scratch build

Miroslav Grepl 2013-10-30 20:24:38 +01:00
parent af7d966e90
commit cd5d972925
3 changed files with 113 additions and 66 deletions


@ -5461,7 +5461,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4edc40d..9455a13 100644
index 4edc40d..cc71e95 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@ -5714,7 +5714,7 @@ index 4edc40d..9455a13 100644
network_port(puppet, tcp, 8140, s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
+network_port(quantum, tcp,9696,s0)
+network_port(neutron, tcp,9696,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
@ -5810,7 +5810,7 @@ index 4edc40d..9455a13 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
@@ -342,9 +400,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
@@ -342,9 +400,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@ -5837,6 +5837,10 @@ index 4edc40d..9455a13 100644
+allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
+allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress };
+allow netlabel_peer_t node_t:node recvfrom;
+
+typealias neutron_port_t alias quantum_port_t;
+typealias neutron_server_packet_t alias quantum_server_packet_t;
+typealias neutron_client_packet_t alias quantum_client_packet_t;
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 3f6e168..51ad69a 100644
--- a/policy/modules/kernel/corenetwork.te.m4
@ -14159,10 +14163,10 @@ index 8416beb..c6cd3eb 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 9e603f5..e0209df 100644
index 9e603f5..1198b51 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
@ -14170,9 +14174,11 @@ index 9e603f5..e0209df 100644
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0);
# Use the allocating task SID to label inodes in the following filesystem
@@ -53,6 +55,7 @@ type anon_inodefs_t;
# types, and label the filesystem itself with the specified context.
@@ -53,6 +56,7 @@ type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
@ -14180,7 +14186,7 @@ index 9e603f5..e0209df 100644
type bdev_t;
fs_type(bdev_t)
@@ -63,12 +66,17 @@ fs_type(binfmt_misc_fs_t)
@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t)
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
@ -14199,7 +14205,7 @@ index 9e603f5..e0209df 100644
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
@@ -89,6 +97,11 @@ fs_noxattr_type(ecryptfs_t)
@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
@ -14211,7 +14217,7 @@ index 9e603f5..e0209df 100644
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
@@ -97,6 +110,7 @@ type hugetlbfs_t;
@@ -97,6 +111,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@ -14219,7 +14225,7 @@ index 9e603f5..e0209df 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
@@ -119,12 +133,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
@ -14237,7 +14243,7 @@ index 9e603f5..e0209df 100644
type ramfs_t;
fs_type(ramfs_t)
files_mountpoint(ramfs_t)
@@ -145,11 +164,6 @@ fs_type(spufs_t)
@@ -145,11 +165,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@ -14249,7 +14255,7 @@ index 9e603f5..e0209df 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
@@ -167,6 +181,8 @@ type vxfs_t;
@@ -167,6 +182,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@ -14258,7 +14264,7 @@ index 9e603f5..e0209df 100644
#
# tmpfs_t is the type for tmpfs filesystems
@@ -176,6 +192,8 @@ fs_type(tmpfs_t)
@@ -176,6 +193,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@ -14267,7 +14273,7 @@ index 9e603f5..e0209df 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
@@ -255,6 +273,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@ -14276,7 +14282,7 @@ index 9e603f5..e0209df 100644
files_mountpoint(removable_t)
#
@@ -274,6 +294,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@ -35461,7 +35467,7 @@ index 346a7cc..42a48b6 100644
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 6944526..b82ccf1 100644
index 6944526..0bd8d93 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -35736,7 +35742,7 @@ index 6944526..b82ccf1 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',`
@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@ -35804,6 +35810,8 @@ index 6944526..b82ccf1 100644
+
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
+ files_etc_filetrans($1, net_conf_t, file, "hosts")
+ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
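Review bot: Renaming `network_port(quantum, tcp,9696,s0)` to `network_port(neutron, tcp,9696,s0)` in the corenetwork.te.in hunk also renames the generated `corenet_*_quantum_port` interfaces; the three `typealias` lines added at the end of that hunk keep the old type names resolvable, but a typealias does not alias interface names, so any module still calling e.g. `corenet_tcp_bind_quantum_port` will fail to build (quantum.te in the contrib patch is updated; other callers in the tree cannot be checked from here). In the filesystem.te hunk, `fs_use_xattr fuse.glusterfs` makes the kernel take each inode's label from the security.selinux xattr returned by the gluster client, so labels on such mounts are only as trustworthy as the bricks serving them; a one-line comment above it such as `# labels come from the remote gluster volume; use a context= mount where the bricks are not trusted` would record that decision. In the sysnetwork.if hunk the interface receiving the added `files_etc_filetrans` lines begins outside the hunk; note that `hosts.deny` and `denyhosts` now transition to `net_conf_t`, so every domain granted write access to `net_conf_t` can also alter the tcp_wrappers deny list.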


@ -2728,7 +2728,7 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
index 0000000..784557c
index 0000000..8ba9c95
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,274 @@
@ -2825,7 +2825,7 @@ index 0000000..784557c
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
+
+allow antivirus_domain antivirus_log_t:dir setattr_dir_perms;
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
@ -55084,7 +55084,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
index 7bcf327..c1e0a6f 100644
index 7bcf327..c19ce47 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@ -55108,7 +55108,7 @@ index 7bcf327..c1e0a6f 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
@@ -30,20 +29,262 @@ files_type(pegasus_mof_t)
@@ -30,20 +29,266 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@ -55242,6 +55242,10 @@ index 7bcf327..c1e0a6f 100644
+ realmd_dbus_chat(pegasus_openlmi_services_t)
+')
+
+optional_policy(`
+ sssd_stream_connect(pegasus_openlmi_services_t)
+')
+
+######################################
+#
+# pegasus openlmi system (networking) local policy
@ -55376,7 +55380,7 @@ index 7bcf327..c1e0a6f 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +295,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
@@ -54,22 +299,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -55407,7 +55411,7 @@ index 7bcf327..c1e0a6f 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +321,21 @@ kernel_read_net_sysctls(pegasus_t)
@@ -80,27 +325,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@ -55440,7 +55444,7 @@ index 7bcf327..c1e0a6f 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
@@ -114,6 +349,7 @@ files_getattr_all_dirs(pegasus_t)
@@ -114,6 +353,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@ -55448,7 +55452,7 @@ index 7bcf327..c1e0a6f 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
@@ -128,18 +364,25 @@ init_stream_connect_script(pegasus_t)
@@ -128,18 +368,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@ -55480,7 +55484,7 @@ index 7bcf327..c1e0a6f 100644
')
optional_policy(`
@@ -151,16 +394,24 @@ optional_policy(`
@@ -151,16 +398,24 @@ optional_policy(`
')
optional_policy(`
@ -55509,7 +55513,7 @@ index 7bcf327..c1e0a6f 100644
')
optional_policy(`
@@ -168,7 +419,7 @@ optional_policy(`
@@ -168,7 +423,7 @@ optional_policy(`
')
optional_policy(`
@ -67640,7 +67644,7 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
index 769d1fd..801835e 100644
index 769d1fd..acee489 100644
--- a/quantum.te
+++ b/quantum.te
@@ -1,96 +1,109 @@
@ -67661,7 +67665,7 @@ index 769d1fd..801835e 100644
-type quantum_initrc_exec_t;
-init_script_file(quantum_initrc_exec_t)
+type neutron_initrc_exec_t alias qauntum_initrc_exec_t;
+type neutron_initrc_exec_t alias quantum_initrc_exec_t;
+init_script_file(neutron_initrc_exec_t)
-type quantum_log_t;
@ -67751,7 +67755,7 @@ index 769d1fd..801835e 100644
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
+corenet_tcp_bind_quantum_port(neutron_t)
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
@ -85923,7 +85927,7 @@ index dbb005a..45291bb 100644
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if
index a240455..54c5c1f 100644
index a240455..02ad8a9 100644
--- a/sssd.if
+++ b/sssd.if
@@ -1,21 +1,21 @@
@ -86051,7 +86055,9 @@ index a240455..54c5c1f 100644
+ gen_require(`
+ type sssd_conf_t;
+ ')
+
- files_search_etc($1)
- write_files_pattern($1, sssd_conf_t, sssd_conf_t)
+ files_search_etc($1)
+ write_files_pattern($1, sssd_conf_t, sssd_conf_t)
+')
@ -86070,9 +86076,7 @@ index a240455..54c5c1f 100644
+ gen_require(`
+ type sssd_conf_t;
+ ')
- files_search_etc($1)
- write_files_pattern($1, sssd_conf_t, sssd_conf_t)
+
+ files_search_etc($1)
+ create_files_pattern($1, sssd_conf_t, sssd_conf_t)
')
@ -86168,7 +86172,32 @@ index a240455..54c5c1f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -297,8 +333,7 @@ interface(`sssd_dbus_chat',`
@@ -235,6 +271,24 @@ interface(`sssd_dontaudit_search_lib',`
########################################
## <summary>
+## Do not audit attempts to read sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sssd_dontaudit_read_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read sssd lib files.
## </summary>
## <param name="domain">
@@ -297,8 +351,7 @@ interface(`sssd_dbus_chat',`
########################################
## <summary>
@ -86178,7 +86207,7 @@ index a240455..54c5c1f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -317,8 +352,27 @@ interface(`sssd_stream_connect',`
@@ -317,8 +370,27 @@ interface(`sssd_stream_connect',`
########################################
## <summary>
@ -86198,7 +86227,7 @@ index a240455..54c5c1f 100644
+ ')
+
+ dontaudit $1 sssd_t:unix_stream_socket connectto;
+ dontaudit $1 sssd_var_lib_t:sock_file write;
+ dontaudit $1 sssd_var_lib_t:sock_file { read write };
+')
+
+########################################
@ -86208,7 +86237,7 @@ index a240455..54c5c1f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -327,7 +381,7 @@ interface(`sssd_stream_connect',`
@@ -327,7 +399,7 @@ interface(`sssd_stream_connect',`
## </param>
## <param name="role">
## <summary>
@ -86217,7 +86246,7 @@ index a240455..54c5c1f 100644
## </summary>
## </param>
## <rolecap/>
@@ -335,27 +389,29 @@ interface(`sssd_stream_connect',`
@@ -335,27 +407,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',`
gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@ -93995,7 +94024,7 @@ index 9dec06c..73549fd 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
index 1f22fba..a77dab1 100644
index 1f22fba..d798c85 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,167 @@
@ -94239,7 +94268,7 @@ index 1f22fba..a77dab1 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
@@ -150,295 +170,140 @@ ifdef(`enable_mls',`
@@ -150,295 +170,141 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@ -94497,6 +94526,7 @@ index 1f22fba..a77dab1 100644
optional_policy(`
- xen_rw_image_files(virt_domain)
+ sssd_dontaudit_stream_connect(svirt_t)
+ sssd_dontaudit_read_lib(svirt_t)
')
-########################################
@ -94619,7 +94649,7 @@ index 1f22fba..a77dab1 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -448,42 +313,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
@@ -448,42 +314,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -94666,7 +94696,7 @@ index 1f22fba..a77dab1 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
@@ -496,16 +348,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
@@ -496,16 +349,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@ -94688,7 +94718,7 @@ index 1f22fba..a77dab1 100644
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -513,6 +361,7 @@ kernel_read_kernel_sysctls(virtd_t)
@@ -513,6 +362,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@ -94696,7 +94726,7 @@ index 1f22fba..a77dab1 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
@@ -520,24 +369,16 @@ corecmd_exec_shell(virtd_t)
@@ -520,24 +370,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@ -94724,7 +94754,7 @@ index 1f22fba..a77dab1 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
@@ -548,22 +389,27 @@ dev_rw_vhost(virtd_t)
@@ -548,22 +390,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@ -94757,7 +94787,7 @@ index 1f22fba..a77dab1 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
@@ -594,15 +440,18 @@ term_use_ptmx(virtd_t)
@@ -594,15 +441,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@ -94777,7 +94807,7 @@ index 1f22fba..a77dab1 100644
selinux_validate_context(virtd_t)
@@ -613,18 +462,26 @@ seutil_read_file_contexts(virtd_t)
@@ -613,18 +463,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@ -94814,7 +94844,7 @@ index 1f22fba..a77dab1 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -633,7 +490,7 @@ tunable_policy(`virt_use_nfs',`
@@ -633,7 +491,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@ -94823,7 +94853,7 @@ index 1f22fba..a77dab1 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
@@ -658,20 +515,12 @@ optional_policy(`
@@ -658,20 +516,12 @@ optional_policy(`
')
optional_policy(`
@ -94844,7 +94874,7 @@ index 1f22fba..a77dab1 100644
')
optional_policy(`
@@ -684,14 +533,20 @@ optional_policy(`
@@ -684,14 +534,20 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@ -94867,7 +94897,7 @@ index 1f22fba..a77dab1 100644
iptables_manage_config(virtd_t)
')
@@ -704,11 +559,13 @@ optional_policy(`
@@ -704,11 +560,13 @@ optional_policy(`
')
optional_policy(`
@ -94881,7 +94911,7 @@ index 1f22fba..a77dab1 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
@@ -719,10 +576,18 @@ optional_policy(`
@@ -719,10 +577,18 @@ optional_policy(`
')
optional_policy(`
@ -94900,7 +94930,7 @@ index 1f22fba..a77dab1 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -737,44 +602,264 @@ optional_policy(`
@@ -737,44 +603,264 @@ optional_policy(`
udev_read_db(virtd_t)
')
@ -95187,7 +95217,7 @@ index 1f22fba..a77dab1 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
@@ -785,25 +870,18 @@ kernel_write_xen_state(virsh_t)
@@ -785,25 +871,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@ -95214,7 +95244,7 @@ index 1f22fba..a77dab1 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
@@ -812,23 +890,23 @@ fs_search_auto_mountpoints(virsh_t)
@@ -812,23 +891,23 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@ -95247,7 +95277,7 @@ index 1f22fba..a77dab1 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
@@ -847,14 +925,20 @@ optional_policy(`
@@ -847,14 +926,20 @@ optional_policy(`
')
optional_policy(`
@ -95269,7 +95299,7 @@ index 1f22fba..a77dab1 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
@@ -879,49 +963,65 @@ optional_policy(`
@@ -879,49 +964,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@ -95353,7 +95383,7 @@ index 1f22fba..a77dab1 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
@@ -933,17 +1033,16 @@ dev_read_urand(virtd_lxc_t)
@@ -933,17 +1034,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@ -95373,7 +95403,7 @@ index 1f22fba..a77dab1 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -955,8 +1054,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
@@ -955,8 +1055,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -95397,7 +95427,7 @@ index 1f22fba..a77dab1 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -965,194 +1079,238 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -965,194 +1080,238 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -95772,7 +95802,7 @@ index 1f22fba..a77dab1 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1165,12 +1323,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1165,12 +1324,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -95787,7 +95817,7 @@ index 1f22fba..a77dab1 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1183,9 +1341,8 @@ optional_policy(`
@@ -1183,9 +1342,8 @@ optional_policy(`
########################################
#
@ -95798,7 +95828,7 @@ index 1f22fba..a77dab1 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1198,5 +1355,194 @@ kernel_read_network_state(virt_bridgehelper_t)
@@ -1198,5 +1356,194 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
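Review bot: The new `sssd_dontaudit_read_lib` interface in the sssd.if hunk silences only `sssd_var_lib_t:file read_file_perms`; a read attempt normally searches the `sssd_var_lib_t` directory first, so a caller that does not also invoke `sssd_dontaudit_search_lib` (the existing interface visible just above it) will keep logging a `dir search` denial. Either add `dontaudit $1 sssd_var_lib_t:dir search_dir_perms;` to the new interface or state in its summary that `sssd_dontaudit_search_lib` must be called alongside it. The virt.te hunk is the first caller (`sssd_dontaudit_read_lib(svirt_t)` next to `sssd_dontaudit_stream_connect(svirt_t)`); whether the stream-connect interface already covers the directory search is not visible here, since its body is cut at the hunk edge. A hedged why-comment on those two calls, such as `# presumably nss lookups inside the guest process; access not required, so silence rather than allow`, would record why a confined guest domain is being silenced instead of granted access.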


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 94%{?dist}
Release: 95%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -573,6 +573,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Oct 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-95
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Add file transition rules for content created by f5link
- Rename quantum_port information to neutron
- Allow all antivirus domains to manage also own log dirs
- Rename quantum_port information to neutron
- Allow pegasus_openlmi_services_t to stream connect to sssd_t
* Mon Oct 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-94
- Allow sysadm_t to read login information
- Allow systemd_tmpfiles to setattr on var_log_t directories