From 54335bde73af3b2f289458f9f13709f07e3f1231 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: May 02 2014 13:19:11 +0000
Subject: * Fri May 02 2014 Lukas Vrabec 3.12.1-74.25
- Add interface sysnet_manage_ifconfig_run
- Added sysnet_filetrans_named_content_ifconfig interface
- Added dnsmasq_read_state interface
- Add some rules from F20 branch in quantum policy
- Allow exim to use pam stack to check passwords
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 9e6f2d3..af4d7ad 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -35253,7 +35253,7 @@ index 346a7cc..42a48b6 100644
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..0bd8d93 100644
+index 6944526..a76e22c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35528,7 +35528,7 @@ index 6944526..0bd8d93 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +918,114 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -35581,6 +35581,24 @@ index 6944526..0bd8d93 100644
+
+########################################
+##
++## Transition to sysnet ifconfig named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_filetrans_named_content_ifconfig',`
++ gen_require(`
++ type ifconfig_var_run_t;
++ ')
++
++ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
++')
++
++########################################
++##
+## Transition to sysnet named content
+##
+##
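Review bot: The summary of the new `sysnet_filetrans_named_content_ifconfig` interface does not say which object it labels; its only rule is `files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")`, so a caller cannot tell from the doc that only the `netns` directory under the pid directory is covered and that managing its contents needs a separate interface. Suggest `## Create the netns directory in the pid directory with the ifconfig_var_run_t type.` as the summary. The fc context line earlier in this file (`/var/run/netns(/.*)?` mapped to `ifconfig_var_run_t`) agrees with this transition, so the rule itself looks consistent.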
@@ -35605,6 +35623,26 @@ index 6944526..0bd8d93 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
++
++########################################
++##
++## Transition to sysnet ifconfig named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_manage_ifconfig_run',`
++ gen_require(`
++ type ifconfig_var_run_t;
++ ')
++
++ manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++ manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++ manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b7686d5..087fe08 100644
--- a/policy/modules/system/sysnetwork.te
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index ef54c62..d1644f4 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -21641,7 +21641,7 @@ index 23ab808..4a801b5 100644
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..1e8b244 100644
+index 19aa0b8..c3fc3f4 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -21785,7 +21785,7 @@ index 19aa0b8..1e8b244 100644
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -214,37 +292,46 @@ interface(`dnsmasq_create_pid_dirs',`
+@@ -214,37 +292,63 @@ interface(`dnsmasq_create_pid_dirs',`
########################################
##
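Review bot: The summary of the new `sysnet_manage_ifconfig_run` interface reads `## Transition to sysnet ifconfig named content`, which is the summary of the filetrans interface added in the previous hunk and does not describe this one; the body only calls `manage_files_pattern`, `manage_dirs_pattern` and `manage_lnk_files_pattern` on `ifconfig_var_run_t` and performs no transition. Suggest `## Create, read, write, and delete ifconfig runtime files, directories, and symlinks in the pid directory.` Because this hands out full manage rights on everything labelled `ifconfig_var_run_t` (which the fc line in this commit maps to `/var/run/netns`), the doc should make that scope explicit so a caller that only needs the `netns` directory created uses the narrower filetrans interface instead.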
@@ -21797,34 +21797,26 @@ index 19aa0b8..1e8b244 100644
##
##
-## Domain allowed access.
--##
--##
--##
--##
--## Directory to transition on.
--##
--##
--##
--##
--## The object class of the object being created.
+## Domain allowed access.
##
##
--##
+-##
+##
##
--## The name of the object being created.
+-## Directory to transition on.
+## The type of the directory for the object to be created.
##
##
- #
--interface(`dnsmasq_spec_filetrans_pid',`
+-##
+-##
+-## The object class of the object being created.
+-##
++#
+interface(`dnsmasq_filetrans_named_content_fromdir',`
- gen_require(`
- type dnsmasq_var_run_t;
- ')
-
-- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
++ gen_require(`
++ type dnsmasq_var_run_t;
++ ')
++
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
+')
@@ -21837,7 +21829,8 @@ index 19aa0b8..1e8b244 100644
+##
+## Domain allowed access.
+##
-+##
+ ##
-##
+#
+interface(`dnsmasq_filetrans_named_content',`
+ gen_require(`
@@ -21847,10 +21840,32 @@ index 19aa0b8..1e8b244 100644
+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
++')
++
++########################################
++##
++## Create dnsmasq pid directories.
++##
++##
+ ##
-## The name of the object being created.
++## Domain allowed access.
+ ##
+ ##
+ #
-interface(`dnsmasq_spec_filetrans_pid',`
++interface(`dnsmasq_read_state',`
+ gen_require(`
- type dnsmasq_var_run_t;
++ type dnsmasq_t;
+ ')
+-
+- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
++ ps_process_pattern($1, dnsmasq_t)
')
########################################
-@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +371,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
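Review bot: The new `dnsmasq_filetrans_named_content_fromdir` interface replaces the parameterized `dnsmasq_spec_filetrans_pid` in this patch file, and this hunk drops the old `$3`/`$4` class and name parameters together with the `filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)` rule; any module in the F19 patch set that still calls `dnsmasq_spec_filetrans_pid` would then fail to build, so a grep across both patch files for that name is worth doing before merging. The `$2` description `The type of the directory for the object to be created.` is fine, but the interface hard-codes the object names `network` and `dnsmasq.pid`, and the summary should say so since the caller can no longer choose them. The summary text itself is not visible in this rendering (the XML tags appear to have been stripped), so I cannot confirm what it currently says.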
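Review bot: The summary of the new `dnsmasq_read_state` interface is `## Create dnsmasq pid directories.`, which is the summary of `dnsmasq_create_pid_dirs` (the hunk header above names it), but the body is only `ps_process_pattern($1, dnsmasq_t)`, which reads dnsmasq process state and creates nothing. Suggest `## Read the process state of dnsmasq.` so that anyone auditing a caller such as `neutron_t` (which this commit makes use it) sees what is actually granted. The `gen_require` block correctly lists `type dnsmasq_t;`, so the rule itself is consistent with its name.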
@@ -21871,7 +21886,7 @@ index 19aa0b8..1e8b244 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +391,13 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
@@ -67148,10 +67163,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..d7d6b4a 100644
+index 769d1fd..bf904a9 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -1,96 +1,122 @@
+@@ -1,96 +1,130 @@
-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.0.3)
@@ -67169,7 +67184,7 @@ index 769d1fd..d7d6b4a 100644
-type quantum_initrc_exec_t;
-init_script_file(quantum_initrc_exec_t)
-+type neutron_initrc_exec_t alias qauntum_initrc_exec_t;
++type neutron_initrc_exec_t alias quantum_initrc_exec_t;
+init_script_file(neutron_initrc_exec_t)
-type quantum_log_t;
@@ -67201,13 +67216,13 @@ index 769d1fd..d7d6b4a 100644
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
+allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin };
+allow neutron_t self:process { setsched setrlimit };
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
+allow neutron_t self:tcp_socket { accept listen };
+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:unix_stream_socket { accept listen };
++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
+allow neutron_t self:process { setsched setrlimit };
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
+allow neutron_t self:tcp_socket { accept listen };
+allow neutron_t self:unix_stream_socket { accept listen };
++allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
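Review bot: The new `allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };` line adds `sys_ptrace`, `kill` and `net_raw` to what the earlier capability line in this hunk grants, but neither the changelog entry (`Add some rules from F20 branch in quantum policy`) nor a comment says which operation each one is for. `sys_ptrace` is the broadest of the three, since it lets the domain inspect and trace other processes; if it only surfaced while neutron read dnsmasq's process state, check whether the `dnsmasq_read_state(neutron_t)` call added later in this commit already covers that and whether a `dontaudit` would do instead of an `allow`. A one-line comment naming the operation behind `kill` and `net_raw` (the `dnsmasq_kill`/`dnsmasq_signal` calls added in the later hunk suggest the former) would make future audits of this domain much easier. The outer markers in this rendering look partially lost, so which capability line is old and which is new is inferred from the `++` prefix.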
@@ -67235,8 +67250,8 @@ index 769d1fd..d7d6b4a 100644 -manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) +kernel_read_kernel_sysctls(neutron_t) -+kernel_read_network_state(neutron_t) +kernel_read_system_state(neutron_t) ++kernel_read_network_state(neutron_t) +kernel_request_load_module(neutron_t) -can_exec(quantum_t, quantum_tmp_t) 
@@ -67269,66 +67284,74 @@ index 769d1fd..d7d6b4a 100644 +dev_read_urand(neutron_t) +dev_mounton_sysfs(neutron_t) +dev_mount_sysfs_fs(neutron_t) ++dev_unmount_sysfs_fs(neutron_t) -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) -+auth_use_nsswitch(neutron_t) ++files_mounton_non_security(neutron_t) -files_read_usr_files(quantum_t) -+libs_exec_ldconfig(neutron_t) ++auth_use_nsswitch(neutron_t) -auth_use_nsswitch(quantum_t) -+logging_send_audit_msgs(neutron_t) -+logging_send_syslog_msg(neutron_t) ++libs_exec_ldconfig(neutron_t) -libs_exec_ldconfig(quantum_t) -+sysnet_domtrans_ifconfig(neutron_t) ++logging_send_audit_msgs(neutron_t) ++logging_send_syslog_msg(neutron_t) -logging_send_audit_msgs(quantum_t) -logging_send_syslog_msg(quantum_t) -+optional_policy(` -+ brctl_domtrans(neutron_t) -+') ++sysnet_exec_ifconfig(neutron_t) ++sysnet_manage_ifconfig_run(neutron_t) ++sysnet_filetrans_named_content_ifconfig(neutron_t) -miscfiles_read_localization(quantum_t) +optional_policy(` -+ dnsmasq_domtrans(neutron_t) ++ brctl_domtrans(neutron_t) +') -sysnet_domtrans_ifconfig(quantum_t) +optional_policy(` -+ iptables_domtrans(neutron_t) ++ dnsmasq_domtrans(neutron_t) ++ dnsmasq_signal(neutron_t) ++ dnsmasq_kill(neutron_t) ++ dnsmasq_read_state(neutron_t) +') optional_policy(` - brctl_domtrans(quantum_t) -+ mysql_stream_connect(neutron_t) -+ mysql_read_config(neutron_t) -+ -+ mysql_tcp_connect(neutron_t) ++ iptables_domtrans(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ postgresql_stream_connect(neutron_t) -+ postgresql_unpriv_client(neutron_t) ++ mysql_stream_connect(neutron_t) ++ mysql_read_config(neutron_t) - mysql_tcp_connect(quantum_t) -+ postgresql_tcp_connect(neutron_t) ++ mysql_tcp_connect(neutron_t) ') optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) -+ openvswitch_domtrans(neutron_t) -+ openvswitch_stream_connect(neutron_t) ++ postgresql_stream_connect(neutron_t) ++ 
postgresql_unpriv_client(neutron_t) ++ ++ postgresql_tcp_connect(neutron_t) +') - postgresql_tcp_connect(quantum_t) +optional_policy(` -+ sudo_exec(neutron_t) ++ openvswitch_domtrans(neutron_t) ++ openvswitch_stream_connect(neutron_t) ') ++ ++optional_policy(` ++ sudo_exec(neutron_t) ++') diff --git a/quota.fc b/quota.fc index cadabe3..0ee2489 100644 --- a/quota.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 31c6914..c8d5ead 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.24%{?dist} +Release: 74.25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -542,6 +542,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri May 02 2014 Lukas Vrabec 3.12.1-74.25 +- Add interface sysnet_manage_ifconfig_run +- Added sysnet_filetrans_named_content_ifconfig interface +- Added dnsmasq_read_state interface +- Add some rules from F20 branch in quantum policy +- Allow exim to use pam stack to check passwords + * Mon Apr 14 2014 Lukas Vrabec 3.12.1-74.24 - Add modutils_dontaudit_exec_insmod interface - Allow rabbitmq to bind to amanda port
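Review bot: `files_mounton_non_security(neutron_t)`, added near the top of this quantum.te hunk (which begins on the previous line of this diff), lets `neutron_t` mount over any file or directory that is not labelled as a security file, far wider than the sysfs mounts the neighbouring `dev_mounton_sysfs`, `dev_mount_sysfs_fs` and `dev_unmount_sysfs_fs` lines cover; if the denial came from mounting network namespaces under `/var/run/netns`, a `mounton` rule limited to `ifconfig_var_run_t` (which this commit already manages through `sysnet_manage_ifconfig_run`) would be the narrower fix. The hunk also appears to replace `sysnet_domtrans_ifconfig(neutron_t)` with `sysnet_exec_ifconfig(neutron_t)`, so ip/ifconfig would now run inside `neutron_t` with its full capability set instead of transitioning to the ifconfig domain; the markers in this rendering make that hard to confirm, but a comment stating why the transition was dropped belongs next to that line. The `sudo_exec(neutron_t)` block likewise deserves a one-line comment naming the helper that needs it.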