- Fix lockdev_manage_files()

- Allow setroubleshootd to read var_lib_t to make email_alert working - Add lockdev_manage_files() - Call proper interface in virt.te - Allow gkeyring_domain to create /var/run/UID/config/dbus file - system dbus seems to be blocking suspend - Dontaudit attemps to sys_ptrace, which I believe gpsd does not need - When you enter a container from root, you generate avcs with a leaked file descriptor - Allow mpd getattr on file system directories - Make sure realmd creates content with the correct label - Allow systemd-tty-ask to write kmsg - Allow mgetty to use lockdev library for device locking - Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music - When you enter a container from root, you generate avcs with a leaked file descriptor - Make sure init.fc files are labeled correctly at creation - File name trans vconsole.conf - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t
2013-04-23 12:44:02 +02:00 · 2013-04-23 12:44:02 +02:00 · d61e0b894f
parent aae6505e89
commit d61e0b894f
3 changed files with 665 additions and 401 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3021,7 +3021,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..d2dbf35 100644
+index 644d4d7..4debbf2 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@ -3179,7 +3179,7 @@ index 644d4d7..d2dbf35 100644
 /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +246,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +246,30 @@ ifdef(`distro_gentoo',`
 /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
@ -3189,7 +3189,9 @@ index 644d4d7..d2dbf35 100644
 -/usr/lib/nspluginwrapper/np.*		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/pm-utils(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nagios/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/urlize  --  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/netsaint/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/nspluginwrapper/np.*	gen_context(system_u:object_r:bin_t,s0)
@ -3215,7 +3217,7 @@ index 644d4d7..d2dbf35 100644
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +282,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +284,15 @@ ifdef(`distro_gentoo',`
 /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@ -3231,7 +3233,7 @@ index 644d4d7..d2dbf35 100644
 /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +303,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +305,17 @@ ifdef(`distro_gentoo',`
 
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
@ -3252,7 +3254,7 @@ index 644d4d7..d2dbf35 100644
 /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +329,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +331,15 @@ ifdef(`distro_gentoo',`
 /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@ -3268,7 +3270,7 @@ index 644d4d7..d2dbf35 100644
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +352,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +354,22 @@ ifdef(`distro_gentoo',`
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@ -3293,7 +3295,7 @@ index 644d4d7..d2dbf35 100644
 
 ifdef(`distro_debian',`
 /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +385,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +387,27 @@ ifdef(`distro_redhat', `
 /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
 /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
 
@ -3322,7 +3324,7 @@ index 644d4d7..d2dbf35 100644
 /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +454,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +456,15 @@ ifdef(`distro_suse', `
 #
 # /var
 #
@ -3339,7 +3341,7 @@ index 644d4d7..d2dbf35 100644
 /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
 
 /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +472,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +474,12 @@ ifdef(`distro_suse', `
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -7749,7 +7751,7 @@ index 6a1e4d1..adafd25 100644
 +	dontaudit $1 domain:socket_class_set { read write };
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..dc4207f 100644
+index cf04cb5..ff7b3f4 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -7875,7 +7877,7 @@ index cf04cb5..dc4207f 100644
 
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
 
@ -7904,6 +7906,7 @@ index cf04cb5..dc4207f 100644
 +	init_reboot(unconfined_domain_type)
 +	init_halt(unconfined_domain_type)
 +	init_undefined(unconfined_domain_type)
+	init_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
@ -18526,10 +18529,10 @@ index ff92430..36740ea 100644
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..83e6404 100644
+index 88d0028..4cc476f 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,78 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1)
 # Declarations
 #
 
@ -18583,6 +18586,7 @@ index 88d0028..83e6404 100644
 
 +application_exec(sysadm_t)
 +
+init_filetrans_named_content(sysadm_t)
 init_exec(sysadm_t)
 +init_exec_script_files(sysadm_t)
 +init_dbus_chat(sysadm_t)
@ -18619,7 +18623,7 @@ index 88d0028..83e6404 100644
 
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
-@@ -55,13 +94,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +95,7 @@ ifdef(`distro_gentoo',`
 	init_exec_rc(sysadm_t)
 ')
 
@ -18634,7 +18638,7 @@ index 88d0028..83e6404 100644
 	domain_ptrace_all_domains(sysadm_t)
 ')
 
-@@ -71,9 +104,9 @@ optional_policy(`
+@@ -71,9 +105,9 @@ optional_policy(`
 
 optional_policy(`
 	apache_run_helper(sysadm_t, sysadm_r)
@ -18645,7 +18649,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -87,6 +120,7 @@ optional_policy(`
+@@ -87,6 +121,7 @@ optional_policy(`
 
 optional_policy(`
 	asterisk_stream_connect(sysadm_t)
@ -18653,7 +18657,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -110,6 +144,10 @@ optional_policy(`
+@@ -110,6 +145,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18664,7 +18668,7 @@ index 88d0028..83e6404 100644
 	certwatch_run(sysadm_t, sysadm_r)
 ')
 
-@@ -122,11 +160,19 @@ optional_policy(`
+@@ -122,11 +161,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18686,7 +18690,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -140,6 +186,10 @@ optional_policy(`
+@@ -140,6 +187,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18697,7 +18701,7 @@ index 88d0028..83e6404 100644
 	dmesg_exec(sysadm_t)
 ')
 
-@@ -156,11 +206,11 @@ optional_policy(`
+@@ -156,11 +207,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18711,7 +18715,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -179,6 +229,13 @@ optional_policy(`
+@@ -179,6 +230,13 @@ optional_policy(`
 	ipsec_stream_connect(sysadm_t)
 	# for lsof
 	ipsec_getattr_key_sockets(sysadm_t)
@ -18725,7 +18729,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -186,15 +243,20 @@ optional_policy(`
+@@ -186,15 +244,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18749,7 +18753,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -214,22 +276,20 @@ optional_policy(`
+@@ -214,22 +277,20 @@ optional_policy(`
 	modutils_run_depmod(sysadm_t, sysadm_r)
 	modutils_run_insmod(sysadm_t, sysadm_r)
 	modutils_run_update_mods(sysadm_t, sysadm_r)
@ -18778,7 +18782,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -241,14 +301,27 @@ optional_policy(`
+@@ -241,14 +302,27 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18806,7 +18810,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -256,10 +329,20 @@ optional_policy(`
+@@ -256,10 +330,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18827,7 +18831,7 @@ index 88d0028..83e6404 100644
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_fetch(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +353,36 @@ optional_policy(`
+@@ -270,31 +354,36 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18871,7 +18875,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -319,12 +407,18 @@ optional_policy(`
+@@ -319,12 +408,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18891,7 +18895,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -349,7 +443,18 @@ optional_policy(`
+@@ -349,7 +444,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18911,7 +18915,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -360,19 +465,15 @@ optional_policy(`
+@@ -360,19 +466,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18933,7 +18937,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -384,10 +485,6 @@ optional_policy(`
+@@ -384,10 +486,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18944,7 +18948,7 @@ index 88d0028..83e6404 100644
 	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 	usermanage_run_groupadd(sysadm_t, sysadm_r)
 	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +492,9 @@ optional_policy(`
+@@ -395,6 +493,9 @@ optional_policy(`
 
 optional_policy(`
 	virt_stream_connect(sysadm_t)
@ -18954,7 +18958,7 @@ index 88d0028..83e6404 100644
 ')
 
 optional_policy(`
-@@ -402,31 +502,34 @@ optional_policy(`
+@@ -402,31 +503,34 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18995,7 +18999,7 @@ index 88d0028..83e6404 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
 
-@@ -439,10 +542,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +543,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -19006,7 +19010,7 @@ index 88d0028..83e6404 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 
 		optional_policy(`
-@@ -463,15 +562,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +563,75 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -26810,7 +26814,7 @@ index e4376aa..2c98c56 100644
 +	allow $1 getty_unit_file_t:service start;
 +')
 diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index fc38c9c..dce2d4e 100644
+index fc38c9c..61a1d24 100644
 --- a/policy/modules/system/getty.te
 +++ b/policy/modules/system/getty.te
@@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t)
@ -26852,17 +26856,20 @@ index fc38c9c..dce2d4e 100644
 	# Support logging in from /dev/console
 	term_use_console(getty_t)
 ',`
-@@ -125,10 +130,6 @@ optional_policy(`
+@@ -121,11 +126,11 @@ tunable_policy(`console_login',`
+ ')
+ 
+ optional_policy(`
+-	mta_send_mail(getty_t)
+    lockdev_manage_files(getty_t)
 ')
 
 optional_policy(`
 -	nscd_use(getty_t)
-')
-
-optional_policy(`
- 	ppp_domtrans(getty_t)
+	mta_send_mail(getty_t)
 ')
 
+ optional_policy(`
 diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
 index 9dfecf7..6d00f5c 100644
 --- a/policy/modules/system/hostname.fc
@ -27074,7 +27081,7 @@ index 9a4d3a7..9d960bb 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..1894886 100644
+index 24e7804..d0780a9 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -27959,7 +27966,7 @@ index 24e7804..1894886 100644
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2284,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2284,306 @@ interface(`init_udp_recvfrom_all_daemons',`
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
@ -28244,6 +28251,28 @@ index 24e7804..1894886 100644
 +
 +	allow $1 init_t:system undefined;
 +')
+
+########################################
+## <summary>
+##	Transition to init named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_filetrans_named_content',`
+	gen_require(`
+		type init_var_run_t;
+		type initrc_var_run_t;
+		type machineid_t;
+	')
+
+	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+	files_pid_filetrans($1, init_var_run_t, file, "random-seed")
+	files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 index dd3be8d..969bda2 100644
 --- a/policy/modules/system/init.te
@ -30065,7 +30094,7 @@ index 5dfa44b..aa4d8fc 100644
 
 optional_policy(`
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..aadfba0 100644
+index 73bb3c0..46439b4 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@ -30227,7 +30256,7 @@ index 73bb3c0..aadfba0 100644
 
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-@@ -299,17 +310,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +310,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
 #
 /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
 
@ -30383,6 +30412,7 @@ index 73bb3c0..aadfba0 100644
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/chrome/.*\.so	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
@ -32307,7 +32337,7 @@ index 9fe8e01..fa82aac 100644
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..2f33076 100644
+index fc28bc3..2960ed7 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@ -32445,7 +32475,7 @@ index fc28bc3..2f33076 100644
 ')
 
 ########################################
-@@ -809,3 +882,60 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +882,61 @@ interface(`miscfiles_manage_localization',`
 	manage_lnk_files_pattern($1, locale_t, locale_t)
 ')
 
@ -32466,6 +32496,7 @@ index fc28bc3..2f33076 100644
 +
 +	files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
 +	files_etc_filetrans($1, locale_t, file, "locale.conf")
+	files_etc_filetrans($1, locale_t, file, "vconsole.conf")
 +	files_etc_filetrans($1, locale_t, file, "locale.conf.new")
 +	files_etc_filetrans($1, locale_t, file, "timezone")
 +	files_etc_filetrans($1, locale_t, file, "clock")
@ -37060,10 +37091,10 @@ index 0000000..5894afb
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..b3ea12d
+index 0000000..2c9ccbf
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,642 @@
+@@ -0,0 +1,643 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -37308,6 +37339,7 @@ index 0000000..b3ea12d
 +dev_create_generic_dirs(systemd_passwd_agent_t)
 +dev_read_generic_files(systemd_passwd_agent_t)
 +dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
 +
 +term_read_console(systemd_passwd_agent_t)
 +
@ -39078,7 +39110,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..9799799 100644
+index 3c5dba7..b44b1c9 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -40360,7 +40392,7 @@ index 3c5dba7..9799799 100644
 -		corenet_tcp_bind_generic_node($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
 +
-+	tunable_policy(`selinuxuser_user_share_music',`
+	tunable_policy(`selinuxuser_share_music',`
 +		corenet_tcp_bind_daap_port($1_usertype)
 +	')
 +
@ -41745,7 +41777,7 @@ index 3c5dba7..9799799 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3438,4 +4197,1357 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4197,1393 @@ interface(`userdom_dbus_send_all_users',`
 	')
 
 	allow $1 userdomain:dbus send_msg;
@ -42306,6 +42338,42 @@ index 3c5dba7..9799799 100644
 +
 +########################################
 +## <summary>
+##	Dontaudit Read files inherited from the admin home dir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_inherited_admin_home_files',`
+	gen_require(`
+		attribute admin_home_t;
+	')
+
+	dontaudit $1 admin_home_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit append files inherited from the admin home dir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_inherited_admin_home_file',`
+	gen_require(`
+		attribute admin_home_t;
+	')
+
+	dontaudit $1 admin_home_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
 +##	Read/Write files inherited
 +##	in a user home subdirectory.
 +## </summary>
@ -43104,7 +43172,7 @@ index 3c5dba7..9799799 100644
 +	filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
 ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..6371ed6 100644
+index e2b538b..9e23738 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@ -43143,7 +43211,7 @@ index e2b538b..6371ed6 100644
 ## </p>
 ## </desc>
 -gen_tunable(user_dmesg, false)
-+gen_tunable(selinuxuser_user_share_music, false)
+gen_tunable(selinuxuser_share_music, false)
 
 ## <desc>
 ## <p>
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 32%{?dist}
+Release: 35%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -229,8 +229,12 @@ if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
     rm -f ${FILE_CONTEXT}.pre; \
 fi; \
-/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
-/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null; \
+if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
+    continue; \
+fi; \
+if /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null;then \
+    continue; \
+fi;

 %define preInstall() \
 if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
@ -526,6 +530,41 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Tue Apr 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-35
+- Fix lockdev_manage_files()
+- Allow setroubleshootd to read var_lib_t to make email_alert working
+- Add lockdev_manage_files()
+- Call proper interface in virt.te
+- Allow gkeyring_domain to create /var/run/UID/config/dbus file
+- system dbus seems to be blocking suspend
+- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need
+- When you enter a container from root, you generate avcs with a leaked file descriptor
+- Allow mpd getattr on file system directories
+- Make sure realmd creates content with the correct label
+- Allow systemd-tty-ask to write kmsg
+- Allow mgetty to use lockdev library for device locking
+- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
+- When you enter a container from root, you generate avcs with a leaked file descriptor
+- Make sure init.fc files are labeled correctly at creation
+- File name trans vconsole.conf
+- Fix labeling for nagios plugins
+- label shared libraries in /opt/google/chrome as testrel_shlib_t
+
+* Thu Apr 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-34
+- Allow certmonger to dbus communicate with realmd 
+- Make realmd working
+
+* Thu Apr 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-33
+- Fix mozilla specification of homedir content
+- Allow certmonger to read network state
+- Allow tmpwatch to read tmp in /var/spool/{cups,lpd}
+- Label all nagios plugin as unconfined by default
+- Add httpd_serve_cobbler_files()
+- Allow mdadm to read /dev/sr0 and create tmp files
+- Allow certwatch to send mails
+- Fix labeling for nagios plugins
+- label shared libraries in /opt/google/chrome as testrel_shlib_t
+
 * Wed Apr 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-32
 - Allow realmd to run ipa, really needs to be an unconfined_domain
 - Allow sandbox domains to use inherted terminals