- Add kernel_mounton_messages() interface

- init wants to manage lock files for iscsi - Add support for dey_sapi port - Fixes needed for docker - Allow epmd to manage /var/log/rabbitmq/startup_err file - Allow beam.smp connect to amqp port - drbdadm executes drbdmeta - Added osad policy - Allow postfix to deliver to procmail - Allow vmtools to execute /usr/bin/lsb_release - Allow geoclue to read /etc/passwd - Allow docker to write system net ctrls - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix pcp.te - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl
2014-02-05 08:52:08 +01:00 · 2014-02-05 08:52:08 +01:00 · fc059db54d
parent 4cde844b7e
commit fc059db54d
3 changed files with 1155 additions and 551 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..51daa72 100644
+index b191055..b60c687 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5497,7 +5497,7 @@ index b191055..51daa72 100644
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
 network_port(audit, tcp,60,s0)
 network_port(auth, tcp,113,s0)
-@@ -96,19 +119,20 @@ network_port(boinc, tcp,31416,s0)
+@@ -96,43 +119,53 @@ network_port(boinc, tcp,31416,s0)
 network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
 network_port(biff) # no defined portcon
 network_port(certmaster, tcp,51235,s0)
@ -5521,7 +5521,11 @@ index b191055..51daa72 100644
 network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
 network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -119,20 +143,28 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+ network_port(dbskkd, tcp,1178,s0)
+ network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dccm, tcp,5679,s0, udp,5679,s0)
+network_port(dey_sapi, tcp,4330,s0)
+ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
 network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
 network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
@ -5552,7 +5556,7 @@ index b191055..51daa72 100644
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +172,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@ -5619,7 +5623,7 @@ index b191055..51daa72 100644
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
 network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +225,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mxi, tcp,8005,s0, udp,8005,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
@ -5659,7 +5663,7 @@ index b191055..51daa72 100644
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
-@@ -215,39 +263,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,39 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
@ -5712,7 +5716,7 @@ index b191055..51daa72 100644
 network_port(ssh, tcp,22,s0)
 network_port(stunnel) # no defined portcon
 network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,8 +313,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -259,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
 network_port(tcs, tcp, 30003, s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
@ -5723,7 +5727,7 @@ index b191055..51daa72 100644
 network_port(transproxy, tcp,8081,s0)
 network_port(trisoap, tcp,10200,s0, udp,10200,s0)
 network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -271,10 +327,10 @@ network_port(varnishd, tcp,6081-6082,s0)
 network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
 network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
 network_port(virt_migration, tcp,49152-49216,s0)
@ -5736,7 +5740,7 @@ index b191055..51daa72 100644
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +344,23 @@ network_port(zabbix_agent, tcp,10050,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
@ -5763,7 +5767,7 @@ index b191055..51daa72 100644
 
 ########################################
 #
-@@ -333,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +393,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
@ -5772,7 +5776,7 @@ index b191055..51daa72 100644
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
-@@ -345,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +407,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -14917,7 +14921,7 @@ index 7be4ddf..d5ef507 100644
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..6f745f0 100644
+index e100d88..ee4c057 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@ -15031,7 +15035,33 @@ index e100d88..6f745f0 100644
 ##	Do not audit attempts by caller to
 ##	read system state information in proc.
 ## </summary>
-@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',`
+ 
+ ########################################
+ ## <summary>
+##	Allow caller to read kernel messages
+##	using the /proc/kmsg interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_messages',`
+	gen_require(`
+		type proc_kmsg_t, proc_t;
+	')
+
+    allow $1 proc_kmsg_t:dir mounton;
+')
+
+########################################
+## <summary>
+ ##	Allow caller to get the attributes of kernel message
+ ##	interface (/proc/kmsg).
+ ## </summary>
+@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',`
 
 ########################################
 ## <summary>
@ -15056,7 +15086,7 @@ index e100d88..6f745f0 100644
 ##	Do not audit attempts by caller to search
 ##	the base directory of sysctls.
 ## </summary>
-@@ -1750,16 +1820,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1839,9 @@ interface(`kernel_rw_unix_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -15074,7 +15104,7 @@ index e100d88..6f745f0 100644
 ')
 
 ########################################
-@@ -1771,16 +1834,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1853,9 @@ interface(`kernel_read_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -15092,7 +15122,7 @@ index e100d88..6f745f0 100644
 ')
 
 ########################################
-@@ -1792,16 +1848,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1867,9 @@ interface(`kernel_rw_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -15110,7 +15140,7 @@ index e100d88..6f745f0 100644
 ')
 
 ########################################
-@@ -1813,16 +1862,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1881,9 @@ interface(`kernel_read_modprobe_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -15128,7 +15158,7 @@ index e100d88..6f745f0 100644
 ')
 
 ########################################
-@@ -2085,7 +2127,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2146,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 	')
 
 	dontaudit $1 sysctl_type:dir list_dir_perms;
@ -15137,7 +15167,7 @@ index e100d88..6f745f0 100644
 ')
 
 ########################################
-@@ -2282,6 +2324,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2343,25 @@ interface(`kernel_list_unlabeled',`
 
 ########################################
 ## <summary>
@ -15163,7 +15193,7 @@ index e100d88..6f745f0 100644
 ##	Read the process state (/proc/pid) of all unlabeled_t.
 ## </summary>
 ## <param name="domain">
-@@ -2306,7 +2367,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2386,7 @@ interface(`kernel_read_unlabeled_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -15172,7 +15202,7 @@ index e100d88..6f745f0 100644
 ##	</summary>
 ## </param>
 #
-@@ -2488,6 +2549,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2568,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 
 ########################################
 ## <summary>
@ -15197,7 +15227,7 @@ index e100d88..6f745f0 100644
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled character devices.
 ## </summary>
-@@ -2525,6 +2604,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2623,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 
 ########################################
 ## <summary>
@ -15222,7 +15252,7 @@ index e100d88..6f745f0 100644
 ##	Allow caller to relabel unlabeled files.
 ## </summary>
 ## <param name="domain">
-@@ -2667,6 +2764,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2783,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
 
 ########################################
 ## <summary>
@ -15247,7 +15277,7 @@ index e100d88..6f745f0 100644
 ##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
-@@ -2694,6 +2809,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2828,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
 
 ########################################
 ## <summary>
@ -15273,7 +15303,7 @@ index e100d88..6f745f0 100644
 ##	Do not audit attempts to receive TCP packets from an unlabeled
 ##	connection.
 ## </summary>
-@@ -2803,6 +2937,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +2956,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
 
 	allow $1 unlabeled_t:rawip_socket recvfrom;
 ')
@ -15307,7 +15337,7 @@ index e100d88..6f745f0 100644
 
 ########################################
 ## <summary>
-@@ -2958,6 +3119,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3138,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
 
 ########################################
 ## <summary>
@ -15332,7 +15362,7 @@ index e100d88..6f745f0 100644
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
-@@ -2972,5 +3151,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3170,565 @@ interface(`kernel_unconfined',`
 	')
 
 	typeattribute $1 kern_unconfined;
@ -29278,7 +29308,7 @@ index 79a45f6..9a14d49 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..fdd335a 100644
+index 17eda24..17932ac 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -29526,7 +29556,7 @@ index 17eda24..fdd335a 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +286,212 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +286,213 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -29571,6 +29601,7 @@ index 17eda24..fdd335a 100644
 +
 +optional_policy(`
 +	iscsi_read_lib_files(init_t)
+	iscsi_manage_lock(init_t)
 +')
 +
 +optional_policy(`
@ -29747,7 +29778,7 @@ index 17eda24..fdd335a 100644
 ')
 
 optional_policy(`
-@@ -216,7 +499,30 @@ optional_policy(`
+@@ -216,7 +500,30 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29778,7 +29809,7 @@ index 17eda24..fdd335a 100644
 ')
 
 ########################################
-@@ -225,9 +531,9 @@ optional_policy(`
+@@ -225,9 +532,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -29790,7 +29821,7 @@ index 17eda24..fdd335a 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -258,12 +564,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +565,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -29807,7 +29838,7 @@ index 17eda24..fdd335a 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +589,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +590,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -29850,7 +29881,7 @@ index 17eda24..fdd335a 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +626,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +627,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -29862,7 +29893,7 @@ index 17eda24..fdd335a 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +638,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +639,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -29873,7 +29904,7 @@ index 17eda24..fdd335a 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +649,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +650,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -29883,7 +29914,7 @@ index 17eda24..fdd335a 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +658,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +659,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -29891,7 +29922,7 @@ index 17eda24..fdd335a 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +665,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +666,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -29899,7 +29930,7 @@ index 17eda24..fdd335a 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +673,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +674,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -29917,7 +29948,7 @@ index 17eda24..fdd335a 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +691,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +692,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -29931,7 +29962,7 @@ index 17eda24..fdd335a 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +706,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +707,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -29945,7 +29976,7 @@ index 17eda24..fdd335a 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +719,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +720,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -29956,7 +29987,7 @@ index 17eda24..fdd335a 100644
 
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +732,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +733,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -29964,7 +29995,7 @@ index 17eda24..fdd335a 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +751,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +752,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -29988,7 +30019,7 @@ index 17eda24..fdd335a 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +784,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +785,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -29996,7 +30027,7 @@ index 17eda24..fdd335a 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +818,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +819,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -30007,7 +30038,7 @@ index 17eda24..fdd335a 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -506,7 +842,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +843,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -30016,7 +30047,7 @@ index 17eda24..fdd335a 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -521,6 +857,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +858,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -30024,7 +30055,7 @@ index 17eda24..fdd335a 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +878,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +879,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -30032,7 +30063,7 @@ index 17eda24..fdd335a 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +888,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +889,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -30077,7 +30108,7 @@ index 17eda24..fdd335a 100644
 	')
 
 	optional_policy(`
-@@ -559,14 +933,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +934,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -30109,7 +30140,7 @@ index 17eda24..fdd335a 100644
 	')
 ')
 
-@@ -577,6 +968,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +969,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -30149,7 +30180,7 @@ index 17eda24..fdd335a 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1013,8 @@ optional_policy(`
+@@ -589,6 +1014,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -30158,7 +30189,7 @@ index 17eda24..fdd335a 100644
 ')
 
 optional_policy(`
-@@ -610,6 +1036,7 @@ optional_policy(`
+@@ -610,6 +1037,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -30166,7 +30197,7 @@ index 17eda24..fdd335a 100644
 ')
 
 optional_policy(`
-@@ -626,6 +1053,17 @@ optional_policy(`
+@@ -626,6 +1054,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30184,7 +30215,7 @@ index 17eda24..fdd335a 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -642,9 +1080,13 @@ optional_policy(`
+@@ -642,9 +1081,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -30198,7 +30229,7 @@ index 17eda24..fdd335a 100644
 	')
 
 	optional_policy(`
-@@ -657,15 +1099,11 @@ optional_policy(`
+@@ -657,15 +1100,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30216,7 +30247,7 @@ index 17eda24..fdd335a 100644
 ')
 
 optional_policy(`
-@@ -686,6 +1124,15 @@ optional_policy(`
+@@ -686,6 +1125,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30232,7 +30263,7 @@ index 17eda24..fdd335a 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -726,6 +1173,7 @@ optional_policy(`
+@@ -726,6 +1174,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -30240,7 +30271,7 @@ index 17eda24..fdd335a 100644
 ')
 
 optional_policy(`
-@@ -743,7 +1191,13 @@ optional_policy(`
+@@ -743,7 +1192,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30255,7 +30286,7 @@ index 17eda24..fdd335a 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -766,6 +1220,10 @@ optional_policy(`
+@@ -766,6 +1221,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30266,7 +30297,7 @@ index 17eda24..fdd335a 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1233,20 @@ optional_policy(`
+@@ -775,10 +1234,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30287,7 +30318,7 @@ index 17eda24..fdd335a 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -787,6 +1255,10 @@ optional_policy(`
+@@ -787,6 +1256,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30298,7 +30329,7 @@ index 17eda24..fdd335a 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -808,8 +1280,6 @@ optional_policy(`
+@@ -808,8 +1281,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -30307,7 +30338,7 @@ index 17eda24..fdd335a 100644
 ')
 
 optional_policy(`
-@@ -818,6 +1288,10 @@ optional_policy(`
+@@ -818,6 +1289,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30318,7 +30349,7 @@ index 17eda24..fdd335a 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1301,12 @@ optional_policy(`
+@@ -827,10 +1302,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -30331,7 +30362,7 @@ index 17eda24..fdd335a 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1333,60 @@ optional_policy(`
+@@ -857,21 +1334,60 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30393,7 +30424,7 @@ index 17eda24..fdd335a 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1402,10 @@ optional_policy(`
+@@ -887,6 +1403,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30404,7 +30435,7 @@ index 17eda24..fdd335a 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1416,218 @@ optional_policy(`
+@@ -897,3 +1417,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -32364,7 +32395,7 @@ index b50c5fe..e55a556 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..6118015 100644
+index 4e94884..b144ffe 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -32516,12 +32547,19 @@ index 4e94884..6118015 100644
 +interface(`logging_read_syslog_pid',`
 +	gen_require(`
 +		type syslogd_var_run_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
+-	allow $1 devlog_t:sock_file write_sock_file_perms;
 +    read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +    list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +')
-+
+ 
+-	# the type of socket depends on the syslog daemon
+-	allow $1 syslogd_t:unix_dgram_socket sendto;
+-	allow $1 syslogd_t:unix_stream_socket connectto;
+-	allow $1 self:unix_dgram_socket create_socket_perms;
+-	allow $1 self:unix_stream_socket create_socket_perms;
 +########################################
 +## <summary>
 +##	Relabel the syslog pid sock_file.
@ -32535,18 +32573,15 @@ index 4e94884..6118015 100644
 +interface(`logging_relabel_syslog_pid_socket',`
 +	gen_require(`
 +		type syslogd_var_run_t;
- 	')
+	')
 
-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
-	allow $1 devlog_t:sock_file write_sock_file_perms;
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
 +')
- 
-	# the type of socket depends on the syslog daemon
-	allow $1 syslogd_t:unix_dgram_socket sendto;
-	allow $1 syslogd_t:unix_stream_socket connectto;
-	allow $1 self:unix_dgram_socket create_socket_perms;
-	allow $1 self:unix_stream_socket create_socket_perms;
+
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@ -32561,11 +32596,7 @@ index 4e94884..6118015 100644
 +	gen_require(`
 +		type syslogd_t, syslogd_var_run_t;
 +	')
- 
-	# If syslog is down, the glibc syslog() function
-	# will write to the console.
-	term_write_console($1)
-	term_dontaudit_read_console($1)
+
 +	files_search_pids($1)
 +	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
 ')
@ -32808,13 +32839,32 @@ index 4e94884..6118015 100644
 
 	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -1085,3 +1380,35 @@ interface(`logging_admin',`
+@@ -1085,3 +1380,54 @@ interface(`logging_admin',`
 	logging_admin_audit($1, $2)
 	logging_admin_syslog($1, $2)
 ')
 +
 +########################################
 +## <summary>
+##	Transition to syslog.conf
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_filetrans_named_conf',`
+	gen_require(`
+        type  syslog_conf_t;
+	')
+
+    files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
+    files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
+')
+
+########################################
+## <summary>
 +##	Transition to logging named content
 +## </summary>
 +## <param name="domain">
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -578,6 +578,30 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Feb 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-21
+- Add kernel_mounton_messages() interface
+- init wants to manage lock files for iscsi
+- Add support for dey_sapi port
+- Fixes needed for docker
+- Allow epmd to manage /var/log/rabbitmq/startup_err file
+- Allow beam.smp connect to amqp port
+- drbdadm executes drbdmeta
+- Added osad policy
+- Allow postfix to deliver to procmail
+- Allow vmtools to execute /usr/bin/lsb_release
+- Allow geoclue to read /etc/passwd
+- Allow docker to write system net ctrls
+- Add support for rhnsd unit file
+- Add dbus_chat_session_bus() interface
+- Add dbus_stream_connect_session_bus() interface
+- Fix pcp.te
+- Fix logrotate_use_nfs boolean
+- Add lot of pcp fixes found in RHEL7
+- fix labeling for pmie for pcp pkg
+- Change thumb_t to be allowed to chat/connect with session bus type
+- Add logrotate_use_nfs boolean
+- Allow setroubleshootd to read rpc sysctl
+
 * Thu Jan 30 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-20
 - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
 - Allow geoclue to create temporary files/dirs in /tmp