- Turn on gear_port_t

- Add gear policy and remove permissive domains. - Add labels for ostree - Add SELinux awareness for NM - Label /usr/sbin/pwhistory_helper as updpwd_exec_t
2014-03-27 20:39:58 +01:00 · 2014-03-27 20:39:58 +01:00 · f8f75f94a2
commit f8f75f94a2
parent 83715e6621
4 changed files with 479 additions and 34 deletions
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@ -2505,5 +2505,11 @@ bacula = module
 #
 # rhnsd policy
 #
 rhnsd = module
 # Layer: contrib
 # Module: gear
 #
 # gear policy
 #
 gear = module
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -26099,7 +26099,7 @@ index c6fdab7..af71c62 100644
 	sudo_sigchld(application_domain_type)
 ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 2479587..39239cf 100644
+index 2479587..00d2700 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
@@ -1,14 +1,28 @@
@ -26135,7 +26135,7 @@ index 2479587..39239cf 100644
 /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 /sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-@@ -16,13 +30,24 @@ ifdef(`distro_suse', `
+@@ -16,13 +30,25 @@ ifdef(`distro_suse', `
 /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
@ -26147,6 +26147,7 @@ index 2479587..39239cf 100644
 -/usr/sbin/validate	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 +/usr/sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
 +/usr/sbin/pam_timestamp_check	 --	gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
 +/usr/sbin/pwhistory_helper  --  gen_context(system_u:object_r:updpwd_exec_t,s0)
 +/usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 +/usr/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 +/usr/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
@ -26162,7 +26163,7 @@ index 2479587..39239cf 100644
 /var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
-@@ -30,21 +55,25 @@ ifdef(`distro_gentoo', `
+@@ -30,21 +56,25 @@ ifdef(`distro_gentoo', `
 /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -2311,14 +2311,17 @@ index 16d0d66..60abfd0 100644
 optional_policy(`
 	nscd_dontaudit_search_pid(amtu_t)
 diff --git a/anaconda.fc b/anaconda.fc
-index b098089..b2c4d10 100644
+index b098089..258407b 100644
 --- a/anaconda.fc
 +++ b/anaconda.fc
-@@ -1 +1,4 @@
+@@ -1 +1,7 @@
 # No file context specifications.
 +
 +/usr/libexec/anaconda/anaconda-yum  --  gen_context(system_u:object_r:install_exec_t,s0)
 +/usr/sbin/anaconda      --  gen_context(system_u:object_r:install_exec_t,s0)
 +
 +/usr/bin/ostree         --  gen_context(system_u:object_r:install_exec_t,s0)
 +/usr/bin/rpm-ostree     --  gen_context(system_u:object_r:install_exec_t,s0)
 diff --git a/anaconda.if b/anaconda.if
 index 14a61b7..21bbf36 100644
 --- a/anaconda.if
@ -23286,10 +23289,10 @@ index 0000000..fd679a1
 +/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..4ca46bc
+index 0000000..1048292
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,325 @@
+@@ -0,0 +1,345 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@ -23573,6 +23576,26 @@ index 0000000..4ca46bc
 +
 +########################################
 +## <summary>
 +##	Connect to docker over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`docker_stream_connect',`
 +	gen_require(`
 +		type docker_t, docker_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
 +##	an docker environment
 +## </summary>
@ -27441,6 +27464,413 @@ index 2820368..88c98f4 100644
 sysnet_read_config(gatekeeper_t)
 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
 diff --git a/gear.fc b/gear.fc
 new file mode 100644
 index 0000000..5eabf35
 --- /dev/null
 +++ b/gear.fc
@@ -0,0 +1,7 @@
 +/usr/bin/gear			--	gen_context(system_u:object_r:gear_exec_t,s0)
 +
 +/usr/lib/systemd/system/gear.service		--	gen_context(system_u:object_r:gear_unit_file_t,s0)
 +
 +/var/lib/containers/bin/gear	--	gen_context(system_u:object_r:gear_exec_t,s0)
 +
 +/var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)
 diff --git a/gear.if b/gear.if
 new file mode 100644
 index 0000000..04e159f
 --- /dev/null
 +++ b/gear.if
@@ -0,0 +1,288 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
 +########################################
 +## <summary>
 +##	Execute gear in the gear domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`gear_domtrans',`
 +	gen_require(`
 +		type gear_t, gear_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, gear_exec_t, gear_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Search gear lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gear_search_lib',`
 +	gen_require(`
 +		type gear_var_lib_t;
 +	')
 +
 +	allow $1 gear_var_lib_t:dir search_dir_perms;
 +	files_search_var_lib($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Execute gear lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gear_exec_lib',`
 +	gen_require(`
 +		type gear_var_lib_t;
 +	')
 +
 +	allow $1 gear_var_lib_t:dir search_dir_perms;
 +	can_exec($1, gear_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read gear lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gear_read_lib_files',`
 +	gen_require(`
 +		type gear_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage gear lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gear_manage_lib_files',`
 +	gen_require(`
 +		type gear_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
 +	manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage gear lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gear_manage_lib_dirs',`
 +	gen_require(`
 +		type gear_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Create objects in a gear var lib directory
 +##	with an automatic type transition to
 +##	a specified private type.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="private_type">
 +##	<summary>
 +##	The type of the object to create.
 +##	</summary>
 +## </param>
 +## <param name="object_class">
 +##	<summary>
 +##	The class of the object to be created.
 +##	</summary>
 +## </param>
 +## <param name="name" optional="true">
 +##	<summary>
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
 +#
 +interface(`gear_lib_filetrans',`
 +	gen_require(`
 +		type gear_var_lib_t;
 +	')
 +
 +	filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
 +')
 +
 +########################################
 +## <summary>
 +##	Read gear PID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gear_read_pid_files',`
 +	gen_require(`
 +		type gear_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	read_files_pattern($1, gear_var_run_t, gear_var_run_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Execute gear server in the gear domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
 +interface(`gear_systemctl',`
 +	gen_require(`
 +		type gear_t;
 +		type gear_unit_file_t;
 +	')
 +
 +	systemd_exec_systemctl($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 gear_unit_file_t:file read_file_perms;
 +	allow $1 gear_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, gear_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read and write gear shared memory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gear_rw_sem',`
 +	gen_require(`
 +		type gear_t;
 +	')
 +
 +	allow $1 gear_t:sem rw_sem_perms;
 +')
 +
 +#######################################
 +## <summary>
 +##  Read and write the gear pty type.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`gear_use_ptys',`
 +    gen_require(`
 +        type gear_devpts_t;
 +    ')
 +
 +    allow $1 gear_devpts_t:chr_file rw_term_perms;
 +')
 +
 +#######################################
 +## <summary>
 +##      Allow domain to create gear content
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +#
 +interface(`gear_filetrans_named_content',`
 +    gen_require(`
 +            type gear_var_lib_t;
 +	    type gear_var_run_t;
 +    ')
 +
 +    files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
 +    files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
 +')
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
 +##	an gear environment
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gear_admin',`
 +	gen_require(`
 +		type gear_t;
 +		type gear_var_lib_t, gear_var_run_t;
 +		type gear_unit_file_t;
 +		type gear_lock_t;
 +		type gear_log_t;
 +	')
 +
 +	allow $1 gear_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, gear_t)
 +
 +	files_search_var_lib($1)
 +	admin_pattern($1, gear_var_lib_t)
 +
 +	files_search_pids($1)
 +	admin_pattern($1, gear_var_run_t)
 +
 +	logging_search_logs($1)
 +	admin_pattern($1, gear_log_t)
 +
 +	gear_systemctl($1)
 +	admin_pattern($1, gear_unit_file_t)
 +	allow $1 gear_unit_file_t:service all_service_perms;
 +')
 diff --git a/gear.te b/gear.te
 new file mode 100644
 index 0000000..6c32f79
 --- /dev/null
 +++ b/gear.te
@@ -0,0 +1,94 @@
 +policy_module(gear, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +type gear_t;
 +type gear_exec_t;
 +init_daemon_domain(gear_t, gear_exec_t)
 +
 +type gear_var_lib_t;
 +files_type(gear_var_lib_t)
 +
 +type gear_log_t;
 +logging_log_file(gear_log_t)
 +
 +type gear_var_run_t;
 +files_pid_file(gear_var_run_t)
 +
 +type gear_unit_file_t;
 +systemd_unit_file(gear_unit_file_t)
 +
 +########################################
 +#
 +# gear local policy
 +#
 +allow gear_t self:process { getattr signal_perms };
 +allow gear_t self:fifo_file rw_fifo_file_perms;
 +allow gear_t self:unix_stream_socket create_stream_socket_perms;
 +allow gear_t self:tcp_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
 +manage_files_pattern(gear_t, gear_log_t, gear_log_t)
 +manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
 +logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
 +
 +gear_filetrans_named_content(gear_t)
 +
 +manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 +manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 +manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 +manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 +manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 +files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
 +
 +manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
 +manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
 +manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
 +manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
 +files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
 +
 +kernel_read_system_state(gear_t)
 +kernel_read_network_state(gear_t)
 +kernel_read_all_sysctls(gear_t)
 +kernel_rw_net_sysctls(gear_t)
 +
 +domain_use_interactive_fds(gear_t)
 +
 +corecmd_exec_bin(gear_t)
 +corecmd_exec_shell(gear_t)
 +
 +corenet_tcp_bind_generic_node(gear_t)
 +corenet_tcp_sendrecv_generic_if(gear_t)
 +corenet_tcp_sendrecv_generic_node(gear_t)
 +corenet_tcp_sendrecv_generic_port(gear_t)
 +corenet_tcp_bind_gear_port(gear_t)
 +
 +files_read_etc_files(gear_t)
 +
 +fs_read_cgroup_files(gear_t)
 +fs_read_tmpfs_symlinks(gear_t)
 +
 +auth_use_nsswitch(gear_t)
 +
 +init_read_state(gear_t)
 +init_dbus_chat(gear_t)
 +
 +logging_send_audit_msgs(gear_t)
 +logging_send_syslog_msg(gear_t)
 +
 +miscfiles_read_localization(gear_t)
 +
 +mount_domtrans(gear_t)
 +
 +seutil_read_default_contexts(gear_t)
 +
 +sysnet_dns_name_resolve(gear_t)
 +
 +systemd_manage_all_unit_files(gear_t)
 +
 +optional_policy(`
 +	docker_stream_connect(gear_t)
 +')
 diff --git a/geoclue.fc b/geoclue.fc
 new file mode 100644
 index 0000000..a97f14f
@ -41276,10 +41706,10 @@ index 0000000..3f433f1
 +')
 diff --git a/mcollective.te b/mcollective.te
 new file mode 100644
-index 0000000..a04dd6b
+index 0000000..8bc27f4
 --- /dev/null
 +++ b/mcollective.te
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,27 @@
 +policy_module(mcollective, 1.0.0)
 +
 +########################################
@ -41292,8 +41722,6 @@ index 0000000..a04dd6b
 +init_daemon_domain(mcollective_t, mcollective_exec_t)
 +cron_system_entry(mcollective_t, mcollective_exec_t)
 +
 +permissive mcollective_t;
 +
 +type mcollective_etc_rw_t;
 +files_type(mcollective_etc_rw_t)
 +
@ -50610,7 +51038,7 @@ index 86dc29d..1cd0d0e 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
 ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..ed9adbc 100644
+index 55f2009..63b8998 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@ -50635,7 +51063,7 @@ index 55f2009..ed9adbc 100644
 type NetworkManager_log_t;
 logging_log_file(NetworkManager_log_t)
-@@ -39,25 +42,50 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,53 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
 # Local policy
 #
@ -50654,6 +51082,9 @@ index 55f2009..ed9adbc 100644
 +
 +allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
 +
 +allow NetworkManager_t self:process setfscreate;
 +selinux_validate_context(NetworkManager_t)
 +
 +tunable_policy(`deny_ptrace',`',`
 +	allow NetworkManager_t self:capability sys_ptrace;
 +	allow NetworkManager_t self:process ptrace;
@ -50683,10 +51114,10 @@ index 55f2009..ed9adbc 100644
 +can_exec(NetworkManager_t, NetworkManager_exec_t)
 +#wicd
 +can_exec(NetworkManager_t, wpa_cli_exec_t)
-+
+ 
 +list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
 +read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
- 
+
 +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
@ -50695,7 +51126,7 @@ index 55f2009..ed9adbc 100644
 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
 filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +96,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +99,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
 setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
 logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@ -50703,7 +51134,7 @@ index 55f2009..ed9adbc 100644
 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +110,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +113,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
 manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
@ -50722,7 +51153,7 @@ index 55f2009..ed9adbc 100644
 corenet_all_recvfrom_netlabel(NetworkManager_t)
 corenet_tcp_sendrecv_generic_if(NetworkManager_t)
 corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +128,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +131,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
 corenet_tcp_sendrecv_all_ports(NetworkManager_t)
 corenet_udp_sendrecv_all_ports(NetworkManager_t)
 corenet_udp_bind_generic_node(NetworkManager_t)
@ -50748,7 +51179,7 @@ index 55f2009..ed9adbc 100644
 dev_rw_sysfs(NetworkManager_t)
 dev_read_rand(NetworkManager_t)
 dev_read_urand(NetworkManager_t)
-@@ -125,13 +144,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +147,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
 dev_getattr_all_chr_files(NetworkManager_t)
 dev_rw_wireless(NetworkManager_t)
@ -50762,7 +51193,7 @@ index 55f2009..ed9adbc 100644
 fs_getattr_all_fs(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
 fs_list_inotifyfs(NetworkManager_t)
-@@ -140,18 +152,33 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +155,33 @@ mls_file_read_all_levels(NetworkManager_t)
 selinux_dontaudit_search_fs(NetworkManager_t)
@ -50797,7 +51228,7 @@ index 55f2009..ed9adbc 100644
 seutil_read_config(NetworkManager_t)
-@@ -166,21 +193,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +196,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
 sysnet_read_dhcpc_state(NetworkManager_t)
 sysnet_delete_dhcpc_state(NetworkManager_t)
 sysnet_search_dhcp_state(NetworkManager_t)
@ -50834,7 +51265,7 @@ index 55f2009..ed9adbc 100644
 ')
 optional_policy(`
-@@ -196,10 +234,6 @@ optional_policy(`
+@@ -196,10 +237,6 @@ optional_policy(`
 ')
 optional_policy(`
@ -50845,7 +51276,7 @@ index 55f2009..ed9adbc 100644
 	consoletype_exec(NetworkManager_t)
 ')
-@@ -210,16 +244,11 @@ optional_policy(`
+@@ -210,16 +247,11 @@ optional_policy(`
 optional_policy(`
 	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@ -50864,7 +51295,7 @@ index 55f2009..ed9adbc 100644
 	')
 ')
-@@ -231,18 +260,27 @@ optional_policy(`
+@@ -231,18 +263,27 @@ optional_policy(`
 	dnsmasq_kill(NetworkManager_t)
 	dnsmasq_signal(NetworkManager_t)
 	dnsmasq_signull(NetworkManager_t)
@ -50895,7 +51326,7 @@ index 55f2009..ed9adbc 100644
 ')
 optional_policy(`
-@@ -250,6 +288,10 @@ optional_policy(`
+@@ -250,6 +291,10 @@ optional_policy(`
 	ipsec_kill_mgmt(NetworkManager_t)
 	ipsec_signal_mgmt(NetworkManager_t)
 	ipsec_signull_mgmt(NetworkManager_t)
@ -50906,7 +51337,7 @@ index 55f2009..ed9adbc 100644
 ')
 optional_policy(`
-@@ -257,15 +299,19 @@ optional_policy(`
+@@ -257,15 +302,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -50928,7 +51359,7 @@ index 55f2009..ed9adbc 100644
 ')
 optional_policy(`
-@@ -274,10 +320,17 @@ optional_policy(`
+@@ -274,10 +323,17 @@ optional_policy(`
 	nscd_signull(NetworkManager_t)
 	nscd_kill(NetworkManager_t)
 	nscd_initrc_domtrans(NetworkManager_t)
@ -50946,7 +51377,7 @@ index 55f2009..ed9adbc 100644
 ')
 optional_policy(`
-@@ -289,6 +342,7 @@ optional_policy(`
+@@ -289,6 +345,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -50954,7 +51385,7 @@ index 55f2009..ed9adbc 100644
 	policykit_domtrans_auth(NetworkManager_t)
 	policykit_read_lib(NetworkManager_t)
 	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +350,7 @@ optional_policy(`
+@@ -296,7 +353,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -50963,7 +51394,7 @@ index 55f2009..ed9adbc 100644
 ')
 optional_policy(`
-@@ -307,6 +361,7 @@ optional_policy(`
+@@ -307,6 +364,7 @@ optional_policy(`
 	ppp_signal(NetworkManager_t)
 	ppp_signull(NetworkManager_t)
 	ppp_read_config(NetworkManager_t)
@ -50971,7 +51402,7 @@ index 55f2009..ed9adbc 100644
 ')
 optional_policy(`
-@@ -320,14 +375,20 @@ optional_policy(`
+@@ -320,14 +378,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -50997,7 +51428,7 @@ index 55f2009..ed9adbc 100644
 ')
 optional_policy(`
-@@ -357,6 +418,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +421,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
 init_dontaudit_use_fds(wpa_cli_t)
 init_use_script_ptys(wpa_cli_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 40%{?dist}
+Release: 41%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -584,6 +584,13 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Thu Mar 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-41
 - Turn on gear_port_t
 - Add gear policy and remove permissive domains.
 - Add labels for ostree
 - Add SELinux awareness for NM
 - Label /usr/sbin/pwhistory_helper as updpwd_exec_t
 * Wed Mar 26 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-40
 - update storage_filetrans_all_named_dev for sg* devices
 - Allow auditctl_t  to getattr on all removeable devices