From 208de24a1999e88c2b858e02befb658e2658d7ae Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 16 2014 20:56:46 +0000 Subject: - Fix mirrormanager_read_lib_files() - Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files - Allow ctdb to create sock files in /var/run/ctdb - Add sblim_filetrans_named_content() interface - Allow rpm scritplets to create /run/gather with correct labeling - Allow gnome keyring domains to create gnome config dirs - Dontaudit read/write to init stream socket for lsmd_plugin_t - Allow automount to read nfs link files - Allow lsm plugins to read/write lsmd stream socket - Allow certmonger to connect ldap port to make IPA CA certificate renewal working. - Add also labeling for /var/run/ctdb - Add missing labeling for /var/lib/ctdb - ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446 - Dontaudit hypervkvp to search homedirs - Dontaudit hypervkvp to search admin homedirs - Allow hypervkvp to execute bin_t and ifconfig in the caller domain - Dontaudit xguest_t to read ABRT conf files - Add abrt_dontaudit_read_config() - Allow namespace-init to getattr on fs - Add thumb_role() also for xguest - Add filename transitions to create .spamassassin with correct labeling - Allow apache domain to read mirrormanager pid files - Allow domains to read/write shm and sem owned by mozilla_plugin_t - Allow alsactl to send a generic signal to kernel_t - Allow plymouthd to read run/udev/queue.bin - Allow sys_chroot for NM required by iodine service - Change glusterd to allow mounton all non securit --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 42c6b4f..8ba89c5 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -28225,7 +28225,7 @@ index 24e7804..76da5dd 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..8b457a1 100644 +index dd3be8d..3f4f878 100644 
--- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -28332,8 +28332,12 @@ index dd3be8d..8b457a1 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -110,12 +152,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -108,14 +150,37 @@ allow init_t self:capability ~sys_module; + allow init_t self:fifo_file rw_fifo_file_perms; + ++allow init_t self:service manage_service_perms; ++ # Re-exec itself can_exec(init_t, init_exec_t) - @@ -28372,7 +28376,7 @@ index dd3be8d..8b457a1 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +188,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +190,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -28392,7 +28396,7 @@ index dd3be8d..8b457a1 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +207,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +209,20 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -28413,7 +28417,7 @@ index dd3be8d..8b457a1 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +230,52 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +232,52 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) 
@@ -28459,17 +28463,17 @@ index dd3be8d..8b457a1 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) - --miscfiles_read_localization(init_t) ++ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) -+ + +-miscfiles_read_localization(init_t) +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +284,208 @@ ifdef(`distro_gentoo',` +@@ -186,29 +286,208 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -28499,19 +28503,19 @@ index dd3be8d..8b457a1 100644 + +optional_policy(` + chronyd_read_keys(init_t) -+') -+ -+optional_policy(` -+ kdump_read_crash(init_t) ') optional_policy(` - auth_rw_login_records(init_t) -+ gnome_filetrans_home_content(init_t) -+ gnome_manage_data(init_t) ++ kdump_read_crash(init_t) ') optional_policy(` ++ gnome_filetrans_home_content(init_t) ++ gnome_manage_data(init_t) ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) +') + @@ -28673,20 +28677,20 @@ index dd3be8d..8b457a1 100644 + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` -+ networkmanager_stream_connect(init_t) ') optional_policy(` - nscd_use(init_t) ++ networkmanager_stream_connect(init_t) ++') ++ ++optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) ') optional_policy(` -@@ -216,7 +493,30 @@ optional_policy(` +@@ -216,7 +495,30 @@ optional_policy(` ') optional_policy(` @@ -28717,7 +28721,7 @@ index dd3be8d..8b457a1 100644 ') ######################################## -@@ -225,8 +525,9 @@ optional_policy(` +@@ -225,8 +527,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -28729,7 +28733,7 @@ index dd3be8d..8b457a1 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +560,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28746,7 +28750,7 @@ index dd3be8d..8b457a1 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28789,7 +28793,7 @@ index dd3be8d..8b457a1 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28801,7 +28805,7 @@ index dd3be8d..8b457a1 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +632,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +634,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28812,7 +28816,7 @@ index dd3be8d..8b457a1 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +643,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +645,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -28822,7 +28826,7 @@ index dd3be8d..8b457a1 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +652,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +654,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -28830,7 +28834,7 @@ index dd3be8d..8b457a1 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28838,7 +28842,7 @@ index dd3be8d..8b457a1 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +667,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +669,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28856,7 +28860,7 @@ index dd3be8d..8b457a1 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +685,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +687,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28870,7 +28874,7 @@ index dd3be8d..8b457a1 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +700,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +702,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -28884,7 +28888,7 @@ index dd3be8d..8b457a1 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +713,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +715,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -28892,7 +28896,7 @@ index dd3be8d..8b457a1 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +725,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +727,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28900,7 +28904,7 @@ index dd3be8d..8b457a1 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +744,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +746,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28924,7 +28928,7 @@ index dd3be8d..8b457a1 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +777,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +779,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28932,7 +28936,7 @@ index dd3be8d..8b457a1 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +811,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +813,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28943,7 +28947,7 @@ index dd3be8d..8b457a1 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +835,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +837,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -28952,7 +28956,7 @@ index dd3be8d..8b457a1 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +850,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +852,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -28960,7 +28964,7 @@ index dd3be8d..8b457a1 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +871,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +873,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28968,7 +28972,7 @@ index dd3be8d..8b457a1 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +881,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +883,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -29013,7 +29017,7 @@ index dd3be8d..8b457a1 100644 ') optional_policy(` -@@ -558,14 +926,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +928,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -29045,7 +29049,7 @@ index dd3be8d..8b457a1 100644 ') ') -@@ -576,6 +961,39 @@ ifdef(`distro_suse',` +@@ -576,6 +963,39 @@ ifdef(`distro_suse',` ') ') @@ -29085,7 +29089,7 @@ index dd3be8d..8b457a1 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1006,8 @@ optional_policy(` +@@ -588,6 +1008,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -29094,7 +29098,7 @@ index dd3be8d..8b457a1 100644 ') optional_policy(` -@@ -609,6 +1029,7 @@ optional_policy(` +@@ -609,6 +1031,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -29102,7 +29106,7 @@ index dd3be8d..8b457a1 100644 ') optional_policy(` -@@ -625,6 +1046,17 @@ optional_policy(` +@@ -625,6 +1048,17 @@ optional_policy(` ') optional_policy(` 
@@ -29120,7 +29124,7 @@ index dd3be8d..8b457a1 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1073,13 @@ optional_policy(` +@@ -641,9 +1075,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29134,7 +29138,7 @@ index dd3be8d..8b457a1 100644 ') optional_policy(` -@@ -656,15 +1092,11 @@ optional_policy(` +@@ -656,15 +1094,11 @@ optional_policy(` ') optional_policy(` @@ -29152,7 +29156,7 @@ index dd3be8d..8b457a1 100644 ') optional_policy(` -@@ -685,6 +1117,15 @@ optional_policy(` +@@ -685,6 +1119,15 @@ optional_policy(` ') optional_policy(` @@ -29168,7 +29172,7 @@ index dd3be8d..8b457a1 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1166,7 @@ optional_policy(` +@@ -725,6 +1168,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -29176,7 +29180,7 @@ index dd3be8d..8b457a1 100644 ') optional_policy(` -@@ -742,7 +1184,13 @@ optional_policy(` +@@ -742,7 +1186,13 @@ optional_policy(` ') optional_policy(` @@ -29191,7 +29195,7 @@ index dd3be8d..8b457a1 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1213,10 @@ optional_policy(` +@@ -765,6 +1215,10 @@ optional_policy(` ') optional_policy(` @@ -29202,7 +29206,7 @@ index dd3be8d..8b457a1 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1226,20 @@ optional_policy(` +@@ -774,10 +1228,20 @@ optional_policy(` ') optional_policy(` @@ -29223,7 +29227,7 @@ index dd3be8d..8b457a1 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1248,10 @@ optional_policy(` +@@ -786,6 +1250,10 @@ optional_policy(` ') optional_policy(` @@ -29234,7 +29238,7 @@ index dd3be8d..8b457a1 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1273,6 @@ optional_policy(` +@@ -807,8 +1275,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -29243,7 +29247,7 @@ index dd3be8d..8b457a1 100644 ') optional_policy(` -@@ -817,6 +1281,10 @@ optional_policy(` +@@ -817,6 +1283,10 @@ optional_policy(` ') optional_policy(` @@ -29254,7 +29258,7 @@ index dd3be8d..8b457a1 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1294,12 @@ optional_policy(` +@@ -826,10 +1296,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29267,7 +29271,7 @@ index dd3be8d..8b457a1 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1326,35 @@ optional_policy(` +@@ -856,12 +1328,35 @@ optional_policy(` ') optional_policy(` @@ -29304,7 +29308,7 @@ index dd3be8d..8b457a1 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1364,18 @@ optional_policy(` +@@ -871,6 +1366,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29323,7 +29327,7 @@ index dd3be8d..8b457a1 100644 ') optional_policy(` -@@ -886,6 +1391,10 @@ optional_policy(` +@@ -886,6 +1393,10 @@ optional_policy(` ') optional_policy(` @@ -29334,7 +29338,7 @@ index dd3be8d..8b457a1 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1405,218 @@ optional_policy(` +@@ -896,3 +1407,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index c50e452..f02fdf7 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -4816,7 +4816,7 @@ index 83e899c..64beed7 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..9ac02fd 100644 +index 1a82e29..94764d1 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ 
@@ -6027,7 +6027,7 @@ index 1a82e29..9ac02fd 100644 +') + +optional_policy(` -+ mirrormanager_read_pid_files(httpd_t) ++ mirrormanager_manage_pid_files(httpd_t) + mirrormanager_read_lib_files(httpd_t) + mirrormanager_read_log(httpd_t) +') @@ -8026,7 +8026,7 @@ index 089430a..b0bed70 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index a579c3b..294b5f4 100644 +index a579c3b..f27656d 100644 --- a/automount.te +++ b/automount.te @@ -22,12 +22,16 @@ type automount_tmp_t; @@ -8063,7 +8063,15 @@ index a579c3b..294b5f4 100644 files_search_boot(automount_t) files_search_all(automount_t) files_unmount_all_file_type_fs(automount_t) -@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t) +@@ -108,6 +110,7 @@ fs_manage_autofs_symlinks(automount_t) + fs_mount_all_fs(automount_t) + fs_mount_autofs(automount_t) + fs_read_nfs_files(automount_t) ++fs_read_nfs_symlinks(automount_t) + fs_search_all(automount_t) + fs_search_auto_mountpoints(automount_t) + fs_unmount_all_fs(automount_t) +@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -8086,7 +8094,7 @@ index a579c3b..294b5f4 100644 fstools_domtrans(automount_t) ') -@@ -160,3 +165,8 @@ optional_policy(` +@@ -160,3 +166,8 @@ optional_policy(` optional_policy(` udev_read_db(automount_t) ') @@ -10627,7 +10635,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 2354e21..fb4590f 100644 +index 2354e21..8b373e6 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) 
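Review bot: Replacing `mirrormanager_read_pid_files(httpd_t)` with `mirrormanager_manage_pid_files(httpd_t)` gives the whole web-server domain create/write/unlink on `mirrormanager_var_run_t` (the new interface is a `manage_files_pattern`), so every module, CGI and script running as httpd_t, not just the mirrormanager scripts, can rewrite or remove that service's PID files. Anything that later reads a PID out of those files and signals it would be steerable by a compromised httpd_t, so I would not grant this to httpd_t as a whole. The tighter fix is to run the mirrormanager scripts in their own domain via a domtrans from httpd_t and keep httpd_t at read; if that is not feasible yet, add a comment above the call naming the script that needs write so the grant can be revisited: `# mirrormanager scripts run as httpd_t and write their own pid file; TODO confine`.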
@@ -10664,7 +10672,7 @@ index 2354e21..fb4590f 100644 corenet_all_recvfrom_unlabeled(certmonger_t) corenet_all_recvfrom_netlabel(certmonger_t) -@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) +@@ -49,16 +55,23 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) corenet_sendrecv_certmaster_client_packets(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t) @@ -10672,6 +10680,8 @@ index 2354e21..fb4590f 100644 +corenet_tcp_connect_http_port(certmonger_t) +corenet_tcp_connect_http_cache_port(certmonger_t) + ++corenet_tcp_connect_ldap_port(certmonger_t) ++ +corenet_tcp_connect_pki_ca_port(certmonger_t) corenet_tcp_sendrecv_certmaster_port(certmonger_t) @@ -10687,7 +10697,7 @@ index 2354e21..fb4590f 100644 files_list_tmp(certmonger_t) fs_search_cgroup_dirs(certmonger_t) -@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t) +@@ -70,16 +83,17 @@ init_getattr_all_script_files(certmonger_t) logging_send_syslog_msg(certmonger_t) @@ -10708,7 +10718,7 @@ index 2354e21..fb4590f 100644 ') optional_policy(` -@@ -92,11 +104,47 @@ optional_policy(` +@@ -92,11 +106,47 @@ optional_policy(` ') optional_policy(` @@ -17532,7 +17542,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 6ce66e7..06f71d5 100644 +index 6ce66e7..d95f222 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -17560,7 +17570,7 @@ index 6ce66e7..06f71d5 100644 append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -@@ -57,7 +62,13 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) +@@ -57,10 +62,17 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) 
@@ -17575,7 +17585,11 @@ index 6ce66e7..06f71d5 100644 manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) -@@ -72,9 +83,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) ++manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) + files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) + + kernel_read_network_state(ctdbd_t) +@@ -72,9 +84,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -17587,7 +17601,7 @@ index 6ce66e7..06f71d5 100644 corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,12 +98,14 @@ dev_read_urand(ctdbd_t) +@@ -85,12 +99,14 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -17604,7 +17618,7 @@ index 6ce66e7..06f71d5 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +124,7 @@ optional_policy(` +@@ -109,6 +125,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -27594,7 +27608,7 @@ index e39de43..6a6db28 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..74170f8 100644 +index d03fd43..4155cd4 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,157 @@ @@ -28657,7 +28671,7 @@ index d03fd43..74170f8 100644 ## ## ## -@@ -704,12 +778,913 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +778,931 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # 
@@ -29069,6 +29083,24 @@ index d03fd43..74170f8 100644 + delete_files_pattern($1, config_home_t, config_home_t) +') + ++######################################## ++## ++## Create gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_create_home_config_dirs',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ allow $1 config_home_t:dir create_dir_perms; ++') ++ +####################################### +## +## setattr gnome homedir content (.config) @@ -29577,7 +29609,7 @@ index d03fd43..74170f8 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 20f726b..2af3f4b 100644 +index 20f726b..45fe41c 100644 --- a/gnome.te +++ b/gnome.te @@ -1,18 +1,36 @@ @@ -29621,7 +29653,7 @@ index 20f726b..2af3f4b 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -29,107 +47,225 @@ type gconfd_exec_t; +@@ -29,107 +47,226 @@ type gconfd_exec_t; typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) @@ -29882,6 +29914,7 @@ index 20f726b..2af3f4b 100644 optional_policy(` - telepathy_mission_control_read_state(gkeyringd_domain) ++ gnome_create_home_config_dirs(gkeyringd_domain) + gnome_read_home_config(gkeyringd_domain) + gnome_manage_generic_cache_files(gkeyringd_domain) + gnome_manage_cache_home_dir(gkeyringd_domain) @@ -38507,10 +38540,10 @@ index 0000000..da30c5d +') diff --git a/lsm.te b/lsm.te new file mode 100644 -index 0000000..ba791e5 +index 0000000..5a9d09d --- /dev/null +++ b/lsm.te -@@ -0,0 +1,70 @@ +@@ -0,0 +1,72 @@ +policy_module(lsm, 1.0.0) + +######################################## 
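Review bot: The new `gnome_create_home_config_dirs` interface declares `type cache_home_t;` in its `gen_require` but the rule it emits is `allow $1 config_home_t:dir create_dir_perms;`, so the type it actually uses is never required. It compiles from gnome.te only because `config_home_t` is a local type of that module; from any other module the reference is out of scope and the build fails, and the unused `cache_home_t` require is misleading. Change the require block to `type config_home_t;`.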
@@ -38562,6 +38595,7 @@ index 0000000..ba791e5 +allow lsmd_plugin_t self:udp_socket create_socket_perms; + +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t) ++allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write }; + +allow lsmd_t lsmd_plugin_exec_t:file read_file_perms; +stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t) @@ -38577,6 +38611,7 @@ index 0000000..ba791e5 +corecmd_exec_bin(lsmd_plugin_t) + +init_stream_connect(lsmd_plugin_t) ++init_dontaudit_rw_stream_socket(lsmd_plugin_t) + +logging_send_syslog_msg(lsmd_plugin_t) + @@ -40620,10 +40655,10 @@ index 0000000..c713b27 +/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0) diff --git a/mirrormanager.if b/mirrormanager.if new file mode 100644 -index 0000000..dd049c7 +index 0000000..adf2319 --- /dev/null +++ b/mirrormanager.if -@@ -0,0 +1,224 @@ +@@ -0,0 +1,243 @@ + +## policy for mirrormanager + @@ -40741,6 +40776,7 @@ index 0000000..dd049c7 + ') + + files_search_var_lib($1) ++ list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) + read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) +') + @@ -40801,6 +40837,24 @@ index 0000000..dd049c7 + read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) +') + ++######################################## ++## ++## Manage mirrormanager PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_pid_files',` ++ gen_require(` ++ type mirrormanager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) ++') + +######################################## +## @@ -57802,7 +57856,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..6fa25ba 100644 +index 7bcf327..e4f2a0a 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ 
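Review bot: The added `allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };` has no comment explaining why it is needed when the plugin already gets `stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t)` on the next line; read/write on the daemon's own socket object only makes sense if the plugin uses a descriptor inherited from lsmd_t across the `domtrans_pattern` above rather than a socket it connected itself, and the `init_dontaudit_rw_stream_socket` added below looks like the same inherited-fd situation for stdio under systemd. A one-line comment would keep a later reader from "fixing" this into a second connect rule: `# plugins inherit the lsmd <-> plugin socket across the domtrans; rw on the daemon's socket, not a connect`. If the plugin does connect itself, the extra rule should be dropped instead; confirm against the daemon's fd handling. The rest of lsm.te is outside the visible part of this hunk.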
@@ -57826,7 +57880,7 @@ index 7bcf327..6fa25ba 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,291 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,293 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -58065,6 +58119,8 @@ index 7bcf327..6fa25ba 100644 +udev_domtrans(pegasus_openlmi_storage_t) +udev_read_pid_files(pegasus_openlmi_storage_t) + ++miscfiles_read_hwdata(pegasus_openlmi_storage_t) ++ +optional_policy(` + dmidecode_domtrans(pegasus_openlmi_storage_t) +') @@ -58123,7 +58179,7 @@ index 7bcf327..6fa25ba 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +324,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +326,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -58154,7 +58210,7 @@ index 7bcf327..6fa25ba 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +350,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +352,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -58187,7 +58243,7 @@ index 7bcf327..6fa25ba 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +378,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +380,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -58199,7 +58255,7 @@ index 7bcf327..6fa25ba 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +394,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +396,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -58235,7 +58291,7 @@ index 7bcf327..6fa25ba 100644 ') optional_policy(` -@@ -151,16 +428,24 @@ optional_policy(` +@@ -151,16 +430,24 @@ optional_policy(` ') optional_policy(` @@ -58264,7 +58320,7 @@ index 7bcf327..6fa25ba 100644 ') optional_policy(` -@@ -168,7 +453,7 @@ optional_policy(` +@@ -168,7 +455,7 @@ optional_policy(` ') optional_policy(` @@ -74202,7 +74258,7 @@ index 47de2d6..a7e8263 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index 56bc01f..f1ee87e 100644 +index 56bc01f..1337d42 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -74573,7 +74629,7 @@ index 56bc01f..f1ee87e 100644 ') ###################################### -@@ -446,52 +497,360 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +497,361 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## @@ -74826,6 +74882,7 @@ index 56bc01f..f1ee87e 100644 + ') + + rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) ++ delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) +') + +##################################### @@ -74963,7 +75020,7 @@ index 56bc01f..f1ee87e 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..f8b98bd 100644 +index 2c2de9a..9b2ddd8 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) 
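Review bot: Adding `delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)` beside the existing `rw_files_pattern` widens an interface whose body until now only read and wrote cluster tmpfs content, so every existing caller silently gains unlink on those tmpfs-backed files; the interface's name and summary lie outside this hunk, so I cannot tell whether they now say so. Either move the unlink into a separate interface for the one domain that needs it, or update the summary in the same change so the grant is not hidden behind a read/write name, e.g. `## Read, write and delete cluster tmpfs files.`.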
@@ -75339,7 +75396,15 @@ index 2c2de9a..f8b98bd 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +433,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -140,6 +425,7 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) + + corenet_sendrecv_zented_server_packets(fenced_t) + corenet_tcp_bind_zented_port(fenced_t) ++corenet_udp_bind_zented_port(fenced_t) + corenet_tcp_sendrecv_zented_port(fenced_t) + + corenet_sendrecv_http_client_packets(fenced_t) +@@ -148,9 +434,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -75350,7 +75415,7 @@ index 2c2de9a..f8b98bd 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +443,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +444,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -75359,7 +75424,7 @@ index 2c2de9a..f8b98bd 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +465,8 @@ optional_policy(` +@@ -182,7 +466,8 @@ optional_policy(` ') optional_policy(` @@ -75369,7 +75434,7 @@ index 2c2de9a..f8b98bd 100644 ') optional_policy(` -@@ -190,12 +474,12 @@ optional_policy(` +@@ -190,12 +475,12 @@ optional_policy(` ') optional_policy(` @@ -75385,7 +75450,7 @@ index 2c2de9a..f8b98bd 100644 ') optional_policy(` -@@ -203,6 +487,13 @@ optional_policy(` +@@ -203,6 +488,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -75399,7 +75464,7 @@ index 2c2de9a..f8b98bd 100644 ####################################### # # foghorn local policy -@@ -221,16 +512,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +513,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) 
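Review bot: The new `corenet_udp_bind_zented_port(fenced_t)` is not paired with a UDP sendrecv rule, unlike the TCP side of the same block (`corenet_tcp_bind_zented_port` with `corenet_tcp_sendrecv_zented_port`) and the `corenet_udp_sendrecv_ionixnetmon_port(fenced_t)` a few lines above it. For consistency with the surrounding port blocks add `corenet_udp_sendrecv_zented_port(fenced_t)` next to the bind, or note why the packet/port rules are deliberately omitted here.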
@@ -75420,7 +75485,7 @@ index 2c2de9a..f8b98bd 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +550,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +551,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -75429,7 +75494,7 @@ index 2c2de9a..f8b98bd 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +570,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +571,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -75471,7 +75536,7 @@ index 2c2de9a..f8b98bd 100644 ###################################### # # qdiskd local policy -@@ -321,6 +645,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +646,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -78744,7 +78809,7 @@ index 0628d50..e9dbd7e 100644 + allow rpm_script_t $1:process sigchld; ') diff --git a/rpm.te b/rpm.te -index 5cbe81c..5b28e97 100644 +index 5cbe81c..ab091de 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -79143,7 +79208,7 @@ index 5cbe81c..5b28e97 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,41 +379,61 @@ ifdef(`distro_redhat',` +@@ -363,41 +379,65 @@ ifdef(`distro_redhat',` ') ') @@ -79163,6 +79228,10 @@ index 5cbe81c..5b28e97 100644 + +optional_policy(` + cups_filetrans_named_content(rpm_script_t) ++') ++ ++optional_policy(` ++ sblim_filetrans_named_content(rpm_script_t) ') optional_policy(` @@ -79215,7 +79284,7 @@ index 5cbe81c..5b28e97 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +445,6 @@ optional_policy(` +@@ -409,6 +449,6 @@ optional_policy(` ') optional_policy(` @@ -84028,7 +84097,7 @@ index 68a550d..e976fc6 100644 /var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/sblim.if b/sblim.if -index 98c9e0a..df51942 100644 +index 98c9e0a..d4aa009 100644 --- a/sblim.if +++ b/sblim.if @@ -1,8 +1,36 @@ 
@@ -84079,25 +84148,41 @@ index 98c9e0a..df51942 100644 ## ## ## -@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',` +@@ -40,34 +68,51 @@ interface(`sblim_read_pid_files',` ######################################## ## -## All of the rules required to -## administrate an sblim environment. -+## All of the rules required to administrate -+## an gatherd environment ++## Transition to sblim named content ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain allowed access. ## ## -## --## ++# ++interface(`sblim_filetrans_named_content',` ++ gen_require(` ++ type sblim_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, sblim_var_run_t, dir, "gather") ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an gatherd environment ++## ++## + ## -## Role allowed access. --## --## ++## Domain allowed access. + ## + ## ## # interface(`sblim_admin',` 
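Review bot: The summary of the new `sblim_filetrans_named_content` interface in sblim.if, "Transition to sblim named content", does not tell a caller what it grants; the only rule is `files_pid_filetrans($1, sblim_var_run_t, dir, "gather")`, so the summary should say so, e.g. `## Create the /run/gather directory with the sblim_var_run_t label (name transition; used by rpm scriptlets).` The parameter text "Domain allowed access." is the generic wording and would be clearer as `## Domain allowed to create the directory.` The reworded `sblim_admin` summary on the new side still reads "an gatherd environment"; `a gatherd environment` is the correct article.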
@@ -99912,6 +99997,132 @@ index 9ead775..b5285e7 100644 userdom_dontaudit_search_user_home_dirs(vlock_t) -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) +diff --git a/vmtools.fc b/vmtools.fc +new file mode 100644 +index 0000000..5726cdb +--- /dev/null ++++ b/vmtools.fc +@@ -0,0 +1,3 @@ ++/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0) ++ ++/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0) +diff --git a/vmtools.if b/vmtools.if +new file mode 100644 +index 0000000..044be2f +--- /dev/null ++++ b/vmtools.if +@@ -0,0 +1,78 @@ ++## VMware Tools daemon ++ ++######################################## ++## ++## Execute vmtools in the vmtools domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vmtools_domtrans',` ++ gen_require(` ++ type vmtools_t, vmtools_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, vmtools_exec_t, vmtools_t) ++') ++######################################## ++## ++## Execute vmtools server in the vmtools domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vmtools_systemctl',` ++ gen_require(` ++ type vmtools_t; ++ type vmtools_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 vmtools_unit_file_t:file read_file_perms; ++ allow $1 vmtools_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, vmtools_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an vmtools environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`vmtools_admin',` ++ gen_require(` ++ type vmtools_t; ++ type vmtools_unit_file_t; ++ ') ++ ++ allow $1 vmtools_t:process { signal_perms }; ++ ps_process_pattern($1, vmtools_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ninfod_t:process ptrace; ++ ') ++ ++ vmtools_systemctl($1) ++ admin_pattern($1, vmtools_unit_file_t) ++ allow $1 vmtools_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/vmtools.te b/vmtools.te +new file mode 100644 +index 0000000..7918651 +--- /dev/null ++++ b/vmtools.te +@@ -0,0 +1,27 @@ ++policy_module(vmtools, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type vmtools_t; ++type vmtools_exec_t; ++init_daemon_domain(vmtools_t, vmtools_exec_t) ++ ++type vmtools_unit_file_t; ++systemd_unit_file(vmtools_unit_file_t) ++ ++######################################## ++# ++# vmtools local policy ++# ++allow vmtools_t self:fifo_file rw_fifo_file_perms; ++allow vmtools_t self:unix_stream_socket create_stream_socket_perms; ++allow vmtools_t self:unix_dgram_socket create_socket_perms; ++ ++auth_use_nsswitch(vmtools_t) ++ ++dev_read_urand(vmtools_t) ++ ++logging_send_syslog_msg(vmtools_t) diff --git a/vmware.if b/vmware.if index 20a1fb2..470ea95 100644 --- a/vmware.if diff --git a/selinux-policy.spec b/selinux-policy.spec index ed7629e..fd041b4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 117%{?dist} +Release: 118%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
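Review bot: `vmtools_admin` in the new vmtools.if grants ptrace on the wrong domain: inside the `deny_ptrace` tunable it reads `allow $1 ninfod_t:process ptrace;`, but `ninfod_t` is not this module's type and is not in the interface's `gen_require`, so the interface will fail to expand for any caller unless the ninfod module happens to be present, and when it is, a vmtools admin is allowed to ptrace ninfod rather than vmtoolsd. The line should be `allow $1 vmtools_t:process ptrace;`, matching the `signal_perms` and `ps_process_pattern` rules just above it that already target vmtools_t. Separately, the summary of `vmtools_systemctl` says "Execute vmtools server in the vmtools domain.", which is the wording of the domtrans interface above it and describes none of its rules; `## Manage the vmtools unit file via systemctl.` fits what it grants, and "domin" in the `vmtools_domtrans` summary is a typo for "domain".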
@@ -576,6 +576,42 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jan 16 2014 Miroslav Grepl 3.12.1-118 +- Allow init_t to work on transitient and snapshot unit files +- Add logging_manage_syslog_config() +- Update sysnet_dns_name_resolve() to allow connect to dnssec por +- Allow pegasus_openlmi_storage_t to read hwdata +- Fix rhcs_rw_cluster_tmpfs() +- Allow fenced_t to bind on zented udp port +- Added policy for vmtools +- Fix mirrormanager_read_lib_files() +- Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files +- Allow ctdb to create sock files in /var/run/ctdb +- Add sblim_filetrans_named_content() interface +- Allow rpm scritplets to create /run/gather with correct labeling +- Allow gnome keyring domains to create gnome config dirs +- Dontaudit read/write to init stream socket for lsmd_plugin_t +- Allow automount to read nfs link files +- Allow lsm plugins to read/write lsmd stream socket +- Allow certmonger to connect ldap port to make IPA CA certificate renewal working. +- Add also labeling for /var/run/ctdb +- Add missing labeling for /var/lib/ctdb +- ALlow tuned to manage syslog.conf. Should be fixed in tuned. 
#1030446 +- Dontaudit hypervkvp to search homedirs +- Dontaudit hypervkvp to search admin homedirs +- Allow hypervkvp to execute bin_t and ifconfig in the caller domain +- Dontaudit xguest_t to read ABRT conf files +- Add abrt_dontaudit_read_config() +- Allow namespace-init to getattr on fs +- Add thumb_role() also for xguest +- Add filename transitions to create .spamassassin with correct labeling +- Allow apache domain to read mirrormanager pid files +- Allow domains to read/write shm and sem owned by mozilla_plugin_t +- Allow alsactl to send a generic signal to kernel_t +- Allow plymouthd to read run/udev/queue.bin +- Allow sys_chroot for NM required by iodine service +- Change glusterd to allow mounton all non security + * Wed Jan 15 2014 Miroslav Grepl 3.12.1-117 - Add back rpm_run for unconfined_t