From 5d15cbb533a285a64f33d76e98aefae1191f96e9 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jan 08 2014 10:27:09 +0000
Subject: Add neutron fixes
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 9331692..4718a40 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -31691,7 +31691,7 @@ index 4e94884..ae63d78 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..616d6a8 100644
+index 39ea221..e2be79a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -31712,7 +31712,7 @@ index 39ea221..616d6a8 100644
+## Allow syslogd the ability to read/write terminals
+##
+##
-+gen_tunable(logging_syslogd_use_tty, false)
++gen_tunable(logging_syslogd_use_tty, true)
attribute logfile;
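Review bot: The `++gen_tunable(logging_syslogd_use_tty, true)` line flips the default of this boolean from false to true, so syslogd_t gets terminal read/write on every installation unless an administrator turns it off, and nothing in the commit (subject "Add neutron fixes") records why. A boolean that defaults to the permissive side deserves the reason in the policy itself; a line in the tunable's description such as `## Default true: <reason or bug reference that motivated the default>` would let a later maintainer revisit it. The inner hunk this tunable belongs to (`@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)`) starts outside this hunk.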
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 31259b3..34c8553 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -17844,7 +17844,7 @@ index 06da9a0..c7834c8 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..d084359 100644
+index 9f34c2e..5997cc2 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -18114,12 +18114,13 @@ index 9f34c2e..d084359 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +278,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
-libs_read_lib_files(cupsd_t)
libs_exec_lib_files(cupsd_t)
++libs_exec_ldconfig(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
@@ -18140,7 +18141,7 @@ index 9f34c2e..d084359 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
-@@ -275,6 +305,8 @@ optional_policy(`
+@@ -275,6 +306,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -18149,7 +18150,7 @@ index 9f34c2e..d084359 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +317,10 @@ optional_policy(`
+@@ -285,8 +318,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -18160,7 +18161,7 @@ index 9f34c2e..d084359 100644
')
')
-@@ -299,8 +333,8 @@ optional_policy(`
+@@ -299,8 +334,8 @@ optional_policy(`
')
optional_policy(`
@@ -18170,7 +18171,7 @@ index 9f34c2e..d084359 100644
')
optional_policy(`
-@@ -309,7 +343,6 @@ optional_policy(`
+@@ -309,7 +344,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -18178,7 +18179,7 @@ index 9f34c2e..d084359 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -337,7 +370,11 @@ optional_policy(`
+@@ -337,7 +371,11 @@ optional_policy(`
')
optional_policy(`
@@ -18191,7 +18192,7 @@ index 9f34c2e..d084359 100644
')
########################################
-@@ -345,12 +382,11 @@ optional_policy(`
+@@ -345,12 +383,11 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -18207,7 +18208,7 @@ index 9f34c2e..d084359 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +412,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -18228,7 +18229,7 @@ index 9f34c2e..d084359 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +430,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -18249,7 +18250,7 @@ index 9f34c2e..d084359 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +447,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -18261,7 +18262,7 @@ index 9f34c2e..d084359 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +473,12 @@ optional_policy(`
+@@ -452,9 +474,12 @@ optional_policy(`
')
optional_policy(`
@@ -18275,7 +18276,7 @@ index 9f34c2e..d084359 100644
')
optional_policy(`
-@@ -490,10 +514,6 @@ optional_policy(`
+@@ -490,10 +515,6 @@ optional_policy(`
# Lpd local policy
#
@@ -18286,7 +18287,7 @@ index 9f34c2e..d084359 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +531,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +532,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -18320,7 +18321,7 @@ index 9f34c2e..d084359 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +558,6 @@ optional_policy(`
+@@ -546,7 +559,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -18328,7 +18329,7 @@ index 9f34c2e..d084359 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +573,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +574,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -18480,7 +18481,7 @@ index 9f34c2e..d084359 100644
########################################
#
-@@ -731,7 +617,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +618,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -18488,7 +18489,7 @@ index 9f34c2e..d084359 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +626,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +627,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -18502,7 +18503,7 @@ index 9f34c2e..d084359 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +638,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +639,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -18511,7 +18512,7 @@ index 9f34c2e..d084359 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +650,4 @@ optional_policy(`
+@@ -769,3 +651,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@@ -22832,10 +22833,10 @@ index 0000000..543baf1
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..68e0556
+index 0000000..b744b8c
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,152 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -22905,6 +22906,7 @@ index 0000000..68e0556
+corecmd_exec_shell(docker_t)
+
+corenet_tcp_bind_generic_node(docker_t)
++corenet_tcp_connect_http_port(docker_t)
+
+files_read_etc_files(docker_t)
+
@@ -22914,6 +22916,9 @@ index 0000000..68e0556
+
+auth_use_nsswitch(docker_t)
+
++logging_send_audit_msgs(docker_t)
++logging_send_syslog_msg(docker_t)
++
+miscfiles_read_localization(docker_t)
+
+mount_domtrans(docker_t)
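Review bot: `++logging_send_audit_msgs(docker_t)` gives the docker domain the ability to write records into the kernel audit log (the interface grants audit_write and the audit netlink socket), which is more than the syslog access granted on the next line and is normally reserved for authentication and security daemons. If docker emits audit events itself the rule is fine, but a short comment above it naming that use, e.g. `# docker writes its own audit records (<denial or feature reference>)`, would stop it being mistaken for a copy-paste from another service.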
@@ -31998,6 +32003,82 @@ index 94ec5f8..6cbbf7d 100644
logging_send_syslog_msg(iodined_t)
+diff --git a/ipa.fc b/ipa.fc
+new file mode 100644
+index 0000000..9278f85
+--- /dev/null
++++ b/ipa.fc
+@@ -0,0 +1,4 @@
++/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
++
++/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
++
+diff --git a/ipa.if b/ipa.if
+new file mode 100644
+index 0000000..c6cf456
+--- /dev/null
++++ b/ipa.if
+@@ -0,0 +1,21 @@
++## Policy for IPA services.
++
++########################################
++##
++## Execute rtas_errd in the rtas_errd domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ipa_domtrans_otpd',`
++ gen_require(`
++ type ipa_otpd_t, ipa_otpd_t_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
++')
++
+diff --git a/ipa.te b/ipa.te
+new file mode 100644
+index 0000000..02f7cfa
+--- /dev/null
++++ b/ipa.te
+@@ -0,0 +1,33 @@
++policy_module(ipa, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute ipa_domain;
++
++type ipa_otpd_t, ipa_domain;
++type ipa_otpd_exec_t;
++init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
++
++type ipa_otpd_unit_file_t;
++systemd_unit_file(ipa_otpd_unit_file_t)
++
++########################################
++#
++# ipa_otpd local policy
++#
++
++allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
++allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
++
++corenet_tcp_connect_radius_port(ipa_otpd_t)
++
++optional_policy(`
++ dirsrv_stream_connect(ipa_otpd_t)
++')
++
++optional_policy(`
++ kerberos_use(ipa_otpd_t)
++')
diff --git a/irc.fc b/irc.fc
index 48e7739..c3285c2 100644
--- a/irc.fc
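Review bot: The `gen_require` block of `ipa_domtrans_otpd` in ipa.if requires `ipa_otpd_t_exec_t`, but ipa.te declares the type as `ipa_otpd_exec_t` and the `domtrans_pattern` call two lines below uses `ipa_otpd_exec_t` as well, so the interface references a type that does not exist; the require line should read `type ipa_otpd_t, ipa_otpd_exec_t;`. The interface description is copied from another module ("Execute rtas_errd in the rtas_errd domin") and should describe this one, e.g. `## Execute ipa-otpd in the ipa_otpd_t domain.`. ipa.te also declares the `ipa_domain` attribute and assigns it to ipa_otpd_t without any rule using it; if it is reserved for later IPA services, a one-line comment saying so would keep it from being removed as dead.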
@@ -35087,7 +35168,7 @@ index f9de9fc..11e6268 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..353c4ce 100644
+index 3465a9a..15b3d6d 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -1,4 +1,4 @@
@@ -35248,7 +35329,7 @@ index 3465a9a..353c4ce 100644
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-@@ -154,6 +173,10 @@ optional_policy(`
+@@ -154,11 +173,16 @@ optional_policy(`
')
optional_policy(`
@@ -35259,7 +35340,13 @@ index 3465a9a..353c4ce 100644
nis_use_ypbind(kadmind_t)
')
-@@ -174,24 +197,27 @@ optional_policy(`
+ optional_policy(`
+ sssd_read_public_files(kadmind_t)
++ sssd_stream_connect(kadmind_t)
+ ')
+
+ optional_policy(`
+@@ -174,24 +198,27 @@ optional_policy(`
# Krb5kdc local policy
#
@@ -35291,7 +35378,7 @@ index 3465a9a..353c4ce 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+@@ -203,54 +230,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
@@ -35357,7 +35444,7 @@ index 3465a9a..353c4ce 100644
sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +286,11 @@ optional_policy(`
+@@ -261,11 +287,11 @@ optional_policy(`
')
optional_policy(`
@@ -35371,7 +35458,7 @@ index 3465a9a..353c4ce 100644
')
optional_policy(`
-@@ -273,6 +298,10 @@ optional_policy(`
+@@ -273,6 +299,10 @@ optional_policy(`
')
optional_policy(`
@@ -35382,7 +35469,7 @@ index 3465a9a..353c4ce 100644
udev_read_db(krb5kdc_t)
')
-@@ -281,10 +310,12 @@ optional_policy(`
+@@ -281,10 +311,12 @@ optional_policy(`
# kpropd local policy
#
@@ -35398,7 +35485,7 @@ index 3465a9a..353c4ce 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
-@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,26 +335,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
@@ -48952,7 +49039,7 @@ index 0e8508c..ee2e3de 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..7688ca5 100644
+index 0b48a30..8350f85 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -49107,7 +49194,7 @@ index 0b48a30..7688ca5 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +149,17 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +149,31 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@@ -49125,7 +49212,9 @@ index 0b48a30..7688ca5 100644
storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
-@@ -148,10 +168,11 @@ init_domtrans_script(NetworkManager_t)
+ init_dontaudit_write_utmp(NetworkManager_t)
+ init_domtrans_script(NetworkManager_t)
++init_signull_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -49138,7 +49227,7 @@ index 0b48a30..7688ca5 100644
seutil_read_config(NetworkManager_t)
-@@ -166,21 +187,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +188,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -49175,7 +49264,7 @@ index 0b48a30..7688ca5 100644
')
optional_policy(`
-@@ -196,10 +228,6 @@ optional_policy(`
+@@ -196,10 +229,6 @@ optional_policy(`
')
optional_policy(`
@@ -49186,7 +49275,7 @@ index 0b48a30..7688ca5 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,16 +238,11 @@ optional_policy(`
+@@ -210,16 +239,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -49205,7 +49294,7 @@ index 0b48a30..7688ca5 100644
')
')
-@@ -231,18 +254,23 @@ optional_policy(`
+@@ -231,18 +255,23 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -49232,7 +49321,7 @@ index 0b48a30..7688ca5 100644
')
optional_policy(`
-@@ -250,6 +278,10 @@ optional_policy(`
+@@ -250,6 +279,10 @@ optional_policy(`
ipsec_kill_mgmt(NetworkManager_t)
ipsec_signal_mgmt(NetworkManager_t)
ipsec_signull_mgmt(NetworkManager_t)
@@ -49243,7 +49332,7 @@ index 0b48a30..7688ca5 100644
')
optional_policy(`
-@@ -257,11 +289,10 @@ optional_policy(`
+@@ -257,11 +290,10 @@ optional_policy(`
')
optional_policy(`
@@ -49259,7 +49348,7 @@ index 0b48a30..7688ca5 100644
')
optional_policy(`
-@@ -274,10 +305,17 @@ optional_policy(`
+@@ -274,10 +306,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -49277,7 +49366,7 @@ index 0b48a30..7688ca5 100644
')
optional_policy(`
-@@ -289,6 +327,7 @@ optional_policy(`
+@@ -289,6 +328,7 @@ optional_policy(`
')
optional_policy(`
@@ -49285,7 +49374,7 @@ index 0b48a30..7688ca5 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +335,7 @@ optional_policy(`
+@@ -296,7 +336,7 @@ optional_policy(`
')
optional_policy(`
@@ -49294,7 +49383,7 @@ index 0b48a30..7688ca5 100644
')
optional_policy(`
-@@ -307,6 +346,7 @@ optional_policy(`
+@@ -307,6 +347,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -49302,7 +49391,7 @@ index 0b48a30..7688ca5 100644
')
optional_policy(`
-@@ -320,13 +360,19 @@ optional_policy(`
+@@ -320,13 +361,19 @@ optional_policy(`
')
optional_policy(`
@@ -49326,7 +49415,7 @@ index 0b48a30..7688ca5 100644
')
optional_policy(`
-@@ -356,6 +402,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +403,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -57396,10 +57485,10 @@ index 96db654..6d3feb9 100644
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..4694942 100644
+index dfd46e4..fabf59e 100644
--- a/pegasus.fc
+++ b/pegasus.fc
-@@ -1,15 +1,29 @@
+@@ -1,15 +1,30 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
@@ -57437,6 +57526,7 @@ index dfd46e4..4694942 100644
+/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677..ded726f 100644
--- a/pegasus.if
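Review bot: The added fc line labels `/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt` with `pegasus_openlmi_storage_exec_t`, so the hardware provider will run in the storage provider's domain and inherit everything that domain is allowed, while the neighbouring entries give each provider family its own exec type (Journald → admin, pycmpiLMI_Storage → storage). If sharing the storage domain is deliberate, a comment above the line such as `# Hardware provider runs in the storage provider domain (no dedicated type)` records that; if not, it needs its own exec type and domain. Confirm which was intended before the label ships.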
@@ -70161,10 +70251,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..0ef5efc 100644
+index 769d1fd..2cd8df3 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -1,96 +1,109 @@
+@@ -1,96 +1,123 @@
-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.0.3)
@@ -70214,55 +70304,49 @@ index 769d1fd..0ef5efc 100644
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { setgid setuid sys_resource };
++allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin };
+allow neutron_t self:process { setsched setrlimit };
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
+allow neutron_t self:tcp_socket { accept listen };
+allow neutron_t self:unix_stream_socket { accept listen };
-
--manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
--append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--logging_log_filetrans(quantum_t, quantum_log_t, dir)
++
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
-
--manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
--files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
--manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-logging_log_filetrans(quantum_t, quantum_log_t, dir)
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
--can_exec(quantum_t, quantum_tmp_t)
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+can_exec(neutron_t, neutron_tmp_t)
--kernel_read_kernel_sysctls(quantum_t)
--kernel_read_system_state(quantum_t)
+-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+kernel_read_kernel_sysctls(neutron_t)
+kernel_read_system_state(neutron_t)
++kernel_read_network_state(neutron_t)
++kernel_request_load_module(neutron_t)
--corecmd_exec_shell(quantum_t)
--corecmd_exec_bin(quantum_t)
+-can_exec(quantum_t, quantum_tmp_t)
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
--corenet_all_recvfrom_unlabeled(quantum_t)
--corenet_all_recvfrom_netlabel(quantum_t)
--corenet_tcp_sendrecv_generic_if(quantum_t)
--corenet_tcp_sendrecv_generic_node(quantum_t)
--corenet_tcp_sendrecv_all_ports(quantum_t)
--corenet_tcp_bind_generic_node(quantum_t)
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
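Review bot: The `++allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin };` line adds `net_admin` and `sys_admin` to neutron_t, and `sys_admin` is close to unconfined root for a service that already has `corecmd_exec_bin`/`corecmd_exec_shell` and, in the next hunk of this file, also gains `kernel_request_load_module`, `dev_mount_sysfs_fs`, `dev_mounton_sysfs` and `sudo_exec`; the commit message does not say which operation needed any of them. Each broad grant should carry the operation that motivated it, e.g. a comment above the allow line: `# net_admin/sys_admin: <operation from the AVC denial> -- re-check whether a narrower interface covers it`. `net_admin` is the expected capability for a networking agent; `sys_admin` should be confirmed as genuinely required rather than taken from a single denial, since the sysfs mount interfaces added separately may already cover the real need.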
@@ -70270,65 +70354,85 @@ index 769d1fd..0ef5efc 100644
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
--dev_list_sysfs(quantum_t)
--dev_read_urand(quantum_t)
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
--files_read_usr_files(quantum_t)
-+dev_list_sysfs(neutron_t)
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
++domain_named_filetrans(neutron_t)
+
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
++dev_read_sysfs(neutron_t)
+dev_read_urand(neutron_t)
++dev_mounton_sysfs(neutron_t)
++dev_mount_sysfs_fs(neutron_t)
--auth_use_nsswitch(quantum_t)
+-files_read_usr_files(quantum_t)
+auth_use_nsswitch(neutron_t)
--libs_exec_ldconfig(quantum_t)
+-auth_use_nsswitch(quantum_t)
+libs_exec_ldconfig(neutron_t)
--logging_send_audit_msgs(quantum_t)
--logging_send_syslog_msg(quantum_t)
+-libs_exec_ldconfig(quantum_t)
+logging_send_audit_msgs(neutron_t)
+logging_send_syslog_msg(neutron_t)
--miscfiles_read_localization(quantum_t)
+-logging_send_audit_msgs(quantum_t)
+-logging_send_syslog_msg(quantum_t)
+sysnet_exec_ifconfig(neutron_t)
--sysnet_domtrans_ifconfig(quantum_t)
+-miscfiles_read_localization(quantum_t)
+optional_policy(`
+ brctl_domtrans(neutron_t)
+')
+-sysnet_domtrans_ifconfig(quantum_t)
++optional_policy(`
++ dnsmasq_domtrans(neutron_t)
++')
+
optional_policy(`
- brctl_domtrans(quantum_t)
-+ mysql_stream_connect(neutron_t)
-+ mysql_read_config(neutron_t)
-+
-+ mysql_tcp_connect(neutron_t)
++ iptables_domtrans(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
-+ postgresql_stream_connect(neutron_t)
-+ postgresql_unpriv_client(neutron_t)
++ mysql_stream_connect(neutron_t)
++ mysql_read_config(neutron_t)
- mysql_tcp_connect(quantum_t)
-+ postgresql_tcp_connect(neutron_t)
++ mysql_tcp_connect(neutron_t)
')
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
-+ openvswitch_domtrans(neutron_t)
-+ openvswitch_stream_connect(neutron_t)
++ postgresql_stream_connect(neutron_t)
++ postgresql_unpriv_client(neutron_t)
++
++ postgresql_tcp_connect(neutron_t)
+')
- postgresql_tcp_connect(quantum_t)
+optional_policy(`
-+ sudo_exec(neutron_t)
++ openvswitch_domtrans(neutron_t)
++ openvswitch_stream_connect(neutron_t)
')
++
++optional_policy(`
++ sudo_exec(neutron_t)
++')
diff --git a/quota.fc b/quota.fc
index cadabe3..54ba01d 100644
--- a/quota.fc
@@ -93953,7 +94057,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..9f596dc 100644
+index 7116181..92703c0 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -93966,7 +94070,7 @@ index 7116181..9f596dc 100644
type tuned_var_run_t;
files_pid_file(tuned_var_run_t)
-@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t)
+@@ -29,10 +32,14 @@ files_pid_file(tuned_var_run_t)
# Local policy
#
@@ -93979,10 +94083,11 @@ index 7116181..9f596dc 100644
+allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow tuned_t self:netlink_socket create_socket_perms;
+allow tuned_t self:udp_socket create_socket_perms;
++allow tuned_t self:socket create_socket_perms;
read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
+@@ -41,14 +48,19 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
@@ -94001,11 +94106,12 @@ index 7116181..9f596dc 100644
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
++allow tuned_t tuned_var_run_t:file relabel_file_perms;
+can_exec(tuned_t, tuned_var_run_t)
kernel_read_system_state(tuned_t)
kernel_read_network_state(tuned_t)
-@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t)
+@@ -57,6 +69,8 @@ kernel_request_load_module(tuned_t)
kernel_rw_kernel_sysctl(tuned_t)
kernel_rw_hotplug_sysctls(tuned_t)
kernel_rw_vm_sysctls(tuned_t)
@@ -94014,7 +94120,7 @@ index 7116181..9f596dc 100644
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
-@@ -64,31 +76,57 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +78,57 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t)