos	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/share/aeolus-conductor/dbomatic/dbomatic   --   gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/libexec/mongodb-scl-helper                 --   gen_context(system_u:object_r:mongod_exec_t,s0)
 /var/lib/mongo.*	gen_context(system_u:object_r:mongod_var_lib_t,s0)
@ -46818,7 +46831,7 @@ index 6fcfc31..91adcaf 100644
 +/var/run/mongo.*	                gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
 diff --git a/mongodb.te b/mongodb.te
-index 169f236..907b24c 100644
+index 169f236..571da1a 100644
 --- a/mongodb.te
 +++ b/mongodb.te
@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t)
@ -46853,7 +46866,7 @@ index 169f236..907b24c 100644
 manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
 manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-@@ -41,21 +47,42 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+@@ -41,21 +47,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
 manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
@ -46888,6 +46901,8 @@ index 169f236..907b24c 100644
 fs_getattr_all_fs(mongod_t)
 -miscfiles_read_localization(mongod_t)
 +auth_use_nsswitch(mongod_t)
 +
 +optional_policy(`
 +	mysql_stream_connect(mongod_t)
 +')
@ -58443,7 +58458,7 @@ index af3c91e..3e5f9cf 100644
 /var/log/ntp.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
 diff --git a/ntp.if b/ntp.if
-index e96a309..ef6081b 100644
+index e96a309..3dbc18c 100644
 --- a/ntp.if
 +++ b/ntp.if
@@ -1,4 +1,4 @@
@ -58492,7 +58507,7 @@ index e96a309..ef6081b 100644
 ')
 ########################################
-@@ -98,6 +117,49 @@ interface(`ntp_initrc_domtrans',`
+@@ -98,6 +117,67 @@ interface(`ntp_initrc_domtrans',`
 	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
 ')
@ -58538,11 +58553,29 @@ index e96a309..ef6081b 100644
 +
 +	ps_process_pattern($1, ntpd_t)
 +')
 +
 +########################################
 +## <summary>
 +##     Send a generic signal to ntpd
 +## </summary>
 +## <param name="domain">
 +##     <summary>
 +##     Domain allowed access.
 +##     </summary>
 +## </param>
 +#
 +interface(`ntp_signal',`
 +    gen_require(`
 +        type ntpd_t;
 +    ')
 +
 +    allow $1 ntpd_t:process signal;
 +')
 +
 ########################################
 ## <summary>
 ##	Read ntp drift files.
-@@ -141,8 +203,27 @@ interface(`ntp_rw_shm',`
+@@ -141,8 +221,27 @@ interface(`ntp_rw_shm',`
 ########################################
 ## <summary>
@ -58572,7 +58605,7 @@ index e96a309..ef6081b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -151,28 +232,32 @@ interface(`ntp_rw_shm',`
+@@ -151,28 +250,32 @@ interface(`ntp_rw_shm',`
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -58611,7 +58644,7 @@ index e96a309..ef6081b 100644
 	logging_list_logs($1)
 	admin_pattern($1, ntpd_log_t)
-@@ -186,5 +271,30 @@ interface(`ntp_admin',`
+@@ -186,5 +289,30 @@ interface(`ntp_admin',`
 	files_list_pids($1)
 	admin_pattern($1, ntpd_var_run_t)
@ -69320,7 +69353,7 @@ index ded95ec..3cf7146 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..a1ed642 100644
+index 5cfb83e..501c935 100644
 --- a/postfix.te
 +++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@ -69393,12 +69426,14 @@ index 5cfb83e..a1ed642 100644
 -files_type(postfix_spool_t)
 +files_spool_file(postfix_spool_t)
- type postfix_spool_maildrop_t, postfix_spool_type;
+-type postfix_spool_maildrop_t, postfix_spool_type;
 -files_type(postfix_spool_maildrop_t)
 +typealias postfix_spool_t alias postfix_spool_maildrop_t;
 +files_spool_file(postfix_spool_maildrop_t)
- type postfix_spool_flush_t, postfix_spool_type;
+-type postfix_spool_flush_t, postfix_spool_type;
 -files_type(postfix_spool_flush_t)
 +typealias postfix_spool_t alias postfix_spool_flush_t;
 +files_spool_file(postfix_spool_flush_t)
 type postfix_public_t;
@ -80921,10 +80956,10 @@ index c8a1e16..2d409bf 100644
 	xen_domtrans_xm(rgmanager_t)
 ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..2c625fb 100644
+index 47de2d6..7bed6ad 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,91 @@
+@@ -1,31 +1,92 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@ -80978,6 +81013,7 @@ index 47de2d6..2c625fb 100644
 -/var/run/groupd\.pid	--	gen_context(system_u:object_r:groupd_var_run_t,s0)
 -/var/run/qdiskd\.pid	--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
 +/var/run/cluster/fence_scsi.*           --       gen_context(system_u:object_r:fenced_var_run_t,s0)
 +/var/run/cluster/mpath\.devices     --  gen_context(system_u:object_r:fenced_var_run_t,s0)
 +/var/run/dlm_controld\.pid		--	gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
 +/var/run/dlm_controld(/.*)?		    gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
 +/var/run/fence.*				    gen_context(system_u:object_r:fenced_var_run_t,s0)
@ -81864,7 +81900,7 @@ index c8bdea2..bf60580 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..25c0f70 100644
+index 6cf79c4..bfaf5c6 100644
 --- a/rhcs.te
 +++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@ -82240,7 +82276,7 @@ index 6cf79c4..25c0f70 100644
 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
 files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +409,7 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +409,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
 stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@ -82248,10 +82284,11 @@ index 6cf79c4..25c0f70 100644
 -
 -kernel_read_system_state(fenced_t)
 +kernel_read_network_state(fenced_t)
 +kernel_read_fs_sysctls(fenced_t)
 corecmd_exec_bin(fenced_t)
 corecmd_exec_shell(fenced_t)
-@@ -140,6 +429,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +430,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
 corenet_sendrecv_zented_server_packets(fenced_t)
 corenet_tcp_bind_zented_port(fenced_t)
@ -82260,7 +82297,7 @@ index 6cf79c4..25c0f70 100644
 corenet_tcp_sendrecv_zented_port(fenced_t)
 corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +439,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +440,8 @@ corenet_tcp_sendrecv_http_port(fenced_t)
 dev_read_sysfs(fenced_t)
 dev_read_urand(fenced_t)
@ -82268,10 +82305,11 @@ index 6cf79c4..25c0f70 100644
 -files_read_usr_files(fenced_t)
 -files_read_usr_symlinks(fenced_t)
 +dev_read_rand(fenced_t)
 +dev_rw_lvm_control(fenced_t)
 storage_raw_read_fixed_disk(fenced_t)
 storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +449,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +451,7 @@ term_getattr_pty_fs(fenced_t)
 term_use_generic_ptys(fenced_t)
 term_use_ptmx(fenced_t)
@ -82280,7 +82318,7 @@ index 6cf79c4..25c0f70 100644
 tunable_policy(`fenced_can_network_connect',`
 	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +471,8 @@ optional_policy(`
+@@ -182,7 +473,8 @@ optional_policy(`
 ')
 optional_policy(`
@ -82290,13 +82328,14 @@ index 6cf79c4..25c0f70 100644
 ')
 optional_policy(`
-@@ -190,12 +480,12 @@ optional_policy(`
+@@ -190,12 +482,13 @@ optional_policy(`
 ')
 optional_policy(`
 -	gnome_read_generic_home_content(fenced_t)
 +	lvm_domtrans(fenced_t)
 +	lvm_read_config(fenced_t)
 +    lvm_stream_connect(fenced_t)
 ')
 optional_policy(`
@ -82306,7 +82345,7 @@ index 6cf79c4..25c0f70 100644
 ')
 optional_policy(`
-@@ -203,6 +493,13 @@ optional_policy(`
+@@ -203,6 +496,13 @@ optional_policy(`
 	snmp_manage_var_lib_dirs(fenced_t)
 ')
@ -82320,7 +82359,7 @@ index 6cf79c4..25c0f70 100644
 #######################################
 #
 # foghorn local policy
-@@ -221,16 +518,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +521,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
 corenet_tcp_connect_agentx_port(foghorn_t)
 corenet_tcp_sendrecv_agentx_port(foghorn_t)
@ -82341,7 +82380,7 @@ index 6cf79c4..25c0f70 100644
 	snmp_stream_connect(foghorn_t)
 ')
-@@ -247,16 +546,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
+@@ -247,16 +549,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
 stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
 stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@ -82363,7 +82402,7 @@ index 6cf79c4..25c0f70 100644
 optional_policy(`
 	lvm_exec(gfs_controld_t)
 	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +578,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +581,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
 dev_list_sysfs(groupd_t)
@ -82423,7 +82462,7 @@ index 6cf79c4..25c0f70 100644
 ######################################
 #
 # qdiskd local policy
-@@ -292,7 +642,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +645,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
 manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
 files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
@ -82431,7 +82470,7 @@ index 6cf79c4..25c0f70 100644
 kernel_read_software_raid_state(qdiskd_t)
 kernel_getattr_core_if(qdiskd_t)
-@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +673,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
 auth_use_nsswitch(qdiskd_t)
@ -87623,7 +87662,7 @@ index 0360ff0..e6cb34f 100644
 	init_labeled_script_domtrans($1, rwho_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/rwho.te b/rwho.te
-index 7fb75f4..27f5e22 100644
+index 7fb75f4..ba5e778 100644
 --- a/rwho.te
 +++ b/rwho.te
@@ -16,7 +16,7 @@ type rwho_log_t;
@ -87643,11 +87682,12 @@ index 7fb75f4..27f5e22 100644
 corenet_all_recvfrom_netlabel(rwho_t)
 corenet_udp_sendrecv_generic_if(rwho_t)
 corenet_udp_sendrecv_generic_node(rwho_t)
-@@ -50,15 +49,13 @@ corenet_udp_sendrecv_rwho_port(rwho_t)
+@@ -50,15 +49,14 @@ corenet_udp_sendrecv_rwho_port(rwho_t)
 domain_use_interactive_fds(rwho_t)
 -files_read_etc_files(rwho_t)
 +auth_use_nsswitch(rwho_t)
 init_read_utmp(rwho_t)
 init_dontaudit_write_utmp(rwho_t)
@ -91632,7 +91672,7 @@ index 98c9e0a..562666e 100644
 	files_search_pids($1)
 	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..1a69cf7 100644
+index 299756b..8ce51cb 100644
 --- a/sblim.te
 +++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@ -91669,7 +91709,7 @@ index 299756b..1a69cf7 100644
 ######################################
 #
 # Common sblim domain local policy
-@@ -31,32 +38,38 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
+@@ -31,32 +38,39 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
 manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
 manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
 manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
@ -91687,6 +91727,7 @@ index 299756b..1a69cf7 100644
 kernel_read_network_state(sblim_domain)
 -kernel_read_system_state(sblim_domain)
 +kernel_read_sysctl(sblim_domain)
 -corenet_all_recvfrom_unlabeled(sblim_domain)
 -corenet_all_recvfrom_netlabel(sblim_domain)
@ -91718,7 +91759,7 @@ index 299756b..1a69cf7 100644
 allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
 allow sblim_gatherd_t self:unix_stream_socket { accept listen };
-@@ -82,8 +95,12 @@ fs_search_cgroup_dirs(sblim_gatherd_t)
+@@ -82,8 +96,12 @@ fs_search_cgroup_dirs(sblim_gatherd_t)
 storage_raw_read_fixed_disk(sblim_gatherd_t)
 storage_raw_read_removable_device(sblim_gatherd_t)
@ -91731,7 +91772,7 @@ index 299756b..1a69cf7 100644
 sysnet_dns_name_resolve(sblim_gatherd_t)
 term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +120,9 @@ optional_policy(`
+@@ -103,8 +121,9 @@ optional_policy(`
 ')
 optional_policy(`
@ -91742,7 +91783,7 @@ index 299756b..1a69cf7 100644
 ')
 optional_policy(`
-@@ -117,6 +135,59 @@ optional_policy(`
+@@ -117,6 +136,59 @@ optional_policy(`
 # Reposd local policy
 #
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 121%{?dist}
+Release: 122%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -602,6 +602,28 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
 - Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
 - Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
 - Allow mongod to work with configured SSSD.
 - Add collectd net_raw capability. BZ(1194169)
 - Merge postfix spool types(maildrop,flush) to one postfix_spool_t
 - Allow dhcpd kill capability.
 - Make rwhod as nsswitch domain.
 - Add support for new fence agent fence_mpath which is executed by fence_node.
 - Fix cloudform policy.(m4 is case sensitive)
 - Allow networkmanager and cloud_init_t to dbus chat
 - Allow lsmd plugin to run with configured SSSD.
 - Allow bacula access to tape devices.
 - Allow sblim domain to read sysctls..
 - Allow timemaster send a signal to ntpd.
 - Allow mysqld_t to use pam.It is needed by MariDB if auth_apm.so auth plugin is used.
 - two 'l' is enough.
 - Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
 - Allow polkit to dbus chat with xserver. (1207478)
 - Add lvm_stream_connect() interface.
 - Set label of /sys/kernel/debug
 * Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121
 - Allow kmscon to read system state. BZ (1206871)
 - Label ~/.abrt/ as abrt_etc_t. BZ(1199658)