- Add labels for /var/named/chroot_sdb/dev devices

- Add support for strongimcv - Add additional fixes for yubikeys based on william@firstyear.id.au - Allow init_t run /sbin/augenrules - Remove dup decl for dev_unmount_sysfs_fs - Allow unpriv SELinux user to use sandbox - Fix ntp_filetrans_named_content for sntp-kod file - Add httpd_dbus_sssd boolean - Dontaudit exec insmod in boinc policy - Add dbus_filetrans_named_content_system() - We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t - varnishd wants chown capability - update ntp_filetrans_named_content() interface - Add additional fixes for neutron_t. #1083335 - Dontaudit sandbox_t getattr on proc_kcore_t - Allow pki_tomcat_t to read ipa lib files
2014-04-04 10:51:29 +02:00 · 2014-04-04 10:51:29 +02:00 · c14474eca6
parent 33665e5aa5
commit c14474eca6
3 changed files with 428 additions and 265 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -2357,10 +2357,10 @@ index 0960199..aa51ab2 100644
 +	can_exec($1, sudo_exec_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..fc6d1d3 100644
+index d9fce57..612503a 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,100 @@ attribute sudodomain;
+@@ -7,3 +7,105 @@ attribute sudodomain;
 
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
@ -2392,6 +2392,7 @@ index d9fce57..fc6d1d3 100644
 +allow sudodomain self:unix_dgram_socket sendto;
 +allow sudodomain self:unix_stream_socket connectto;
 +allow sudodomain self:key manage_key_perms;
+allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;
 +
 +kernel_getattr_core_if(sudodomain)
 +kernel_link_key(sudodomain)
@ -2454,6 +2455,10 @@ index d9fce57..fc6d1d3 100644
 +userdom_search_admin_dir(sudodomain)
 +userdom_manage_all_users_keys(sudodomain)
 +
+tunable_policy(`authlogin_yubikey',`
+    auth_manage_home_content(sudodomain)
+')
+
 +optional_policy(`
 +	dbus_system_bus_client(sudodomain)
 +')
@ -5844,7 +5849,7 @@ index 3f6e168..51ad69a 100644
 ')
 
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..1212440 100644
+index b31c054..5e37a40 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@ -5922,7 +5927,7 @@ index b31c054..1212440 100644
 /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +212,22 @@ ifdef(`distro_debian',`
+@@ -198,12 +212,27 @@ ifdef(`distro_debian',`
 /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 
@ -5934,6 +5939,11 @@ index b31c054..1212440 100644
 /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
 /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
+/var/named/chroot_sdb/dev	-d	gen_context(system_u:object_r:device_t,s0)
+/var/named/chroot_sdb/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
+/var/named/chroot_sdb/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
+/var/named/chroot_sdb/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
+/
 +/var/spool/postfix/dev    -d    gen_context(system_u:object_r:device_t,s0)
 ')
 +
@ -9214,7 +9224,7 @@ index cf04cb5..0b3704b 100644
 +	unconfined_server_stream_connect(domain)
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..7a98631 100644
+index b876c48..9cbe36a 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -9348,7 +9358,7 @@ index b876c48..7a98631 100644
 #
 # /selinux
 #
-@@ -178,25 +191,28 @@ ifdef(`distro_debian',`
+@@ -178,25 +191,29 @@ ifdef(`distro_debian',`
 #
 # /srv
 #
@ -9367,6 +9377,7 @@ index b876c48..7a98631 100644
 
 /tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /tmp/lost\+found/.*		<<none>>
+/tmp/hsperfdata_root        gen_context(system_u:object_r:tmp_t,s0)
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:tmp_t,s0)
 
 #
@ -9380,7 +9391,7 @@ index b876c48..7a98631 100644
 
 /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 
-@@ -204,15 +220,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +221,9 @@ ifdef(`distro_debian',`
 
 /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
 
@ -9397,7 +9408,7 @@ index b876c48..7a98631 100644
 
 /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
 
-@@ -220,8 +230,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +231,6 @@ ifdef(`distro_debian',`
 /usr/tmp/.*			<<none>>
 
 ifndef(`distro_redhat',`
@ -9406,7 +9417,7 @@ index b876c48..7a98631 100644
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 ')
-@@ -229,7 +237,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +238,7 @@ ifndef(`distro_redhat',`
 #
 # /var
 #
@ -9415,7 +9426,7 @@ index b876c48..7a98631 100644
 /var/.*				gen_context(system_u:object_r:var_t,s0)
 /var/\.journal			<<none>>
 
-@@ -237,11 +245,25 @@ ifndef(`distro_redhat',`
+@@ -237,11 +246,25 @@ ifndef(`distro_redhat',`
 
 /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
 
@ -9442,7 +9453,7 @@ index b876c48..7a98631 100644
 
 /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/log/lost\+found/.*		<<none>>
-@@ -256,12 +278,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +279,14 @@ ifndef(`distro_redhat',`
 /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*\.*pid		<<none>>
@ -9457,7 +9468,7 @@ index b876c48..7a98631 100644
 /var/tmp/.*			<<none>>
 /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.*		<<none>>
-@@ -271,3 +295,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +296,5 @@ ifdef(`distro_debian',`
 /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
@ -20526,7 +20537,7 @@ index 3835596..fbca2be 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81..c8df034 100644
+index 6d77e81..c175ba4 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@ -20542,7 +20553,7 @@ index 6d77e81..c8df034 100644
 # this module should be named user, but that is
 # a compile error since user is a keyword.
 
-@@ -12,12 +19,96 @@ role user_r;
+@@ -12,12 +19,98 @@ role user_r;
 
 userdom_unpriv_user_template(user)
 
@ -20555,6 +20566,8 @@ index 6d77e81..c8df034 100644
 +storage_read_scsi_generic(user_t)
 +storage_write_scsi_generic(user_t)
 +
+seutil_read_module_store(user_t)
+
 +init_dbus_chat(user_t)
 +init_status(user_t)
 +
@ -20640,7 +20653,7 @@ index 6d77e81..c8df034 100644
 ')
 
 optional_policy(`
-@@ -25,6 +116,18 @@ optional_policy(`
+@@ -25,6 +118,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -20659,7 +20672,7 @@ index 6d77e81..c8df034 100644
 	vlock_run(user_t, user_r)
 ')
 
-@@ -102,10 +205,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +207,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -20670,7 +20683,7 @@ index 6d77e81..c8df034 100644
 		postgresql_role(user_r, user_t)
 	')
 
-@@ -128,7 +227,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +229,6 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		ssh_role_template(user, user_r, user_t)
 	')
@ -20678,7 +20691,7 @@ index 6d77e81..c8df034 100644
 	optional_policy(`
 		su_role_template(user, user_r, user_t)
 	')
-@@ -161,3 +259,19 @@ ifndef(`distro_redhat',`
+@@ -161,3 +261,19 @@ ifndef(`distro_redhat',`
 		wireshark_role(user_r, user_t)
 	')
 ')
@ -26106,14 +26119,14 @@ index c6fdab7..af71c62 100644
 	sudo_sigchld(application_domain_type)
 ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 2479587..00d2700 100644
+index 2479587..077c9bc 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
@@ -1,14 +1,28 @@
-+HOME_DIR/\.yubico(/.*)?				gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.yubico(/.*)?				    gen_context(system_u:object_r:auth_home_t,s0)
 +HOME_DIR/\.google_authenticator			gen_context(system_u:object_r:auth_home_t,s0)
 +HOME_DIR/\.google_authenticator~		gen_context(system_u:object_r:auth_home_t,s0)
-+/root/\.yubico(/.*)?				gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.yubico/(.*)                     gen_context(system_u:object_r:auth_home_t,s0)
 +/root/\.google_authenticator			gen_context(system_u:object_r:auth_home_t,s0)
 +/root/\.google_authenticator~			gen_context(system_u:object_r:auth_home_t,s0)
 
@ -26201,7 +26214,7 @@ index 2479587..00d2700 100644
 /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..08c3e93 100644
+index 3efd5b6..0bd3a26 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@ -26787,7 +26800,7 @@ index 3efd5b6..08c3e93 100644
 ')
 
 ########################################
-@@ -1805,3 +2029,242 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2029,262 @@ interface(`auth_unconfined',`
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -26990,6 +27003,26 @@ index 3efd5b6..08c3e93 100644
 +	read_files_pattern($1, auth_home_t, auth_home_t)
 +')
 +
+########################################
+## <summary>
+##	Read the authorization data in the user home directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_home_content',`
+	
+	gen_require(`
+		type auth_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	manage_files_pattern($1, auth_home_t, auth_home_t)
+    manage_dirs_pattern($1, auth_home_t, auth_home_t)
+')
 +
 +########################################
 +## <summary>
@ -27031,7 +27064,7 @@ index 3efd5b6..08c3e93 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..1a3d5b3 100644
+index 09b791d..73376ca 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -27047,7 +27080,7 @@ index 09b791d..1a3d5b3 100644
 +
 +## <desc>
 +## <p>
-+## Allow users to login using a yubikey  server
+## Allow users to login using a yubikey OTP server or challenge response mode
 +## </p>
 +## </desc>
 +gen_tunable(authlogin_yubikey, false)
@ -29621,7 +29654,7 @@ index 79a45f6..89b43aa 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..d1590ad 100644
+index 17eda24..56e006c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -29834,7 +29867,7 @@ index 17eda24..d1590ad 100644
 # file descriptors inherited from the rootfs:
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +246,52 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +246,53 @@ fs_list_inotifyfs(init_t)
 fs_write_ramfs_sockets(init_t)
 
 mcs_process_set_categories(init_t)
@ -29874,6 +29907,7 @@ index 17eda24..d1590ad 100644
 +logging_send_audit_msgs(init_t)
 logging_rw_generic_logs(init_t)
 +logging_relabel_devlog_dev(init_t)
+logging_manage_audit_config(init_t)
 
 seutil_read_config(init_t)
 +seutil_read_module_store(init_t)
@ -29890,7 +29924,7 @@ index 17eda24..d1590ad 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +300,230 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +301,230 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -30129,7 +30163,7 @@ index 17eda24..d1590ad 100644
 ')
 
 optional_policy(`
-@@ -216,7 +531,31 @@ optional_policy(`
+@@ -216,7 +532,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30161,7 +30195,7 @@ index 17eda24..d1590ad 100644
 ')
 
 ########################################
-@@ -225,9 +564,9 @@ optional_policy(`
+@@ -225,9 +565,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -30173,7 +30207,7 @@ index 17eda24..d1590ad 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -258,12 +597,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -30190,7 +30224,7 @@ index 17eda24..d1590ad 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +622,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -30233,7 +30267,7 @@ index 17eda24..d1590ad 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +659,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -30245,7 +30279,7 @@ index 17eda24..d1590ad 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +671,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +672,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -30256,7 +30290,7 @@ index 17eda24..d1590ad 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +682,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +683,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -30266,7 +30300,7 @@ index 17eda24..d1590ad 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +691,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +692,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -30274,7 +30308,7 @@ index 17eda24..d1590ad 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +698,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -30282,7 +30316,7 @@ index 17eda24..d1590ad 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +706,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +707,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -30300,7 +30334,7 @@ index 17eda24..d1590ad 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +724,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +725,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -30314,7 +30348,7 @@ index 17eda24..d1590ad 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +739,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +740,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -30328,7 +30362,7 @@ index 17eda24..d1590ad 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +752,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +753,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -30339,7 +30373,7 @@ index 17eda24..d1590ad 100644
 
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +765,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +766,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -30347,7 +30381,7 @@ index 17eda24..d1590ad 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +784,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +785,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -30371,7 +30405,7 @@ index 17eda24..d1590ad 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +817,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +818,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -30379,7 +30413,7 @@ index 17eda24..d1590ad 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +851,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +852,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -30390,7 +30424,7 @@ index 17eda24..d1590ad 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -506,7 +875,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +876,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -30399,7 +30433,7 @@ index 17eda24..d1590ad 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -521,6 +890,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +891,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -30407,7 +30441,7 @@ index 17eda24..d1590ad 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +911,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +912,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -30415,7 +30449,7 @@ index 17eda24..d1590ad 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +921,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +922,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -30460,7 +30494,7 @@ index 17eda24..d1590ad 100644
 	')
 
 	optional_policy(`
-@@ -559,14 +966,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +967,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -30492,7 +30526,7 @@ index 17eda24..d1590ad 100644
 	')
 ')
 
-@@ -577,6 +1001,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1002,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -30532,7 +30566,7 @@ index 17eda24..d1590ad 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1046,8 @@ optional_policy(`
+@@ -589,6 +1047,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -30541,7 +30575,7 @@ index 17eda24..d1590ad 100644
 ')
 
 optional_policy(`
-@@ -610,6 +1069,7 @@ optional_policy(`
+@@ -610,6 +1070,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -30549,7 +30583,7 @@ index 17eda24..d1590ad 100644
 ')
 
 optional_policy(`
-@@ -626,6 +1086,17 @@ optional_policy(`
+@@ -626,6 +1087,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30567,7 +30601,7 @@ index 17eda24..d1590ad 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -642,9 +1113,13 @@ optional_policy(`
+@@ -642,9 +1114,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -30581,7 +30615,7 @@ index 17eda24..d1590ad 100644
 	')
 
 	optional_policy(`
-@@ -657,15 +1132,11 @@ optional_policy(`
+@@ -657,15 +1133,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30599,7 +30633,7 @@ index 17eda24..d1590ad 100644
 ')
 
 optional_policy(`
-@@ -686,6 +1157,15 @@ optional_policy(`
+@@ -686,6 +1158,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30615,7 +30649,7 @@ index 17eda24..d1590ad 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -726,6 +1206,7 @@ optional_policy(`
+@@ -726,6 +1207,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -30623,7 +30657,7 @@ index 17eda24..d1590ad 100644
 ')
 
 optional_policy(`
-@@ -743,7 +1224,13 @@ optional_policy(`
+@@ -743,7 +1225,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30638,7 +30672,7 @@ index 17eda24..d1590ad 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -766,6 +1253,10 @@ optional_policy(`
+@@ -766,6 +1254,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30649,7 +30683,7 @@ index 17eda24..d1590ad 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1266,20 @@ optional_policy(`
+@@ -775,10 +1267,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30670,7 +30704,7 @@ index 17eda24..d1590ad 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -787,6 +1288,10 @@ optional_policy(`
+@@ -787,6 +1289,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30681,7 +30715,7 @@ index 17eda24..d1590ad 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -808,8 +1313,6 @@ optional_policy(`
+@@ -808,8 +1314,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -30690,7 +30724,7 @@ index 17eda24..d1590ad 100644
 ')
 
 optional_policy(`
-@@ -818,6 +1321,10 @@ optional_policy(`
+@@ -818,6 +1322,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30701,7 +30735,7 @@ index 17eda24..d1590ad 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1334,12 @@ optional_policy(`
+@@ -827,10 +1335,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -30714,7 +30748,7 @@ index 17eda24..d1590ad 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1366,60 @@ optional_policy(`
+@@ -857,21 +1367,60 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30776,7 +30810,7 @@ index 17eda24..d1590ad 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1435,10 @@ optional_policy(`
+@@ -887,6 +1436,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30787,7 +30821,7 @@ index 17eda24..d1590ad 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1449,218 @@ optional_policy(`
+@@ -897,3 +1450,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -31007,10 +31041,10 @@ index 17eda24..d1590ad 100644
 +    ')
 + ')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..08589f8 100644
+index 662e79b..fc34e78 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,23 @@
+@@ -1,14 +1,24 @@
 /etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/strongswan	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
@ -31018,6 +31052,7 @@ index 662e79b..08589f8 100644
 -/etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
 +/usr/lib/systemd/system/ipsec.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
 +/usr/lib/systemd/system/strongswan.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+/usr/lib/systemd/system/strongimcv.*    --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
 +
 +/etc/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
 /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
@ -31035,17 +31070,19 @@ index 662e79b..08589f8 100644
 
 /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
 
-@@ -26,16 +35,24 @@
+@@ -26,16 +36,26 @@
 /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 +/usr/libexec/nm-libreswan-service   --  gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-+/usr/libexec/strongswan/.*	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/strongswan/.*      --	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/strongimcv/.*      --  gen_context(system_u:object_r:ipsec_exec_t,s0)
 
 /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
 +/usr/sbin/strongswan	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/sbin/strongimcv    --  gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /var/lock/subsys/ipsec		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
 +/var/lock/subsys/strongswan		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
@ -37456,7 +37493,7 @@ index 40edc18..a072ac2 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..f752c31 100644
+index 2cea692..77f307f 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -37784,7 +37821,7 @@ index 2cea692..f752c31 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +983,95 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +983,115 @@ interface(`sysnet_use_portmap',`
 
 	sysnet_read_config($1)
 ')
@ -37873,6 +37910,26 @@ index 2cea692..f752c31 100644
 +##	</summary>
 +## </param>
 +#
+interface(`sysnet_manage_ifconfig_run',`
+	gen_require(`
+		type ifconfig_var_run_t;
+	')
+
+	manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+')
+
+########################################
+## <summary>
+##	Transition to sysnet ifconfig named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`sysnet_filetrans_named_content_ifconfig',`
 +	gen_require(`
 +		type ifconfig_var_run_t;
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 42%{?dist}
+Release: 43%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -588,6 +588,24 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Fri Apr 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-43
+- Add labels for /var/named/chroot_sdb/dev devices
+- Add support for strongimcv
+- Add additional fixes for yubikeys based on william@firstyear.id.au
+- Allow init_t run /sbin/augenrules
+- Remove dup decl for dev_unmount_sysfs_fs
+- Allow unpriv SELinux user to use sandbox
+- Fix ntp_filetrans_named_content for sntp-kod file
+- Add httpd_dbus_sssd boolean
+- Dontaudit exec insmod in boinc policy
+- Add dbus_filetrans_named_content_system()
+- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t
+- varnishd wants chown capability
+- update ntp_filetrans_named_content() interface
+- Add additional fixes for neutron_t. #1083335
+- Dontaudit sandbox_t getattr on proc_kcore_t
+- Allow pki_tomcat_t to read ipa lib files
+
 * Tue Apr 1 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-42
 - Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t