From 4f56c465ae320f01bb49b524e4e75f30961e3c3d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 09 2014 08:49:07 +0000 Subject: - Back port puppet fixes from rawhide - Allow automount to getattr all files - openvpn_can_network_connect boolean set default on - Allow conman to resolve DNS and use user ptys - update pegasus_openlmi_admin_t policy - Allow docker to status any unit file and allow it to start generic unit files - Additional perms for gear domain --- diff --git a/booleans.subs_dist b/booleans.subs_dist index d39b6c0..5ca6aa7 100644 --- a/booleans.subs_dist +++ b/booleans.subs_dist @@ -53,3 +53,4 @@ condor_domain_can_network_connect condor_tcp_network_connect icecast_connect_any icecast_use_any_tcp_ports named_bind_http_port named_tcp_bind_http_port user_rw_noexattrfile selinuxuser_rw_noexattrfile +puppet_manage_all_files puppetagent_manage_all_files diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 19dd80d..7665122 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -8191,7 +8191,7 @@ index 089430a..b0bed70 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index a579c3b..f27656d 100644 +index a579c3b..11dbe9d 100644 --- a/automount.te +++ b/automount.te @@ -22,12 +22,16 @@ type automount_tmp_t; 
@@ -8220,7 +8220,15 @@ index a579c3b..f27656d 100644 corenet_all_recvfrom_netlabel(automount_t) corenet_tcp_sendrecv_generic_if(automount_t) corenet_udp_sendrecv_generic_if(automount_t) -@@ -96,7 +99,6 @@ files_mount_all_file_type_fs(automount_t) +@@ -86,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t) + + files_dontaudit_write_var_dirs(automount_t) + files_getattr_all_dirs(automount_t) ++files_getattr_all_files(automount_t) + files_getattr_default_dirs(automount_t) + files_getattr_home_dir(automount_t) + files_getattr_isid_type_dirs(automount_t) +@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t) files_mounton_all_mountpoints(automount_t) files_mounton_mnt(automount_t) files_read_etc_runtime_files(automount_t) @@ -8228,7 +8236,7 @@ index a579c3b..f27656d 100644 files_search_boot(automount_t) files_search_all(automount_t) files_unmount_all_file_type_fs(automount_t) -@@ -108,6 +110,7 @@ fs_manage_autofs_symlinks(automount_t) +@@ -108,6 +111,7 @@ fs_manage_autofs_symlinks(automount_t) fs_mount_all_fs(automount_t) fs_mount_autofs(automount_t) fs_read_nfs_files(automount_t) @@ -8236,7 +8244,7 @@ index a579c3b..f27656d 100644 fs_search_all(automount_t) fs_search_auto_mountpoints(automount_t) fs_unmount_all_fs(automount_t) -@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t) +@@ -130,15 +134,18 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -8259,7 +8267,7 @@ index a579c3b..f27656d 100644 fstools_domtrans(automount_t) ') -@@ -160,3 +166,8 @@ optional_policy(` +@@ -160,3 +167,8 @@ optional_policy(` optional_policy(` udev_read_db(automount_t) ') @@ -14403,10 +14411,10 @@ index 0000000..54b4b04 +') diff --git a/conman.te b/conman.te new file mode 100644 -index 0000000..0de2d4d +index 0000000..d6b0314 --- /dev/null +++ b/conman.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,49 @@ +policy_module(conman, 1.0.0) + +######################################## 
@@ -14434,7 +14442,7 @@ index 0000000..0de2d4d + +allow conman_t self:fifo_file rw_fifo_file_perms; +allow conman_t self:unix_stream_socket create_stream_socket_perms; -+allow conman_t self:tcp_socket { listen create_socket_perms }; ++allow conman_t self:tcp_socket { accept listen create_socket_perms }; + +manage_dirs_pattern(conman_t, conman_log_t, conman_log_t) +manage_files_pattern(conman_t, conman_log_t, conman_log_t) @@ -14449,6 +14457,10 @@ index 0000000..0de2d4d + +logging_send_syslog_msg(conman_t) + ++sysnet_dns_name_resolve(conman_t) ++ ++userdom_use_user_ptys(conman_t) ++ +optional_policy(` + freeipmi_stream_connect(conman_t) +') @@ -23506,10 +23518,10 @@ index 0000000..66fe66d +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..c80e06c +index 0000000..f6fe2c3 --- /dev/null +++ b/docker.te -@@ -0,0 +1,265 @@ +@@ -0,0 +1,271 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -23653,6 +23665,7 @@ index 0000000..c80e06c +auth_use_nsswitch(docker_t) + +init_read_state(docker_t) ++init_status(docker_t) + +logging_send_audit_msgs(docker_t) +logging_send_syslog_msg(docker_t) @@ -23732,6 +23745,11 @@ index 0000000..c80e06c + +modutils_domtrans_insmod(docker_t) + ++systemd_status_all_unit_files(docker_t) ++ ++userdom_stream_connect(docker_t) ++userdom_search_user_home_content(docker_t) ++ +optional_policy(` + dbus_system_bus_client(docker_t) + init_dbus_chat(docker_t) @@ -27660,10 +27678,10 @@ index 0000000..04e159f +') diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..6c32f79 +index 0000000..e6a1c7c --- /dev/null +++ b/gear.te -@@ -0,0 +1,94 @@ +@@ -0,0 +1,101 @@ +policy_module(gear, 1.0.0) + +######################################## 
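Review bot: The `@@ -23732,6 +23745,11 @@` hunk adds only `systemd_status_all_unit_files(docker_t)` (with `init_status(docker_t)` in the earlier hunk), yet the commit message says docker is allowed to "start generic unit files"; nothing in the visible hunks grants start on unit files, so either the changelog overstates the change or a rule is missing. A comment next to the new lines stating the intent, e.g. `# docker queries unit status via systemctl; starting units is not granted here`, plus an aligned changelog entry, would remove the ambiguity. `userdom_search_user_home_content(docker_t)` is search-only, but since the daemon runs as root and bind-mounts user paths a one-line why-comment is warranted there too. The docker.te body continues outside this hunk.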
@@ -27691,6 +27709,8 @@ index 0000000..6c32f79 +# +# gear local policy +# ++allow gear_t self:capability chown; ++allow gear_t self:capability2 block_suspend; +allow gear_t self:process { getattr signal_perms }; +allow gear_t self:fifo_file rw_fifo_file_perms; +allow gear_t self:unix_stream_socket create_stream_socket_perms; @@ -27722,6 +27742,7 @@ index 0000000..6c32f79 +kernel_rw_net_sysctls(gear_t) + +domain_use_interactive_fds(gear_t) ++domain_read_all_domains_state(gear_t) + +corecmd_exec_bin(gear_t) +corecmd_exec_shell(gear_t) @@ -27742,6 +27763,8 @@ index 0000000..6c32f79 +init_read_state(gear_t) +init_dbus_chat(gear_t) + ++iptables_domtrans(gear_t) ++ +logging_send_audit_msgs(gear_t) +logging_send_syslog_msg(gear_t) + @@ -27753,6 +27776,8 @@ index 0000000..6c32f79 + +sysnet_dns_name_resolve(gear_t) + ++sysnet_domtrans_ifconfig(gear_t) ++ +systemd_manage_all_unit_files(gear_t) + +optional_policy(` @@ -57794,7 +57819,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 3270ff9..265896b 100644 +index 3270ff9..fcda1bc 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) @@ -57821,7 +57846,7 @@ index 3270ff9..265896b 100644 +## connect to the TCP network. +##
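Review bot: `allow gear_t self:capability2 block_suspend;` in the `@@ -27691,6 +27709,8 @@` hunk grants a capability where a dontaudit is usually the right answer; block_suspend denials are commonly produced by epoll(EPOLLWAKEUP)/timerfd use in runtime libraries, and in that case `dontaudit gear_t self:capability2 block_suspend;` keeps the daemon working without giving it the right to block system suspend. If gear genuinely needs to hold wakelocks the allow is fine, but the line should then say so. The adjacent `allow gear_t self:capability chown;` is likewise unexplained and deserves a short why-comment naming the operation that changes file ownership. The gear.te body continues outside this hunk.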

+## -+gen_tunable(openvpn_can_network_connect, false) ++gen_tunable(openvpn_can_network_connect, true) + attribute_role openvpn_roles; @@ -60321,7 +60346,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..6c3afa0 100644 +index 7bcf327..37539ec 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -60345,7 +60370,7 @@ index 7bcf327..6c3afa0 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,319 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,324 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -60523,6 +60548,8 @@ index 7bcf327..6c3afa0 100644 +# pegasus openlmi service local policy +# + ++fs_getattr_all_fs(pegasus_openlmi_admin_t) ++ +init_manage_transient_unit(pegasus_openlmi_admin_t) +init_disable_services(pegasus_openlmi_admin_t) +init_enable_services(pegasus_openlmi_admin_t) @@ -60537,6 +60564,9 @@ index 7bcf327..6c3afa0 100644 + +allow pegasus_openlmi_service_t self:udp_socket create_socket_perms; + ++logging_read_syslog_pid(pegasus_openlmi_admin_t) ++logging_read_generic_logs(pegasus_openlmi_admin_t) ++ +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_admin_t) + @@ -60670,7 +60700,7 @@ index 7bcf327..6c3afa0 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +357,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) 
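Review bot: `gen_tunable(openvpn_can_network_connect, true)` in the `@@ -57821,7 +57846,7 @@` hunk flips the default of a newly introduced boolean to permissive, so every openvpn_t instance may connect to any TCP port out of the box and the tunable only restricts once an administrator turns it off. That is the opposite of the default-deny posture new booleans normally get, and nothing in the hunk or the description records why (proxy or plugin use cases are plausible but not shown). If the permissive default is intended, the tunable description should state it, e.g. `## Allow openvpn to connect to all TCP ports (default: on).`, and the changelog entry should give the rationale; otherwise keep `false` and document how to enable it. The openvpn.te body continues outside this hunk.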
@@ -60701,7 +60731,7 @@ index 7bcf327..6c3afa0 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +383,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -60734,7 +60764,7 @@ index 7bcf327..6c3afa0 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +411,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -60746,7 +60776,7 @@ index 7bcf327..6c3afa0 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +427,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -60782,7 +60812,7 @@ index 7bcf327..6c3afa0 100644 ') optional_policy(` -@@ -151,16 +456,24 @@ optional_policy(` +@@ -151,16 +461,24 @@ optional_policy(` ') optional_policy(` @@ -60811,7 +60841,7 @@ index 7bcf327..6c3afa0 100644 ') optional_policy(` -@@ -168,7 +481,7 @@ optional_policy(` +@@ -168,7 +486,7 @@ optional_policy(` ') optional_policy(` @@ -60820,7 +60850,7 @@ index 7bcf327..6c3afa0 100644 ') optional_policy(` -@@ -180,6 +493,8 @@ optional_policy(` +@@ -180,6 +498,8 @@ optional_policy(` ') optional_policy(` @@ -69683,28 +69713,35 @@ index e31bbe1..5f0e288 100644 + rtkit_scheduled(pulseaudio_client) ') diff --git a/puppet.fc b/puppet.fc -index 4ecda09..8c0b242 100644 +index 4ecda09..cad91e2 100644 --- a/puppet.fc 
+++ b/puppet.fc -@@ -1,14 +1,12 @@ +@@ -1,14 +1,20 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) -+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) ++/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) - /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0) +/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) -/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) -+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) ++#helper scripts ++/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0) ++/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) -/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) -- ++/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) ++/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) ++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + -/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) -- ++/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) ++/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) ++/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + -/var/run/puppet(/.*)? 
gen_context(system_u:object_r:puppet_var_run_t,s0) +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) @@ -70051,16 +70088,16 @@ index 7cb8b1f..9422c90 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index f2309f4..a375475 100644 +index f2309f4..0903e67 100644 --- a/puppet.te +++ b/puppet.te @@ -1,4 +1,4 @@ -policy_module(puppet, 1.3.7) -+policy_module(puppet, 1.3.0) ++policy_module(puppet, 1.4.0) ######################################## # -@@ -6,15 +6,19 @@ policy_module(puppet, 1.3.7) +@@ -6,25 +6,32 @@ policy_module(puppet, 1.3.7) # ## @@ -70073,7 +70110,8 @@ index f2309f4..a375475 100644 +## types. +##

##
- gen_tunable(puppet_manage_all_files, false) +-gen_tunable(puppet_manage_all_files, false) ++gen_tunable(puppetagent_manage_all_files, false) -attribute_role puppetca_roles; -roleattribute system_r puppetca_roles; @@ -70084,9 +70122,27 @@ index f2309f4..a375475 100644 +## +gen_tunable(puppetmaster_use_db, false) - type puppet_t; - type puppet_exec_t; -@@ -37,12 +41,11 @@ files_type(puppet_var_lib_t) +-type puppet_t; +-type puppet_exec_t; +-init_daemon_domain(puppet_t, puppet_exec_t) ++type puppetagent_t; ++type puppetagent_exec_t; ++typealias puppetagent_exec_t alias puppet_exec_t; ++typealias puppetagent_t alias puppet_t; ++init_daemon_domain(puppetagent_t, puppetagent_exec_t) + + type puppet_etc_t; + files_config_file(puppet_etc_t) + +-type puppet_initrc_exec_t; +-init_script_file(puppet_initrc_exec_t) ++type puppetagent_initrc_exec_t; ++typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t; ++init_script_file(puppetagent_initrc_exec_t) + + type puppet_log_t; + logging_log_file(puppet_log_t) +@@ -37,12 +44,11 @@ files_type(puppet_var_lib_t) type puppet_var_run_t; files_pid_file(puppet_var_run_t) @@ -70100,7 +70156,7 @@ index f2309f4..a375475 100644 type puppetmaster_t; type puppetmaster_exec_t; -@@ -56,33 +59,29 @@ files_tmp_file(puppetmaster_tmp_t) +@@ -56,161 +62,156 @@ files_tmp_file(puppetmaster_tmp_t) ######################################## # 
@@ -70109,198 +70165,252 @@ index f2309f4..a375475 100644 # -allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config }; -+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; - allow puppet_t self:process { signal signull getsched setsched }; - allow puppet_t self:fifo_file rw_fifo_file_perms; - allow puppet_t self:netlink_route_socket create_netlink_socket_perms; +-allow puppet_t self:process { signal signull getsched setsched }; +-allow puppet_t self:fifo_file rw_fifo_file_perms; +-allow puppet_t self:netlink_route_socket create_netlink_socket_perms; -allow puppet_t self:tcp_socket { accept listen }; -+allow puppet_t self:tcp_socket create_stream_socket_perms; - allow puppet_t self:udp_socket create_socket_perms; - +-allow puppet_t self:udp_socket create_socket_perms; +- -allow puppet_t puppet_etc_t:dir list_dir_perms; -allow puppet_t puppet_etc_t:file read_file_perms; -allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms; -+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) - - manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) - manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +- +-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -can_exec(puppet_t, puppet_var_lib_t) -+files_search_var_lib(puppet_t) - +- -setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) - manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) - files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) - +-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) +-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) +- -allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms }; -append_files_pattern(puppet_t, puppet_log_t, 
puppet_log_t) -+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) - create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -read_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) - logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) - - manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -@@ -91,43 +90,37 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) - - kernel_dontaudit_search_sysctl(puppet_t) - kernel_dontaudit_search_kernel_sysctl(puppet_t) -+kernel_read_system_state(puppet_t) - kernel_read_crypto_sysctls(puppet_t) - kernel_read_kernel_sysctls(puppet_t) +-logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) +- +-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) +-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) +-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) +- +-kernel_dontaudit_search_sysctl(puppet_t) +-kernel_dontaudit_search_kernel_sysctl(puppet_t) +-kernel_read_crypto_sysctls(puppet_t) +-kernel_read_kernel_sysctls(puppet_t) -kernel_read_net_sysctls(puppet_t) -kernel_read_network_state(puppet_t) - -+corecmd_read_all_executables(puppet_t) -+corecmd_dontaudit_access_all_executables(puppet_t) - corecmd_exec_bin(puppet_t) - corecmd_exec_shell(puppet_t) +- +-corecmd_exec_bin(puppet_t) +-corecmd_exec_shell(puppet_t) -corecmd_read_all_executables(puppet_t) - - corenet_all_recvfrom_netlabel(puppet_t) +- +-corenet_all_recvfrom_netlabel(puppet_t) -corenet_all_recvfrom_unlabeled(puppet_t) - corenet_tcp_sendrecv_generic_if(puppet_t) - corenet_tcp_sendrecv_generic_node(puppet_t) +-corenet_tcp_sendrecv_generic_if(puppet_t) +-corenet_tcp_sendrecv_generic_node(puppet_t) - -corenet_sendrecv_puppet_client_packets(puppet_t) -+corenet_tcp_bind_generic_node(puppet_t) - corenet_tcp_connect_puppet_port(puppet_t) 
+-corenet_tcp_connect_puppet_port(puppet_t) -corenet_tcp_sendrecv_puppet_port(puppet_t) -+corenet_sendrecv_puppet_client_packets(puppet_t) - - dev_read_rand(puppet_t) - dev_read_sysfs(puppet_t) - dev_read_urand(puppet_t) - +- +-dev_read_rand(puppet_t) +-dev_read_sysfs(puppet_t) +-dev_read_urand(puppet_t) +- -domain_interactive_fd(puppet_t) - domain_read_all_domains_state(puppet_t) -+domain_interactive_fd(puppet_t) - - files_manage_config_files(puppet_t) - files_manage_config_dirs(puppet_t) - files_manage_etc_dirs(puppet_t) - files_manage_etc_files(puppet_t) +-domain_read_all_domains_state(puppet_t) +- +-files_manage_config_files(puppet_t) +-files_manage_config_dirs(puppet_t) +-files_manage_etc_dirs(puppet_t) +-files_manage_etc_files(puppet_t) -files_read_usr_files(puppet_t) - files_read_usr_symlinks(puppet_t) - files_relabel_config_dirs(puppet_t) - files_relabel_config_files(puppet_t) +-files_read_usr_symlinks(puppet_t) +-files_relabel_config_dirs(puppet_t) +-files_relabel_config_files(puppet_t) -files_search_var_lib(puppet_t) - +- -selinux_get_fs_mount(puppet_t) -selinux_search_fs(puppet_t) - selinux_set_all_booleans(puppet_t) - selinux_set_generic_booleans(puppet_t) - selinux_validate_context(puppet_t) -@@ -135,6 +128,8 @@ selinux_validate_context(puppet_t) - term_dontaudit_getattr_unallocated_ttys(puppet_t) - term_dontaudit_getattr_all_ttys(puppet_t) - -+auth_use_nsswitch(puppet_t) -+ - init_all_labeled_script_domtrans(puppet_t) - init_domtrans_script(puppet_t) - init_read_utmp(puppet_t) -@@ -143,18 +138,19 @@ init_signull_script(puppet_t) - logging_send_syslog_msg(puppet_t) - - miscfiles_read_hwdata(puppet_t) +-selinux_set_all_booleans(puppet_t) +-selinux_set_generic_booleans(puppet_t) +-selinux_validate_context(puppet_t) +- +-term_dontaudit_getattr_unallocated_ttys(puppet_t) +-term_dontaudit_getattr_all_ttys(puppet_t) +- +-init_all_labeled_script_domtrans(puppet_t) +-init_domtrans_script(puppet_t) +-init_read_utmp(puppet_t) +-init_signull_script(puppet_t) +- 
+-logging_send_syslog_msg(puppet_t) +- +-miscfiles_read_hwdata(puppet_t) -miscfiles_read_localization(puppet_t) - -mount_domtrans(puppet_t) - - seutil_domtrans_setfiles(puppet_t) - seutil_domtrans_semanage(puppet_t) -+seutil_read_file_contexts(puppet_t) - - sysnet_run_ifconfig(puppet_t, system_r) +- +-seutil_domtrans_setfiles(puppet_t) +-seutil_domtrans_semanage(puppet_t) +- +-sysnet_run_ifconfig(puppet_t, system_r) -sysnet_use_ldap(puppet_t) -+ -+usermanage_access_check_groupadd(puppet_t) -+usermanage_access_check_passwd(puppet_t) -+usermanage_access_check_useradd(puppet_t) - - tunable_policy(`puppet_manage_all_files',` +- +-tunable_policy(`puppet_manage_all_files',` - files_manage_non_auth_files(puppet_t) -+ files_manage_non_security_files(puppet_t) - ') - - optional_policy(` -@@ -196,21 +192,86 @@ optional_policy(` - ') - - optional_policy(` -- usermanage_domtrans_groupadd(puppet_t) -- usermanage_domtrans_useradd(puppet_t) -+ auth_filetrans_named_content(puppet_t) -+') ++allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; ++allow puppetagent_t self:process { signal signull getsched setsched }; ++allow puppetagent_t self:fifo_file rw_fifo_file_perms; ++allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms; ++allow puppetagent_t self:tcp_socket create_stream_socket_perms; ++allow puppetagent_t self:udp_socket create_socket_perms; + -+optional_policy(` -+ alsa_filetrans_named_content(puppet_t) -+') ++read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t) + -+optional_policy(` -+ bootloader_filetrans_config(puppet_t) -+') ++manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t) ++manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t) ++files_search_var_lib(puppetagent_t) + -+optional_policy(` -+ devicekit_filetrans_named_content(puppet_t) -+') ++manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t) ++manage_files_pattern(puppetagent_t, 
puppet_var_run_t, puppet_var_run_t) ++files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir }) + -+optional_policy(` -+ dnsmasq_filetrans_named_content(puppet_t) -+') ++create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t) ++create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t) ++append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t) ++logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir }) + -+optional_policy(` -+ kerberos_filetrans_named_content(puppet_t) -+') ++manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t) ++manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t) ++files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir }) + -+optional_policy(` -+ libs_filetrans_named_content(puppet_t) -+') ++kernel_dontaudit_search_sysctl(puppetagent_t) ++kernel_dontaudit_search_kernel_sysctl(puppetagent_t) ++kernel_read_system_state(puppetagent_t) ++kernel_read_crypto_sysctls(puppetagent_t) ++kernel_read_kernel_sysctls(puppetagent_t) + -+optional_policy(` -+ miscfiles_filetrans_named_content(puppet_t) -+') ++corecmd_read_all_executables(puppetagent_t) ++corecmd_dontaudit_access_all_executables(puppetagent_t) ++corecmd_exec_bin(puppetagent_t) ++corecmd_exec_shell(puppetagent_t) + -+optional_policy(` -+ mta_filetrans_named_content(puppet_t) -+') ++corenet_all_recvfrom_netlabel(puppetagent_t) ++corenet_tcp_sendrecv_generic_if(puppetagent_t) ++corenet_tcp_sendrecv_generic_node(puppetagent_t) ++corenet_tcp_bind_generic_node(puppetagent_t) ++corenet_tcp_connect_puppet_port(puppetagent_t) ++corenet_sendrecv_puppet_client_packets(puppetagent_t) + -+optional_policy(` -+ modules_filetrans_named_content(puppet_t) -+') ++dev_read_rand(puppetagent_t) ++dev_read_sysfs(puppetagent_t) ++dev_read_urand(puppetagent_t) + -+optional_policy(` -+ networkmanager_filetrans_named_content(puppet_t) -+') ++domain_read_all_domains_state(puppetagent_t) ++domain_interactive_fd(puppetagent_t) ++domain_named_filetrans(puppetagent_t) + 
-+optional_policy(` -+ nx_filetrans_named_content(puppet_t) -+') ++files_manage_config_files(puppetagent_t) ++files_manage_config_dirs(puppetagent_t) ++files_manage_etc_dirs(puppetagent_t) ++files_manage_etc_files(puppetagent_t) ++files_read_usr_symlinks(puppetagent_t) ++files_relabel_config_dirs(puppetagent_t) ++files_relabel_config_files(puppetagent_t) + -+optional_policy(` -+ postfix_filetrans_named_content(puppet_t) -+') ++selinux_set_all_booleans(puppetagent_t) ++selinux_set_generic_booleans(puppetagent_t) ++selinux_validate_context(puppetagent_t) + -+optional_policy(` -+ openshift_initrc_domtrans(puppet_t) -+') ++term_dontaudit_getattr_unallocated_ttys(puppetagent_t) ++term_dontaudit_getattr_all_ttys(puppetagent_t) + -+optional_policy(` -+ quota_filetrans_named_content(puppet_t) -+') ++auth_use_nsswitch(puppetagent_t) + -+optional_policy(` -+ sysnet_filetrans_named_content(puppet_t) -+') ++init_all_labeled_script_domtrans(puppetagent_t) ++init_domtrans_script(puppetagent_t) ++init_read_utmp(puppetagent_t) ++init_signull_script(puppetagent_t) + -+optional_policy(` -+ virt_filetrans_home_content(puppet_t) -+') ++logging_send_syslog_msg(puppetagent_t) ++ ++miscfiles_read_hwdata(puppetagent_t) ++ ++seutil_domtrans_setfiles(puppetagent_t) ++seutil_domtrans_semanage(puppetagent_t) ++seutil_read_file_contexts(puppetagent_t) ++ ++sysnet_run_ifconfig(puppetagent_t, system_r) ++ ++usermanage_access_check_groupadd(puppetagent_t) ++usermanage_access_check_passwd(puppetagent_t) ++usermanage_access_check_useradd(puppetagent_t) + ++tunable_policy(`puppetagent_manage_all_files',` ++ files_manage_non_security_files(puppetagent_t) + ') + + optional_policy(` +- cfengine_read_lib_files(puppet_t) ++ mysql_stream_connect(puppetagent_t) + ') + + optional_policy(` +- consoletype_exec(puppet_t) ++ postgresql_stream_connect(puppetagent_t) + ') + + optional_policy(` +- hostname_exec(puppet_t) ++ cfengine_read_lib_files(puppetagent_t) + ') + + optional_policy(` +- 
mount_domtrans(puppet_t) ++ consoletype_exec(puppetagent_t) + ') + + optional_policy(` +- mta_send_mail(puppet_t) ++ hostname_exec(puppetagent_t) + ') + + optional_policy(` +- portage_domtrans(puppet_t) +- portage_domtrans_fetch(puppet_t) +- portage_domtrans_gcc_config(puppet_t) ++ mount_domtrans(puppetagent_t) + ') + + optional_policy(` +- files_rw_var_files(puppet_t) ++ mta_send_mail(puppetagent_t) ++') + +- rpm_domtrans(puppet_t) +- rpm_manage_db(puppet_t) +- rpm_manage_log(puppet_t) +optional_policy(` -+ ssh_filetrans_admin_home_content(puppet_t) ++ portage_domtrans(puppetagent_t) ++ portage_domtrans_fetch(puppetagent_t) ++ portage_domtrans_gcc_config(puppetagent_t) + ') + + optional_policy(` +- unconfined_domain(puppet_t) ++ files_rw_var_files(puppetagent_t) ++ ++ rpm_domtrans(puppetagent_t) ++ rpm_manage_db(puppetagent_t) ++ rpm_manage_log(puppetagent_t) + ') + + optional_policy(` +- usermanage_domtrans_groupadd(puppet_t) +- usermanage_domtrans_useradd(puppet_t) ++ unconfined_domain_noaudit(puppetagent_t) ') ######################################## @@ -70319,7 +70429,7 @@ index f2309f4..a375475 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +282,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +222,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) @@ -70327,7 +70437,7 @@ index f2309f4..a375475 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +291,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +231,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) 
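Review bot: `unconfined_domain_noaudit(puppetagent_t)` at the end of the rewritten `@@ -56,161 +62,156 @@` hunk appears to make the puppet agent effectively unconfined whenever the unconfined module is loaded, which is the normal Fedora configuration; every fine-grained rule above it (the trimmed capability set, the `puppetagent_manage_all_files` tunable, the `usermanage_access_check_*` probes) then has no restrictive effect, and the `_noaudit` variant also suppresses the denials that would otherwise show what the agent really does. If shipping the agent unconfined is the intent, state it next to the rule, e.g. `# puppet agent applies arbitrary manifests; unconfined when the unconfined module is present`, and make the `puppetagent_manage_all_files` description say it only matters when that module is absent; otherwise gate the rule behind a tunable or drop it. The new `domain_named_filetrans(puppetagent_t)` is a similarly broad grant that deserves a why-comment. The puppet.te body continues outside this hunk.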
@@ -70343,7 +70453,7 @@ index f2309f4..a375475 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +305,47 @@ optional_policy(` +@@ -246,38 +245,47 @@ optional_policy(` hostname_exec(puppetca_t) ') @@ -70407,7 +70517,7 @@ index f2309f4..a375475 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,23 +357,24 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +297,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -70438,7 +70548,7 @@ index f2309f4..a375475 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +383,31 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +323,31 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -70475,7 +70585,7 @@ index f2309f4..a375475 100644 ') optional_policy(` -@@ -342,3 +416,9 @@ optional_policy(` +@@ -342,3 +356,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 7173126..7c5c00f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 152%{?dist} +Release: 153%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -579,6 +579,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Apr 9 2014 Miroslav Grepl 3.12.1-153 +- Back port puppet fixes from rawhide +- Allow automount to getattr all files +- openvpn_can_network_connect boolean set default on +- Allow conman to resolve DNS and use user ptys +- update pegasus_openlmi_admin_t policy +- Allow docker to status any unit file and allow it to start generic unit files +- Additional perms for gear domain + * Tue Apr 8 2014 Miroslav Grepl 3.12.1-152 - Change hsperfdata_root to have as user_tmp_t - Allow rsyslog low-level network access