From 61a8737e37620bf7f65d6636fffb0739ee638ed3 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Aug 23 2013 12:32:45 +0000
Subject: - Fix collectd_t can read /etc/passwd file
- Fix lsm.if summary
- Add policy for lsmd
- Cleanup raid.te
- Add support for abrt-upload-watch
- Dontaudit access check on cert_t for httpd_t
- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
- Allow glusterd to read domains state
- Allow swift to create cache dirs with correct labeling
- Add support for pam_mount to mount user's encrypted home When a user logs in and logs o
- Add support for .Xauthority-n
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index d5daf33..63fd39f 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -20167,7 +20167,7 @@ index fe0c682..225aaa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..dac68b3 100644
+index 5fc0391..2d08ed2 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20470,7 +20470,7 @@ index 5fc0391..dac68b3 100644
')
optional_policy(`
-@@ -257,11 +307,24 @@ optional_policy(`
+@@ -257,11 +307,28 @@ optional_policy(`
')
optional_policy(`
@@ -20492,11 +20492,15 @@ index 5fc0391..dac68b3 100644
optional_policy(`
- kerberos_keytab_template(sshd, sshd_t)
++ lvm_domtrans(sshd_t)
++')
++
++optional_policy(`
+ nx_read_home_files(sshd_t)
')
optional_policy(`
-@@ -269,6 +332,10 @@ optional_policy(`
+@@ -269,6 +336,10 @@ optional_policy(`
')
optional_policy(`
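Review bot: `lvm_domtrans(sshd_t)` at line 39 is granted unconditionally, and since lvm_exec_t also labels cryptsetup, dmraid and dmsetup (see the lvm.fc hunk at lines 386-388), the transition reaches every lvm_exec_t binary, not just mount.crypt/umount.crypt. If pam_mount is the only driver, consider gating the call in a `tunable_policy` boolean, or at least record the intent above it: `# pam_mount: mount.crypt/umount.crypt are labeled lvm_exec_t`. Other login domains where pam_mount runs (console login, xdm) would presumably need the same transition; I don't see them changed on this page. The call sits in a complete optional_policy block, but the surrounding sshd_t policy continues outside the hunk.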
@@ -20507,7 +20511,7 @@ index 5fc0391..dac68b3 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,13 +346,69 @@ optional_policy(`
+@@ -279,13 +350,69 @@ optional_policy(`
')
optional_policy(`
@@ -20577,7 +20581,7 @@ index 5fc0391..dac68b3 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +417,26 @@ optional_policy(`
+@@ -294,19 +421,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -20605,7 +20609,7 @@ index 5fc0391..dac68b3 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +453,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +457,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -20618,7 +20622,7 @@ index 5fc0391..dac68b3 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +467,138 @@ optional_policy(`
+@@ -331,3 +471,138 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -20915,7 +20919,7 @@ index d1f64a0..8f50bb9 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..188613e 100644
+index 6bf0ecc..15e1047 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@@ -21869,7 +21873,7 @@ index 6bf0ecc..188613e 100644
')
########################################
-@@ -1284,10 +1655,622 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1655,623 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -22369,6 +22373,7 @@ index 6bf0ecc..188613e 100644
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
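Review bot: The `.Xauthority-n` entry at line 101 extends a list of xauth temporary names that is maintained by hand in two places — this interface and the xauth_t local policy in xserver.te, where the same addition appears at line 125 — so both copies must be kept in step whenever a new suffix turns up. A one-line comment above each list would make the suffixes self-explanatory; as far as I recall, `-c` and `-l` are the libXau lock files and `-n` is the temporary file xauth writes before renaming it over .Xauthority: `# .Xauthority-c/-l: xauth lock files; -n: temp file renamed over .Xauthority`. The enclosing interface starts before this hunk.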
@@ -22495,7 +22500,7 @@ index 6bf0ecc..188613e 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..509319f 100644
+index 2696452..df66dcb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -22745,7 +22750,7 @@ index 2696452..509319f 100644
')
########################################
-@@ -247,48 +321,88 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -22811,6 +22816,7 @@ index 2696452..509319f 100644
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth")
@@ -22845,7 +22851,7 @@ index 2696452..509319f 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +413,107 @@ optional_policy(`
+@@ -299,64 +414,107 @@ optional_policy(`
# XDM Local policy
#
@@ -22963,7 +22969,7 @@ index 2696452..509319f 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +522,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +523,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -22995,7 +23001,7 @@ index 2696452..509319f 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +554,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +555,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -23048,7 +23054,7 @@ index 2696452..509319f 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +606,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +607,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -23077,7 +23083,7 @@ index 2696452..509319f 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +636,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +637,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23124,7 +23130,7 @@ index 2696452..509319f 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +681,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +682,144 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -23275,7 +23281,7 @@ index 2696452..509319f 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +832,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +833,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -23302,7 +23308,7 @@ index 2696452..509319f 100644
')
optional_policy(`
-@@ -514,12 +859,72 @@ optional_policy(`
+@@ -514,12 +860,72 @@ optional_policy(`
')
optional_policy(`
@@ -23375,7 +23381,7 @@ index 2696452..509319f 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +942,78 @@ optional_policy(`
+@@ -537,28 +943,78 @@ optional_policy(`
')
optional_policy(`
@@ -23463,7 +23469,7 @@ index 2696452..509319f 100644
')
optional_policy(`
-@@ -570,6 +1025,14 @@ optional_policy(`
+@@ -570,6 +1026,14 @@ optional_policy(`
')
optional_policy(`
@@ -23478,7 +23484,7 @@ index 2696452..509319f 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1058,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -23491,7 +23497,7 @@ index 2696452..509319f 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1075,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -23507,7 +23513,7 @@ index 2696452..509319f 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1091,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -23518,7 +23524,7 @@ index 2696452..509319f 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1106,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -23540,7 +23546,7 @@ index 2696452..509319f 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1126,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -23554,7 +23560,7 @@ index 2696452..509319f 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1151,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1152,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -23586,7 +23592,7 @@ index 2696452..509319f 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1184,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -23604,7 +23610,7 @@ index 2696452..509319f 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1206,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1207,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -23628,7 +23634,7 @@ index 2696452..509319f 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1226,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -23637,7 +23643,7 @@ index 2696452..509319f 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1269,44 @@ optional_policy(`
+@@ -775,16 +1270,44 @@ optional_policy(`
')
optional_policy(`
@@ -23683,7 +23689,7 @@ index 2696452..509319f 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1315,10 @@ optional_policy(`
+@@ -793,6 +1316,10 @@ optional_policy(`
')
optional_policy(`
@@ -23694,7 +23700,7 @@ index 2696452..509319f 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1335,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -23708,7 +23714,7 @@ index 2696452..509319f 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1346,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -23717,7 +23723,7 @@ index 2696452..509319f 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1358,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1359,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -23752,7 +23758,7 @@ index 2696452..509319f 100644
')
optional_policy(`
-@@ -902,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1424,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23761,7 +23767,7 @@ index 2696452..509319f 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1477,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1478,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -23793,7 +23799,7 @@ index 2696452..509319f 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1524,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -30638,7 +30644,7 @@ index 4e94884..9b82ed0 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..bb695cf 100644
+index 39ea221..aae7b7d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -30954,7 +30960,7 @@ index 39ea221..bb695cf 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -502,15 +575,36 @@ optional_policy(`
+@@ -502,15 +575,40 @@ optional_policy(`
')
optional_policy(`
@@ -30981,6 +30987,10 @@ index 39ea221..bb695cf 100644
')
optional_policy(`
++ psad_search_lib_files(syslogd_t)
++')
++
++optional_policy(`
seutil_sigchld_newrole(syslogd_t)
+ snmp_read_snmp_var_lib_files(syslogd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)
@@ -30991,7 +31001,7 @@ index 39ea221..bb695cf 100644
')
optional_policy(`
-@@ -521,3 +615,26 @@ optional_policy(`
+@@ -521,3 +619,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -31019,10 +31029,10 @@ index 39ea221..bb695cf 100644
+
+logging_stream_connect_syslog(syslog_client_type)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..7daaff3 100644
+index 879bb1e..5aa4eeb 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
-@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',`
+@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',`
/etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
@@ -31039,6 +31049,7 @@ index 879bb1e..7daaff3 100644
# /sbin
#
+/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -31058,7 +31069,7 @@ index 879bb1e..7daaff3 100644
/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +94,71 @@ ifdef(`distro_gentoo',`
+@@ -88,8 +95,71 @@ ifdef(`distro_gentoo',`
#
# /usr
#
@@ -31132,7 +31143,7 @@ index 879bb1e..7daaff3 100644
#
# /var
-@@ -97,5 +166,8 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +167,8 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 4ddf547..34382d4 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..4e4cbd4 100644
+index e4f84de..2fe1152 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,40 @@
+@@ -1,30 +1,41 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -22,6 +22,7 @@ index e4f84de..4e4cbd4 100644
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
@@ -518,7 +519,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..da5b191 100644
+index cc43d25..d345054 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -527,7 +528,7 @@ index cc43d25..da5b191 100644
########################################
#
-@@ -6,105 +6,116 @@ policy_module(abrt, 1.3.4)
+@@ -6,105 +6,128 @@ policy_module(abrt, 1.3.4)
#
##
@@ -549,6 +550,14 @@ index cc43d25..da5b191 100644
-## the abrt_handle_event_t domain to
-## handle ABRT event scripts.
-##
++##
++## Allow abrt-handle-upload to modify public files
++## used for public file transfer services in /var/spool/abrt-upload/.
++##
++##
++gen_tunable(abrt_upload_watch_anon_write, true)
++
++##
+##
+## Allow ABRT to run in abrt_handle_event_t domain
+## to handle ABRT event scripts
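Review bot: The new `abrt_upload_watch_anon_write` boolean at line 453 defaults to `true`, so manage access to public_content_rw_t is on unless an administrator turns it off; as far as I recall the other anon_write booleans in this policy (abrt_anon_write, referenced at line 513) default to false so that write access to anonymous-upload directories is opt-in. Unless the daemon cannot operate without it, flip the default: `gen_tunable(abrt_upload_watch_anon_write, false)`. The description at line 449 names abrt-handle-upload while the rule it gates (lines 617-619) is on abrt_upload_watch_t; if abrt-handle-upload runs inside that domain via `corecmd_exec_bin` with no transition, the description should say so.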
@@ -627,15 +636,15 @@ index cc43d25..da5b191 100644
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+')
-+
-+#
-+# Support for ABRT retrace server
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+#
++# Support for ABRT retrace server
++
++#
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;
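Review bot: The comment reshuffle at lines 470-473 leaves the retrace-server header on the new side as `#`, `# Support for ABRT retrace server`, a blank line, then `#` — the blank line splits the comment block in two. Keep the three comment lines together in the usual `#` / `# text` / `#` shape and move the blank line above the block. Purely cosmetic; the rules themselves are unchanged.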
@@ -660,7 +669,10 @@ index cc43d25..da5b191 100644
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
-')
--
++# Support for abrt-upload-watch
++abrt_basic_types_template(abrt_upload_watch)
++init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
########################################
#
-# Local policy
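Review bot: `init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)` at line 484 declares the new daemon without an MCS range, whereas abrt_t in the same file is declared through `init_ranged_daemon_domain(..., s0 - mcs_systemhigh)` under `ifdef(`enable_mcs',`` (lines 460-462). If abrt-upload-watch processes crash reports uploaded by arbitrary users, those files may carry MCS categories an unranged domain cannot read; either mirror the enable_mcs block for abrt_upload_watch_t or add a comment stating why s0 is sufficient, e.g. `# runs at s0: uploaded reports are relabeled before this domain reads them` — confirm against the daemon's behaviour. Whether abrt_basic_types_template also puts the new type into the abrt_domain attribute, which the shared rules at lines 627-634 depend on, is not visible here and is worth confirming.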
@@ -689,7 +701,7 @@ index cc43d25..da5b191 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -112,23 +123,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +135,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -718,7 +730,7 @@ index cc43d25..da5b191 100644
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
-@@ -137,16 +150,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +162,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -737,7 +749,7 @@ index cc43d25..da5b191 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +174,37 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +186,37 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -778,7 +790,7 @@ index cc43d25..da5b191 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +212,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +224,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -795,7 +807,7 @@ index cc43d25..da5b191 100644
')
optional_policy(`
-@@ -209,6 +224,16 @@ optional_policy(`
+@@ -209,6 +236,16 @@ optional_policy(`
')
optional_policy(`
@@ -812,7 +824,7 @@ index cc43d25..da5b191 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +245,7 @@ optional_policy(`
+@@ -220,6 +257,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -820,7 +832,7 @@ index cc43d25..da5b191 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +256,7 @@ optional_policy(`
+@@ -230,6 +268,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -828,7 +840,7 @@ index cc43d25..da5b191 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +267,17 @@ optional_policy(`
+@@ -240,9 +279,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -847,7 +859,7 @@ index cc43d25..da5b191 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +288,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +300,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -862,7 +874,7 @@ index cc43d25..da5b191 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +307,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +319,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -870,7 +882,7 @@ index cc43d25..da5b191 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +316,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +328,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -891,7 +903,7 @@ index cc43d25..da5b191 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +337,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +349,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -918,7 +930,7 @@ index cc43d25..da5b191 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +373,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +385,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -932,7 +944,7 @@ index cc43d25..da5b191 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +391,11 @@ optional_policy(`
+@@ -330,10 +403,11 @@ optional_policy(`
#######################################
#
@@ -946,7 +958,7 @@ index cc43d25..da5b191 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +414,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +426,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1008,7 +1020,7 @@ index cc43d25..da5b191 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +472,18 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +484,29 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1021,18 +1033,28 @@ index cc43d25..da5b191 100644
#######################################
#
-# Global local policy
-+# Local policy for all abrt domain
++# abrt-upload-watch local policy
#
-kernel_read_system_state(abrt_domain)
++corecmd_exec_bin(abrt_upload_watch_t)
+
+-files_read_etc_files(abrt_domain)
++tunable_policy(`abrt_upload_watch_anon_write',`
++ miscfiles_manage_public_files(abrt_upload_watch_t)
++')
++
++#######################################
++#
++# Local policy for all abrt domain
++#
+
+-logging_send_syslog_msg(abrt_domain)
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
- files_read_etc_files(abrt_domain)
--
--logging_send_syslog_msg(abrt_domain)
--
-miscfiles_read_localization(abrt_domain)
++files_read_etc_files(abrt_domain)
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a..0682710 100644
--- a/accountsd.fc
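Review bot: The abrt-upload-watch local policy at lines 611-619 grants `miscfiles_manage_public_files` behind the tunable, but that only has effect if /var/spool/abrt-upload — the directory the tunable description at line 450 names — is actually labeled public_content_rw_t; the abrt.fc hunk on this page (lines 421-427) labels only the executable, so confirm the spool directory's context is set somewhere, otherwise the boolean is a no-op. `corecmd_exec_bin(abrt_upload_watch_t)` at line 614 has no accompanying domain transition, so whatever the daemon executes keeps running as abrt_upload_watch_t; if that is abrt-handle-upload, a comment such as `# abrt-handle-upload runs in this domain (no transition)` would make the rule self-explanatory. The new section header at lines 621-624 correctly separates the daemon's rules from the shared abrt_domain rules that follow.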
@@ -4596,7 +4618,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..40e2876 100644
+index 1a82e29..12b3640 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5284,7 +5306,7 @@ index 1a82e29..40e2876 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,164 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,165 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5401,9 +5423,10 @@ index 1a82e29..40e2876 100644
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
miscfiles_read_tetex_data(httpd_t)
-
--seutil_dontaudit_search_config(httpd_t)
-
+-seutil_dontaudit_search_config(httpd_t)
++miscfiles_dontaudit_access_check_cert(httpd_t)
+
userdom_use_unpriv_users_fds(httpd_t)
-ifdef(`TODO',`
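Review bot: `miscfiles_dontaudit_access_check_cert(httpd_t)` at line 662 calls an interface that has to be defined in miscfiles.if of the base policy; none of the policy-f19-base.patch hunks on this page add it, so confirm it already exists there (or is added in the same build), because an undefined interface breaks the module build. The scope is right — it only silences access(2)-style probes on cert_t while read access stays granted by `miscfiles_read_generic_certs` at line 656 — but a short comment would keep the next reader from mistaking it for a denial: `# silence access() probes on cert_t; read is granted above`. The surrounding httpd_t rules continue outside the hunk.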
@@ -5514,7 +5537,7 @@ index 1a82e29..40e2876 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +719,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +720,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5574,7 +5597,7 @@ index 1a82e29..40e2876 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +771,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +772,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5664,7 +5687,7 @@ index 1a82e29..40e2876 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +817,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +818,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5745,7 +5768,7 @@ index 1a82e29..40e2876 100644
')
optional_policy(`
-@@ -743,14 +869,6 @@ optional_policy(`
+@@ -743,14 +870,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5760,7 +5783,7 @@ index 1a82e29..40e2876 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +883,23 @@ optional_policy(`
+@@ -765,6 +884,23 @@ optional_policy(`
')
optional_policy(`
@@ -5784,7 +5807,7 @@ index 1a82e29..40e2876 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +916,42 @@ optional_policy(`
+@@ -781,34 +917,42 @@ optional_policy(`
')
optional_policy(`
@@ -5838,7 +5861,7 @@ index 1a82e29..40e2876 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +959,18 @@ optional_policy(`
+@@ -816,8 +960,18 @@ optional_policy(`
')
optional_policy(`
@@ -5857,7 +5880,7 @@ index 1a82e29..40e2876 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +979,7 @@ optional_policy(`
+@@ -826,6 +980,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5865,7 +5888,7 @@ index 1a82e29..40e2876 100644
')
optional_policy(`
-@@ -836,20 +990,39 @@ optional_policy(`
+@@ -836,20 +991,39 @@ optional_policy(`
')
optional_policy(`
@@ -5911,7 +5934,7 @@ index 1a82e29..40e2876 100644
')
optional_policy(`
-@@ -857,19 +1030,35 @@ optional_policy(`
+@@ -857,19 +1031,35 @@ optional_policy(`
')
optional_policy(`
@@ -5947,7 +5970,7 @@ index 1a82e29..40e2876 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1066,170 @@ optional_policy(`
+@@ -877,65 +1067,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6140,7 +6163,7 @@ index 1a82e29..40e2876 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1238,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1239,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6295,7 +6318,7 @@ index 1a82e29..40e2876 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1322,104 @@ optional_policy(`
+@@ -1077,172 +1323,104 @@ optional_policy(`
')
')
@@ -6531,7 +6554,7 @@ index 1a82e29..40e2876 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1427,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1428,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6628,7 +6651,7 @@ index 1a82e29..40e2876 100644
########################################
#
-@@ -1315,8 +1502,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1503,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6645,7 +6668,7 @@ index 1a82e29..40e2876 100644
')
########################################
-@@ -1324,49 +1518,38 @@ optional_policy(`
+@@ -1324,49 +1519,38 @@ optional_policy(`
# User content local policy
#
@@ -6710,7 +6733,7 @@ index 1a82e29..40e2876 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1559,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1560,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -12458,7 +12481,7 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..dbb3f45 100644
+index 6471fa8..dc0423c 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
@@ -12486,7 +12509,7 @@ index 6471fa8..dbb3f45 100644
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-@@ -46,23 +55,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
files_pid_filetrans(collectd_t, collectd_var_run_t, file)
@@ -12494,6 +12517,9 @@ index 6471fa8..dbb3f45 100644
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
++
++auth_getattr_passwd(collectd_t)
++auth_read_passwd(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
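Review bot: `auth_getattr_passwd(collectd_t)` on the line above `auth_read_passwd(collectd_t)` looks redundant: the read interface grants `read_file_perms` on the passwd file type, and that permission set already contains getattr. Dropping the getattr line keeps the added rules minimal and matches how the neighbouring kernel_* calls are written. If it is kept on purpose, a one-line comment above it should say why.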
@@ -12519,7 +12545,7 @@ index 6471fa8..dbb3f45 100644
logging_send_syslog_msg(collectd_t)
-@@ -75,16 +86,26 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',`
')
optional_policy(`
@@ -24977,7 +25003,7 @@ index 9eacb2c..229782f 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
-index e0a4f46..79bc951 100644
+index e0a4f46..95cf77c 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
@@ -25011,7 +25037,7 @@ index e0a4f46..79bc951 100644
allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket { accept listen };
-@@ -56,27 +58,22 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@@ -25030,6 +25056,7 @@ index e0a4f46..79bc951 100644
corecmd_exec_shell(glance_domain)
dev_read_urand(glance_domain)
++dev_read_sysfs(glance_domain)
-files_read_etc_files(glance_domain)
-files_read_usr_files(glance_domain)
@@ -25042,7 +25069,7 @@ index e0a4f46..79bc951 100644
sysnet_dns_name_resolve(glance_domain)
########################################
-@@ -88,8 +85,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
@@ -25057,7 +25084,7 @@ index e0a4f46..79bc951 100644
logging_send_syslog_msg(glance_registry_t)
-@@ -108,13 +111,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
@@ -25264,10 +25291,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..7244e2c
+index 0000000..06e17e3
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,169 @@
+policy_module(glusterfs, 1.0.1)
+
+##
@@ -25396,6 +25423,8 @@ index 0000000..7244e2c
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+
++domain_read_all_domains_state(glusterd_t)
++
+domain_use_interactive_fds(glusterd_t)
+
+fs_mount_all_fs(glusterd_t)
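Review bot: `domain_read_all_domains_state(glusterd_t)` grants read access to the /proc state of every confined domain, far beyond glusterd's own processes, and the changelog line "Allow glusterd to read domains state" gives no reason. A comment above the call, e.g. `# TODO(review): record which process state glusterd needs from other domains`, would let a later pass check whether an interface scoped to the helper domains glusterd actually inspects could replace it. The glusterd_t block this sits in starts and ends outside the hunk.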
@@ -35686,6 +35715,163 @@ index b9270f7..15f3748 100644
+optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
')
+diff --git a/lsm.fc b/lsm.fc
+new file mode 100644
+index 0000000..711c04b
+--- /dev/null
++++ b/lsm.fc
+@@ -0,0 +1,5 @@
++/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
++
++/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
++
++/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
+diff --git a/lsm.if b/lsm.if
+new file mode 100644
+index 0000000..aaf4080
+--- /dev/null
++++ b/lsm.if
+@@ -0,0 +1,103 @@
++
++## libStorageMgmt plug-in daemon
++
++########################################
++##
++## Execute TEMPLATE in the lsmd domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`lsmd_domtrans',`
++ gen_require(`
++ type lsmd_t, lsmd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, lsmd_exec_t, lsmd_t)
++')
++########################################
++##
++## Read lsmd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lsmd_read_pid_files',`
++ gen_require(`
++ type lsmd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
++')
++
++########################################
++##
++## Execute lsmd server in the lsmd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`lsmd_systemctl',`
++ gen_require(`
++ type lsmd_t;
++ type lsmd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 lsmd_unit_file_t:file read_file_perms;
++ allow $1 lsmd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, lsmd_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an lsmd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`lsmd_admin',`
++ gen_require(`
++ type lsmd_t;
++ type lsmd_var_run_t;
++ type lsmd_unit_file_t;
++ ')
++
++ allow $1 lsmd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, lsmd_t)
++
++ files_search_pids($1)
++ admin_pattern($1, lsmd_var_run_t)
++
++ lsmd_systemctl($1)
++ admin_pattern($1, lsmd_unit_file_t)
++ allow $1 lsmd_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/lsm.te b/lsm.te
+new file mode 100644
+index 0000000..14fe4d7
+--- /dev/null
++++ b/lsm.te
+@@ -0,0 +1,31 @@
++policy_module(lsm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type lsmd_t;
++type lsmd_exec_t;
++init_daemon_domain(lsmd_t, lsmd_exec_t)
++
++type lsmd_var_run_t;
++files_pid_file(lsmd_var_run_t)
++
++type lsmd_unit_file_t;
++systemd_unit_file(lsmd_unit_file_t)
++
++########################################
++#
++# lsmd local policy
++#
++allow lsmd_t self:capability { setgid };
++allow lsmd_t self:process { fork };
++allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++
++logging_send_syslog_msg(lsmd_t)
diff --git a/mailman.fc b/mailman.fc
index 7fa381b..bbe6b01 100644
--- a/mailman.fc
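Review bot: The `/var/run/lsm(/.*)? --` entry in lsm.fc restricts the match to regular files, so the /var/run/lsm directory itself keeps the generic pid label after a relabel; directory trees are conventionally written without the qualifier, `/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)`, and lsm.te also has no `files_pid_filetrans(lsmd_t, lsmd_var_run_t, dir)` to label the directory when lsmd creates it. The swift.fc hunk further down has the same problem, where `--` is added to the existing `/var/run/swift(/.*)?` line and to the new `/var/cache/swift(/.*)?` line. Separately, lsm.if spells the fifo interface two ways, `systemd_read_fifo_file_password_run` in `lsmd_systemctl` and `systemd_read_fifo_file_passwd_run` in `lsmd_admin`; unless both interfaces exist, one of them is a typo that will not expand at build time. The `lsmd_domtrans` summary still reads "Execute TEMPLATE in the lsmd domin" and should become "Execute lsmd in the lsmd domain".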
@@ -42859,7 +43045,7 @@ index 97370e4..92138ca 100644
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
-index c48dc17..f93fa69 100644
+index c48dc17..6355fb4 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -1,11 +1,24 @@
@@ -42895,7 +43081,7 @@ index c48dc17..f93fa69 100644
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-@@ -13,13 +26,15 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
+@@ -13,13 +26,16 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -42911,6 +43097,7 @@ index c48dc17..f93fa69 100644
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
++/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
@@ -43450,7 +43637,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 9f6179e..0f6abcb 100644
+index 9f6179e..94457fe 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@@ -43623,7 +43810,7 @@ index 9f6179e..0f6abcb 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -153,29 +160,22 @@ optional_policy(`
+@@ -153,29 +160,23 @@ optional_policy(`
#######################################
#
@@ -43649,6 +43836,7 @@ index 9f6179e..0f6abcb 100644
-allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
++list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -43659,7 +43847,7 @@ index 9f6179e..0f6abcb 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,17 +187,21 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -187,17 +188,21 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
@@ -43687,7 +43875,7 @@ index 9f6179e..0f6abcb 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -205,7 +209,7 @@ optional_policy(`
+@@ -205,7 +210,7 @@ optional_policy(`
########################################
#
@@ -43696,7 +43884,7 @@ index 9f6179e..0f6abcb 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +218,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +219,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -43714,7 +43902,7 @@ index 9f6179e..0f6abcb 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -226,31 +231,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +232,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -46315,10 +46503,10 @@ index 0000000..02dc6dc
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
diff --git a/nova.if b/nova.if
new file mode 100644
-index 0000000..cf8f660
+index 0000000..28936b4
--- /dev/null
+++ b/nova.if
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,57 @@
+## openstack-nova
+
+######################################
@@ -46373,13 +46561,15 @@ index 0000000..cf8f660
+
+ kernel_read_system_state(nova_$1_t)
+
++ logging_send_syslog_msg(nova_$1_t)
++
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..92134cc
+index 0000000..36d6129
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,320 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -46393,6 +46583,7 @@ index 0000000..92134cc
+#
+
+attribute nova_domain;
++attribute nova_sudo_domain;
+
+nova_domain_template(ajax)
+nova_domain_template(api)
@@ -46406,6 +46597,12 @@ index 0000000..92134cc
+nova_domain_template(vncproxy)
+nova_domain_template(volume)
+
++typeattribute nova_api_t nova_sudo_domain;
++typeattribute nova_cert_t nova_sudo_domain;
++typeattribute nova_console_t nova_sudo_domain;
++typeattribute nova_network_t nova_sudo_domain;
++typeattribute nova_volume_t nova_sudo_domain;
++
+type nova_log_t;
+logging_log_file(nova_log_t)
+
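Review bot: With these `typeattribute` lines nova_cert_t and nova_console_t join nova_sudo_domain and so receive the sudo/setuid/setgid/audit_write block added in the last nova hunk, while the removed per-domain blocks visible in this commit covered only nova_api_t, nova_network_t and nova_volume_t; unless cert/console blocks are removed outside these hunks, that is a privilege widening the changelog does not mention. The consolidated block also grants `audit_write` to api and network, which their removed blocks did not. A comment above the attribute, e.g. `# domains that run helpers through sudo; each gets setuid/setgid/audit_write`, plus a changelog line would make the intent explicit.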
@@ -46437,6 +46634,8 @@ index 0000000..92134cc
+corenet_tcp_connect_amqp_port(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+
++kernel_read_network_state(nova_domain)
++
+corecmd_exec_bin(nova_domain)
+corecmd_exec_shell(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
@@ -46489,15 +46688,6 @@ index 0000000..92134cc
+
+miscfiles_read_certs(nova_api_t)
+
-+ifdef(`hide_broken_symptoms',`
-+ optional_policy(`
-+ sudo_exec(nova_api_t)
-+ allow nova_api_t self:capability { setuid sys_resource setgid };
-+ allow nova_api_t self:process { setsched setrlimit };
-+ logging_send_audit_msgs(nova_api_t)
-+ ')
-+')
-+
+optional_policy(`
+ iptables_domtrans(nova_api_t)
+')
@@ -46609,15 +46799,6 @@ index 0000000..92134cc
+
+logging_send_syslog_msg(nova_network_t)
+
-+ifdef(`hide_broken_symptoms',`
-+ optional_policy(`
-+ sudo_exec(nova_network_t)
-+ allow nova_network_t self:capability { setuid sys_resource setgid };
-+ allow nova_network_t self:process { setsched setrlimit };
-+ logging_send_audit_msgs(nova_network_t)
-+ ')
-+')
-+
+optional_policy(`
+ brctl_domtrans(nova_network_t)
+')
@@ -46691,23 +46872,24 @@ index 0000000..92134cc
+ lvm_domtrans(nova_volume_t)
+')
+
-+ifdef(`hide_broken_symptoms',`
-+ require {
-+ type sudo_exec_t;
-+ }
-+
-+ allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans };
-+
-+ allow nova_volume_t self:capability { setuid sys_resource setgid audit_write };
-+ allow nova_volume_t self:process { setsched setrlimit };
++optional_policy(`
++ unconfined_domain(nova_volume_t)
++')
+
-+ logging_send_audit_msgs(nova_volume_t)
++#######################################
++#
++# nova sudo domain local policy
++#
+
++ifdef(`hide_broken_symptoms',`
++ optional_policy(`
++ sudo_exec(nova_sudo_domain)
++ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write };
++ allow nova_sudo_domain self:process { setsched setrlimit };
++ logging_send_audit_msgs(nova_sudo_domain)
++ ')
+')
+
-+optional_policy(`
-+ unconfined_domain(nova_volume_t)
-+')
diff --git a/nscd.fc b/nscd.fc
index ba64485..429bd79 100644
--- a/nscd.fc
@@ -51622,7 +51804,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..83daba9 100644
+index 3270ff9..60a7af6 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -51639,7 +51821,22 @@ index 3270ff9..83daba9 100644
##
## Determine whether openvpn can
## read generic user home content files.
-@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t)
+@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3)
+ ##
+ gen_tunable(openvpn_enable_homedirs, false)
+
++##
++##
++## Determine whether openvpn can
++## connect to the TCP network.
++##
++##
++gen_tunable(openvpn_can_network_connect, false)
++
+ attribute_role openvpn_roles;
+
+ type openvpn_t;
+@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t)
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
@@ -51658,7 +51855,7 @@ index 3270ff9..83daba9 100644
type openvpn_var_log_t;
logging_log_file(openvpn_var_log_t)
-@@ -43,7 +56,7 @@ files_pid_file(openvpn_var_run_t)
+@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
@@ -51667,7 +51864,7 @@ index 3270ff9..83daba9 100644
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
-@@ -62,6 +75,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -62,6 +83,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
@@ -51680,7 +51877,7 @@ index 3270ff9..83daba9 100644
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-@@ -83,7 +102,6 @@ kernel_request_load_module(openvpn_t)
+@@ -83,7 +110,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
@@ -51688,7 +51885,7 @@ index 3270ff9..83daba9 100644
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -103,13 +121,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
+@@ -103,13 +129,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
corenet_sendrecv_http_server_packets(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
@@ -51705,7 +51902,7 @@ index 3270ff9..83daba9 100644
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -121,18 +141,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -121,18 +149,24 @@ fs_search_auto_mountpoints(openvpn_t)
auth_use_pam(openvpn_t)
@@ -51733,7 +51930,18 @@ index 3270ff9..83daba9 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -155,3 +181,27 @@ optional_policy(`
+@@ -143,6 +177,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(openvpn_t)
+ ')
+
++tunable_policy(`openvpn_can_network_connect',`
++ corenet_tcp_connect_all_ports(openvpn_t)
++')
++
+ optional_policy(`
+ daemontools_service_domain(openvpn_t, openvpn_exec_t)
+ ')
+@@ -155,3 +193,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
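Review bot: The new `openvpn_can_network_connect` tunable body uses `corenet_tcp_connect_all_ports(openvpn_t)`, but the tunable description added in the earlier hunk only says "connect to the TCP network"; administrators toggling booleans read that text, so it should state the scope, `## connect to any TCP port.`. The default of false is the right choice for that breadth. The tunable is also absent from the spec changelog in this commit.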
@@ -53076,7 +53284,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..92780c3 100644
+index 7bcf327..0d93ae2 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -53135,8 +53343,8 @@ index 7bcf327..92780c3 100644
+allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
+allow pegasus_openlmi_domain self:udp_socket create_socket_perms;
+
-+list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
-+rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+
+corecmd_exec_bin(pegasus_openlmi_domain)
+corecmd_exec_shell(pegasus_openlmi_domain)
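Review bot: Replacing `list_dirs_pattern`/`rw_files_pattern` with `manage_files_pattern`/`manage_dirs_pattern` on pegasus_data_t moves every domain carrying the pegasus_openlmi_domain attribute from read/write to create/delete/rename of the pegasus data tree, and that widening is not in the changelog. If only one provider needs to create files there, granting it to that domain instead of the attribute keeps the other providers at the narrower access. The block this sits in starts outside the hunk.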
@@ -61310,7 +61518,7 @@ index 0000000..4f6badd
+
+miscfiles_read_localization(prosody_t)
diff --git a/psad.if b/psad.if
-index d4dcf78..59ab964 100644
+index d4dcf78..3cce82e 100644
--- a/psad.if
+++ b/psad.if
@@ -93,9 +93,8 @@ interface(`psad_manage_config',`
@@ -61380,7 +61588,7 @@ index d4dcf78..59ab964 100644
## Read and write psad fifo files.
##
##
-@@ -198,6 +236,26 @@ interface(`psad_rw_fifo_file',`
+@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',`
#######################################
##
@@ -61404,10 +61612,29 @@ index d4dcf78..59ab964 100644
+
+#######################################
+##
++## Allow search to psad lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`psad_search_lib_files',`
++ gen_require(`
++ type psad_t, psad_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
++')
++
++#######################################
++##
## Read and write psad temporary files.
##
##
-@@ -235,30 +293,34 @@ interface(`psad_rw_tmp_files',`
+@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',`
interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
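Review bot: `psad_search_lib_files` requires `type psad_t, psad_var_lib_t;` but never references psad_t, so the require should be `type psad_var_lib_t;`. The summary "Allow search to psad lib files" is awkward and names files although the body only grants directory search; `## Search psad lib directories.` matches what the interface does. The rest of the new interface follows the file's conventions.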
@@ -66535,7 +66762,7 @@ index 951db7f..7736755 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
-index 2c1730b..1e9ad6b 100644
+index 2c1730b..0bf7d02 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t;
@@ -66616,7 +66843,7 @@ index 2c1730b..1e9ad6b 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +91,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +91,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -66634,10 +66861,11 @@ index 2c1730b..1e9ad6b 100644
-miscfiles_read_localization(mdadm_t)
+systemd_exec_systemctl(mdadm_t)
++systemd_start_systemd_services(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -97,9 +122,17 @@ optional_policy(`
+@@ -97,9 +123,17 @@ optional_policy(`
')
optional_policy(`
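Review bot: `systemd_start_systemd_services(mdadm_t)`, as I read that interface, lets mdadm start any service carrying the generic unit type, which is broader than the single unit mdadm plausibly needs, and the changelog line "Cleanup raid.te" does not explain it. A comment above the call naming the service it is for would let a later pass swap in a per-unit-type interface when one is available. The mdadm_t block starts and ends outside this hunk.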
@@ -83864,10 +84092,10 @@ index c6aaac7..a5600a8 100644
sysnet_dns_name_resolve(svnserve_t)
diff --git a/swift.fc b/swift.fc
new file mode 100644
-index 0000000..e5433ad
+index 0000000..744f0ce
--- /dev/null
+++ b/swift.fc
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,29 @@
+/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
@@ -83887,7 +84115,8 @@ index 0000000..e5433ad
+
+/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
+
-+/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0)
++/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0)
++/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)
+
+# This seems to be a de-facto standard when using swift.
+/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
@@ -84027,10 +84256,10 @@ index 0000000..015c2c9
+')
diff --git a/swift.te b/swift.te
new file mode 100644
-index 0000000..39f1ca1
+index 0000000..c7b2bf6
--- /dev/null
+++ b/swift.te
-@@ -0,0 +1,53 @@
+@@ -0,0 +1,69 @@
+policy_module(swift, 1.0.0)
+
+########################################
@@ -84042,6 +84271,9 @@ index 0000000..39f1ca1
+type swift_exec_t;
+init_daemon_domain(swift_t, swift_exec_t)
+
++type swift_var_cache_t;
++files_type(swift_var_cache_t)
++
+type swift_var_run_t;
+files_pid_file(swift_var_run_t)
+
@@ -84056,10 +84288,18 @@ index 0000000..39f1ca1
+# swift local policy
+#
+
++allow swift_t self:process signal;
++
+allow swift_t self:fifo_file rw_fifo_file_perms;
++allow swift_t self:tcp_socket create_stream_socket_perms;
+allow swift_t self:unix_stream_socket create_stream_socket_perms;
+allow swift_t self:unix_dgram_socket create_socket_perms;
+
++manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
++manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
++manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
++files_var_filetrans(swift_t,swift_var_cache_t, { dir file })
++
+manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
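Review bot: `files_var_filetrans(swift_t,swift_var_cache_t, { dir file })` fires for anything swift_t creates in any directory of the generic var type, which covers /var/cache but also /var itself and other unlabelled /var subtrees, so every such new dir or file would get swift_var_cache_t. If this policy base supports the optional name argument, `files_var_filetrans(swift_t, swift_var_cache_t, dir, "swift")` pins it to the one entry the changelog describes; otherwise a comment noting the broad match would help the next reader. The missing space after `swift_t,` is also out of step with the rest of the file.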
@@ -84072,6 +84312,7 @@ index 0000000..39f1ca1
+
+kernel_dgram_send(swift_t)
+kernel_read_system_state(swift_t)
++kernel_read_network_state(swift_t)
+
+corecmd_exec_shell(swift_t)
+
@@ -84079,11 +84320,15 @@ index 0000000..39f1ca1
+
+domain_use_interactive_fds(swift_t)
+
++files_dontaudit_search_home(swift_t)
++
+auth_use_nsswitch(swift_t)
+
+libs_exec_ldconfig(swift_t)
+
+logging_send_syslog_msg(swift_t)
++
++userdom_dontaudit_search_user_home_dirs(swift_t)
diff --git a/swift_alias.fc b/swift_alias.fc
new file mode 100644
index 0000000..b7db254
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ba44369..c6decf8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 71%{?dist}
+Release: 72%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Aug 23 2013 Miroslav Grepl 3.12.1-72
+- Fix collectd_t can read /etc/passwd file
+- Fix lsm.if summary
+- Add policy for lsmd
+- Cleanup raid.te
+- Add support for abrt-upload-watch
+- Dontaudit access check on cert_t for httpd_t
+- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
+- Allow glusterd to read domains state
+- Allow swift to crete cache dirs with correct labeling
+- Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh
+- Add support for .Xauthority-n
+
* Tue Aug 20 2013 Miroslav Grepl 3.12.1-71
- Allow boinc to connect to @/tmp/.X11-unix/X0
- Allow beam.smp to connect to tcp/5984