From 3c65b0d92e49bbef900ee2c19fccb5f9b663f4d3 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jan 29 2015 16:40:10 +0000 Subject: * Fri Jan 29 2015 Lukas Vrabec 3.12.1-198 - Dontaudit couchdb search in gconf_home_t. BZ(1177717) - Allow pingd to read /dev/urandom. BZ(1181831) --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 908cfb5..31e36be 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -40300,10 +40300,10 @@ index 0000000..d2a8fc7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..a10f4ee +index 0000000..ea7a44f --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,639 @@ +@@ -0,0 +1,638 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -40893,9 +40893,8 @@ index 0000000..a10f4ee +# +# systemd_sysctl domains local policy +# -+allow systemd_sysctl_t self:capability { sys_admin net_admin }; ++allow systemd_sysctl_t self:capability { net_admin sys_admin sys_rawio }; +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms; -+ +kernel_dgram_send(systemd_sysctl_t) +kernel_rw_all_sysctls(systemd_sysctl_t) + diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 8ce15bc..590a3cc 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -2980,10 +2980,10 @@ index 0000000..ae5f0a3 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..cb58319 +index 0000000..a3e6156 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,270 @@ +@@ -0,0 +1,271 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3089,6 +3089,7 @@ index 0000000..cb58319 + +can_exec(antivirus_domain, antivirus_exec_t) + ++kernel_read_system_state(antivirus_domain) +kernel_read_network_state(antivirus_domain) +kernel_read_all_sysctls(antivirus_domain) + @@ -15946,7 +15947,7 @@ index 83d6744..3f0c0dc 100644 + ') ') 
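Review bot: The rewritten rule `++allow systemd_sysctl_t self:capability { net_admin sys_admin sys_rawio };` in the systemd.te hunk adds CAP_SYS_RAWIO to systemd_sysctl_t, yet neither the commit subject nor the spec changelog (which lists only the couchdb and pingd items) records why. sys_rawio is not a sysctl-writing capability in general; as far as I recall the one sysctl whose write handler demands it is `vm.mmap_min_addr`, so that is presumably the denial behind this, but it should be confirmed against the actual AVC before it lands. Record the reason beside the rule so the grant is not silently widened later, e.g. `# sys_rawio: the kernel requires CAP_SYS_RAWIO to write vm.mmap_min_addr from sysctl.d`, and add a changelog line for it. The rest of the systemd_sysctl_t policy continues outside the hunk.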
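Review bot: `++kernel_read_system_state(antivirus_domain)` in the antivirus.te hunk grants /proc system-state reads to every domain carrying the antivirus_domain attribute rather than to the single scanner that presumably hit the denial, and this grant is also absent from the changelog. If one daemon triggered it, consider placing the rule in that domain's own policy; if the attribute-wide grant is intended, say so next to the rule, e.g. `# all scanner domains read /proc system/process state while scanning`, adjusted to what the AVC actually showed. The antivirus_domain rules continue outside this hunk.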
diff --git a/couchdb.te b/couchdb.te -index 503adab..726f653 100644 +index 503adab..509e73c 100644 --- a/couchdb.te +++ b/couchdb.te @@ -27,6 +27,13 @@ files_type(couchdb_var_lib_t) @@ -15991,7 +15992,7 @@ index 503adab..726f653 100644 corecmd_exec_bin(couchdb_t) corecmd_exec_shell(couchdb_t) -@@ -75,14 +84,32 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) +@@ -75,14 +84,34 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) corenet_tcp_bind_couchdb_port(couchdb_t) corenet_tcp_sendrecv_couchdb_port(couchdb_t) @@ -16004,6 +16005,8 @@ index 503adab..726f653 100644 +files_getattr_lost_found_dirs(couchdb_t) +files_dontaudit_list_var(couchdb_t) + ++gnome_dontaudit_search_config(couchdb_t) ++ dev_list_sysfs(couchdb_t) dev_read_sysfs(couchdb_t) dev_read_urand(couchdb_t) @@ -63039,7 +63042,7 @@ index 21a6ecb..b99e4cb 100644 domain_system_change_exemption($1) role_transition $2 pingd_initrc_exec_t system_r; diff --git a/pingd.te b/pingd.te -index 0f77942..0e3f230 100644 +index 0f77942..1ee68e9 100644 --- a/pingd.te +++ b/pingd.te @@ -10,7 +10,7 @@ type pingd_exec_t; @@ -63051,7 +63054,14 @@ index 0f77942..0e3f230 100644 type pingd_initrc_exec_t; init_script_file(pingd_initrc_exec_t) -@@ -50,5 +50,3 @@ auth_use_nsswitch(pingd_t) +@@ -45,10 +45,10 @@ corenet_tcp_bind_generic_node(pingd_t) + corenet_sendrecv_pingd_server_packets(pingd_t) + corenet_tcp_bind_pingd_port(pingd_t) + ++dev_read_urand(pingd_t) ++ + auth_use_nsswitch(pingd_t) + files_search_usr(pingd_t) logging_send_syslog_msg(pingd_t) @@ -88879,7 +88889,7 @@ index cd6c213..34b861a 100644 + allow $1 sanlock_unit_file_t:service all_service_perms; ') diff --git a/sanlock.te b/sanlock.te -index a34eac4..735ebd1 100644 +index a34eac4..e19c914 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ 
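Review bot: `++gnome_dontaudit_search_config(couchdb_t)` in the couchdb.te hunk calls a gnome-module interface at top level, between base-module `files_*` and `dev_*` calls, without the `optional_policy(` wrapper that the sanlock hunk in this same commit uses for its virt_* calls; cross-contrib interface calls are conventionally written `optional_policy(` gnome_dontaudit_search_config(couchdb_t) ')` so the module still links when gnome is not present. The changelog says the denial was a search in gconf_home_t while the interface name refers to the gnome config directory, so confirm that the interface's target type actually covers gconf_home_t (alias or shared type), otherwise the AVC will keep appearing. A dontaudit hides the access rather than explaining it; a one-line comment naming the path couchdb was searching (presumably a HOME-relative lookup by its runtime, unverified) would let the next reviewer judge whether the daemon's HOME is simply set wrong.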
@@ -89014,17 +89024,18 @@ index a34eac4..735ebd1 100644 ') optional_policy(` -@@ -100,7 +118,9 @@ optional_policy(` +@@ -100,7 +118,10 @@ optional_policy(` ') optional_policy(` - virt_kill_all_virt_domains(sanlock_t) + virt_kill_svirt(sanlock_t) + virt_kill(sanlock_t) -+ virt_signal(sanlock_t) ++ virt_signal(sanlock_t) virt_manage_lib_files(sanlock_t) - virt_signal_all_virt_domains(sanlock_t) + virt_signal_svirt(sanlock_t) ++ virt_read_pid_files(sanlock_t) ') diff --git a/sasl.fc b/sasl.fc index 54f41c2..7e58679 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index a896c26..fd2b127 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 197%{?dist} +Release: 198%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -582,6 +582,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jan 29 2015 Lukas Vrabec 3.12.1-198 +- Dontaudit couchdb search in gconf_home_t. BZ(1177717) +- Allow pingd to read /dev/urandom. BZ(1181831) + * Fri Jan 16 2015 Lukas Vrabec 3.12.1-197 - allow mozilla plugins to connect to bluetooth devices - Allow system_mail_t to create content in /var/lib/munin
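Review bot: `++ virt_read_pid_files(sanlock_t)` in the sanlock.te hunk is a new grant that the changelog does not mention, and the adjacent `-+ virt_signal(sanlock_t)` / `++ virt_signal(sanlock_t)` pair has identical visible text, which looks like a whitespace-only re-add and makes the real change easy to overlook. Add a changelog entry and a short why-comment beside the rule, e.g. `# sanlock reads libvirt pid files to find the lease holders it signals/kills`, if that is indeed what triggered the denial. The enclosing `optional_policy(` block is complete within the hunk.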