From 33dc49718362de2bf158c441667a3f30db80f025 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jul 14 2014 19:59:18 +0000 Subject: * Mon Jul 14 2014 Lukas Vrabec 3.12.1-177 - Allow lircd_t to use tty_device_t for use withmythtv - Allow mysqld to bind and connect to tram port BZ #1118052 - Allow deltacloudd_t to read network state BZ #1116940 - Allow apache to manage pid sock files - Add capability sys_ptrace to stapserver - Added support for vdsm - Allow chrome sandbox to use udp_sockets leaked in by its parent - Allow logrotate to manage virt_cache - varnishd needs to have fsetid capability - Allow sshd to send signal to chkpwd_t - Set proper labeling on /var/run/sddm --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 300776f..d2395b3 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -24029,7 +24029,7 @@ index fe0c682..e8dcfa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..97291d1 100644 +index 5fc0391..980e658 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,65 @@ policy_module(ssh, 2.3.3) @@ -24280,7 +24280,7 @@ index 5fc0391..97291d1 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +264,55 @@ optional_policy(` +@@ -223,33 +264,56 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -24312,6 +24312,7 @@ index 5fc0391..97291d1 100644 corenet_sendrecv_xserver_server_packets(sshd_t) +auth_exec_login_program(sshd_t) ++auth_signal_chk_passwd(sshd_t) + +userdom_read_user_home_content_files(sshd_t) +userdom_read_user_home_content_symlinks(sshd_t) @@ -24345,7 +24346,7 @@ index 5fc0391..97291d1 100644 ') optional_policy(` -@@ -257,11 +320,28 @@ optional_policy(` +@@ -257,11 +321,28 @@ optional_policy(` ') optional_policy(` 
@@ -24375,7 +24376,7 @@ index 5fc0391..97291d1 100644 ') optional_policy(` -@@ -269,6 +349,10 @@ optional_policy(` +@@ -269,6 +350,10 @@ optional_policy(` ') optional_policy(` @@ -24386,7 +24387,7 @@ index 5fc0391..97291d1 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +363,93 @@ optional_policy(` +@@ -279,13 +364,93 @@ optional_policy(` ') optional_policy(` @@ -24480,7 +24481,7 @@ index 5fc0391..97291d1 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +458,33 @@ optional_policy(` +@@ -294,19 +459,33 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -24515,7 +24516,7 @@ index 5fc0391..97291d1 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -322,7 +500,14 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -322,7 +501,14 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) @@ -24530,7 +24531,7 @@ index 5fc0391..97291d1 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +516,148 @@ optional_policy(` +@@ -331,3 +517,148 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -24680,7 +24681,7 @@ index 5fc0391..97291d1 100644 +') + diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index d1f64a0..7acda6c 100644 +index d1f64a0..b79dbb4 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -24786,7 +24787,7 @@ index d1f64a0..7acda6c 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -92,25 +130,50 @@ ifndef(`distro_debian',` +@@ -92,25 +130,51 @@ ifndef(`distro_debian',` /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) 
@@ -24828,11 +24829,12 @@ index d1f64a0..7acda6c 100644 +/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - ++/var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++ +/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+ + ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index a4a6124..99dd61b 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -4966,7 +4966,7 @@ index 83e899c..9426db5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..17a51e3 100644 +index 1a82e29..d2693f8 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,381 @@ @@ -6192,7 +6192,7 @@ index 1a82e29..17a51e3 100644 ') optional_policy(` -@@ -781,34 +944,57 @@ optional_policy(` +@@ -781,34 +944,58 @@ optional_policy(` ') optional_policy(` @@ -6211,6 +6211,7 @@ index 1a82e29..17a51e3 100644 + +optional_policy(` + mirrormanager_manage_pid_files(httpd_t) ++ mirrormanager_manage_pid_sock_files(httpd_t) + mirrormanager_read_lib_files(httpd_t) + mirrormanager_read_log(httpd_t) +') @@ -6261,7 +6262,7 @@ index 1a82e29..17a51e3 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +1002,18 @@ optional_policy(` +@@ -816,8 +1003,18 @@ optional_policy(` ') optional_policy(` 
@@ -6280,7 +6281,7 @@ index 1a82e29..17a51e3 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +1022,7 @@ optional_policy(` +@@ -826,6 +1023,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6288,7 +6289,7 @@ index 1a82e29..17a51e3 100644 ') optional_policy(` -@@ -836,20 +1033,40 @@ optional_policy(` +@@ -836,20 +1034,40 @@ optional_policy(` ') optional_policy(` @@ -6335,7 +6336,7 @@ index 1a82e29..17a51e3 100644 ') optional_policy(` -@@ -857,19 +1074,35 @@ optional_policy(` +@@ -857,19 +1075,35 @@ optional_policy(` ') optional_policy(` @@ -6371,7 +6372,7 @@ index 1a82e29..17a51e3 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1110,173 @@ optional_policy(` +@@ -877,65 +1111,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6567,7 +6568,7 @@ index 1a82e29..17a51e3 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1285,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1286,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6722,7 +6723,7 @@ index 1a82e29..17a51e3 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1369,106 @@ optional_policy(` +@@ -1077,172 +1370,106 @@ optional_policy(` ') ') @@ -6959,7 +6960,7 @@ index 1a82e29..17a51e3 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1476,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1477,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7056,7 +7057,7 @@ index 1a82e29..17a51e3 100644 ######################################## # -@@ -1315,8 +1551,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1552,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` 
@@ -7073,7 +7074,7 @@ index 1a82e29..17a51e3 100644 ') ######################################## -@@ -1324,49 +1567,38 @@ optional_policy(` +@@ -1324,49 +1568,38 @@ optional_policy(` # User content local policy # @@ -7138,7 +7139,7 @@ index 1a82e29..17a51e3 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1608,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1609,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -11380,10 +11381,10 @@ index 0000000..d020d89 +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) diff --git a/chrome.if b/chrome.if new file mode 100644 -index 0000000..23407b8 +index 0000000..7beaafe --- /dev/null +++ b/chrome.if -@@ -0,0 +1,137 @@ +@@ -0,0 +1,138 @@ + +## policy for chrome + @@ -11475,6 +11476,7 @@ index 0000000..23407b8 + allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; + allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;; + dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown; ++ allow chrome_sandbox_t $2:udp_socket rw_socket_perms; + allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms; + allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; + allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write }; @@ -12850,10 +12852,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..496ce03 +index 0000000..2b47a40 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,300 @@ +@@ -0,0 +1,301 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -13052,6 +13054,7 @@ index 0000000..496ce03 + +kernel_read_kernel_sysctls(deltacloudd_t) +kernel_read_system_state(deltacloudd_t) ++kernel_read_network_state(deltacloudd_t) + +corecmd_exec_bin(deltacloudd_t) + 
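Review bot: `allow chrome_sandbox_t $2:udp_socket rw_socket_perms;` grants far more than tolerating a descriptor the parent leaked across exec: as defined in the reference policy's permission sets, rw_socket_perms also carries bind, connect, setopt and shutdown, so the sandbox could repoint or reconfigure a UDP endpoint that belongs to the caller's domain. Since the changelog's stated intent is only to cope with a leak, mirror the `{ read write }` used on the unix_dgram_socket rule just above and write `allow chrome_sandbox_t $2:udp_socket { read write };`, or, if the sandbox never legitimately uses that socket, `dontaudit chrome_sandbox_t $2:udp_socket rw_socket_perms;` and have the parent set FD_CLOEXEC instead. The enclosing interface starts and ends outside the hunk.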
@@ -40143,7 +40146,7 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 98b5405..7d982bb 100644 +index 98b5405..1150694 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -40163,11 +40166,12 @@ index 98b5405..7d982bb 100644 read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) -@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t) +@@ -64,9 +65,9 @@ files_manage_generic_locks(lircd_t) files_read_all_locks(lircd_t) term_use_ptmx(lircd_t) +term_use_usb_ttys(lircd_t) ++term_use_unallocated_ttys(lircd_t) logging_send_syslog_msg(lircd_t) @@ -40466,7 +40470,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..5fef0a4 100644 +index 7bab8e5..6234385 100644 --- a/logrotate.te +++ b/logrotate.te @@ -1,20 +1,26 @@ @@ -40755,8 +40759,14 @@ index 7bab8e5..5fef0a4 100644 su_exec(logrotate_t) ') -@@ -241,13 +295,11 @@ optional_policy(` +@@ -239,15 +293,17 @@ optional_policy(` + varnishd_manage_log(logrotate_t) + ') ++optional_policy(` ++ virt_manage_cache(logrotate_t) ++') ++ ####################################### # -# Mail local policy @@ -43485,10 +43495,10 @@ index 0000000..c713b27 +/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0) diff --git a/mirrormanager.if b/mirrormanager.if new file mode 100644 -index 0000000..fbb831d +index 0000000..86467cf --- /dev/null +++ b/mirrormanager.if -@@ -0,0 +1,237 @@ +@@ -0,0 +1,256 @@ + +## policy for mirrormanager + 
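Review bot: `term_use_unallocated_ttys(lircd_t)` gives lircd_t read/write on every device labeled tty_device_t, not just the IR receiver that mythtv hands it, and neither the rule nor the changelog names a device path that would justify the whole class. If the receiver sits on a fixed node such as a serial line, the narrower option is to label that node with a device type of its own in lircd.fc and allow only that; failing that, put the rule behind a boolean so hosts without such hardware do not carry the extra tty surface. Together with the `term_use_usb_ttys(lircd_t)` line directly above, lircd now reaches a large share of the system's terminals, so a comment recording which device forced this (`# mythtv IR receiver on a plain serial tty — confirm`) would help the next reviewer judge it.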
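Review bot: `virt_manage_cache(logrotate_t)` hands logrotate create, write and unlink rights over the entire virt cache tree, which is wider than rotating a log requires; elsewhere in this hunk logrotate is given log types only (`varnishd_manage_log(logrotate_t)`). If the files being rotated actually live under libvirt's cache directory, the tighter fix is to label that path as a log type in virt.fc and use the corresponding log-management interface here instead; if manage on the cache is genuinely needed, a comment naming the path that forced it (`# libvirt writes rotated logs under its cache dir — confirm`) should accompany the rule. As written, a compromised logrotate could tamper with whatever libvirt keeps in that cache.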
@@ -43688,6 +43698,25 @@ index 0000000..fbb831d + +######################################## +## ++## Manage mirrormanager PID sock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_pid_sock_files',` ++ gen_require(` ++ type mirrormanager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_sock_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an mirrormanager environment +## @@ -50287,7 +50316,7 @@ index 687af38..a77dc09 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..6e73360 100644 +index 9f6179e..919fdc3 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -50377,7 +50406,7 @@ index 9f6179e..6e73360 100644 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -93,50 +92,55 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -93,50 +92,57 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -50404,11 +50433,13 @@ index 9f6179e..6e73360 100644 -corenet_sendrecv_mysqld_server_packets(mysqld_t) corenet_tcp_bind_mysqld_port(mysqld_t) -corenet_sendrecv_mysqld_client_packets(mysqld_t) ++corenet_tcp_bind_tram_port(mysqld_t) corenet_tcp_connect_mysqld_port(mysqld_t) -corenet_tcp_sendrecv_mysqld_port(mysqld_t) - -corecmd_exec_bin(mysqld_t) -corecmd_exec_shell(mysqld_t) ++corenet_tcp_connect_tram_port(mysqld_t) +corenet_sendrecv_mysqld_client_packets(mysqld_t) +corenet_sendrecv_mysqld_server_packets(mysqld_t) @@ -50450,7 +50481,7 @@ index 9f6179e..6e73360 100644 ') optional_policy(` -@@ -144,6 +148,10 @@ optional_policy(` +@@ -144,6 +150,10 @@ optional_policy(` ') optional_policy(` 
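Review bot: The new `corenet_tcp_bind_tram_port(mysqld_t)` and `corenet_tcp_connect_tram_port(mysqld_t)` rules are unconditional, so every mysqld instance may listen on and connect to the tram port whether or not it participates in the cluster/replication setup that BZ #1118052 presumably describes; a tunable would keep single-node installs at the existing mysqld-port-only surface. The pair is also inconsistent with the mysqld port a few lines up, which combines bind/connect with `corenet_sendrecv_mysqld_client_packets(mysqld_t)` and `corenet_sendrecv_mysqld_server_packets(mysqld_t)`, while the tram port gets no matching packet rules, so SECMARK-labeled deployments would still be denied. Placing the two new lines adjacent to each other, rather than split around the corecmd_ deletions, would also make the addition easier to audit.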
@@ -50461,7 +50492,7 @@ index 9f6179e..6e73360 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -153,29 +161,25 @@ optional_policy(` +@@ -153,29 +163,25 @@ optional_policy(` ####################################### # @@ -50500,7 +50531,7 @@ index 9f6179e..6e73360 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -183,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -183,21 +189,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -50536,7 +50567,7 @@ index 9f6179e..6e73360 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +217,7 @@ optional_policy(` +@@ -205,7 +219,7 @@ optional_policy(` ######################################## # @@ -50545,7 +50576,7 @@ index 9f6179e..6e73360 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +228,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -50563,7 +50594,7 @@ index 9f6179e..6e73360 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +241,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -95037,7 +95068,7 @@ index 0000000..80c6480 +') diff --git a/stapserver.te b/stapserver.te new file mode 100644 -index 0000000..6aeecac +index 0000000..337d201 --- /dev/null +++ b/stapserver.te @@ -0,0 +1,114 @@ 
@@ -95073,7 +95104,7 @@ index 0000000..6aeecac +allow stapserver_t self:capability { setuid setgid }; +allow stapserver_t self:process setsched; + -+allow stapserver_t self:capability { dac_override kill }; ++allow stapserver_t self:capability { dac_override kill sys_ptrace}; +allow stapserver_t self:process { setrlimit signal }; + +allow stapserver_t self:fifo_file rw_fifo_file_perms; @@ -100565,7 +100596,7 @@ index 1c35171..2cba4df 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..8cade37 100644 +index 9d4d8cb..1189323 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; @@ -100590,7 +100621,7 @@ index 9d4d8cb..8cade37 100644 # -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; -+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner }; ++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner fsetid }; dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; +allow varnishd_t self:process { execmem signal }; @@ -100820,10 +100851,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..6351bcb 100644 +index c30da4c..9ccc90c 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,92 @@ +@@ -1,52 +1,97 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
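Review bot: The new capability set `{ dac_override kill sys_ptrace}` is missing the space before the closing brace; write `allow stapserver_t self:capability { dac_override kill sys_ptrace };` to match the other capability rules in the file. More importantly, sys_ptrace is one of the most powerful capabilities to hand a daemon that accepts requests from clients: it permits attaching to and reading the memory of other processes, and in practice the kernel also requests it when a process merely reads another process's /proc/<pid>/maps or environ. If the denial that motivated this came from such a /proc read rather than a real ptrace(), the conventional fix is `dontaudit stapserver_t self:capability sys_ptrace;` rather than allow, and in either case a comment recording which operation needed it would let the next reviewer check the choice.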
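Review bot: Adding `fsetid` to the varnishd_t capability rule is frequently unnecessary: the kernel typically asks for CAP_FSETID when a chown()/chmod() by the process would otherwise clear a setgid bit on the file, and a daemon usually does not care whether that bit survives. Unless varnishd actually relies on setgid bits being preserved on files it chowns, the conventional treatment is `dontaudit varnishd_t self:capability fsetid;`, which the very next line already does for sys_tty_config. The changelog's "varnishd needs to have fsetid capability" should record the operation that produced the denial so the allow-versus-dontaudit decision can be verified.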
@@ -100931,6 +100962,11 @@ index c30da4c..6351bcb 100644 +/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0) + ++#support for vdsm ++/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/share/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/share/vdsm/supervdsmServer -- gen_context(system_u:object_r:virtd_exec_t,s0) ++ +# support for nova-stack +/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 5d53ad2..202b049 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 176%{?dist} +Release: 177%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,19 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jul 14 2014 Lukas Vrabec 3.12.1-177 +- Allow lircd_t to use tty_device_t for use withmythtv +- Allow mysqld to bind and connect to tram port BZ #1118052 +- Allow deltacloudd_t to read network state BZ #1116940 +- Allow apache to manage pid sock files +- Add capability sys_ptrace to stapserver +- Added support for vdsm +- Allow chrome sandbox to use udp_sockets leaked in by its parent +- Allow logrotate to manage virt_cache +- varnishd needs to have fsetid capability +- Allow sshd to send signal to chkpwd_t +- Set proper labeling on /var/run/sddm + * Wed Jul 02 2014 Lukas Vrabec 3.12.1-176 - Allow apache to search ipa lib files by default
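Review bot: Labeling `/usr/share/vdsm/vdsm`, `/usr/share/vdsm/respawn` and `/usr/share/vdsm/supervdsmServer` as virtd_exec_t makes vdsm run in libvirt's own virtd_t domain rather than a domain of its own, so the management daemon, and supervdsmServer, which by its name appears to run with elevated rights, inherits every permission virtd_t has and exposes libvirt's privileges to any vdsm bug. That collapses two trust boundaries into one; a dedicated vdsm domain with a controlled transition to virtd_t would be the cleaner long-term design. `respawn` also appears to be a generic restart wrapper, so labeling the script itself means anything it respawns starts in virtd_t; consider whether only the final executables need the label. At minimum the comment should state the intent, e.g. `# vdsm runs in virtd_t; no dedicated domain yet`.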