++##
++## Determine whether neutron can
++## connect to all TCP ports
++##
++##
++gen_tunable(neutron_can_network, false)
-type quantum_initrc_exec_t;
-init_script_file(quantum_initrc_exec_t)
-+type neutron_initrc_exec_t alias quantum_initrc_exec_t;
-+init_script_file(neutron_initrc_exec_t)
++type neutron_t alias quantum_t;
++type neutron_exec_t alias quantum_exec_t;
++init_daemon_domain(neutron_t, neutron_exec_t)
-type quantum_log_t;
-logging_log_file(quantum_log_t)
-+type neutron_log_t alias quantum_log_t;
-+logging_log_file(neutron_log_t)
++type neutron_initrc_exec_t alias quantum_initrc_exec_t;
++init_script_file(neutron_initrc_exec_t)
-type quantum_tmp_t;
-files_tmp_file(quantum_tmp_t)
-+type neutron_tmp_t alias quantum_tmp_t;
-+files_tmp_file(neutron_tmp_t)
++type neutron_log_t alias quantum_log_t;
++logging_log_file(neutron_log_t)
-type quantum_var_lib_t;
-files_type(quantum_var_lib_t)
++type neutron_tmp_t alias quantum_tmp_t;
++files_tmp_file(neutron_tmp_t)
++
+type neutron_var_lib_t alias quantum_var_lib_t;
+files_type(neutron_var_lib_t)
+
@@ -74259,6 +74536,43 @@ index 769d1fd..ad29df7 100644
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
+-
+-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-logging_log_filetrans(quantum_t, quantum_log_t, dir)
+-
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+-
+-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+-
+-can_exec(quantum_t, quantum_tmp_t)
+-
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
+-
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
+-
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
+-
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
+-
+-files_read_usr_files(quantum_t)
+-
+-auth_use_nsswitch(quantum_t)
+-
+-libs_exec_ldconfig(quantum_t)
+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
@@ -74285,76 +74599,50 @@ index 769d1fd..ad29df7 100644
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
-
--manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
--append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--logging_log_filetrans(quantum_t, quantum_log_t, dir)
++
+can_exec(neutron_t, neutron_tmp_t)
-
--manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
--files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++
+kernel_read_system_state(neutron_t)
+kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
+kernel_rw_kernel_sysctl(neutron_t)
+kernel_rw_net_sysctls(neutron_t)
-
--manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
++
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
-
--can_exec(quantum_t, quantum_tmp_t)
++
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
+corenet_tcp_sendrecv_generic_node(neutron_t)
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
-
--kernel_read_kernel_sysctls(quantum_t)
--kernel_read_system_state(quantum_t)
++
+corenet_tcp_bind_neutron_port(neutron_t)
++corenet_tcp_connect_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
++corenet_tcp_connect_commplex_main_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
-
--corecmd_exec_shell(quantum_t)
--corecmd_exec_bin(quantum_t)
++
+domain_read_all_domains_state(neutron_t)
+domain_named_filetrans(neutron_t)
-
--corenet_all_recvfrom_unlabeled(quantum_t)
--corenet_all_recvfrom_netlabel(quantum_t)
--corenet_tcp_sendrecv_generic_if(quantum_t)
--corenet_tcp_sendrecv_generic_node(quantum_t)
--corenet_tcp_sendrecv_all_ports(quantum_t)
--corenet_tcp_bind_generic_node(quantum_t)
++
+dev_read_sysfs(neutron_t)
+dev_read_urand(neutron_t)
+dev_mounton_sysfs(neutron_t)
+dev_mount_sysfs_fs(neutron_t)
+dev_unmount_sysfs_fs(neutron_t)
-
--dev_list_sysfs(quantum_t)
--dev_read_urand(quantum_t)
++
+files_mounton_non_security(neutron_t)
-
--files_read_usr_files(quantum_t)
++
+fs_getattr_all_fs(neutron_t)
-
--auth_use_nsswitch(quantum_t)
++
+auth_use_nsswitch(neutron_t)
-
--libs_exec_ldconfig(quantum_t)
++
+libs_exec_ldconfig(neutron_t)
-
--logging_send_audit_msgs(quantum_t)
--logging_send_syslog_msg(quantum_t)
++
+logging_send_audit_msgs(neutron_t)
+logging_send_syslog_msg(neutron_t)
+
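Review bot: The new `corenet_tcp_connect_commplex_main_port(neutron_t)` line carries no comment saying what neutron talks to on that port, and `commplex_main_port_t` is a generic label (the IANA commplex-main service, tcp/udp 5000) rather than an OpenStack-specific one, so a maintainer cannot tell from the rule whether it is still needed or whether a tighter label exists. Presumably it is for the keystone public API on 5000, if `keystone_port_t` only covers the admin endpoint — confirm against the deployment. Suggest `# keystone public API (tcp/5000) is labeled commplex_main_port_t` above the line, and if that is the reason, consider giving the port an OpenStack-specific label instead of granting neutron_t access to everything else labeled commplex_main. The neutron_t rule block continues outside this hunk.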
@@ -74365,6 +74653,14 @@ index 769d1fd..ad29df7 100644
+sysnet_manage_ifconfig_run(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
+
++tunable_policy(`neutron_can_network',`
++ corenet_sendrecv_all_client_packets(neutron_t)
++ corenet_tcp_connect_all_ports(neutron_t)
++ corenet_tcp_sendrecv_all_ports(neutron_t)
++')
+
+-logging_send_audit_msgs(quantum_t)
+-logging_send_syslog_msg(quantum_t)
+optional_policy(`
+ brctl_domtrans(neutron_t)
+')
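Review bot: `corenet_tcp_sendrecv_all_ports(neutron_t)` inside the new `neutron_can_network` tunable is redundant and misleading: the same interface is already called unconditionally for neutron_t earlier in this file (the context line `corenet_tcp_sendrecv_all_ports(neutron_t)` in the preceding hunk), so turning the boolean off does not withdraw that permission. Either drop the line from the tunable block or move the unconditional call into it, so the boolean actually bounds what its header comment ("connect to all TCP ports") promises. Defaulting the tunable to `false` is the right call; the header comment could also say what an admin gains by enabling it, e.g. `## Enable only for neutron plugins that must reach services on ports not listed in this policy.` — hedged, since the plugin requirements are not visible here.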
@@ -95078,10 +95374,10 @@ index c6aaac7..84cdcac 100644
sysnet_dns_name_resolve(svnserve_t)
diff --git a/swift.fc b/swift.fc
new file mode 100644
-index 0000000..d9a58dc
+index 0000000..7e59e7e
--- /dev/null
+++ b/swift.fc
-@@ -0,0 +1,31 @@
+@@ -0,0 +1,33 @@
+/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
@@ -95100,6 +95396,8 @@ index 0000000..d9a58dc
+/usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0)
+
++/usr/bin/swift-proxy-server -- gen_context(system_u:object_r:swift_exec_t,s0)
++
+/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
+
+/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0)
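Review bot: `/usr/bin/swift-proxy-server` is labeled `swift_exec_t`, which puts the client-facing proxy into the same `swift_t` domain as the account/container/object back-end daemons listed above it, so a compromise of the proxy inherits everything granted to the storage servers (including `corecmd_exec_shell`, `corecmd_exec_bin` and `rpm_exec` in swift.te further down this diff). If a separate proxy domain is out of scope for this change, a comment at this line recording the deliberate choice would help, e.g. `# proxy shares swift_t with the storage daemons; split it out if the proxy is exposed directly`. Whether the proxy is network-exposed in the target deployments is not visible from this diff.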
@@ -95276,10 +95574,10 @@ index 0000000..6a1f575
+')
diff --git a/swift.te b/swift.te
new file mode 100644
-index 0000000..d3fe02a
+index 0000000..3d21c49
--- /dev/null
+++ b/swift.te
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,126 @@
+policy_module(swift, 1.0.0)
+
+########################################
@@ -95366,9 +95664,12 @@ index 0000000..d3fe02a
+
+# bug in swift
+corenet_tcp_bind_xserver_port(swift_t)
++
++corenet_tcp_bind_swift_port(swift_t)
+corenet_tcp_bind_http_cache_port(swift_t)
+
+corenet_tcp_connect_xserver_port(swift_t)
++corenet_tcp_connect_swift_port(swift_t)
+
+corecmd_exec_shell(swift_t)
+corecmd_exec_bin(swift_t)
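Review bot: The new `corenet_tcp_bind_swift_port(swift_t)` sits next to `corenet_tcp_bind_xserver_port(swift_t)`, which is still justified only by `# bug in swift`; now that a dedicated `swift_port_t` exists, that comment should state which swift listener still lands in the xserver range (presumably the default 6000–6002 object/container/account ports, which fall inside `xserver_port_t`) so a future maintainer knows when the xserver rule can be dropped, e.g. `# swift defaults to 6000-6002, which is xserver_port_t; swift_port_t covers the relabeled ports`. Confirm the port range `swift_port_t` is defined with, since its corenetwork definition is not in this diff. The swift_t rule block continues on both sides of this hunk.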
@@ -95396,6 +95697,10 @@ index 0000000..d3fe02a
+')
+
+optional_policy(`
++ apache_search_config(swift_t)
++')
++
++optional_policy(`
+ rpm_exec(swift_t)
+ rpm_dontaudit_manage_db(swift_t)
+')
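Review bot: `apache_search_config(swift_t)` grants only directory search on `httpd_config_t`, and nothing in this hunk says why swift needs to traverse the Apache configuration tree; a why-comment would keep the next maintainer from widening it to `apache_read_config` blindly or dropping it as stale, e.g. `# swift-proxy under mod_wsgi traverses /etc/httpd/ — confirm which path`. If swift actually reads files under that tree, search alone will still leave the file read denied and the AVC will recur.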
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 233422d..88856be 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 173%{?dist}
+Release: 174%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jun 26 2014 Miroslav Grepl