- Allow ldconfig to write to kdumpctl fifo files

- allow neutron to connect to amqp ports - Allow kdump_manage_crash to list the kdump_crash_t directory - Allow glance-api to connect to amqp port - Allow virt_qemu_ga_t to read meminfo - Add antivirus_home_t type for antivirus date in HOMEDIRS - Allow mpd setcap which is needed by pulseaudio - Allow smbcontrol to create content in /var/lib/samba - Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec - Add additional labeling for qemu-ga/fsfreeze-hook.d scripts - amanda_exec_t needs to be executable file - Allow block_suspend cap for samba-net - Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t - Allow init_t to run crash utility - Treat usr_t just like bin_t for transitions and executions - Add port definition of pka_ca to port 829 for openshift - Allow selinux_store to use symlinks
2013-09-12 08:58:13 +02:00 · 2013-09-12 08:58:13 +02:00 · fcf0156ca3
parent 0d477c9190
commit fcf0156ca3
3 changed files with 222 additions and 153 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3582,7 +3582,7 @@ index 644d4d7..f9bcd44 100644
 +/usr/lib/ruby/gems/.*/agents(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..7f08657 100644
+index 9e9263a..77e6c8c 100644
 --- a/policy/modules/kernel/corecommands.if
 +++ b/policy/modules/kernel/corecommands.if
@@ -8,6 +8,22 @@
@ -3608,7 +3608,19 @@ index 9e9263a..7f08657 100644
 ########################################
 ## <summary>
 ##	Make the specified type usable for files
-@@ -122,6 +138,7 @@ interface(`corecmd_search_bin',`
+@@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',`
+ interface(`corecmd_bin_entry_type',`
+ 	gen_require(`
+ 		type bin_t;
+		type usr_t;
+ 	')
+ 
+ 	domain_entry_file($1, bin_t)
+	domain_entry_file($1, usr_t)
+ ')
+ 
+ ########################################
+@@ -122,6 +140,7 @@ interface(`corecmd_search_bin',`
 		type bin_t;
 	')
 
@ -3616,7 +3628,7 @@ index 9e9263a..7f08657 100644
 	search_dirs_pattern($1, bin_t, bin_t)
 ')
 
-@@ -158,6 +175,7 @@ interface(`corecmd_list_bin',`
+@@ -158,6 +177,7 @@ interface(`corecmd_list_bin',`
 		type bin_t;
 	')
 
@ -3624,7 +3636,7 @@ index 9e9263a..7f08657 100644
 	list_dirs_pattern($1, bin_t, bin_t)
 ')
 
-@@ -203,7 +221,7 @@ interface(`corecmd_getattr_bin_files',`
+@@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3633,7 +3645,7 @@ index 9e9263a..7f08657 100644
 ##	</summary>
 ## </param>
 #
-@@ -231,6 +249,7 @@ interface(`corecmd_read_bin_files',`
+@@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',`
 		type bin_t;
 	')
 
@ -3641,7 +3653,7 @@ index 9e9263a..7f08657 100644
 	read_files_pattern($1, bin_t, bin_t)
 ')
 
-@@ -254,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
+@@ -254,6 +275,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
 
 ########################################
 ## <summary>
@ -3666,7 +3678,7 @@ index 9e9263a..7f08657 100644
 ##	Read symbolic links in bin directories.
 ## </summary>
 ## <param name="domain">
-@@ -285,6 +322,7 @@ interface(`corecmd_read_bin_pipes',`
+@@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',`
 		type bin_t;
 	')
 
@ -3674,7 +3686,7 @@ index 9e9263a..7f08657 100644
 	read_fifo_files_pattern($1, bin_t, bin_t)
 ')
 
-@@ -303,6 +341,7 @@ interface(`corecmd_read_bin_sockets',`
+@@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',`
 		type bin_t;
 	')
 
@ -3682,7 +3694,7 @@ index 9e9263a..7f08657 100644
 	read_sock_files_pattern($1, bin_t, bin_t)
 ')
 
-@@ -345,6 +384,10 @@ interface(`corecmd_exec_bin',`
+@@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',`
 	read_lnk_files_pattern($1, bin_t, bin_t)
 	list_dirs_pattern($1, bin_t, bin_t)
 	can_exec($1, bin_t)
@ -3693,7 +3705,7 @@ index 9e9263a..7f08657 100644
 ')
 
 ########################################
-@@ -362,6 +405,7 @@ interface(`corecmd_manage_bin_files',`
+@@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',`
 		type bin_t;
 	')
 
@ -3701,7 +3713,7 @@ index 9e9263a..7f08657 100644
 	manage_files_pattern($1, bin_t, bin_t)
 ')
 
-@@ -398,6 +442,7 @@ interface(`corecmd_mmap_bin_files',`
+@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',`
 		type bin_t;
 	')
 
@ -3709,7 +3721,7 @@ index 9e9263a..7f08657 100644
 	mmap_files_pattern($1, bin_t, bin_t)
 ')
 
-@@ -440,10 +485,14 @@ interface(`corecmd_mmap_bin_files',`
+@@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',`
 interface(`corecmd_bin_spec_domtrans',`
 	gen_require(`
 		type bin_t;
@ -3724,7 +3736,7 @@ index 9e9263a..7f08657 100644
 ')
 
 ########################################
-@@ -483,10 +532,12 @@ interface(`corecmd_bin_spec_domtrans',`
+@@ -483,10 +534,12 @@ interface(`corecmd_bin_spec_domtrans',`
 interface(`corecmd_bin_domtrans',`
 	gen_require(`
 		type bin_t;
@ -3737,7 +3749,7 @@ index 9e9263a..7f08657 100644
 ')
 
 ########################################
-@@ -945,6 +996,7 @@ interface(`corecmd_shell_domtrans',`
+@@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',`
 interface(`corecmd_exec_chroot',`
 	gen_require(`
 		type chroot_exec_t;
@ -3745,7 +3757,7 @@ index 9e9263a..7f08657 100644
 	')
 
 	read_lnk_files_pattern($1, bin_t, bin_t)
-@@ -954,6 +1006,24 @@ interface(`corecmd_exec_chroot',`
+@@ -954,6 +1008,24 @@ interface(`corecmd_exec_chroot',`
 
 ########################################
 ## <summary>
@ -3770,7 +3782,7 @@ index 9e9263a..7f08657 100644
 ##	Get the attributes of all executable files.
 ## </summary>
 ## <param name="domain">
-@@ -1012,6 +1082,10 @@ interface(`corecmd_exec_all_executables',`
+@@ -1012,6 +1084,10 @@ interface(`corecmd_exec_all_executables',`
 	can_exec($1, exec_type)
 	list_dirs_pattern($1, bin_t, bin_t)
 	read_lnk_files_pattern($1, bin_t, exec_type)
@ -3781,7 +3793,7 @@ index 9e9263a..7f08657 100644
 ')
 
 ########################################
-@@ -1049,6 +1123,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1049,6 +1125,7 @@ interface(`corecmd_manage_all_executables',`
 		type bin_t;
 	')
 
@ -3789,7 +3801,7 @@ index 9e9263a..7f08657 100644
 	manage_files_pattern($1, bin_t, exec_type)
 	manage_lnk_files_pattern($1, bin_t, bin_t)
 ')
-@@ -1091,3 +1166,36 @@ interface(`corecmd_mmap_all_executables',`
+@@ -1091,3 +1168,36 @@ interface(`corecmd_mmap_all_executables',`
 
 	mmap_files_pattern($1, bin_t, exec_type)
 ')
@ -5411,7 +5423,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..cbc0e69 100644
+index 4edc40d..836d056 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@ -5641,7 +5653,7 @@ index 4edc40d..cbc0e69 100644
 network_port(pegasus_https, tcp,5989,s0)
 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pingd, tcp,9125,s0)
-+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
+network_port(pki_ca, tcp, 829, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
 +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
 +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
 +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
@ -27634,7 +27646,7 @@ index 24e7804..c4155c7 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..b717a9e 100644
+index dd3be8d..729cc4f 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@ -27875,7 +27887,7 @@ index dd3be8d..b717a9e 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +274,182 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +274,186 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -27902,20 +27914,24 @@ index dd3be8d..b717a9e 100644
 +storage_raw_rw_fixed_disk(init_t)
 +
 +optional_policy(`
+	kdump_read_crash(init_t)
+')
+
+optional_policy(`
 +	gnome_filetrans_home_content(init_t)
+')
+
+optional_policy(`
+	iscsi_read_lib_files(init_t)
+')
+
+optional_policy(`
+	modutils_domtrans_insmod(init_t)
+	modutils_list_module_config(init_t)
 ')
 
 optional_policy(`
 -	auth_rw_login_records(init_t)
-+	iscsi_read_lib_files(init_t)
- ')
- 
- optional_policy(`
-+	modutils_domtrans_insmod(init_t)
-+	modutils_list_module_config(init_t)
-+')
-+
-+optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
@ -28039,9 +28055,9 @@ index dd3be8d..b717a9e 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	consolekit_manage_log(init_t)
 +')
 +
@ -28049,24 +28065,24 @@ index dd3be8d..b717a9e 100644
 +	dbus_connect_system_bus(init_t)
 	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
- ')
- 
- optional_policy(`
-	nscd_use(init_t)
+')
+
+optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_use(init_t)
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
 ')
 
 optional_policy(`
-@@ -216,7 +457,29 @@ optional_policy(`
+@@ -216,7 +461,29 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28096,7 +28112,7 @@ index dd3be8d..b717a9e 100644
 ')
 
 ########################################
-@@ -225,8 +488,9 @@ optional_policy(`
+@@ -225,8 +492,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -28108,7 +28124,7 @@ index dd3be8d..b717a9e 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -257,12 +521,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +525,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -28125,7 +28141,7 @@ index dd3be8d..b717a9e 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +546,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +550,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -28168,7 +28184,7 @@ index dd3be8d..b717a9e 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +583,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +587,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -28180,7 +28196,7 @@ index dd3be8d..b717a9e 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -312,8 +595,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +599,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -28191,7 +28207,7 @@ index dd3be8d..b717a9e 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -321,8 +606,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +610,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -28201,7 +28217,7 @@ index dd3be8d..b717a9e 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -331,7 +615,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +619,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -28209,7 +28225,7 @@ index dd3be8d..b717a9e 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -339,6 +622,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +626,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -28217,7 +28233,7 @@ index dd3be8d..b717a9e 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -346,14 +630,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +634,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -28235,7 +28251,7 @@ index dd3be8d..b717a9e 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -363,8 +648,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +652,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -28249,7 +28265,7 @@ index dd3be8d..b717a9e 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -374,10 +663,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +667,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -28263,7 +28279,7 @@ index dd3be8d..b717a9e 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -386,6 +676,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +680,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -28271,7 +28287,7 @@ index dd3be8d..b717a9e 100644
 
 selinux_get_enforce_mode(initrc_t)
 
-@@ -397,6 +688,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +692,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -28279,7 +28295,7 @@ index dd3be8d..b717a9e 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -415,20 +707,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +711,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -28303,7 +28319,7 @@ index dd3be8d..b717a9e 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +740,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +744,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -28311,7 +28327,7 @@ index dd3be8d..b717a9e 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +774,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +778,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -28322,7 +28338,7 @@ index dd3be8d..b717a9e 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -505,7 +798,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +802,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -28331,7 +28347,7 @@ index dd3be8d..b717a9e 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -520,6 +813,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +817,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -28339,7 +28355,7 @@ index dd3be8d..b717a9e 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +834,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +838,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -28347,7 +28363,7 @@ index dd3be8d..b717a9e 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +844,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +848,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -28392,7 +28408,7 @@ index dd3be8d..b717a9e 100644
 	')
 
 	optional_policy(`
-@@ -558,14 +889,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +893,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -28424,7 +28440,7 @@ index dd3be8d..b717a9e 100644
 	')
 ')
 
-@@ -576,6 +924,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +928,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -28464,7 +28480,7 @@ index dd3be8d..b717a9e 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +969,8 @@ optional_policy(`
+@@ -588,6 +973,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -28473,7 +28489,7 @@ index dd3be8d..b717a9e 100644
 ')
 
 optional_policy(`
-@@ -609,6 +992,7 @@ optional_policy(`
+@@ -609,6 +996,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -28481,7 +28497,7 @@ index dd3be8d..b717a9e 100644
 ')
 
 optional_policy(`
-@@ -625,6 +1009,17 @@ optional_policy(`
+@@ -625,6 +1013,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28499,7 +28515,7 @@ index dd3be8d..b717a9e 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -641,9 +1036,13 @@ optional_policy(`
+@@ -641,9 +1040,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -28513,7 +28529,7 @@ index dd3be8d..b717a9e 100644
 	')
 
 	optional_policy(`
-@@ -656,15 +1055,11 @@ optional_policy(`
+@@ -656,15 +1059,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28531,7 +28547,7 @@ index dd3be8d..b717a9e 100644
 ')
 
 optional_policy(`
-@@ -685,6 +1080,15 @@ optional_policy(`
+@@ -685,6 +1084,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28547,7 +28563,7 @@ index dd3be8d..b717a9e 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -725,6 +1129,7 @@ optional_policy(`
+@@ -725,6 +1133,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -28555,7 +28571,7 @@ index dd3be8d..b717a9e 100644
 ')
 
 optional_policy(`
-@@ -742,7 +1147,13 @@ optional_policy(`
+@@ -742,7 +1151,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28570,7 +28586,7 @@ index dd3be8d..b717a9e 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -765,6 +1176,10 @@ optional_policy(`
+@@ -765,6 +1180,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28581,7 +28597,7 @@ index dd3be8d..b717a9e 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -774,10 +1189,20 @@ optional_policy(`
+@@ -774,10 +1193,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28602,7 +28618,7 @@ index dd3be8d..b717a9e 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -786,6 +1211,10 @@ optional_policy(`
+@@ -786,6 +1215,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28613,7 +28629,7 @@ index dd3be8d..b717a9e 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -807,8 +1236,6 @@ optional_policy(`
+@@ -807,8 +1240,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -28622,7 +28638,7 @@ index dd3be8d..b717a9e 100644
 ')
 
 optional_policy(`
-@@ -817,6 +1244,10 @@ optional_policy(`
+@@ -817,6 +1248,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28633,7 +28649,7 @@ index dd3be8d..b717a9e 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -826,10 +1257,12 @@ optional_policy(`
+@@ -826,10 +1261,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -28646,7 +28662,7 @@ index dd3be8d..b717a9e 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1289,28 @@ optional_policy(`
+@@ -856,12 +1293,28 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28676,7 +28692,7 @@ index dd3be8d..b717a9e 100644
 
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1320,18 @@ optional_policy(`
+@@ -871,6 +1324,18 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -28695,7 +28711,7 @@ index dd3be8d..b717a9e 100644
 ')
 
 optional_policy(`
-@@ -886,6 +1347,10 @@ optional_policy(`
+@@ -886,6 +1351,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28706,7 +28722,7 @@ index dd3be8d..b717a9e 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -896,3 +1361,196 @@ optional_policy(`
+@@ -896,3 +1365,196 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -28953,10 +28969,10 @@ index 662e79b..ef9370d 100644
 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..a89c4a2 100644
+index 0d4c8d3..f133407 100644
 --- a/policy/modules/system/ipsec.if
 +++ b/policy/modules/system/ipsec.if
-@@ -55,6 +55,62 @@ interface(`ipsec_domtrans_mgmt',`
+@@ -55,6 +55,63 @@ interface(`ipsec_domtrans_mgmt',`
 	domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
 ')
 
@ -29008,18 +29024,19 @@ index 0d4c8d3..a89c4a2 100644
 +#
 +interface(`ipsec_mgmt_read_pid',`
 +	gen_require(`
+		type ipsec_var_run_t;
 +		type ipsec_mgmt_var_run_t;
 +	')
 +
 +	files_search_pids($1)
-+	read_files_pattern($1, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t)
+	read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t)
 +')
 +
 +
 ########################################
 ## <summary>
 ##	Connect to racoon using a unix domain stream socket.
-@@ -120,7 +176,6 @@ interface(`ipsec_exec_mgmt',`
+@@ -120,7 +177,6 @@ interface(`ipsec_exec_mgmt',`
 ##	</summary>
 ## </param>
 #
@ -29027,7 +29044,7 @@ index 0d4c8d3..a89c4a2 100644
 interface(`ipsec_signal_mgmt',`
 	gen_require(`
 		type ipsec_mgmt_t;
-@@ -139,7 +194,6 @@ interface(`ipsec_signal_mgmt',`
+@@ -139,7 +195,6 @@ interface(`ipsec_signal_mgmt',`
 ##	</summary>
 ## </param>
 #
@ -29035,7 +29052,7 @@ index 0d4c8d3..a89c4a2 100644
 interface(`ipsec_signull_mgmt',`
 	gen_require(`
 		type ipsec_mgmt_t;
-@@ -158,7 +212,6 @@ interface(`ipsec_signull_mgmt',`
+@@ -158,7 +213,6 @@ interface(`ipsec_signull_mgmt',`
 ##	</summary>
 ## </param>
 #
@ -29043,7 +29060,7 @@ index 0d4c8d3..a89c4a2 100644
 interface(`ipsec_kill_mgmt',`
 	gen_require(`
 		type ipsec_mgmt_t;
-@@ -167,6 +220,60 @@ interface(`ipsec_kill_mgmt',`
+@@ -167,6 +221,60 @@ interface(`ipsec_kill_mgmt',`
 	allow $1 ipsec_mgmt_t:process sigkill;
 ')
 
@ -29104,7 +29121,7 @@ index 0d4c8d3..a89c4a2 100644
 ######################################
 ## <summary>
 ##	Send and receive messages from
-@@ -225,6 +332,7 @@ interface(`ipsec_match_default_spd',`
+@@ -225,6 +333,7 @@ interface(`ipsec_match_default_spd',`
 
 	allow $1 ipsec_spd_t:association polmatch;
 	allow $1 self:association sendto;
@ -29112,7 +29129,7 @@ index 0d4c8d3..a89c4a2 100644
 ')
 
 ########################################
-@@ -369,3 +477,26 @@ interface(`ipsec_run_setkey',`
+@@ -369,3 +478,26 @@ interface(`ipsec_run_setkey',`
 	ipsec_domtrans_setkey($1)
 	role $2 types setkey_t;
 ')
@ -29140,7 +29157,7 @@ index 0d4c8d3..a89c4a2 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..788c774 100644
+index 9e54bf9..5975418 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -29263,8 +29280,11 @@ index 9e54bf9..788c774 100644
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -210,10 +228,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+@@ -208,12 +226,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+ 
+ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
+filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
 
 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 +manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@ -29276,7 +29296,7 @@ index 9e54bf9..788c774 100644
 
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
-@@ -246,6 +265,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +266,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
 
@ -29293,7 +29313,7 @@ index 9e54bf9..788c774 100644
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
 
-@@ -255,6 +284,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +285,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 
@ -29302,7 +29322,7 @@ index 9e54bf9..788c774 100644
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
 
-@@ -278,9 +309,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +310,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
 
 term_use_console(ipsec_mgmt_t)
@ -29314,7 +29334,7 @@ index 9e54bf9..788c774 100644
 
 init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +322,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +323,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 
 logging_send_syslog_msg(ipsec_mgmt_t)
 
@ -29338,7 +29358,7 @@ index 9e54bf9..788c774 100644
 
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +357,10 @@ optional_policy(`
+@@ -322,6 +358,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29349,7 +29369,7 @@ index 9e54bf9..788c774 100644
 	modutils_domtrans_insmod(ipsec_mgmt_t)
 ')
 
-@@ -335,7 +374,7 @@ optional_policy(`
+@@ -335,7 +375,7 @@ optional_policy(`
 #
 
 allow racoon_t self:capability { net_admin net_bind_service };
@ -29358,7 +29378,7 @@ index 9e54bf9..788c774 100644
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +409,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +410,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
 
@ -29378,7 +29398,7 @@ index 9e54bf9..788c774 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 
-@@ -401,10 +439,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +440,10 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
 
@ -29391,7 +29411,7 @@ index 9e54bf9..788c774 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +477,9 @@ corenet_setcontext_all_spds(setkey_t)
 
 locallogin_use_fds(setkey_t)
 
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -2023,16 +2023,17 @@ index 7f4dfbc..4d750fa 100644
 /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
 
 diff --git a/amanda.te b/amanda.te
-index ed45974..cd5a4fa 100644
+index ed45974..d4df671 100644
 --- a/amanda.te
 +++ b/amanda.te
-@@ -9,11 +9,13 @@ attribute_role amanda_recover_roles;
+@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
 roleattribute system_r amanda_recover_roles;
 
 type amanda_t;
 +type amanda_exec_t;
 type amanda_inetd_exec_t;
 -inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+application_executable_file(amanda_exec_t)
 +init_daemon_domain(amanda_t, amanda_inetd_exec_t)
 +role system_r types amanda_t;
 
@ -2043,7 +2044,7 @@ index ed45974..cd5a4fa 100644
 
 type amanda_log_t;
 logging_log_file(amanda_log_t)
-@@ -60,7 +62,7 @@ optional_policy(`
+@@ -60,7 +63,7 @@ optional_policy(`
 #
 
 allow amanda_t self:capability { chown dac_override setuid kill };
@ -2052,7 +2053,7 @@ index ed45974..cd5a4fa 100644
 allow amanda_t self:fifo_file rw_fifo_file_perms;
 allow amanda_t self:unix_stream_socket { accept listen };
 allow amanda_t self:tcp_socket { accept listen };
-@@ -71,6 +73,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
 
 manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
 manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
@ -2060,7 +2061,7 @@ index ed45974..cd5a4fa 100644
 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 
 allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,13 +103,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
 corecmd_exec_shell(amanda_t)
 corecmd_exec_bin(amanda_t)
 
@ -2076,7 +2077,7 @@ index ed45974..cd5a4fa 100644
 corenet_sendrecv_all_server_packets(amanda_t)
 corenet_tcp_bind_all_rpc_ports(amanda_t)
 corenet_tcp_bind_generic_port(amanda_t)
-@@ -170,7 +174,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +175,6 @@ kernel_read_system_state(amanda_recover_t)
 corecmd_exec_shell(amanda_recover_t)
 corecmd_exec_bin(amanda_recover_t)
 
@ -2084,7 +2085,7 @@ index ed45974..cd5a4fa 100644
 corenet_all_recvfrom_netlabel(amanda_recover_t)
 corenet_tcp_sendrecv_generic_if(amanda_recover_t)
 corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +198,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +199,16 @@ files_search_tmp(amanda_recover_t)
 
 auth_use_nsswitch(amanda_recover_t)
 
@ -2682,10 +2683,10 @@ index 0000000..df5b3be
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..e10fe0d
+index 0000000..fd48ed9
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,261 @@
+@@ -0,0 +1,269 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@ -2740,6 +2741,9 @@ index 0000000..e10fe0d
 +typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
 +files_type(antivirus_db_t)
 +
+type antivirus_home_t;
+userdom_user_home_content(antivirus_home_t)
+
 +type antivirus_tmp_t;
 +typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
 +files_tmp_file(antivirus_tmp_t)
@ -2766,6 +2770,11 @@ index 0000000..e10fe0d
 +manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
 +manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
 +
+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+
 +manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
 +manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
 +manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
@ -25155,7 +25164,7 @@ index 9eacb2c..229782f 100644
 	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
 	domain_system_change_exemption($1)
 diff --git a/glance.te b/glance.te
-index e0a4f46..95cf77c 100644
+index e0a4f46..16dcb5b 100644
 --- a/glance.te
 +++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
@ -25236,7 +25245,7 @@ index e0a4f46..95cf77c 100644
 
 logging_send_syslog_msg(glance_registry_t)
 
-@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
 files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
 can_exec(glance_api_t, glance_tmp_t)
 
@ -25249,6 +25258,7 @@ index e0a4f46..95cf77c 100644
 
 +corenet_tcp_bind_glance_port(glance_api_t)
 corenet_sendrecv_glance_registry_client_packets(glance_api_t)
+corenet_tcp_connect_amqp_port(glance_api_t)
 corenet_tcp_connect_glance_registry_port(glance_api_t)
 +corenet_tcp_connect_mysqld_port(glance_api_t)
 +corenet_tcp_connect_http_port(glance_api_t)
@ -31888,7 +31898,7 @@ index a49ae4e..913a0e3 100644
 -/usr/sbin/kexec	--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +/var/crash(/.*)?		gen_context(system_u:object_r:kdump_crash_t,s0)
 diff --git a/kdump.if b/kdump.if
-index 3a00b3a..7cc27b6 100644
+index 3a00b3a..dd70d05 100644
 --- a/kdump.if
 +++ b/kdump.if
@@ -1,4 +1,4 @@
@ -31959,7 +31969,7 @@ index 3a00b3a..7cc27b6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
+@@ -56,10 +100,68 @@ interface(`kdump_read_config',`
 	allow $1 kdump_etc_t:file read_file_perms;
 ')
 
@ -31980,7 +31990,7 @@ index 3a00b3a..7cc27b6 100644
 +
 +	files_search_var($1)
 +	read_files_pattern($1, kdump_crash_t, kdump_crash_t)
-+    list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+	list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
 +')
 +
 +
@ -32001,6 +32011,7 @@ index 3a00b3a..7cc27b6 100644
 +
 +	files_search_var($1)
 +	manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
+	list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
 +')
 +
 +#####################################
@ -32029,7 +32040,7 @@ index 3a00b3a..7cc27b6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -76,10 +177,31 @@ interface(`kdump_manage_config',`
+@@ -76,10 +178,32 @@ interface(`kdump_manage_config',`
 	allow $1 kdump_etc_t:file manage_file_perms;
 ')
 
@ -32051,6 +32062,7 @@ index 3a00b3a..7cc27b6 100644
 +        files_search_tmp($1)
 +        manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
 +	manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+	manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
 +	manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
 +')
 +
@ -32063,7 +32075,7 @@ index 3a00b3a..7cc27b6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -88,19 +210,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +212,24 @@ interface(`kdump_manage_config',`
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -32093,7 +32105,7 @@ index 3a00b3a..7cc27b6 100644
 
 	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -110,6 +237,10 @@ interface(`kdump_admin',`
+@@ -110,6 +239,10 @@ interface(`kdump_admin',`
 	files_search_etc($1)
 	admin_pattern($1, kdump_etc_t)
 
@ -39189,7 +39201,7 @@ index 6ffaba2..154cade 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..f1a5676 100644
+index 6194b80..bb32d40 100644
 --- a/mozilla.if
 +++ b/mozilla.if
@@ -1,146 +1,75 @@
@ -39475,7 +39487,7 @@ index 6194b80..f1a5676 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -265,140 +173,152 @@ interface(`mozilla_exec_user_plugin_home_files',`
+@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',`
 ## </param>
 #
 interface(`mozilla_execmod_user_home_files',`
@ -39537,6 +39549,7 @@ index 6194b80..f1a5676 100644
 
 -	corecmd_search_bin($1)
 -	domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+	domain_entry_file($2, mozilla_exec_t)
 +	domtrans_pattern($1, mozilla_exec_t, $2)
 ')
 
@ -39688,7 +39701,7 @@ index 6194b80..f1a5676 100644
 ')
 
 ########################################
-@@ -424,8 +344,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',`
 
 ########################################
 ## <summary>
@ -39698,7 +39711,7 @@ index 6194b80..f1a5676 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -433,76 +352,126 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',`
 ##	</summary>
 ## </param>
 #
@ -39854,7 +39867,7 @@ index 6194b80..f1a5676 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -510,19 +479,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -39879,7 +39892,7 @@ index 6194b80..f1a5676 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -530,45 +498,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +499,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -41035,10 +41048,10 @@ index 5fa77c7..2e01c7d 100644
 	domain_system_change_exemption($1)
 	role_transition $2 mpd_initrc_exec_t system_r;
 diff --git a/mpd.te b/mpd.te
-index 7c8afcc..2f41af9 100644
+index 7c8afcc..29d8881 100644
 --- a/mpd.te
 +++ b/mpd.te
-@@ -62,6 +62,9 @@ files_type(mpd_var_lib_t)
+@@ -62,18 +62,22 @@ files_type(mpd_var_lib_t)
 type mpd_user_data_t;
 userdom_user_home_content(mpd_user_data_t) # customizable
 
@ -41048,7 +41061,13 @@ index 7c8afcc..2f41af9 100644
 ########################################
 #
 # Local policy
-@@ -74,6 +77,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
+ #
+ 
+ allow mpd_t self:capability { dac_override kill setgid setuid };
+-allow mpd_t self:process { getsched setsched setrlimit signal signull };
+allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
+ allow mpd_t self:fifo_file rw_fifo_file_perms;
+ allow mpd_t self:unix_stream_socket { accept connectto listen };
 allow mpd_t self:unix_dgram_socket sendto;
 allow mpd_t self:tcp_socket { accept listen };
 allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
@ -66565,10 +66584,10 @@ index afc0068..3105104 100644
 +	')
 ')
 diff --git a/quantum.te b/quantum.te
-index 769d1fd..80a4b99 100644
+index 769d1fd..801835e 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -1,96 +1,108 @@
+@@ -1,96 +1,109 @@
 -policy_module(quantum, 1.0.2)
 +policy_module(quantum, 1.0.3)
 
@ -66678,6 +66697,7 @@ index 769d1fd..80a4b99 100644
 -dev_read_urand(quantum_t)
 +corenet_tcp_bind_quantum_port(neutron_t)
 +corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
 +corenet_tcp_connect_mysqld_port(neutron_t)
 
 -files_read_usr_files(quantum_t)
@ -76527,7 +76547,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 57c034b..d48911d 100644
+index 57c034b..b1c78f8 100644
 --- a/samba.te
 +++ b/samba.te
@@ -1,4 +1,4 @@
@ -77214,7 +77234,7 @@ index 57c034b..d48911d 100644
 ')
 
 optional_policy(`
-@@ -600,17 +600,24 @@ optional_policy(`
+@@ -600,19 +600,26 @@ optional_policy(`
 
 ########################################
 #
@ -77241,8 +77261,11 @@ index 57c034b..d48911d 100644
 
 +files_search_var_lib(smbcontrol_t)
 samba_read_config(smbcontrol_t)
- samba_rw_var_files(smbcontrol_t)
+-samba_rw_var_files(smbcontrol_t)
+manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 samba_search_var(smbcontrol_t)
+ samba_read_winbind_pid(smbcontrol_t)
+ 
@@ -620,16 +627,12 @@ domain_use_interactive_fds(smbcontrol_t)
 
 dev_read_urand(smbcontrol_t)
@ -90698,10 +90721,10 @@ index 0be8535..b96e329 100644
 
 optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index c30da4c..b81eaa0 100644
+index c30da4c..459fbcf 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,52 +1,86 @@
+@@ -1,52 +1,91 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@ -90765,18 +90788,18 @@ index c30da4c..b81eaa0 100644
 -/var/lib/libvirt/images(/.*)?	gen_context(system_u:object_r:virt_image_t,s0)
 -/var/lib/libvirt/isos(/.*)?	gen_context(system_u:object_r:virt_content_t,s0)
 -/var/lib/libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
-
-/var/log/log(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
-/var/log/libvirt(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
-/var/log/vdsm(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
-
-/var/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
 +/var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/libvirt/boot(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
 +/var/lib/libvirt/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
 
+-/var/log/log(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/libvirt(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/vdsm(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
+-
+-/var/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
+-
 -/var/run/libguestfs(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
 +/var/lock/xl		--	gen_context(system_u:object_r:virt_log_t,s0)
 +/var/log/log(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
@ -90816,16 +90839,21 @@ index c30da4c..b81eaa0 100644
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +
-+/usr/libexec/qemu-ga(/.*)?	gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
+/etc/qemu-ga/fsfreeze-hook.d(/.*)?      gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
 +/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)?  gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+/var/run/qemu-ga/fsfreeze-hook.d(/.*)?      gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+
+/usr/libexec/qemu-ga(/.*)?	gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
 +
 +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
 +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
 +/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
 +
 +/usr/bin/qemu-ga                --      gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
+
 +/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/run/qga\.state             --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
 index 9dec06c..4e31afe 100644
@ -92515,7 +92543,7 @@ index 9dec06c..4e31afe 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
 ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..76ccef3 100644
+index 1f22fba..348df8f 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,94 +1,104 @@
@ -93991,11 +94019,6 @@ index 1f22fba..76ccef3 100644
 +userdom_use_inherited_user_terminals(svirt_sandbox_domain)
 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
 +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
-+	apache_exec_modules(svirt_sandbox_domain)
-+	apache_read_sys_content(svirt_sandbox_domain)
-+')
 
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@ -94080,6 +94103,11 @@ index 1f22fba..76ccef3 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
+	apache_exec_modules(svirt_sandbox_domain)
+	apache_read_sys_content(svirt_sandbox_domain)
+')
+
+optional_policy(`
 +	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
 +
@ -94199,11 +94227,11 @@ index 1f22fba..76ccef3 100644
 +allow svirt_qemu_net_t self:rawip_socket create_socket_perms;
 +allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
-allow svirt_prot_exec_t self:process { execmem execstack };
+
 +kernel_read_network_state(svirt_qemu_net_t)
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +dev_read_sysfs(svirt_qemu_net_t)
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
@ -94274,7 +94302,7 @@ index 1f22fba..76ccef3 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1352,120 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1352,122 @@ kernel_read_network_state(virt_bridgehelper_t)
 
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
 
@ -94309,6 +94337,8 @@ index 1f22fba..76ccef3 100644
 +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
 +logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
 +
+kernel_read_system_state(virt_qemu_ga_t)
+
 +corecmd_exec_shell(virt_qemu_ga_t)
 +corecmd_exec_bin(virt_qemu_ga_t)
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 79%{?dist}
+Release: 80%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -570,6 +570,25 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Thu Sep 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-80
+- Allow ldconfig to write to kdumpctl fifo files
+- allow neutron to connect to amqp ports
+- Allow kdump_manage_crash to list the kdump_crash_t directory
+- Allow glance-api to connect to amqp port
+- Allow virt_qemu_ga_t to read meminfo
+- Add antivirus_home_t type for antivirus date in HOMEDIRS
+- Allow mpd setcap which is needed by pulseaudio
+- Allow smbcontrol to create content in /var/lib/samba
+- Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec
+- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts
+- amanda_exec_t needs to be executable file
+- Allow block_suspend cap for samba-net
+- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
+- Allow init_t to run crash utility
+- Treat usr_t just like bin_t for transitions and executions
+- Add port definition of pka_ca to port 829 for openshift
+- Allow selinux_store to use symlinks
+
 * Mon Sep 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-79
 - Allow block_suspend cap for samba-net
 - Allow t-mission-control to manage gabble cache files