* Fri Apr 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-26

- Try to label on controlC devices up to 30 correctly - Add mount_rw_pid_files() interface - Add additional mount/umount interfaces needed by mock - fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk - Fix tabs - Allow initrc_domain to search rgmanager lib files - Add more fixes which make mock working together with confined users * Allow mock_t to manage rpm files * Allow mock_t to read rpm log files * Allow mock to setattr on tmpfs, devpts * Allow mount/umount filesystems - Add rpm_read_log() interface - yum-cron runs rpm from within it. - Allow tuned to transition to dmidecode - Allow firewalld to do net_admin - Allow mock to unmont tmpfs_t - Fix virt_sigkill() interface - Add additional fixes for mock. Mainly caused by mount running in mock_t - Allow mock to write sysfs_t and mount pid files - Add mailman_domain to mailman_template() - Allow openvswitch to execute shell - Allow qpidd to use kerberos - Allow mailman to use fusefs, needs back port to RHEL6 - Allow apache and its scripts to use anon_inodefs - Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7 - Realmd needs to connect to samba ports, needs back port to F18 also - Allow colord to read /run/initial-setup- - Allow sanlock-helper to send sigkill to virtd which is registred to sanlock - Add virt_kill() interface - Add rgmanager_search_lib() interface - Allow wdmd to getattr on all filesystems. Back ported from RHEL6
2013-04-05 17:34:40 +02:00 · 2013-04-05 17:34:40 +02:00 · f4f51d7574
commit f4f51d7574
parent d9444b18fb
3 changed files with 579 additions and 225 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5515,7 +5515,7 @@ index b31c054..3a628fe 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..f7e9534 100644
+index 76f285e..059e984 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -6306,7 +6306,7 @@ index 76f285e..f7e9534 100644
 ')
 ########################################
-@@ -3855,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,6 +4185,78 @@ interface(`dev_getattr_sysfs_dirs',`
 ########################################
 ## <summary>
@ -6345,11 +6345,47 @@ index 76f285e..f7e9534 100644
 +')
 +
 +########################################
 +## <summary>
 +##	Mount sysfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_mount_sysfs_fs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
 +	allow $1 sysfs_t:filesystem mount;
 +')
 +
 +########################################
 +## <summary>
 +##	Unmount sysfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_unmount_sysfs_fs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
 +	allow $1 sysfs_t:filesystem unmount;
 +')
 +
 +########################################
 +## <summary>
 ##	Search the sysfs directories.
 ## </summary>
 ## <param name="domain">
-@@ -3904,6 +4270,7 @@ interface(`dev_list_sysfs',`
+@@ -3904,6 +4306,7 @@ interface(`dev_list_sysfs',`
 		type sysfs_t;
 	')
@ -6357,7 +6393,7 @@ index 76f285e..f7e9534 100644
 	list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
-@@ -3946,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3946,23 +4349,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 ########################################
 ## <summary>
@ -6378,7 +6414,7 @@ index 76f285e..f7e9534 100644
 #
 -interface(`dev_manage_sysfs_dirs',`
 +interface(`dev_read_cpu_online',`
-+	gen_require(`
+ 	gen_require(`
 +		type cpu_online_t;
 +	')
 +
@ -6397,7 +6433,7 @@ index 76f285e..f7e9534 100644
 +## </param>
 +#
 +interface(`dev_relabel_cpu_online',`
- 	gen_require(`
+	gen_require(`
 +		type cpu_online_t;
 		type sysfs_t;
 	')
@ -6411,7 +6447,7 @@ index 76f285e..f7e9534 100644
 ########################################
 ## <summary>
 ##	Read hardware state information.
-@@ -4016,6 +4409,62 @@ interface(`dev_rw_sysfs',`
+@@ -4016,6 +4445,62 @@ interface(`dev_rw_sysfs',`
 ########################################
 ## <summary>
@ -6474,7 +6510,7 @@ index 76f285e..f7e9534 100644
 ##	Read and write the TPM device.
 ## </summary>
 ## <param name="domain">
-@@ -4113,6 +4562,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +4598,25 @@ interface(`dev_write_urand',`
 ########################################
 ## <summary>
@ -6500,7 +6536,7 @@ index 76f285e..f7e9534 100644
 ##	Getattr generic the USB devices.
 ## </summary>
 ## <param name="domain">
-@@ -4557,6 +5025,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5061,24 @@ interface(`dev_rw_vhost',`
 ########################################
 ## <summary>
@ -6525,7 +6561,7 @@ index 76f285e..f7e9534 100644
 ##	Read and write VMWare devices.
 ## </summary>
 ## <param name="domain">
-@@ -4762,6 +5248,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5284,26 @@ interface(`dev_rw_xserver_misc',`
 ########################################
 ## <summary>
@ -6552,7 +6588,7 @@ index 76f285e..f7e9534 100644
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
-@@ -4851,3 +5357,917 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5393,937 @@ interface(`dev_unconfined',`
 	typeattribute $1 devices_unconfined_type;
 ')
@ -7386,6 +7422,26 @@ index 76f285e..f7e9534 100644
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
@ -15293,7 +15349,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..31a14c8 100644
+index 649e458..cc924ae 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@ -15305,7 +15361,32 @@ index 649e458..31a14c8 100644
 ')
 ########################################
-@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
+@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
 ########################################
 ## <summary>
 +##	Mount the proc filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`kernel_mount_proc',`
 +	gen_require(`
 +		type proc_t;
 +	')
 +
 +	allow $1 proc_t:filesystem mount;
 +')
 +
 +########################################
 +## <summary>
 ##	Unmount the proc filesystem.
 ## </summary>
 ## <param name="domain">
@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',`
 ########################################
 ## <summary>
@ -15330,7 +15411,7 @@ index 649e458..31a14c8 100644
 ##	Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -991,13 +1009,10 @@ interface(`kernel_read_proc_symlinks',`
+@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',`
 #
 interface(`kernel_read_system_state',`
 	gen_require(`
@ -15346,7 +15427,7 @@ index 649e458..31a14c8 100644
 ')
 ########################################
-@@ -1477,6 +1492,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
 ########################################
 ## <summary>
@ -15371,7 +15452,7 @@ index 649e458..31a14c8 100644
 ##	Do not audit attempts by caller to search
 ##	the base directory of sysctls.
 ## </summary>
-@@ -2085,7 +2118,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 	')
 	dontaudit $1 sysctl_type:dir list_dir_perms;
@ -15380,7 +15461,7 @@ index 649e458..31a14c8 100644
 ')
 ########################################
-@@ -2282,6 +2315,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
 ########################################
 ## <summary>
@ -15406,7 +15487,7 @@ index 649e458..31a14c8 100644
 ##	Read the process state (/proc/pid) of all unlabeled_t.
 ## </summary>
 ## <param name="domain">
-@@ -2306,7 +2358,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -15415,7 +15496,7 @@ index 649e458..31a14c8 100644
 ##	</summary>
 ## </param>
 #
-@@ -2488,6 +2540,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 ########################################
 ## <summary>
@ -15440,7 +15521,7 @@ index 649e458..31a14c8 100644
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled character devices.
 ## </summary>
-@@ -2525,6 +2595,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 ########################################
 ## <summary>
@ -15465,7 +15546,7 @@ index 649e458..31a14c8 100644
 ##	Allow caller to relabel unlabeled files.
 ## </summary>
 ## <param name="domain">
-@@ -2632,7 +2720,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
 	allow $1 unlabeled_t:association { sendto recvfrom };
 	# temporary hack until labeling on packets is supported
@ -15474,7 +15555,7 @@ index 649e458..31a14c8 100644
 ')
 ########################################
-@@ -2670,6 +2758,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
 ########################################
 ## <summary>
@ -15499,7 +15580,7 @@ index 649e458..31a14c8 100644
 ##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
-@@ -2697,6 +2803,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
 ########################################
 ## <summary>
@ -15525,7 +15606,7 @@ index 649e458..31a14c8 100644
 ##	Do not audit attempts to receive TCP packets from an unlabeled
 ##	connection.
 ## </summary>
-@@ -2806,6 +2931,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
 	allow $1 unlabeled_t:rawip_socket recvfrom;
 ')
@ -15559,7 +15640,7 @@ index 649e458..31a14c8 100644
 ########################################
 ## <summary>
-@@ -2961,6 +3113,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
 ########################################
 ## <summary>
@ -15584,7 +15665,7 @@ index 649e458..31a14c8 100644
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
-@@ -2975,5 +3145,299 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3163,299 @@ interface(`kernel_unconfined',`
 	')
 	typeattribute $1 kern_unconfined;
@ -17164,7 +17245,7 @@ index 7d45d15..22c9cfe 100644
 +
 +/usr/lib/udev/devices/pts -d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..8b0e5e6 100644
+index 771bce1..55ebf4b 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@ -17226,7 +17307,50 @@ index 771bce1..8b0e5e6 100644
 ')
 ########################################
-@@ -481,6 +504,24 @@ interface(`term_list_ptys',`
+@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',`
 ########################################
 ## <summary>
 +##	Mount a pty filesystem
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`term_mount_pty_fs',`
 +	gen_require(`
 +		type devpts_t;
 +	')
 +
 +	allow $1 devpts_t:filesystem mount;
 +')
 +
 +########################################
 +## <summary>
 +##	Unmount a pty filesystem
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`term_unmount_pty_fs',`
 +	gen_require(`
 +		type devpts_t;
 +	')
 +
 +	allow $1 devpts_t:filesystem unmount;
 +')
 +
 +########################################
 +## <summary>
 ##	Relabel from and to pty filesystem.
 ## </summary>
 ## <param name="domain">
@@ -481,6 +540,24 @@ interface(`term_list_ptys',`
 ########################################
 ## <summary>
@ -17251,7 +17375,7 @@ index 771bce1..8b0e5e6 100644
 ##	Do not audit attempts to read the
 ##	/dev/pts directory.
 ## </summary>
-@@ -620,7 +661,7 @@ interface(`term_use_generic_ptys',`
+@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',`
 ########################################
 ## <summary>
@ -17260,7 +17384,7 @@ index 771bce1..8b0e5e6 100644
 ##	write the generic pty type.  This is
 ##	generally only used in the targeted policy.
 ## </summary>
-@@ -635,6 +676,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',`
 		type devpts_t;
 	')
@ -17268,7 +17392,7 @@ index 771bce1..8b0e5e6 100644
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
-@@ -879,6 +921,26 @@ interface(`term_use_all_ptys',`
+@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',`
 ########################################
 ## <summary>
@ -17295,7 +17419,7 @@ index 771bce1..8b0e5e6 100644
 ##	Do not audit attempts to read or write any ptys.
 ## </summary>
 ## <param name="domain">
-@@ -892,7 +954,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',`
 		attribute ptynode;
 	')
@ -17304,7 +17428,7 @@ index 771bce1..8b0e5e6 100644
 ')
 ########################################
-@@ -912,7 +974,7 @@ interface(`term_relabel_all_ptys',`
+@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',`
 	')
 	dev_list_all_dev_nodes($1)
@ -17313,7 +17437,7 @@ index 771bce1..8b0e5e6 100644
 ')
 ########################################
-@@ -940,7 +1002,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -17322,7 +17446,7 @@ index 771bce1..8b0e5e6 100644
 ##	</summary>
 ## </param>
 #
-@@ -1259,7 +1321,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 		type tty_device_t;
 	')
@ -17371,7 +17495,7 @@ index 771bce1..8b0e5e6 100644
 ')
 ########################################
-@@ -1275,11 +1377,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 #
 interface(`term_getattr_all_ttys',`
 	gen_require(`
@ -17385,7 +17509,7 @@ index 771bce1..8b0e5e6 100644
 ')
 ########################################
-@@ -1296,10 +1400,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',`
 interface(`term_dontaudit_getattr_all_ttys',`
 	gen_require(`
 		attribute ttynode;
@ -17398,7 +17522,7 @@ index 771bce1..8b0e5e6 100644
 ')
 ########################################
-@@ -1377,7 +1483,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',`
 	')
 	dev_list_all_dev_nodes($1)
@ -17427,7 +17551,7 @@ index 771bce1..8b0e5e6 100644
 ')
 ########################################
-@@ -1396,7 +1522,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',`
 		attribute ttynode;
 	')
@ -17436,7 +17560,7 @@ index 771bce1..8b0e5e6 100644
 ')
 ########################################
-@@ -1504,7 +1630,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -17445,7 +17569,7 @@ index 771bce1..8b0e5e6 100644
 ##	</summary>
 ## </param>
 #
-@@ -1512,3 +1638,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
 	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
 	term_dontaudit_use_all_ttys($1)
 ')
@ -26328,7 +26452,7 @@ index 016a770..1effeb4 100644
 +	files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
 +')
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..4ea7640 100644
+index 6c4b6ee..f512b72 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
@ -26357,7 +26481,15 @@ index 6c4b6ee..4ea7640 100644
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
-@@ -101,6 +110,8 @@ files_read_usr_files(fsadm_t)
+@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
 # Enable swapping to files
 allow fsadm_t swapfile_t:file { rw_file_perms swapon };
 +kernel_get_sysvipc_info(fsadm_t)
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
 kernel_request_load_module(fsadm_t)
@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
 files_read_etc_files(fsadm_t)
 files_manage_lost_found(fsadm_t)
 files_manage_isid_type_dirs(fsadm_t)
@ -26366,7 +26498,7 @@ index 6c4b6ee..4ea7640 100644
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,6 +131,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
@ -26376,7 +26508,7 @@ index 6c4b6ee..4ea7640 100644
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
-@@ -133,21 +147,26 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
 storage_raw_write_removable_device(fsadm_t)
 storage_read_scsi_generic(fsadm_t)
@ -26394,6 +26526,7 @@ index 6c4b6ee..4ea7640 100644
 +init_stream_connect(fsadm_t)
 logging_send_syslog_msg(fsadm_t)
 +logging_send_audit_msgs(fsadm_t)
 +logging_stream_connect_syslog(fsadm_t)
 -miscfiles_read_localization(fsadm_t)
@ -26405,7 +26538,7 @@ index 6c4b6ee..4ea7640 100644
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -166,6 +185,11 @@ optional_policy(`
+@@ -166,6 +187,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -26417,7 +26550,7 @@ index 6c4b6ee..4ea7640 100644
 	hal_dontaudit_write_log(fsadm_t)
 ')
-@@ -179,6 +203,10 @@ optional_policy(`
+@@ -179,6 +205,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -26428,7 +26561,7 @@ index 6c4b6ee..4ea7640 100644
 	nis_use_ypbind(fsadm_t)
 ')
-@@ -192,6 +220,10 @@ optional_policy(`
+@@ -192,6 +222,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -27940,7 +28073,7 @@ index 24e7804..1894886 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..99c538c 100644
+index dd3be8d..61531ce 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@ -28206,15 +28339,14 @@ index dd3be8d..99c538c 100644
 +
 +optional_policy(`
 +	gnome_filetrans_home_content(init_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	auth_rw_login_records(init_t)
 +	modutils_domtrans_insmod(init_t)
 +	modutils_list_module_config(init_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
@ -28338,28 +28470,29 @@ index dd3be8d..99c538c 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	auth_rw_login_records(init_t)
 +	consolekit_manage_log(init_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 +	dbus_connect_system_bus(init_t)
 	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	nscd_use(init_t)
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	nscd_use(init_t)
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
 ')
@ -29002,7 +29135,7 @@ index dd3be8d..99c538c 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1353,187 @@ optional_policy(`
+@@ -896,3 +1353,191 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -29184,6 +29317,10 @@ index dd3be8d..99c538c 100644
 +allow initrc_domain systemprocess_entry:file { getattr open read execute };
 +allow initrc_domain systemprocess:process transition;
 +
 +optional_policy(`
 +    rgmanager_search_lib(initrc_domain)
 +')
 +
 +ifdef(`direct_sysadm_daemon',`
 +    allow daemon direct_run_init:fd use;
 +    allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
@ -32614,7 +32751,7 @@ index 72c746e..f035d9f 100644
 +/usr/sbin/umount\.ecryptfs_private	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 +/usr/sbin/umount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..0755e25 100644
+index 4584457..e432df3 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@ -32631,7 +32768,7 @@ index 4584457..0755e25 100644
 ')
 ########################################
-@@ -38,11 +45,103 @@ interface(`mount_domtrans',`
+@@ -38,11 +45,122 @@ interface(`mount_domtrans',`
 #
 interface(`mount_run',`
 	gen_require(`
@ -32719,6 +32856,25 @@ index 4584457..0755e25 100644
 +
 +########################################
 +## <summary>
 +##	Read/write mount PID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`mount_rw_pid_files',`
 +	gen_require(`
 +		type mount_var_run_t;
 +	')
 +
 +	rw_files_pattern($1, mount_var_run_t, mount_var_run_t)
 +	files_search_pids($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage mount PID files.
 +## </summary>
 +## <param name="domain">
@ -32737,7 +32893,7 @@ index 4584457..0755e25 100644
 ')
 ########################################
-@@ -91,7 +190,7 @@ interface(`mount_signal',`
+@@ -91,7 +209,7 @@ interface(`mount_signal',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -32746,7 +32902,7 @@ index 4584457..0755e25 100644
 ##	</summary>
 ## </param>
 #
-@@ -131,45 +230,138 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',`
 ########################################
 ## <summary>
@ -32806,14 +32962,19 @@ index 4584457..0755e25 100644
 ##	<summary>
 -##	Role allowed access.
 +##	Domain allowed access.
-+##	</summary>
+ ##	</summary>
-+## </param>
+ ## </param>
-+#
+-## <rolecap/>
 #
 -interface(`mount_run_unconfined',`
 +interface(`mount_exec_fusermount',`
-+	gen_require(`
+ 	gen_require(`
 -		type unconfined_mount_t;
 +		type fusermount_exec_t;
-+	')
+ 	')
-+
+ 
 -	mount_domtrans_unconfined($1)
 -	role $2 types unconfined_mount_t;
 +	can_exec($1, fusermount_exec_t)
 +')
 +
@ -32824,19 +32985,14 @@ index 4584457..0755e25 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
-## <rolecap/>
+#
 #
 -interface(`mount_run_unconfined',`
 +interface(`mount_dontaudit_exec_fusermount',`
- 	gen_require(`
+	gen_require(`
 -		type unconfined_mount_t;
 +		type fusermount_exec_t;
- 	')
+	')
- 
+
 -	mount_domtrans_unconfined($1)
 -	role $2 types unconfined_mount_t;
 +	dontaudit $1 fusermount_exec_t:file exec_file_perms;
 +')
 +
@ -32902,7 +33058,7 @@ index 4584457..0755e25 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
 ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..2fc14cd 100644
+index 6a50270..b34911e 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@ -33003,7 +33159,7 @@ index 6a50270..2fc14cd 100644
 kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
-@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +100,47 @@ kernel_request_load_module(mount_t)
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
@ -33019,6 +33175,7 @@ index 6a50270..2fc14cd 100644
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
 +dev_rw_loop_control(mount_t)
 +
 +ifdef(`hide_broken_symptoms',`
 +	dev_rw_generic_blk_files(mount_t)
@ -33053,7 +33210,7 @@ index 6a50270..2fc14cd 100644
 files_read_isid_type_files(mount_t)
 # For reading cert files
 files_read_usr_files(mount_t)
-@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
+@@ -92,28 +148,39 @@ files_list_mnt(mount_t)
 files_dontaudit_write_all_mountpoints(mount_t)
 files_dontaudit_setattr_all_mountpoints(mount_t)
@ -33099,7 +33256,7 @@ index 6a50270..2fc14cd 100644
 term_dontaudit_manage_pty_dirs(mount_t)
 auth_use_nsswitch(mount_t)
-@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +188,21 @@ auth_use_nsswitch(mount_t)
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
 init_dontaudit_getattr_initctl(mount_t)
@ -33123,7 +33280,7 @@ index 6a50270..2fc14cd 100644
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +218,27 @@ ifdef(`distro_ubuntu',`
 	')
 ')
@ -33163,7 +33320,7 @@ index 6a50270..2fc14cd 100644
 	corenet_tcp_bind_generic_port(mount_t)
 	corenet_udp_bind_generic_port(mount_t)
 	corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +251,8 @@ optional_policy(`
+@@ -179,6 +252,8 @@ optional_policy(`
 	fs_search_rpc(mount_t)
 	rpc_stub(mount_t)
@ -33172,7 +33329,7 @@ index 6a50270..2fc14cd 100644
 ')
 optional_policy(`
-@@ -186,6 +260,36 @@ optional_policy(`
+@@ -186,6 +261,36 @@ optional_policy(`
 ')
 optional_policy(`
@ -33209,7 +33366,7 @@ index 6a50270..2fc14cd 100644
 	ifdef(`hide_broken_symptoms',`
 		# for a bug in the X server
 		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +298,128 @@ optional_policy(`
+@@ -194,24 +299,128 @@ optional_policy(`
 ')
 optional_policy(`
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 25%{?dist}
+Release: 26%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -526,6 +526,39 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Apr 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-26
 - Try to label on controlC devices up to 30 correctly
 - Add mount_rw_pid_files() interface
 - Add additional mount/umount interfaces needed by mock
 - fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk
 - Fix tabs
 - Allow initrc_domain to search rgmanager lib files
 - Add more fixes which make mock working together with confined users
  * Allow mock_t to manage rpm files
  * Allow mock_t to read rpm log files
  * Allow mock to setattr on tmpfs, devpts
  * Allow mount/umount filesystems
 - Add rpm_read_log() interface
 - yum-cron runs rpm from within it.
 - Allow tuned to transition to dmidecode
 - Allow firewalld to do net_admin
 - Allow mock to unmont tmpfs_t
 - Fix virt_sigkill() interface
 - Add additional fixes for mock. Mainly caused by mount running in mock_t
 - Allow mock to write sysfs_t and mount pid files
 - Add mailman_domain to mailman_template()
 - Allow openvswitch to execute shell
 - Allow qpidd to use kerberos
 - Allow mailman to use fusefs, needs back port to RHEL6
 - Allow apache and its scripts to use anon_inodefs
 - Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7
 - Realmd needs to connect to samba ports, needs back port to F18 also
 - Allow colord to read /run/initial-setup-
 - Allow sanlock-helper to send sigkill to virtd which is registred to sanlock
 - Add virt_kill() interface
 - Add rgmanager_search_lib() interface
 - Allow wdmd to getattr on all filesystems. Back ported from RHEL6
 * Tue Apr 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-25
 - Allow realmd to create tmp files
 - FIx ircssi_home_t type to irssi_home_t