From 5c1b9a43d7f49d1b1e514b3ef74f424deaafb58f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mar 14 2014 11:53:26 +0000 Subject: * Fri Mar 14 2014 Lukas Vrabec 3.12.1-138 - Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least. - Allow net_admin cap for fence_virtd running as fenced_t - Make abrt-java-connector working - Make cimtest script 03_defineVS.py of ComputerSystem group working - Fix git_system_enable_homedirs boolean - Allow munin mail plugins to read network systcl --- diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 6efd3be..ccff28f 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -27330,7 +27330,7 @@ index 1e29af1..6c64f55 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index 93b0301..f719b0a 100644 +index 93b0301..7db7bdd 100644 --- a/git.te +++ b/git.te @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) @@ -27393,17 +27393,18 @@ index 93b0301..f719b0a 100644 files_search_var_lib(git_system_t) auth_use_nsswitch(git_system_t) -@@ -165,6 +162,9 @@ logging_send_syslog_msg(git_system_t) +@@ -165,6 +162,10 @@ logging_send_syslog_msg(git_system_t) tunable_policy(`git_system_enable_homedirs',` userdom_search_user_home_dirs(git_system_t) + list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t) ++ list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t) + read_files_pattern(git_system_t, git_user_content_t, git_user_content_t) + ') tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` -@@ -255,12 +255,9 @@ tunable_policy(`git_cgi_use_nfs',` +@@ -255,12 +256,9 @@ tunable_policy(`git_cgi_use_nfs',` allow git_daemon self:fifo_file rw_fifo_file_perms; @@ -43969,7 +43970,7 @@ index 6194b80..03c6414 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..bf0f92d 100644 +index 6a306ee..f238761 100644 --- a/mozilla.te +++ b/mozilla.te 
@@ -1,4 +1,4 @@ @@ -44415,7 +44416,7 @@ index 6a306ee..bf0f92d 100644 ') optional_policy(` -@@ -300,259 +326,243 @@ optional_policy(` +@@ -300,259 +326,247 @@ optional_policy(` ######################################## # @@ -44678,12 +44679,12 @@ index 6a306ee..bf0f92d 100644 -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) -+systemd_read_logind_sessions_files(mozilla_plugin_t) - +- -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) 
@@ -44707,26 +44708,28 @@ index 6a306ee..bf0f92d 100644 -ifndef(`enable_mls',` - fs_list_dos(mozilla_plugin_t) - fs_read_dos_files(mozilla_plugin_t) -- -- fs_search_removable(mozilla_plugin_t) -- fs_read_removable_files(mozilla_plugin_t) -- fs_read_removable_symlinks(mozilla_plugin_t) +userdom_read_user_home_content_files(mozilla_plugin_t) +userdom_read_user_home_content_symlinks(mozilla_plugin_t) +userdom_read_home_certs(mozilla_plugin_t) +userdom_read_home_audio_files(mozilla_plugin_t) +userdom_exec_user_tmp_files(mozilla_plugin_t) -- fs_read_iso9660_files(mozilla_plugin_t) --') +- fs_search_removable(mozilla_plugin_t) +- fs_read_removable_files(mozilla_plugin_t) +- fs_read_removable_symlinks(mozilla_plugin_t) +userdom_home_manager(mozilla_plugin_t) --tunable_policy(`allow_execmem',` -- allow mozilla_plugin_t self:process execmem; +- fs_read_iso9660_files(mozilla_plugin_t) +tunable_policy(`mozilla_plugin_can_network_connect',` + corenet_tcp_connect_all_ports(mozilla_plugin_t) ') +-tunable_policy(`allow_execmem',` +- allow mozilla_plugin_t self:process execmem; ++optional_policy(` ++ abrt_stream_connect(mozilla_plugin_t) + ') + -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_t self:process { execmem execstack }; +optional_policy(` @@ -44808,7 +44811,7 @@ index 6a306ee..bf0f92d 100644 ') optional_policy(` -@@ -560,7 +570,11 @@ optional_policy(` +@@ -560,7 +574,11 @@ optional_policy(` ') optional_policy(` @@ -44821,7 +44824,7 @@ index 6a306ee..bf0f92d 100644 ') optional_policy(` -@@ -568,108 +582,131 @@ optional_policy(` +@@ -568,108 +586,131 @@ optional_policy(` ') optional_policy(` @@ -47494,7 +47497,7 @@ index b744fe3..4c1b6a8 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index 97370e4..bd217aa 100644 +index 97370e4..e53abbb 100644 --- a/munin.te +++ b/munin.te @@ -37,44 +37,47 @@ munin_plugin_template(disk) 
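Review bot: The new `optional_policy(` block granting `abrt_stream_connect(mozilla_plugin_t)` carries no comment saying which plugin needs the abrt socket, so the only trace of the reason is the changelog entry "Make abrt-java-connector working". A plugin domain talking to the abrt daemon socket is a cross-domain channel worth documenting at the rule, e.g. `# abrt-java-connector runs inside the plugin and reports crashes over the abrt socket`. The surrounding mozilla_plugin_t policy continues past the end of this hunk.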
@@ -47647,7 +47650,7 @@ index 97370e4..bd217aa 100644 #################################### # # Mail local policy -@@ -275,27 +273,36 @@ optional_policy(` +@@ -275,27 +273,38 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; @@ -47656,6 +47659,8 @@ index 97370e4..bd217aa 100644 + rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) ++kernel_read_net_sysctls(mail_munin_plugin_t) ++ dev_read_urand(mail_munin_plugin_t) logging_read_generic_logs(mail_munin_plugin_t) @@ -47688,7 +47693,7 @@ index 97370e4..bd217aa 100644 ') optional_policy(` -@@ -320,6 +327,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; +@@ -320,6 +329,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; @@ -47698,7 +47703,7 @@ index 97370e4..bd217aa 100644 corenet_sendrecv_all_client_packets(services_munin_plugin_t) corenet_tcp_connect_all_ports(services_munin_plugin_t) corenet_tcp_connect_http_port(services_munin_plugin_t) -@@ -331,7 +341,7 @@ dev_read_rand(services_munin_plugin_t) +@@ -331,7 +343,7 @@ dev_read_rand(services_munin_plugin_t) sysnet_read_config(services_munin_plugin_t) optional_policy(` @@ -47707,7 +47712,7 @@ index 97370e4..bd217aa 100644 ') optional_policy(` -@@ -353,7 +363,11 @@ optional_policy(` +@@ -353,7 +365,11 @@ optional_policy(` ') optional_policy(` @@ -47720,7 +47725,7 @@ index 97370e4..bd217aa 100644 ') optional_policy(` -@@ -385,6 +399,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) +@@ -385,6 +401,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) 
@@ -47728,7 +47733,7 @@ index 97370e4..bd217aa 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -413,3 +428,31 @@ optional_policy(` +@@ -413,3 +430,31 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -59613,7 +59618,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..230c9af 100644 +index 7bcf327..225cd64 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -60110,6 +60115,14 @@ index 7bcf327..230c9af 100644 ') optional_policy(` +@@ -180,6 +491,7 @@ optional_policy(` + ') + + optional_policy(` ++ virt_getattr_images(pegasus_t) + virt_domtrans(pegasus_t) + virt_stream_connect(pegasus_t) + virt_manage_config(pegasus_t) diff --git a/pesign.fc b/pesign.fc new file mode 100644 index 0000000..7b54c39 @@ -76856,7 +76869,7 @@ index 56bc01f..1337d42 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..dc590fc 100644 +index 2c2de9a..881a1a9 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -77215,9 +77228,10 @@ index 2c2de9a..dc590fc 100644 # fenced local policy # - allow fenced_t self:capability { sys_rawio sys_resource }; +-allow fenced_t self:capability { sys_rawio sys_resource }; -allow fenced_t self:process { getsched signal_perms }; -allow fenced_t self:tcp_socket { accept listen }; ++allow fenced_t self:capability { net_admin sys_rawio sys_resource }; +allow fenced_t self:process { getsched setpgid signal_perms }; + +allow fenced_t self:tcp_socket create_stream_socket_perms; @@ -82181,10 +82195,10 @@ index 0000000..0ec3302 +') diff --git a/rtas.te b/rtas.te new file mode 100644 -index 0000000..52a39f8 +index 0000000..d6d29bd --- /dev/null +++ b/rtas.te -@@ -0,0 +1,62 @@ +@@ -0,0 +1,65 @@ +policy_module(rtas, 1.0.0) + +######################################## 
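Review bot: `allow fenced_t self:capability { net_admin sys_rawio sys_resource };` grants CAP_NET_ADMIN to everything that runs as fenced_t, not only fence_virtd, which the changelog names as the reason, and net_admin covers interface and routing configuration, firewall changes and privileged socket options, well beyond what the other fence agents in this domain need. The hunk adds no comment explaining the grant; add one at the rule, e.g. `# net_admin: needed by fence_virtd, which runs as fenced_t (presumably for privileged socket options)`. If the need is tied to the network fencing path, consider moving the net_admin rule into the existing `fenced_can_network_connect` tunable_policy block (its gen_tunable is visible in an earlier hunk of this file) so default installs keep the narrower capability set. The rest of fenced_t's policy lies outside this hunk.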
@@ -82247,6 +82261,9 @@ index 0000000..52a39f8 + +logging_read_generic_logs(rtas_errd_t) + ++optional_policy(` ++ unconfined_domain(rtas_errd_t) ++') diff --git a/rtkit.if b/rtkit.if index bd35afe..051addd 100644 --- a/rtkit.if @@ -86227,7 +86244,7 @@ index 98c9e0a..d4aa009 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 4a23d84..bcf1556 100644 +index 4a23d84..6fa941d 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3) @@ -86333,7 +86350,7 @@ index 4a23d84..bcf1556 100644 ') optional_policy(` -@@ -117,6 +133,32 @@ optional_policy(` +@@ -117,6 +133,33 @@ optional_policy(` # Reposd local policy # @@ -86361,6 +86378,7 @@ index 4a23d84..bcf1556 100644 +auth_use_nsswitch(sblim_sfcbd_t) + +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) ++corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t) + +dev_read_rand(sblim_sfcbd_t) +dev_read_urand(sblim_sfcbd_t) @@ -98346,7 +98364,7 @@ index c30da4c..6351bcb 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..fddb027 100644 +index 9dec06c..f2c0191 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ 
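Review bot: `unconfined_domain(rtas_errd_t)` is added with no tunable and no comment, so on F20 rtas_errd loses all confinement: the targeted rules above it in rtas.te (for example `logging_read_generic_logs(rtas_errd_t)`) become dead, and a compromise of rtas_errd yields a fully unconfined process. The commit message already calls this a stop-gap because rtas_errd executes rpm; record that in the policy so it is not forgotten, e.g. `# TODO(F20): temporary — rtas_errd executes rpm; replace with targeted rpm interfaces and drop unconfined_domain`. If rpm execution is the only missing access, a domain transition to the rpm domain (the rpm module's interfaces) would cover it without removing confinement. The rtas_errd_t domain definition itself is outside this hunk.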
@@ -98797,17 +98815,35 @@ index 9dec06c..fddb027 100644 manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -414,8 +251,7 @@ interface(`virt_manage_config',` +@@ -414,8 +251,25 @@ interface(`virt_manage_config',` ######################################## ## -## Create, read, write, and delete -## virt image files. +## Allow domain to manage virt image files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_getattr_content',` ++ gen_require(` ++ type virt_content_t; ++ ') ++ ++ allow $1 virt_content_t:file getattr_file_perms; ++') ++ ++######################################## ++## ++## Allow domain to manage virt image files ## ## ## -@@ -450,8 +286,7 @@ interface(`virt_read_content',` +@@ -450,8 +304,7 @@ interface(`virt_read_content',` ######################################## ## @@ -98817,7 +98853,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -459,35 +294,17 @@ interface(`virt_read_content',` +@@ -459,35 +312,17 @@ interface(`virt_read_content',` ## ## # @@ -98856,7 +98892,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +330,37 @@ interface(`virt_manage_virt_content',` ## ## # @@ -98920,7 +98956,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,34 +368,21 @@ interface(`virt_home_filetrans_virt_content',` ## ## # @@ -98963,7 +98999,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',` +@@ -584,32 +390,36 @@ interface(`virt_manage_svirt_home_content',` ## ## # @@ -99012,7 +99048,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +428,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # 
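Review bot: The summary of the new `virt_getattr_content` interface reads `Allow domain to manage virt image files`, which is the text of the interface that follows it, while the body only grants `allow $1 virt_content_t:file getattr_file_perms;`. A caller reading the description would expect create/write/delete access on image files, not getattr on virt_content_t. Change the summary to `## Allow domain to getattr virt content files` so the documentation matches the rule.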
@@ -99076,7 +99112,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',` +@@ -673,54 +465,38 @@ interface(`virt_home_filetrans',` ## ## # @@ -99143,7 +99179,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +504,58 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # @@ -99182,14 +99218,31 @@ index 9dec06c..fddb027 100644 -## -## -## --## --## The name of the object being created. --## --## +## ++# ++interface(`virt_read_log',` ++ gen_require(` ++ type virt_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, virt_log_t, virt_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to append ++## virt log files. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## # -interface(`virt_home_filetrans_virt_home',` -+interface(`virt_read_log',` ++interface(`virt_append_log',` gen_require(` - type virt_home_t; + type virt_log_t; @@ -99197,23 +99250,22 @@ index 9dec06c..fddb027 100644 - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) + logging_search_logs($1) -+ read_files_pattern($1, virt_log_t, virt_log_t) ++ append_files_pattern($1, virt_log_t, virt_log_t) ') ######################################## ## -## Read virt pid files. -+## Allow the specified domain to append -+## virt log files. ++## Allow domain to manage virt log files ## ## ## -@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +563,19 @@ interface(`virt_home_filetrans_virt_home',` ## ## # -interface(`virt_read_pid_files',` -+interface(`virt_append_log',` ++interface(`virt_manage_log',` gen_require(` - type virt_var_run_t; + type virt_log_t; 
@@ -99221,34 +99273,34 @@ index 9dec06c..fddb027 100644 - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ logging_search_logs($1) -+ append_files_pattern($1, virt_log_t, virt_log_t) ++ manage_dirs_pattern($1, virt_log_t, virt_log_t) ++ manage_files_pattern($1, virt_log_t, virt_log_t) ++ manage_lnk_files_pattern($1, virt_log_t, virt_log_t) ') ######################################## ## -## Create, read, write, and delete -## virt pid files. -+## Allow domain to manage virt log files ++## Allow domain to getattr virt image direcories ## ## ## -@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',` +@@ -801,18 +583,18 @@ interface(`virt_read_pid_files',` ## ## # -interface(`virt_manage_pid_files',` -+interface(`virt_manage_log',` ++interface(`virt_getattr_images',` gen_require(` - type virt_var_run_t; -+ type virt_log_t; ++ attribute virt_image_type; ') - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ manage_dirs_pattern($1, virt_log_t, virt_log_t) -+ manage_files_pattern($1, virt_log_t, virt_log_t) -+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t) ++ virt_search_lib($1) ++ allow $1 virt_image_type:file getattr_file_perms; ') ######################################## @@ -99258,7 +99310,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +602,18 @@ interface(`virt_manage_pid_files',` ## ## # @@ -99282,7 +99334,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -839,20 +584,73 @@ interface(`virt_search_lib',` +@@ -839,20 +621,73 @@ interface(`virt_search_lib',` ## ## # @@ -99361,7 +99413,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -860,74 +658,265 @@ interface(`virt_read_lib_files',` +@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',` ## ## # 
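Review bot: The new `virt_getattr_images` interface is described as `Allow domain to getattr virt image direcories` (also a typo), but its rule `allow $1 virt_image_type:file getattr_file_perms;` covers only files; directories labelled with a virt_image_type get nothing, and `virt_search_lib($1)` only adds search on the virt lib directory. Either correct the summary to `## Allow domain to getattr virt image files`, or, if the pegasus_t caller wired up in an earlier hunk needs to stat image directories, add `allow $1 virt_image_type:dir getattr_dir_perms;` next to the file rule. Which of the two is intended cannot be told from this hunk.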
@@ -99424,10 +99476,12 @@ index 9dec06c..fddb027 100644 + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in virt pid +-## directories with a private type. +## Execute virt server in the virt domain. +## +## @@ -99447,12 +99501,10 @@ index 9dec06c..fddb027 100644 + allow $1 virtd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, virtd_t) - ') - - ######################################## - ## --## Create objects in virt pid --## directories with a private type. ++') ++ ++######################################## ++## +## Ptrace the svirt domain +## +## @@ -99472,12 +99524,13 @@ index 9dec06c..fddb027 100644 +####################################### +## +## Execute Sandbox Files -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`virt_exec_sandbox_files',` + gen_require(` @@ -99490,13 +99543,14 @@ index 9dec06c..fddb027 100644 +####################################### +## +## Manage Sandbox Files - ## - ## ++## ++## ## - ## Domain allowed access. +-## The type of the object to be created. ++## Domain allowed access. ## ## --## +-## +# +interface(`virt_manage_sandbox_files',` + gen_require(` @@ -99516,11 +99570,11 @@ index 9dec06c..fddb027 100644 +## +## ## --## The type of the object to be created. +-## The object class of the object being created. +## Domain allowed access. ## ## --## +-## +# +interface(`virt_relabel_sandbox_filesystem',` + gen_require(` 
@@ -99536,14 +99590,16 @@ index 9dec06c..fddb027 100644 +## +## ## --## The object class of the object being created. +-## The name of the object being created. +## Domain allowed access. ## ## --## -+# +-## + # +-interface(`virt_pid_filetrans',` +interface(`virt_mounton_sandbox_file',` -+ gen_require(` + gen_require(` +- type virt_var_run_t; + type svirt_sandbox_file_t; + ') + @@ -99555,17 +99611,13 @@ index 9dec06c..fddb027 100644 +## Connect to virt over a unix domain stream socket. +## +## - ## --## The name of the object being created. ++## +## Domain allowed access. - ## - ## --## - # --interface(`virt_pid_filetrans',` ++## ++## ++# +interface(`virt_stream_connect_sandbox',` - gen_require(` -- type virt_var_run_t; ++ gen_require(` + attribute svirt_sandbox_domain; + type svirt_sandbox_file_t; ') @@ -99621,10 +99673,11 @@ index 9dec06c..fddb027 100644 + optional_policy(` + ptchown_run(virt_domain, $2) + ') -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Append virt log files. +## Do not audit attempts to write virt daemon unnamed pipes. +## +## @@ -99640,16 +99693,15 @@ index 9dec06c..fddb027 100644 + + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; - ') - - ######################################## - ## --## Append virt log files. ++') ++ ++######################################## ++## +## Send a sigkill to virtual machines ## ## ## -@@ -935,19 +924,17 @@ interface(`virt_read_log',` +@@ -935,19 +961,17 @@ interface(`virt_read_log',` ## ## # @@ -99673,7 +99725,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -955,20 +942,17 @@ interface(`virt_append_log',` +@@ -955,20 +979,17 @@ interface(`virt_append_log',` ## ## # @@ -99698,7 +99750,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -976,18 +960,17 @@ interface(`virt_manage_log',` +@@ -976,18 +997,17 @@ interface(`virt_manage_log',` ## ## # 
@@ -99721,7 +99773,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -995,36 +978,57 @@ interface(`virt_search_images',` +@@ -995,36 +1015,57 @@ interface(`virt_search_images',` ## ## # @@ -99798,7 +99850,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -1032,20 +1036,28 @@ interface(`virt_read_images',` +@@ -1032,20 +1073,28 @@ interface(`virt_read_images',` ## ## # @@ -99834,7 +99886,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -1053,37 +1065,131 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,37 +1102,131 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -99980,7 +100032,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -1091,36 +1197,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1234,54 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -100054,7 +100106,7 @@ index 9dec06c..fddb027 100644 ## ## ## -@@ -1136,50 +1260,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1297,36 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -100096,8 +100148,7 @@ index 9dec06c..fddb027 100644 - - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -+ allow $1 virt_domain:process signal_perms; - +- - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t }) - @@ -100106,7 +100157,8 @@ index 9dec06c..fddb027 100644 - - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) -- ++ allow $1 virt_domain:process signal_perms; + - files_search_var($1) - admin_pattern($1, svirt_cache_t) - diff --git a/selinux-policy.spec b/selinux-policy.spec index 262a9a8..8038549 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 137%{?dist} +Release: 138%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -579,6 +579,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Mar 14 2014 Lukas Vrabec 3.12.1-138 +- Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least. +- Allow net_admin cap for fence_virtd running as fenced_t +- Make abrt-java-connector working +- Make cimtest script 03_defineVS.py of ComputerSystem group working +- Fix git_system_enable_homedirs boolean +- Allow munin mail plugins to read network systcl + * Thu Mar 13 2014 Miroslav Grepl 3.12.1-137 - Allow vmtools_helper_t to execute bin_t - Add support for /usr/share/joomla