From 93ea6d11ab8ad47f9ef8f70d7c51e03945a55961 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 20 2014 15:42:41 +0000 Subject: * Wed Aug 20 2014 Lukas Vrabec 3.12.1-181 - Allow docker lots more access. - Added interface kernel_dontaudit_setsched - Added interface kernel_signull - Allow qpid to read passwd files BZ (#1130086) - Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter. - Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot. - geoclue needs to connect to http and http_cache ports --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 4ceed02..fdd54a6 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -17370,10 +17370,60 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..4a102cb 100644 +index 649e458..847133d 100644 --- a/policy/modules/kernel/kernel.if 
+++ b/policy/modules/kernel/kernel.if -@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` +@@ -126,6 +126,24 @@ interface(`kernel_setsched',` + + ######################################## + ## ++## Dontaudit attempts to set the priority of kernel threads. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_dontaudit_setsched',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ dontaudit $1 kernel_t:process setsched; ++') ++ ++######################################## ++## + ## Send a SIGCHLD signal to kernel threads. + ## + ## +@@ -180,6 +198,24 @@ interface(`kernel_signal',` + + ######################################## + ## ++## Send signull to kernel threads. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_signull',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:process signull; ++') ++ ++######################################## ++## + ## Allows the kernel to share state information with + ## the caller. + ## +@@ -286,7 +322,7 @@ interface(`kernel_rw_unix_dgram_sockets',` type kernel_t; ') @@ -17382,7 +17432,7 @@ index 649e458..4a102cb 100644 ') ######################################## -@@ -762,8 +762,8 @@ interface(`kernel_manage_debugfs',` +@@ -762,8 +798,8 @@ interface(`kernel_manage_debugfs',` ') manage_files_pattern($1, debugfs_t, debugfs_t) @@ -17392,7 +17442,7 @@ index 649e458..4a102cb 100644 ') ######################################## -@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',` +@@ -786,6 +822,24 @@ interface(`kernel_mount_kvmfs',` ######################################## ## @@ -17417,7 +17467,7 @@ index 649e458..4a102cb 100644 ## Unmount the proc filesystem. ## ## -@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',` +@@ -804,6 +858,24 @@ interface(`kernel_unmount_proc',` ######################################## ## 
@@ -17442,7 +17492,7 @@ index 649e458..4a102cb 100644 ## Get the attributes of the proc filesystem. ## ## -@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',` +@@ -991,13 +1063,10 @@ interface(`kernel_read_proc_symlinks',` # interface(`kernel_read_system_state',` gen_require(` @@ -17458,7 +17508,7 @@ index 649e458..4a102cb 100644 ') ######################################## -@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',` +@@ -1025,6 +1094,25 @@ interface(`kernel_write_proc_files',` ######################################## ## @@ -17484,7 +17534,7 @@ index 649e458..4a102cb 100644 ## Do not audit attempts by caller to ## read system state information in proc. ## -@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',` +@@ -1208,6 +1296,25 @@ interface(`kernel_read_messages',` ######################################## ## @@ -17510,7 +17560,32 @@ index 649e458..4a102cb 100644 ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). ## -@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1458,6 +1565,24 @@ interface(`kernel_list_all_proc',` + + ######################################## + ## ++## Allow attempts to mounton all proc directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_all_proc',` ++ gen_require(` ++ attribute proc_type; ++ ') ++ ++ allow $1 proc_type:dir mounton; ++') ++ ++######################################## ++## + ## Do not audit attempts to list all proc directories. + ## + ## +@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -17535,7 +17610,7 @@ index 649e458..4a102cb 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1672,7 +1761,7 @@ interface(`kernel_read_net_sysctls',` +@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) 
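Review bot: The summary of the new kernel_mounton_all_proc interface, "Allow attempts to mounton all proc directories.", reads like a dontaudit description and does not state the scope of the grant; `allow $1 proc_type:dir mounton;` covers every directory carrying the proc_type attribute, so the summary should say so, e.g. `## Mount on any proc directory (all proc_type types); an overmount hides the underlying proc entries from the caller's view.` The same applies to kernel_mounton_all_sysctls in the following hunk, which grants `mounton` on every sysctl_type directory. Both interfaces are consumed by docker.te in this commit, so a consumer-facing note on the breadth is worth having. Placement is also inconsistent: the proc interface is inserted before kernel_dontaudit_list_all_proc, while the sysctl one is appended after kernel_dontaudit_list_all_sysctls.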
@@ -17544,7 +17619,7 @@ index 649e458..4a102cb 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1693,7 +1782,7 @@ interface(`kernel_rw_net_sysctls',` +@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',` ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -17553,7 +17628,7 @@ index 649e458..4a102cb 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1715,7 +1804,6 @@ interface(`kernel_read_unix_sysctls',` +@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) @@ -17561,16 +17636,37 @@ index 649e458..4a102cb 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -2085,7 +2173,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,9 +2227,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; - dontaudit $1 sysctl_type:file getattr; + dontaudit $1 sysctl_type:file read_file_perms; ++') ++ ++######################################## ++## ++## Allow attempts to mounton all sysctl directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_all_sysctls',` ++ gen_require(` ++ attribute sysctl_type; ++ ') ++ ++ allow $1 sysctl_type:dir mounton; ') ++ ######################################## -@@ -2282,6 +2370,25 @@ interface(`kernel_list_unlabeled',` + ## + ## Allow caller to read all sysctls. +@@ -2282,6 +2443,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -17596,7 +17692,7 @@ index 649e458..4a102cb 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2413,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2486,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## 
@@ -17605,7 +17701,7 @@ index 649e458..4a102cb 100644 ## ## # -@@ -2488,6 +2595,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2668,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -17630,7 +17726,7 @@ index 649e458..4a102cb 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2650,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2723,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -17655,7 +17751,7 @@ index 649e458..4a102cb 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2632,7 +2775,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2632,7 +2848,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -17664,7 +17760,7 @@ index 649e458..4a102cb 100644 ') ######################################## -@@ -2670,6 +2813,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2670,6 +2886,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -17689,7 +17785,7 @@ index 649e458..4a102cb 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2697,6 +2858,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2697,6 +2931,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -17715,7 +17811,7 @@ index 649e458..4a102cb 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2806,6 +2986,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2806,6 +3059,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') 
@@ -17749,7 +17845,7 @@ index 649e458..4a102cb 100644 ######################################## ## -@@ -2961,6 +3168,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2961,6 +3241,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -17774,7 +17870,7 @@ index 649e458..4a102cb 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2975,5 +3200,300 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3273,300 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 3cc1787..c361d6e 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -4988,7 +4988,7 @@ index 83e899c..9426db5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..d2693f8 100644 +index 1a82e29..0cbe4c8 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,381 @@ @@ -5694,7 +5694,7 @@ index 1a82e29..d2693f8 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +567,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +567,173 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5778,6 +5778,7 @@ index 1a82e29..d2693f8 100644 +files_exec_usr_files(httpd_t) files_list_mnt(httpd_t) +files_read_mnt_symlinks(httpd_t) ++files_search_all(httpd_t) files_search_spool(httpd_t) files_read_var_symlinks(httpd_t) files_read_var_lib_files(httpd_t) 
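Review bot: `files_search_all(httpd_t)` widens httpd_t with search on the directories of every file type (as the interface name indicates), and neither the commit message nor the hunk says which path needed it. For a network-facing domain a comment naming the use case is the minimum, e.g. `# needed to reach <TODO: path>`, and a more specific `files_search_*` interface would be preferable if the need is a single directory tree. The surrounding lines are the httpd_t files_* block; the rest of the apache.te policy is outside the hunk.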
@@ -5932,7 +5933,7 @@ index 1a82e29..d2693f8 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +743,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +744,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5992,7 +5993,7 @@ index 1a82e29..d2693f8 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +795,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +796,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6083,7 +6084,7 @@ index 1a82e29..d2693f8 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +842,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +843,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6164,7 +6165,7 @@ index 1a82e29..d2693f8 100644 ') optional_policy(` -@@ -744,24 +895,32 @@ optional_policy(` +@@ -744,24 +896,32 @@ optional_policy(` ') optional_policy(` @@ -6203,7 +6204,7 @@ index 1a82e29..d2693f8 100644 ') optional_policy(` -@@ -770,6 +929,10 @@ optional_policy(` +@@ -770,6 +930,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6214,7 +6215,7 @@ index 1a82e29..d2693f8 100644 ') optional_policy(` -@@ -781,34 +944,58 @@ optional_policy(` +@@ -781,34 +945,58 @@ optional_policy(` ') optional_policy(` @@ -6284,7 +6285,7 @@ index 1a82e29..d2693f8 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +1003,18 @@ optional_policy(` +@@ -816,8 +1004,18 @@ optional_policy(` ') optional_policy(` @@ -6303,7 +6304,7 @@ index 1a82e29..d2693f8 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +1023,7 @@ optional_policy(` +@@ -826,6 +1024,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) 
@@ -6311,7 +6312,7 @@ index 1a82e29..d2693f8 100644 ') optional_policy(` -@@ -836,20 +1034,40 @@ optional_policy(` +@@ -836,20 +1035,40 @@ optional_policy(` ') optional_policy(` @@ -6358,7 +6359,7 @@ index 1a82e29..d2693f8 100644 ') optional_policy(` -@@ -857,19 +1075,35 @@ optional_policy(` +@@ -857,19 +1076,35 @@ optional_policy(` ') optional_policy(` @@ -6394,7 +6395,7 @@ index 1a82e29..d2693f8 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1111,173 @@ optional_policy(` +@@ -877,65 +1112,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6590,7 +6591,7 @@ index 1a82e29..d2693f8 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1286,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1287,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6745,7 +6746,7 @@ index 1a82e29..d2693f8 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1370,106 @@ optional_policy(` +@@ -1077,172 +1371,106 @@ optional_policy(` ') ') @@ -6982,7 +6983,7 @@ index 1a82e29..d2693f8 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1477,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1478,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7079,7 +7080,7 @@ index 1a82e29..d2693f8 100644 ######################################## # -@@ -1315,8 +1552,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1553,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7096,7 +7097,7 @@ index 1a82e29..d2693f8 100644 ') ######################################## -@@ -1324,49 +1568,38 @@ optional_policy(` +@@ -1324,49 +1569,38 @@ optional_policy(` # User content local policy # 
@@ -7161,7 +7162,7 @@ index 1a82e29..d2693f8 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1609,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1610,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -24262,10 +24263,10 @@ index 0000000..683dfdc +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..342d8bf +index 0000000..2f0fa26 --- /dev/null +++ b/docker.te -@@ -0,0 +1,277 @@ +@@ -0,0 +1,279 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -24374,7 +24375,7 @@ index 0000000..342d8bf +manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) +files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file }) + -+allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; ++allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms }; +term_create_pty(docker_t, docker_devpts_t) + +kernel_read_system_state(docker_t) @@ -24457,6 +24458,8 @@ index 0000000..342d8bf +kernel_get_sysvipc_info(docker_t) +kernel_request_load_module(docker_t) +kernel_mounton_messages(docker_t) ++kernel_mounton_all_proc(docker_t) ++kernel_mounton_all_sysctls(docker_t) + +dev_getattr_all_blk_files(docker_t) +dev_getattr_sysfs_fs(docker_t) @@ -28896,10 +28899,10 @@ index 0000000..9e17d3e +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..d809c15 +index 0000000..b9d0b86 --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,54 @@ +@@ -0,0 +1,55 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -28938,6 +28941,7 @@ index 0000000..d809c15 +auth_read_passwd(geoclue_t) + +corenet_tcp_connect_http_port(geoclue_t) ++corenet_tcp_connect_http_cache_port(geoclue_t) + +corecmd_exec_bin(geoclue_t) + @@ -48639,7 +48643,7 @@ index ed81cac..837a43a 100644 + mta_filetrans_admin_home_content($1) +') 
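Review bot: `relabelfrom` is added to the docker_devpts_t:chr_file rule without a corresponding relabelto target anywhere in this hunk, so this rule alone cannot complete a relabel; either the matching rule lives elsewhere in docker.te or the change is incomplete. A comment stating the target would make that checkable, e.g. `# relabelfrom pairs with the relabelto granted by <TODO: interface>`. The later docker.te hunk adds `kernel_mounton_all_proc(docker_t)` and `kernel_mounton_all_sysctls(docker_t)`, which let docker_t overmount any proc or sysctl directory; since the changelog only says "Allow docker lots more access.", a short comment naming the container operation that requires this (presumably masking of proc paths inside containers — confirm) would document the risk being accepted.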
diff --git a/mta.te b/mta.te -index afd2fad..2bd8062 100644 +index afd2fad..00557d0 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ @@ -48926,7 +48930,7 @@ index afd2fad..2bd8062 100644 ') optional_policy(` -@@ -264,10 +161,16 @@ optional_policy(` +@@ -264,10 +161,17 @@ optional_policy(` ') optional_policy(` @@ -48940,10 +48944,11 @@ index afd2fad..2bd8062 100644 +') + +optional_policy(` ++ nagios_append_spool(system_mail_t) nagios_read_tmp_files(system_mail_t) ') -@@ -278,6 +181,19 @@ optional_policy(` +@@ -278,6 +182,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -48963,7 +48968,7 @@ index afd2fad..2bd8062 100644 ') optional_policy(` -@@ -293,42 +209,36 @@ optional_policy(` +@@ -293,42 +210,36 @@ optional_policy(` ') optional_policy(` @@ -49016,7 +49021,7 @@ index afd2fad..2bd8062 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -337,40 +247,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -337,40 +248,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -49065,7 +49070,7 @@ index afd2fad..2bd8062 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -378,6 +274,17 @@ optional_policy(` +@@ -378,6 +275,17 @@ optional_policy(` ') optional_policy(` @@ -49083,7 +49088,7 @@ index afd2fad..2bd8062 100644 postfix_rw_inherited_master_pipes(mailserver_delivery) ') -@@ -387,24 +294,177 @@ optional_policy(` +@@ -387,24 +295,177 @@ optional_policy(` ######################################## # 
@@ -51168,7 +51173,7 @@ index d78dfc3..1c81436 100644 -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) diff --git a/nagios.if b/nagios.if -index 0641e97..d7d9a79 100644 +index 0641e97..cad402c 100644 --- a/nagios.if +++ b/nagios.if @@ -1,12 +1,13 @@ @@ -51273,13 +51278,32 @@ index 0641e97..d7d9a79 100644 ## ## ## -@@ -132,13 +125,14 @@ interface(`nagios_search_spool',` +@@ -132,13 +125,33 @@ interface(`nagios_search_spool',` type nagios_spool_t; ') - files_search_spool($1) allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) ++') ++ ++######################################## ++## ++## Append nagios spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_append_spool',` ++ gen_require(` ++ type nagios_spool_t; ++ ') ++ ++ allow $1 nagios_spool_t:file append_file_perms; ++ files_search_spool($1) ') ######################################## @@ -51290,17 +51314,18 @@ index 0641e97..d7d9a79 100644 ## ## ## -@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',` +@@ -151,13 +164,34 @@ interface(`nagios_read_tmp_files',` type nagios_tmp_t; ') - files_search_tmp($1) allow $1 nagios_tmp_t:file read_file_perms; + files_search_tmp($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute nrpe with a domain transition. +## Allow the specified domain to read +## nagios temporary files. +## @@ -51317,17 +51342,16 @@ index 0641e97..d7d9a79 100644 + + allow $1 nagios_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) - ') - - ######################################## - ## --## Execute nrpe with a domain transition. ++') ++ ++######################################## ++## +## Execute the nagios NRPE with +## a domain transition. ## ## ## -@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',` +@@ -170,14 +204,13 @@ interface(`nagios_domtrans_nrpe',` type nrpe_t, nrpe_exec_t; ') 
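Review bot: nagios_append_spool grants `allow $1 nagios_spool_t:file append_file_perms;`, which covers every file labelled nagios_spool_t, whereas the commit message states the need as appending /var/spool/nagios/dead.letter only. If only that file is intended, the summary should at least say the grant is type-wide (`## Append all nagios spool files (type nagios_spool_t).`), or the access should be narrowed to a dedicated type for dead.letter. The caller is added in mta.te as `nagios_append_spool(system_mail_t)` inside the nagios optional_policy block, which is consistent with the existing nagios_read_tmp_files call there.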
@@ -51344,7 +51368,7 @@ index 0641e97..d7d9a79 100644 ## ## ## -@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',` +@@ -186,44 +219,43 @@ interface(`nagios_domtrans_nrpe',` ## ## ## @@ -53614,10 +53638,10 @@ index 0000000..d6de5b6 +/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) diff --git a/nova.if b/nova.if new file mode 100644 -index 0000000..28936b4 +index 0000000..ce897e2 --- /dev/null +++ b/nova.if -@@ -0,0 +1,57 @@ +@@ -0,0 +1,59 @@ +## openstack-nova + +###################################### @@ -53667,7 +53691,9 @@ index 0000000..28936b4 + + manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) + manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) -+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir }) ++ manage_lnk_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) ++ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir }) ++ fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir }) + can_exec(nova_$1_t, nova_$1_tmp_t) + + kernel_read_system_state(nova_$1_t) @@ -74248,7 +74274,7 @@ index cd51b96..f7e9c70 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 76f5b39..8bb80a2 100644 +index 76f5b39..f7670b2 100644 --- a/qpid.te +++ b/qpid.te @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) @@ -74261,7 +74287,7 @@ index 76f5b39..8bb80a2 100644 type qpidd_tmpfs_t; files_tmpfs_file(qpidd_tmpfs_t) -@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms; +@@ -33,41 +36,54 @@ allow qpidd_t self:shm create_shm_perms; allow qpidd_t self:tcp_socket { accept listen }; allow qpidd_t self:unix_stream_socket { accept listen }; @@ -74288,6 +74314,8 @@ index 76f5b39..8bb80a2 100644 kernel_read_system_state(qpidd_t) -corenet_all_recvfrom_unlabeled(qpidd_t) ++auth_read_passwd(qpidd_t) ++ corenet_all_recvfrom_netlabel(qpidd_t) +corenet_tcp_bind_generic_node(qpidd_t) corenet_tcp_sendrecv_generic_if(qpidd_t) 
@@ -75953,7 +75981,7 @@ index 951db7f..c0cabe8 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") ') diff --git a/raid.te b/raid.te -index 2c1730b..aa0ff54 100644 +index 2c1730b..fe05f23 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,18 @@ role mdadm_roles types mdadm_t; @@ -75975,7 +76003,7 @@ index 2c1730b..aa0ff54 100644 type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) dev_associate(mdadm_var_run_t) -@@ -25,43 +37,68 @@ dev_associate(mdadm_var_run_t) +@@ -25,43 +37,72 @@ dev_associate(mdadm_var_run_t) # allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; @@ -76015,6 +76043,10 @@ index 2c1730b..aa0ff54 100644 kernel_request_load_module(mdadm_t) kernel_rw_software_raid_state(mdadm_t) +kernel_setsched(mdadm_t) ++kernel_dontaudit_setsched(mdadm_t) ++kernel_signal(mdadm_t) ++kernel_signull(mdadm_t) ++kernel_stream_connect(mdadm_t) corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) @@ -76053,7 +76085,7 @@ index 2c1730b..aa0ff54 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +107,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +111,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -76075,7 +76107,7 @@ index 2c1730b..aa0ff54 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -89,17 +131,38 @@ optional_policy(` +@@ -89,17 +135,38 @@ optional_policy(` ') optional_policy(` @@ -101169,7 +101201,7 @@ index c30da4c..9ccc90c 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..d179539 100644 +index 9dec06c..c43ef2e 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ 
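Review bot: `kernel_dontaudit_setsched(mdadm_t)` is added directly after the existing `kernel_setsched(mdadm_t)`; a dontaudit only suppresses denials, and assuming kernel_setsched is the plain allow its name indicates, the setsched access never denies for mdadm_t, so the new call has no effect and should be dropped (or the allow removed if the intent was to silence rather than grant). The hunk also adds `kernel_signal(mdadm_t)` and `kernel_stream_connect(mdadm_t)`, neither of which the commit message mentions — only signull is explained by the early-boot note; a one-line comment on why mdadm signals and connects to kernel_t would make those grants reviewable.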
@@ -102218,7 +102250,7 @@ index 9dec06c..d179539 100644 ## ## ## -@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',` +@@ -860,74 +695,266 @@ interface(`virt_read_lib_files',` ## ## # @@ -102367,6 +102399,7 @@ index 9dec06c..d179539 100644 + manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) + manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) + manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto }; +') + +####################################### @@ -102506,7 +102539,7 @@ index 9dec06c..d179539 100644 ## ## ## -@@ -935,19 +961,17 @@ interface(`virt_read_log',` +@@ -935,19 +962,17 @@ interface(`virt_read_log',` ## ## # @@ -102530,7 +102563,7 @@ index 9dec06c..d179539 100644 ## ## ## -@@ -955,20 +979,17 @@ interface(`virt_append_log',` +@@ -955,20 +980,17 @@ interface(`virt_append_log',` ## ## # @@ -102555,7 +102588,7 @@ index 9dec06c..d179539 100644 ## ## ## -@@ -976,18 +997,17 @@ interface(`virt_manage_log',` +@@ -976,18 +998,17 @@ interface(`virt_manage_log',` ## ## # @@ -102578,7 +102611,7 @@ index 9dec06c..d179539 100644 ## ## ## -@@ -995,36 +1015,57 @@ interface(`virt_search_images',` +@@ -995,36 +1016,57 @@ interface(`virt_search_images',` ## ## # @@ -102655,7 +102688,7 @@ index 9dec06c..d179539 100644 ## ## ## -@@ -1032,20 +1073,28 @@ interface(`virt_read_images',` +@@ -1032,20 +1074,28 @@ interface(`virt_read_images',` ## ## # @@ -102691,7 +102724,7 @@ index 9dec06c..d179539 100644 ## ## ## -@@ -1053,37 +1102,133 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,37 +1103,133 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -102839,7 +102872,7 @@ index 9dec06c..d179539 100644 ## ## ## -@@ -1091,36 +1236,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1237,54 @@ interface(`virt_manage_virt_cache',` ## ## # 
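Review bot: The new `allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto };` sits inside an interface whose header and summary are outside the hunk, so the summary cannot be checked for a mention of relabeling; an interface that also grants relabelfrom/relabelto alongside manage_*_pattern should say so, e.g. `## Manage and relabel (relabelfrom/relabelto) svirt sandbox content.` Granting both permissions on the same type lets the caller change the non-type parts of a sandbox file's context (presumably the MCS categories — confirm), which is a larger grant than the manage lines above it. The enclosing interface starts outside the hunk.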
@@ -102913,7 +102946,7 @@ index 9dec06c..d179539 100644 ## ## ## -@@ -1136,50 +1299,53 @@ interface(`virt_manage_images',` +@@ -1136,50 +1300,53 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index c83599c..b196087 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 180%{?dist} +Release: 181%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Aug 20 2014 Lukas Vrabec 3.12.1-181 +- Allow docker lots more access. +- Added interface kernel_dontaudit_setsched +- Added interface kernel_signull +- Allow qpid to read passwd files BZ (#1130086) +- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter. +- Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot. +- geoclue needs to connect to http and http_cache ports + * Tue Aug 12 2014 Lukas Vrabec 3.12.1-180 - label /usr/libexec/cockpit-agent as shell_exec_t - sysadm_t should be allowed to communicate with networkmanager