diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index d584c58..62763f2 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2470,5 +2470,11 @@ bacula = module
#
# rhnsd policy
#
-
rhnsd = module
+
+# Layer: contrib
+# Module: gear
+#
+# gear policy
+#
+gear = module
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 3ce9971..c0669db 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -5597,7 +5597,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..b826766 100644
+index 4edc40d..72e1a41 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5671,7 +5671,7 @@ index 4edc40d..b826766 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -84,54 +107,66 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,54 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5737,6 +5737,8 @@ index 4edc40d..b826766 100644
+network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
++network_port(gear, tcp,43273,s0, udp,43273,s0)
++network_port(gdomap, tcp,538,s0, udp,538,s0)
network_port(gds_db, tcp,3050,s0, udp,3050,s0)
network_port(giftd, tcp,1213,s0)
network_port(git, tcp,9418,s0, udp,9418,s0)
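Review bot: The `++network_port(gdomap, tcp,538,s0, udp,538,s0)` line declares a second new port type that the spec changelog in this diff does not list (only gear is mentioned); as the context above says ports below 1024 are covered by reserved_port_t, any domain that reached 538 through the generic reserved type will now need the gdomap-specific interface, so the changelog entry should name it. The gear line also declares UDP 43273, but the gear.te added later in this diff only calls `corenet_tcp_bind_gear_port(gear_t)` and grants no udp_socket permissions, so either the UDP half is unused or a `corenet_udp_bind_gear_port(gear_t)` line is missing; a comment on the declaration stating which is intended would help. The corenetwork.te.in hunk this line sits in continues outside what is shown here.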
@@ -5746,7 +5748,7 @@ index 4edc40d..b826766 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +174,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +176,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5813,7 +5815,7 @@ index 4edc40d..b826766 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +227,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +229,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5854,7 +5856,7 @@ index 4edc40d..b826766 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -214,51 +266,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,51 +268,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5923,7 +5925,7 @@ index 4edc40d..b826766 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
-@@ -268,10 +328,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +330,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5936,7 +5938,7 @@ index 4edc40d..b826766 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -285,19 +345,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -285,19 +347,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -5963,7 +5965,7 @@ index 4edc40d..b826766 100644
########################################
#
-@@ -330,6 +394,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +396,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5972,7 +5974,7 @@ index 4edc40d..b826766 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -342,9 +408,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +410,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -26296,7 +26298,7 @@ index 6bf0ecc..0d55916 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..e71983d 100644
+index 2696452..173a535 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -26933,7 +26935,7 @@ index 2696452..e71983d 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +688,145 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +688,149 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -27019,6 +27021,10 @@ index 2696452..e71983d 100644
+')
+
+optional_policy(`
++ remotelogin_signull(xdm_t)
++')
++
++optional_policy(`
+ spamassassin_filetrans_home_content(xdm_t)
+ spamassassin_filetrans_admin_home_content(xdm_t)
+')
@@ -27085,7 +27091,7 @@ index 2696452..e71983d 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +840,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +844,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -27112,7 +27118,7 @@ index 2696452..e71983d 100644
')
optional_policy(`
-@@ -514,12 +867,57 @@ optional_policy(`
+@@ -514,12 +871,57 @@ optional_policy(`
')
optional_policy(`
@@ -27170,7 +27176,7 @@ index 2696452..e71983d 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +935,78 @@ optional_policy(`
+@@ -537,28 +939,78 @@ optional_policy(`
')
optional_policy(`
@@ -27258,7 +27264,7 @@ index 2696452..e71983d 100644
')
optional_policy(`
-@@ -570,6 +1018,14 @@ optional_policy(`
+@@ -570,6 +1022,14 @@ optional_policy(`
')
optional_policy(`
@@ -27273,7 +27279,7 @@ index 2696452..e71983d 100644
xfs_stream_connect(xdm_t)
')
-@@ -584,7 +1040,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -584,7 +1044,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -27282,7 +27288,7 @@ index 2696452..e71983d 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -594,8 +1050,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1054,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -27295,7 +27301,7 @@ index 2696452..e71983d 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1067,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1071,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -27311,7 +27317,7 @@ index 2696452..e71983d 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1083,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1087,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -27322,7 +27328,7 @@ index 2696452..e71983d 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1098,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1102,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -27344,7 +27350,7 @@ index 2696452..e71983d 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1118,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1122,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -27358,7 +27364,7 @@ index 2696452..e71983d 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1144,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1148,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -27390,7 +27396,7 @@ index 2696452..e71983d 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1176,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1180,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -27408,7 +27414,7 @@ index 2696452..e71983d 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1199,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1203,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -27432,7 +27438,7 @@ index 2696452..e71983d 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1218,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1222,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -27441,7 +27447,7 @@ index 2696452..e71983d 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1262,44 @@ optional_policy(`
+@@ -775,16 +1266,44 @@ optional_policy(`
')
optional_policy(`
@@ -27487,7 +27493,7 @@ index 2696452..e71983d 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1308,10 @@ optional_policy(`
+@@ -793,6 +1312,10 @@ optional_policy(`
')
optional_policy(`
@@ -27498,7 +27504,7 @@ index 2696452..e71983d 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1327,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1331,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -27512,7 +27518,7 @@ index 2696452..e71983d 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1338,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1342,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -27521,7 +27527,7 @@ index 2696452..e71983d 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1351,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1355,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -27556,7 +27562,7 @@ index 2696452..e71983d 100644
')
optional_policy(`
-@@ -902,7 +1416,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1420,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -27565,7 +27571,7 @@ index 2696452..e71983d 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1470,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1474,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -27597,7 +27603,7 @@ index 2696452..e71983d 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1516,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1520,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index ea17349..e95d9b2 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -23100,10 +23100,10 @@ index 0000000..1c4ac02
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..867fd78
+index 0000000..66fe66d
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,344 @@
+
+## The open-source application container engine.
+
@@ -23386,6 +23386,26 @@ index 0000000..867fd78
+
+########################################
+##
++## Connect to docker over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_stream_connect',`
++ gen_require(`
++ type docker_t, docker_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
++')
++
++
++########################################
++##
+## All of the rules required to administrate
+## an docker environment
+##
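Review bot: The summary `## Connect to docker over a unix stream socket.` on the new `docker_stream_connect` interface understates what it grants: a domain that can `stream_connect` to `docker_var_run_t`/`docker_t` is talking to the daemon's control socket and, to the extent the docker policy outside this hunk allows, can ask the daemon to run containers, which is commonly treated as root-equivalent, so the summary should say the caller becomes able to drive the daemon, e.g. `## Connect to the docker daemon control socket. Callers can drive the daemon and should be treated as highly privileged.`. The two consecutive empty `++` lines before the next `########` separator also break the single-blank-line spacing used elsewhere in docker.if. The only caller added in this diff is gear_t in gear.te.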
@@ -25681,10 +25701,10 @@ index 0872e50..cdea6d0 100644
+ apache_read_log(fail2ban_client_t)
+')
diff --git a/fcoe.te b/fcoe.te
-index 79b9273..6bf3534 100644
+index 79b9273..28dec44 100644
--- a/fcoe.te
+++ b/fcoe.te
-@@ -20,25 +20,27 @@ files_pid_file(fcoemon_var_run_t)
+@@ -20,25 +20,31 @@ files_pid_file(fcoemon_var_run_t)
# Local policy
#
@@ -25716,6 +25736,10 @@ index 79b9273..6bf3534 100644
optional_policy(`
lldpad_dgram_send(fcoemon_t)
')
++
++optional_policy(`
++ networkmanager_dgram_send(fcoemon_t)
++')
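Review bot: `networkmanager_dgram_send(fcoemon_t)` here and `fcoe_dgram_send_fcoemon(NetworkManager_t)` in the networkmanager.te hunk further down are both new interface calls, yet this diff touches neither networkmanager.if nor fcoe.if; if either interface is not already defined in the patched tree, m4 leaves the name unexpanded and the module fails at policy compile, so both definitions are worth confirming. Wrapping the calls in `optional_policy(` only protects against the other module being absent, not against a missing interface. The fcoemon_t local policy block this hunk appends to starts outside the hunk.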
diff --git a/fetchmail.fc b/fetchmail.fc
index 2486e2a..fef9bff 100644
--- a/fetchmail.fc
@@ -27271,6 +27295,413 @@ index fc3b036..10a1bbe 100644
sysnet_read_config(gatekeeper_t)
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+diff --git a/gear.fc b/gear.fc
+new file mode 100644
+index 0000000..5eabf35
+--- /dev/null
++++ b/gear.fc
+@@ -0,0 +1,7 @@
++/usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
++
++/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0)
++
++/var/lib/containers/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
++
++/var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
+diff --git a/gear.if b/gear.if
+new file mode 100644
+index 0000000..04e159f
+--- /dev/null
++++ b/gear.if
+@@ -0,0 +1,288 @@
++
++## The open-source application container engine.
++
++########################################
++##
++## Execute gear in the gear domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gear_domtrans',`
++ gen_require(`
++ type gear_t, gear_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, gear_exec_t, gear_t)
++')
++
++########################################
++##
++## Search gear lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_search_lib',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ allow $1 gear_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Execute gear lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_exec_lib',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ allow $1 gear_var_lib_t:dir search_dir_perms;
++ can_exec($1, gear_var_lib_t)
++')
++
++########################################
++##
++## Read gear lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_read_lib_files',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Manage gear lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_manage_lib_files',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++ manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Manage gear lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_manage_lib_dirs',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Create objects in a gear var lib directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`gear_lib_filetrans',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
++')
++
++########################################
++##
++## Read gear PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_read_pid_files',`
++ gen_require(`
++ type gear_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, gear_var_run_t, gear_var_run_t)
++')
++
++########################################
++##
++## Execute gear server in the gear domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gear_systemctl',`
++ gen_require(`
++ type gear_t;
++ type gear_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 gear_unit_file_t:file read_file_perms;
++ allow $1 gear_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, gear_t)
++')
++
++########################################
++##
++## Read and write gear shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_rw_sem',`
++ gen_require(`
++ type gear_t;
++ ')
++
++ allow $1 gear_t:sem rw_sem_perms;
++')
++
++#######################################
++##
++## Read and write the gear pty type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_use_ptys',`
++ gen_require(`
++ type gear_devpts_t;
++ ')
++
++ allow $1 gear_devpts_t:chr_file rw_term_perms;
++')
++
++#######################################
++##
++## Allow domain to create gear content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_filetrans_named_content',`
++ gen_require(`
++ type gear_var_lib_t;
++ type gear_var_run_t;
++ ')
++
++ files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
++ files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an gear environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_admin',`
++ gen_require(`
++ type gear_t;
++ type gear_var_lib_t, gear_var_run_t;
++ type gear_unit_file_t;
++ type gear_lock_t;
++ type gear_log_t;
++ ')
++
++ allow $1 gear_t:process { ptrace signal_perms };
++ ps_process_pattern($1, gear_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, gear_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, gear_var_run_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, gear_log_t)
++
++ gear_systemctl($1)
++ admin_pattern($1, gear_unit_file_t)
++ allow $1 gear_unit_file_t:service all_service_perms;
++')
+diff --git a/gear.te b/gear.te
+new file mode 100644
+index 0000000..6c32f79
+--- /dev/null
++++ b/gear.te
+@@ -0,0 +1,94 @@
++policy_module(gear, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gear_t;
++type gear_exec_t;
++init_daemon_domain(gear_t, gear_exec_t)
++
++type gear_var_lib_t;
++files_type(gear_var_lib_t)
++
++type gear_log_t;
++logging_log_file(gear_log_t)
++
++type gear_var_run_t;
++files_pid_file(gear_var_run_t)
++
++type gear_unit_file_t;
++systemd_unit_file(gear_unit_file_t)
++
++########################################
++#
++# gear local policy
++#
++allow gear_t self:process { getattr signal_perms };
++allow gear_t self:fifo_file rw_fifo_file_perms;
++allow gear_t self:unix_stream_socket create_stream_socket_perms;
++allow gear_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
++manage_files_pattern(gear_t, gear_log_t, gear_log_t)
++manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
++logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
++
++gear_filetrans_named_content(gear_t)
++
++manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
++
++kernel_read_system_state(gear_t)
++kernel_read_network_state(gear_t)
++kernel_read_all_sysctls(gear_t)
++kernel_rw_net_sysctls(gear_t)
++
++domain_use_interactive_fds(gear_t)
++
++corecmd_exec_bin(gear_t)
++corecmd_exec_shell(gear_t)
++
++corenet_tcp_bind_generic_node(gear_t)
++corenet_tcp_sendrecv_generic_if(gear_t)
++corenet_tcp_sendrecv_generic_node(gear_t)
++corenet_tcp_sendrecv_generic_port(gear_t)
++corenet_tcp_bind_gear_port(gear_t)
++
++files_read_etc_files(gear_t)
++
++fs_read_cgroup_files(gear_t)
++fs_read_tmpfs_symlinks(gear_t)
++
++auth_use_nsswitch(gear_t)
++
++init_read_state(gear_t)
++init_dbus_chat(gear_t)
++
++logging_send_audit_msgs(gear_t)
++logging_send_syslog_msg(gear_t)
++
++miscfiles_read_localization(gear_t)
++
++mount_domtrans(gear_t)
++
++seutil_read_default_contexts(gear_t)
++
++sysnet_dns_name_resolve(gear_t)
++
++systemd_manage_all_unit_files(gear_t)
++
++optional_policy(`
++ docker_stream_connect(gear_t)
++')
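Review bot: `gear_use_ptys` requires `type gear_devpts_t;` and `gear_admin` requires `type gear_lock_t;`, but gear.te in this same hunk declares only gear_t, gear_exec_t, gear_var_lib_t, gear_log_t, gear_var_run_t and gear_unit_file_t, so any module calling either interface will fail to link on the undeclared type (or have its optional_policy block silently disabled); either declare the types in gear.te or drop the require lines (gear_admin never uses gear_lock_t anyway). Several gear.if summaries are stale copy-paste: the file header `## The open-source application container engine.` is docker.if's, `gear_rw_sem` says "shared memory" but grants `sem rw_sem_perms`, and `gear_systemctl` says "Execute gear server in the gear domain" while it grants systemctl and `manage_service_perms` on the unit file. In gear.te, `manage_chr_files_pattern`/`manage_blk_files_pattern` on gear_var_lib_t let gear_t create device nodes under /var/lib/gear, yet no `allow gear_t self:capability mknod;` is granted, so either those rules are dead or the capability is missing; a comment stating which is intended would help. `systemd_manage_all_unit_files(gear_t)` together with `mount_domtrans(gear_t)` lets gear_t rewrite every unit file type on the system, which is close to an unconfined footprint; if gear only needs to write its own container units, scoping that to gear_unit_file_t (already covered by gear_systemctl) would be tighter, and the reason for the broad grant deserves a comment either way.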
diff --git a/gift.te b/gift.te
index 395238e..af76abb 100644
--- a/gift.te
@@ -27366,7 +27797,7 @@ index 1e29af1..6c64f55 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index 93b0301..7db7bdd 100644
+index 93b0301..6acc1f0 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -27440,7 +27871,19 @@ index 93b0301..7db7bdd 100644
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -255,12 +256,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -248,6 +249,11 @@ tunable_policy(`git_cgi_use_nfs',`
+ fs_dontaudit_read_nfs_files(httpd_git_script_t)
+ ')
+
++
++optional_policy(`
++ gitosis_read_lib_files(httpd_git_script_t)
++')
++
+ ########################################
+ #
+ # Git global policy
+@@ -255,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
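Review bot: The added `++optional_policy(` block for `gitosis_read_lib_files(httpd_git_script_t)` is preceded by both the existing blank line and an added empty `++` line, leaving two blank lines where the rest of git.te uses one; drop the extra. The rule grants the cgit CGI domain read access to gitosis lib content unconditionally, whereas the neighbouring home-dir and NFS access in this file sits behind `tunable_policy` booleans; if gitosis_var_lib_t also holds the gitosis admin repository, a short comment on why no boolean guards this would help later reviewers. The tunable_policy block the hunk opens in starts outside the hunk.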
@@ -40890,10 +41333,10 @@ index 0000000..3f433f1
+')
diff --git a/mcollective.te b/mcollective.te
new file mode 100644
-index 0000000..a04dd6b
+index 0000000..8bc27f4
--- /dev/null
+++ b/mcollective.te
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,27 @@
+policy_module(mcollective, 1.0.0)
+
+########################################
@@ -40906,8 +41349,6 @@ index 0000000..a04dd6b
+init_daemon_domain(mcollective_t, mcollective_exec_t)
+cron_system_entry(mcollective_t, mcollective_exec_t)
+
-+permissive mcollective_t;
-+
+type mcollective_etc_rw_t;
+files_type(mcollective_etc_rw_t)
+
@@ -50377,7 +50818,7 @@ index 0e8508c..9a7332c 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..559c66f 100644
+index 0b48a30..9e9b2dc 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -50638,7 +51079,7 @@ index 0b48a30..559c66f 100644
')
')
-@@ -231,18 +261,27 @@ optional_policy(`
+@@ -231,10 +261,11 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -50647,16 +51088,14 @@ index 0b48a30..559c66f 100644
optional_policy(`
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
-+ hal_write_log(NetworkManager_t)
++ fcoe_dgram_send_fcoemon(NetworkManager_t)
')
optional_policy(`
-- hal_write_log(NetworkManager_t)
-+ howl_signal(NetworkManager_t)
+@@ -246,10 +277,26 @@ optional_policy(`
')
optional_policy(`
-- howl_signal(NetworkManager_t)
+ gnome_dontaudit_search_config(NetworkManager_t)
+')
+
@@ -50666,10 +51105,10 @@ index 0b48a30..559c66f 100644
+
+optional_policy(`
+ iodined_domtrans(NetworkManager_t)
- ')
-
- optional_policy(`
-@@ -250,6 +289,10 @@ optional_policy(`
++')
++
++optional_policy(`
+ ipsec_domtrans_mgmt(NetworkManager_t)
ipsec_kill_mgmt(NetworkManager_t)
ipsec_signal_mgmt(NetworkManager_t)
ipsec_signull_mgmt(NetworkManager_t)
@@ -50680,7 +51119,7 @@ index 0b48a30..559c66f 100644
')
optional_policy(`
-@@ -257,15 +300,19 @@ optional_policy(`
+@@ -257,15 +304,19 @@ optional_policy(`
')
optional_policy(`
@@ -50702,7 +51141,7 @@ index 0b48a30..559c66f 100644
')
optional_policy(`
-@@ -274,10 +321,17 @@ optional_policy(`
+@@ -274,10 +325,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -50720,7 +51159,7 @@ index 0b48a30..559c66f 100644
')
optional_policy(`
-@@ -289,6 +343,7 @@ optional_policy(`
+@@ -289,6 +347,7 @@ optional_policy(`
')
optional_policy(`
@@ -50728,7 +51167,7 @@ index 0b48a30..559c66f 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +351,7 @@ optional_policy(`
+@@ -296,7 +355,7 @@ optional_policy(`
')
optional_policy(`
@@ -50737,7 +51176,7 @@ index 0b48a30..559c66f 100644
')
optional_policy(`
-@@ -307,6 +362,7 @@ optional_policy(`
+@@ -307,6 +366,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -50745,7 +51184,7 @@ index 0b48a30..559c66f 100644
')
optional_policy(`
-@@ -320,13 +376,19 @@ optional_policy(`
+@@ -320,13 +380,19 @@ optional_policy(`
')
optional_policy(`
@@ -50769,7 +51208,7 @@ index 0b48a30..559c66f 100644
')
optional_policy(`
-@@ -356,6 +418,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +422,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -75436,7 +75875,7 @@ index 327baf0..d8691bd 100644
+
# Remote login currently has no file contexts.
diff --git a/remotelogin.if b/remotelogin.if
-index a9ce68e..31be971 100644
+index a9ce68e..92520aa 100644
--- a/remotelogin.if
+++ b/remotelogin.if
@@ -1,4 +1,4 @@
@@ -75460,24 +75899,23 @@ index a9ce68e..31be971 100644
##
##
##
-@@ -36,44 +35,3 @@ interface(`remotelogin_signal',`
+@@ -39,8 +38,7 @@ interface(`remotelogin_signal',`
- allow $1 remote_login_t:process signal;
- ')
--
--########################################
--##
+ ########################################
+ ##
-## Create, read, write, and delete
-## remote login temporary content.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## allow Domain to signal remote login domain.
+ ##
+ ##
+ ##
+@@ -48,32 +46,10 @@ interface(`remotelogin_signal',`
+ ##
+ ##
+ #
-interface(`remotelogin_manage_tmp_content',`
-- gen_require(`
++interface(`remotelogin_signull',`
+ gen_require(`
- type remote_login_tmp_t;
- ')
-
@@ -75499,12 +75937,14 @@ index a9ce68e..31be971 100644
-interface(`remotelogin_relabel_tmp_content',`
- gen_require(`
- type remote_login_tmp_t;
-- ')
--
++ type remote_login_t;
+ ')
+
- files_search_tmp($1)
- allow $1 remote_login_tmp_t:dir relabel_dir_perms;
- allow $1 remote_login_tmp_t:file relabel_file_perms;
--')
++ allow $1 remote_login_t:process signull;
+ ')
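Review bot: The new `remotelogin_signull` interface's summary `## allow Domain to signal remote login domain.` names the wrong permission and does not follow the summary style of the existing `remotelogin_signal` interface just above it: the body grants `allow $1 remote_login_t:process signull;`, which only permits a null signal (existence check), so the line should read `## Send a null signal to the remote login domain.`. The corresponding caller added in xserver.te (`remotelogin_signull(xdm_t)`) is consistent with this interface name.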
diff --git a/remotelogin.te b/remotelogin.te
index c51a32c..bef8238 100644
--- a/remotelogin.te
@@ -98316,7 +98756,7 @@ index 31c752e..ef52235 100644
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
-index 77be35a..0e9a7d1 100644
+index 77be35a..9ed83d0 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@@ -98327,7 +98767,7 @@ index 77be35a..0e9a7d1 100644
allow vdagent_t self:fifo_file rw_fifo_file_perms;
allow vdagent_t self:unix_stream_socket { accept listen };
-@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+@@ -39,20 +40,25 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
@@ -98344,14 +98784,19 @@ index 77be35a..0e9a7d1 100644
-logging_send_syslog_msg(vdagent_t)
+systemd_read_logind_sessions_files(vdagent_t)
+systemd_login_read_pid_files(vdagent_t)
-+
-+term_use_virtio_console(vdagent_t)
-miscfiles_read_localization(vdagent_t)
++term_use_virtio_console(vdagent_t)
++
+logging_send_syslog_msg(vdagent_t)
userdom_read_all_users_state(vdagent_t)
++xserver_read_xdm_state(vdagent_t)
++
+ optional_policy(`
+ dbus_system_bus_client(vdagent_t)
+
diff --git a/vhostmd.if b/vhostmd.if
index 22edd58..c3a5364 100644
--- a/vhostmd.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4ed9461..291ab2f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 147%{?dist}
+Release: 148%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Mar 28 2014 Miroslav Grepl 3.12.1-148
+- Allow kdm to send signull to remote_login_t process
+- Add gear policy
+- Turn on gear_port_t
+- Allow cgit to read gitosis lib files by default
+- Allow vdagent to read xdm state
+- Allow NM and fcoeadm to talk together over unix_dgram_socket
+
* Thu Mar 27 2014 Miroslav Grepl 3.12.1-147
- back port fixes for pegasus_openlmi_admin_t from rawhide
- Add labels for ostree