diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index e8c0f81..ce5354b 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -27655,7 +27655,7 @@ index 24e7804..76da5dd 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..ee26201 100644
+index dd3be8d..5fc4cd6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27895,7 +27895,7 @@ index dd3be8d..ee26201 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +273,186 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +273,188 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -27921,6 +27921,8 @@ index dd3be8d..ee26201 100644
+
+storage_raw_rw_fixed_disk(init_t)
+
++sysnet_read_dhcpc_state(init_t)
++
+optional_policy(`
+ kdump_read_crash(init_t)
+')
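Review bot: `sysnet_read_dhcpc_state(init_t)` is added without a comment saying which consumer needs init_t to read the DHCP client's state, whereas the neighbouring `kdump_read_crash(init_t)` is at least scoped by its `optional_policy` block. A one-line why-comment above the call, e.g. `# init reads dhclient lease/state files; motivated by TODO-AVC-OR-BUG-REFERENCE`, would let a later reviewer judge whether this read grant can be narrowed or dropped. If sysnetwork is a base module in this tree the unconditional placement is consistent with the rest of the file; I cannot confirm that from the hunk. The enclosing `ifdef` block, if any, starts outside this hunk.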
@@ -28090,7 +28092,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -216,6 +460,27 @@ optional_policy(`
+@@ -216,6 +462,27 @@ optional_policy(`
')
optional_policy(`
@@ -28118,7 +28120,7 @@ index dd3be8d..ee26201 100644
unconfined_domain(init_t)
')
-@@ -225,8 +490,9 @@ optional_policy(`
+@@ -225,8 +492,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28130,7 +28132,7 @@ index dd3be8d..ee26201 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +523,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +525,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28147,7 +28149,7 @@ index dd3be8d..ee26201 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +548,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +550,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28190,7 +28192,7 @@ index dd3be8d..ee26201 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +585,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +587,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28202,7 +28204,7 @@ index dd3be8d..ee26201 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +597,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +599,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -28213,7 +28215,7 @@ index dd3be8d..ee26201 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +608,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +610,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -28223,7 +28225,7 @@ index dd3be8d..ee26201 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +617,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +619,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -28231,7 +28233,7 @@ index dd3be8d..ee26201 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +624,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +626,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28239,7 +28241,7 @@ index dd3be8d..ee26201 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +632,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +634,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -28257,7 +28259,7 @@ index dd3be8d..ee26201 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +650,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +652,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -28271,7 +28273,7 @@ index dd3be8d..ee26201 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +665,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +667,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -28285,7 +28287,7 @@ index dd3be8d..ee26201 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +678,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +680,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -28293,7 +28295,7 @@ index dd3be8d..ee26201 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +690,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +692,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -28301,7 +28303,7 @@ index dd3be8d..ee26201 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +709,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +711,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -28325,7 +28327,7 @@ index dd3be8d..ee26201 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +742,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +744,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -28333,7 +28335,7 @@ index dd3be8d..ee26201 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +776,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +778,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -28344,7 +28346,7 @@ index dd3be8d..ee26201 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +800,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +802,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -28353,7 +28355,7 @@ index dd3be8d..ee26201 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +815,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +817,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -28361,7 +28363,7 @@ index dd3be8d..ee26201 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +836,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +838,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -28369,7 +28371,7 @@ index dd3be8d..ee26201 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +846,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +848,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -28414,7 +28416,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -558,14 +891,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +893,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -28446,7 +28448,7 @@ index dd3be8d..ee26201 100644
')
')
-@@ -576,6 +926,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +928,39 @@ ifdef(`distro_suse',`
')
')
@@ -28486,7 +28488,7 @@ index dd3be8d..ee26201 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +971,8 @@ optional_policy(`
+@@ -588,6 +973,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -28495,7 +28497,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -609,6 +994,7 @@ optional_policy(`
+@@ -609,6 +996,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -28503,7 +28505,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -625,6 +1011,17 @@ optional_policy(`
+@@ -625,6 +1013,17 @@ optional_policy(`
')
optional_policy(`
@@ -28521,7 +28523,7 @@ index dd3be8d..ee26201 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1038,13 @@ optional_policy(`
+@@ -641,9 +1040,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -28535,7 +28537,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -656,15 +1057,11 @@ optional_policy(`
+@@ -656,15 +1059,11 @@ optional_policy(`
')
optional_policy(`
@@ -28553,7 +28555,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -685,6 +1082,15 @@ optional_policy(`
+@@ -685,6 +1084,15 @@ optional_policy(`
')
optional_policy(`
@@ -28569,7 +28571,7 @@ index dd3be8d..ee26201 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1131,7 @@ optional_policy(`
+@@ -725,6 +1133,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -28577,7 +28579,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -742,7 +1149,14 @@ optional_policy(`
+@@ -742,7 +1151,14 @@ optional_policy(`
')
optional_policy(`
@@ -28592,7 +28594,7 @@ index dd3be8d..ee26201 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1179,10 @@ optional_policy(`
+@@ -765,6 +1181,10 @@ optional_policy(`
')
optional_policy(`
@@ -28603,7 +28605,7 @@ index dd3be8d..ee26201 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1192,20 @@ optional_policy(`
+@@ -774,10 +1194,20 @@ optional_policy(`
')
optional_policy(`
@@ -28624,7 +28626,7 @@ index dd3be8d..ee26201 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1214,10 @@ optional_policy(`
+@@ -786,6 +1216,10 @@ optional_policy(`
')
optional_policy(`
@@ -28635,7 +28637,7 @@ index dd3be8d..ee26201 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1239,6 @@ optional_policy(`
+@@ -807,8 +1241,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -28644,7 +28646,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -817,6 +1247,10 @@ optional_policy(`
+@@ -817,6 +1249,10 @@ optional_policy(`
')
optional_policy(`
@@ -28655,7 +28657,7 @@ index dd3be8d..ee26201 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1260,12 @@ optional_policy(`
+@@ -826,10 +1262,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -28668,7 +28670,7 @@ index dd3be8d..ee26201 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1292,27 @@ optional_policy(`
+@@ -856,12 +1294,27 @@ optional_policy(`
')
optional_policy(`
@@ -28697,7 +28699,7 @@ index dd3be8d..ee26201 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1322,18 @@ optional_policy(`
+@@ -871,6 +1324,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -28716,7 +28718,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -886,6 +1349,10 @@ optional_policy(`
+@@ -886,6 +1351,10 @@ optional_policy(`
')
optional_policy(`
@@ -28727,7 +28729,7 @@ index dd3be8d..ee26201 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1363,196 @@ optional_policy(`
+@@ -896,3 +1365,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28925,20 +28927,21 @@ index dd3be8d..ee26201 100644
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..ef9370d 100644
+index 662e79b..3cbc35d 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,19 @@
+@@ -1,14 +1,21 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
--/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+
-+/etc/(strongswan)?/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-+/etc/(strongswan)?/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
/etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
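Review bot: Only `ipsec.secrets` and `ipsec.conf` under `/etc/strongswan` receive ipsec labels here; if nothing else in this fc covers `/etc/strongswan(/.*)?`, the directory itself and any other key material placed there (for example included `*.secrets` fragments) fall back to etc_t, which far more domains may read than ipsec_key_file_t. I cannot see the rest of the file, so this may already be handled further down. If it is not, a directory rule such as `/etc/strongswan(/.*)?	gen_context(system_u:object_r:ipsec_conf_file_t,s0)` alongside the two explicit file entries would close that gap, and a comment explaining that the split into `/etc/ipsec\.secrets.*` and `/etc/strongswan/ipsec\.secrets.*` replaces an optional-group regex that could not match `/etc/ipsec.secrets` would stop someone re-merging them.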
@@ -28951,7 +28954,7 @@ index 662e79b..ef9370d 100644
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,12 +31,15 @@
+@@ -26,12 +33,15 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -28967,17 +28970,17 @@ index 662e79b..ef9370d 100644
/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
-@@ -39,3 +47,5 @@
+@@ -39,3 +49,5 @@
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
+/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..f133407 100644
+index 0d4c8d3..e6ffda3 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
-@@ -55,6 +55,63 @@ interface(`ipsec_domtrans_mgmt',`
+@@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',`
domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
')
@@ -29015,6 +29018,7 @@ index 0d4c8d3..f133407 100644
+ ')
+
+ manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
++ files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")
+')
+
+########################################
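Review bot: The new `files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")` only fires for a file created with exactly that name directly in an etc_t directory; a tool that writes `ipsec.secrets.tmp` and renames it, or that writes under `/etc/strongswan/` if that directory is not etc_t, still leaves an etc_t file until the next relabel, and the `ipsec\.secrets.*` fc entries elsewhere in this change only help at relabel time. That limitation is worth a why-comment on the line, e.g. `# name transition so a freshly created /etc/ipsec.secrets is not left as etc_t until relabel`, and the interface's summary/description block should mention that the interface also sets up this transition. The enclosing interface's name and header are outside the hunk.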
@@ -29041,7 +29045,7 @@ index 0d4c8d3..f133407 100644
########################################
##
-+## Allow gssd to read temp directory. For access to kerberos tgt.
++## Allow gssd to list tmp directories and read the kerberos credential cache.
+##
##
-gen_tunable(allow_gssd_read_tmp, false)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1bdd0c2..e90f9c4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.7%{?dist}
+Release: 74.8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Sep 26 2013 Lukas Vrabec