diff --git a/booleans.subs_dist b/booleans.subs_dist
index d39b6c0..5ca6aa7 100644
--- a/booleans.subs_dist
+++ b/booleans.subs_dist
@@ -53,3 +53,4 @@ condor_domain_can_network_connect condor_tcp_network_connect
icecast_connect_any icecast_use_any_tcp_ports
named_bind_http_port named_tcp_bind_http_port
user_rw_noexattrfile selinuxuser_rw_noexattrfile
+puppet_manage_all_files puppetagent_manage_all_files
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 19dd80d..7665122 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -8191,7 +8191,7 @@ index 089430a..b0bed70 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index a579c3b..f27656d 100644
+index a579c3b..11dbe9d 100644
--- a/automount.te
+++ b/automount.te
@@ -22,12 +22,16 @@ type automount_tmp_t;
@@ -8220,7 +8220,15 @@ index a579c3b..f27656d 100644
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
-@@ -96,7 +99,6 @@ files_mount_all_file_type_fs(automount_t)
+@@ -86,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
+
+ files_dontaudit_write_var_dirs(automount_t)
+ files_getattr_all_dirs(automount_t)
++files_getattr_all_files(automount_t)
+ files_getattr_default_dirs(automount_t)
+ files_getattr_home_dir(automount_t)
+ files_getattr_isid_type_dirs(automount_t)
+@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
@@ -8228,7 +8236,7 @@ index a579c3b..f27656d 100644
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
-@@ -108,6 +110,7 @@ fs_manage_autofs_symlinks(automount_t)
+@@ -108,6 +111,7 @@ fs_manage_autofs_symlinks(automount_t)
fs_mount_all_fs(automount_t)
fs_mount_autofs(automount_t)
fs_read_nfs_files(automount_t)
@@ -8236,7 +8244,7 @@ index a579c3b..f27656d 100644
fs_search_all(automount_t)
fs_search_auto_mountpoints(automount_t)
fs_unmount_all_fs(automount_t)
-@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t)
+@@ -130,15 +134,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -8259,7 +8267,7 @@ index a579c3b..f27656d 100644
fstools_domtrans(automount_t)
')
-@@ -160,3 +166,8 @@ optional_policy(`
+@@ -160,3 +167,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
@@ -14403,10 +14411,10 @@ index 0000000..54b4b04
+')
diff --git a/conman.te b/conman.te
new file mode 100644
-index 0000000..0de2d4d
+index 0000000..d6b0314
--- /dev/null
+++ b/conman.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,49 @@
+policy_module(conman, 1.0.0)
+
+########################################
@@ -14434,7 +14442,7 @@ index 0000000..0de2d4d
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
-+allow conman_t self:tcp_socket { listen create_socket_perms };
++allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
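Review bot: `allow conman_t self:tcp_socket { accept listen create_socket_perms };` spells out by hand the set that the `create_stream_socket_perms` macro already bundles, and two lines above the same file uses that macro for the unix_stream_socket rule. Writing `allow conman_t self:tcp_socket create_stream_socket_perms;` keeps the two socket rules consistent and stops the hand-written set from drifting from the macro definition. The rest of conman_t's local policy is outside this hunk.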
@@ -14449,6 +14457,10 @@ index 0000000..0de2d4d
+
+logging_send_syslog_msg(conman_t)
+
++sysnet_dns_name_resolve(conman_t)
++
++userdom_use_user_ptys(conman_t)
++
+optional_policy(`
+ freeipmi_stream_connect(conman_t)
+')
@@ -23506,10 +23518,10 @@ index 0000000..66fe66d
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..c80e06c
+index 0000000..f6fe2c3
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,265 @@
+@@ -0,0 +1,271 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -23653,6 +23665,7 @@ index 0000000..c80e06c
+auth_use_nsswitch(docker_t)
+
+init_read_state(docker_t)
++init_status(docker_t)
+
+logging_send_audit_msgs(docker_t)
+logging_send_syslog_msg(docker_t)
@@ -23732,6 +23745,11 @@ index 0000000..c80e06c
+
+modutils_domtrans_insmod(docker_t)
+
++systemd_status_all_unit_files(docker_t)
++
++userdom_stream_connect(docker_t)
++userdom_search_user_home_content(docker_t)
++
+optional_policy(`
+ dbus_system_bus_client(docker_t)
+ init_dbus_chat(docker_t)
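Review bot: The spec changelog entry for this build says docker is allowed "to status any unit file and allow it to start generic unit files", but this section grants only status: the docker.te line count goes from 265 to 271 and the six added lines are `init_status(docker_t)` in the previous hunk plus the five lines here (`systemd_status_all_unit_files`, two userdom interfaces and two blanks), none of which starts unit files. Either the changelog wording should be trimmed to the status-only grant, or the start interface is missing from the backport; the diff alone does not say which was intended. The docker_t rules these lines are inserted into continue outside the hunk.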
@@ -27660,10 +27678,10 @@ index 0000000..04e159f
+')
diff --git a/gear.te b/gear.te
new file mode 100644
-index 0000000..6c32f79
+index 0000000..e6a1c7c
--- /dev/null
+++ b/gear.te
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,101 @@
+policy_module(gear, 1.0.0)
+
+########################################
@@ -27691,6 +27709,8 @@ index 0000000..6c32f79
+#
+# gear local policy
+#
++allow gear_t self:capability chown;
++allow gear_t self:capability2 block_suspend;
+allow gear_t self:process { getattr signal_perms };
+allow gear_t self:fifo_file rw_fifo_file_perms;
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
@@ -27722,6 +27742,7 @@ index 0000000..6c32f79
+kernel_rw_net_sysctls(gear_t)
+
+domain_use_interactive_fds(gear_t)
++domain_read_all_domains_state(gear_t)
+
+corecmd_exec_bin(gear_t)
+corecmd_exec_shell(gear_t)
@@ -27742,6 +27763,8 @@ index 0000000..6c32f79
+init_read_state(gear_t)
+init_dbus_chat(gear_t)
+
++iptables_domtrans(gear_t)
++
+logging_send_audit_msgs(gear_t)
+logging_send_syslog_msg(gear_t)
+
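Review bot: `iptables_domtrans(gear_t)` is added at top level, whereas refpolicy convention is to wrap a call into another loadable module in an `optional_policy(` … `')` block so that the gear module still builds and loads when that module is not present; if iptables is built as its own module here (it is shipped separately in this policy tree, as far as I can tell), this line should be wrapped the same way as the dbus and other optional blocks in this file. `sysnet_domtrans_ifconfig(gear_t)` in the later hunk targets the base sysnetwork module and is fine unwrapped. The gear_t local policy extends beyond this hunk.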
@@ -27753,6 +27776,8 @@ index 0000000..6c32f79
+
+sysnet_dns_name_resolve(gear_t)
+
++sysnet_domtrans_ifconfig(gear_t)
++
+systemd_manage_all_unit_files(gear_t)
+
+optional_policy(`
@@ -57794,7 +57819,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..265896b 100644
+index 3270ff9..fcda1bc 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -57821,7 +57846,7 @@ index 3270ff9..265896b 100644
+## connect to the TCP network.
+##
+##
-+gen_tunable(openvpn_can_network_connect, false)
++gen_tunable(openvpn_can_network_connect, true)
+
attribute_role openvpn_roles;
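Review bot: Flipping `gen_tunable(openvpn_can_network_connect, ...)` from `false` to `true` widens the default policy for every openvpn_t instance on upgrade without any administrator action, yet the tunable's description directly above (it begins outside the hunk) still reads as a plain opt-in ("connect to the TCP network") and says nothing about the new default. Add a sentence to the description paragraph, e.g. `## Enabled by default.`, and ideally a short `#` comment above the gen_tunable stating why default-on is the intended trade-off, so the change is discoverable from the policy source rather than only from the spec changelog.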
@@ -60321,7 +60346,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..6c3afa0 100644
+index 7bcf327..37539ec 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -60345,7 +60370,7 @@ index 7bcf327..6c3afa0 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,324 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -60523,6 +60548,8 @@ index 7bcf327..6c3afa0 100644
+# pegasus openlmi service local policy
+#
+
++fs_getattr_all_fs(pegasus_openlmi_admin_t)
++
+init_manage_transient_unit(pegasus_openlmi_admin_t)
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
@@ -60537,6 +60564,9 @@ index 7bcf327..6c3afa0 100644
+
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+
++logging_read_syslog_pid(pegasus_openlmi_admin_t)
++logging_read_generic_logs(pegasus_openlmi_admin_t)
++
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
+
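Review bot: `logging_read_syslog_pid(pegasus_openlmi_admin_t)` and `logging_read_generic_logs(pegasus_openlmi_admin_t)` are inserted directly after an `allow pegasus_openlmi_service_t self:udp_socket` rule, so grants for the admin and service domains now interleave; the previous hunk likewise adds `fs_getattr_all_fs(pegasus_openlmi_admin_t)` under a section header that names the service domain. Keeping each domain's rules in its own section makes the admin domain's broader grants reviewable in one place. Which section these lines actually fall in cannot be fully determined from the hunk context.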
@@ -60670,7 +60700,7 @@ index 7bcf327..6c3afa0 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +357,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -60701,7 +60731,7 @@ index 7bcf327..6c3afa0 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +383,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -60734,7 +60764,7 @@ index 7bcf327..6c3afa0 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +411,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -60746,7 +60776,7 @@ index 7bcf327..6c3afa0 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
-@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +427,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -60782,7 +60812,7 @@ index 7bcf327..6c3afa0 100644
')
optional_policy(`
-@@ -151,16 +456,24 @@ optional_policy(`
+@@ -151,16 +461,24 @@ optional_policy(`
')
optional_policy(`
@@ -60811,7 +60841,7 @@ index 7bcf327..6c3afa0 100644
')
optional_policy(`
-@@ -168,7 +481,7 @@ optional_policy(`
+@@ -168,7 +486,7 @@ optional_policy(`
')
optional_policy(`
@@ -60820,7 +60850,7 @@ index 7bcf327..6c3afa0 100644
')
optional_policy(`
-@@ -180,6 +493,8 @@ optional_policy(`
+@@ -180,6 +498,8 @@ optional_policy(`
')
optional_policy(`
@@ -69683,28 +69713,35 @@ index e31bbe1..5f0e288 100644
+ rtkit_scheduled(pulseaudio_client)
')
diff --git a/puppet.fc b/puppet.fc
-index 4ecda09..8c0b242 100644
+index 4ecda09..cad91e2 100644
--- a/puppet.fc
+++ b/puppet.fc
-@@ -1,14 +1,12 @@
+@@ -1,14 +1,20 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
-+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
++/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
- /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
++#helper scripts
++/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
--
++/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
--
++/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
++/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
@@ -70051,16 +70088,16 @@ index 7cb8b1f..9422c90 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index f2309f4..a375475 100644
+index f2309f4..0903e67 100644
--- a/puppet.te
+++ b/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.3.7)
-+policy_module(puppet, 1.3.0)
++policy_module(puppet, 1.4.0)
########################################
#
-@@ -6,15 +6,19 @@ policy_module(puppet, 1.3.7)
+@@ -6,25 +6,32 @@ policy_module(puppet, 1.3.7)
#
##
@@ -70073,7 +70110,8 @@ index f2309f4..a375475 100644
+## types.
+##
##
- gen_tunable(puppet_manage_all_files, false)
+-gen_tunable(puppet_manage_all_files, false)
++gen_tunable(puppetagent_manage_all_files, false)
-attribute_role puppetca_roles;
-roleattribute system_r puppetca_roles;
@@ -70084,9 +70122,27 @@ index f2309f4..a375475 100644
+##
+gen_tunable(puppetmaster_use_db, false)
- type puppet_t;
- type puppet_exec_t;
-@@ -37,12 +41,11 @@ files_type(puppet_var_lib_t)
+-type puppet_t;
+-type puppet_exec_t;
+-init_daemon_domain(puppet_t, puppet_exec_t)
++type puppetagent_t;
++type puppetagent_exec_t;
++typealias puppetagent_exec_t alias puppet_exec_t;
++typealias puppetagent_t alias puppet_t;
++init_daemon_domain(puppetagent_t, puppetagent_exec_t)
+
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+
+-type puppet_initrc_exec_t;
+-init_script_file(puppet_initrc_exec_t)
++type puppetagent_initrc_exec_t;
++typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
++init_script_file(puppetagent_initrc_exec_t)
+
+ type puppet_log_t;
+ logging_log_file(puppet_log_t)
+@@ -37,12 +44,11 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
@@ -70100,7 +70156,7 @@ index f2309f4..a375475 100644
type puppetmaster_t;
type puppetmaster_exec_t;
-@@ -56,33 +59,29 @@ files_tmp_file(puppetmaster_tmp_t)
+@@ -56,161 +62,156 @@ files_tmp_file(puppetmaster_tmp_t)
########################################
#
@@ -70109,198 +70165,252 @@ index f2309f4..a375475 100644
#
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
-+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
- allow puppet_t self:process { signal signull getsched setsched };
- allow puppet_t self:fifo_file rw_fifo_file_perms;
- allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+-allow puppet_t self:process { signal signull getsched setsched };
+-allow puppet_t self:fifo_file rw_fifo_file_perms;
+-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:tcp_socket { accept listen };
-+allow puppet_t self:tcp_socket create_stream_socket_perms;
- allow puppet_t self:udp_socket create_socket_perms;
-
+-allow puppet_t self:udp_socket create_socket_perms;
+-
-allow puppet_t puppet_etc_t:dir list_dir_perms;
-allow puppet_t puppet_etc_t:file read_file_perms;
-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
-+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
-
- manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
- manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+-
+-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-can_exec(puppet_t, puppet_var_lib_t)
-+files_search_var_lib(puppet_t)
-
+-
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
- manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
- files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-
+-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+-
-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
- create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
- logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
-
- manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-@@ -91,43 +90,37 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
-
- kernel_dontaudit_search_sysctl(puppet_t)
- kernel_dontaudit_search_kernel_sysctl(puppet_t)
-+kernel_read_system_state(puppet_t)
- kernel_read_crypto_sysctls(puppet_t)
- kernel_read_kernel_sysctls(puppet_t)
+-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+-
+-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+-
+-kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
+-kernel_read_crypto_sysctls(puppet_t)
+-kernel_read_kernel_sysctls(puppet_t)
-kernel_read_net_sysctls(puppet_t)
-kernel_read_network_state(puppet_t)
-
-+corecmd_read_all_executables(puppet_t)
-+corecmd_dontaudit_access_all_executables(puppet_t)
- corecmd_exec_bin(puppet_t)
- corecmd_exec_shell(puppet_t)
+-
+-corecmd_exec_bin(puppet_t)
+-corecmd_exec_shell(puppet_t)
-corecmd_read_all_executables(puppet_t)
-
- corenet_all_recvfrom_netlabel(puppet_t)
+-
+-corenet_all_recvfrom_netlabel(puppet_t)
-corenet_all_recvfrom_unlabeled(puppet_t)
- corenet_tcp_sendrecv_generic_if(puppet_t)
- corenet_tcp_sendrecv_generic_node(puppet_t)
+-corenet_tcp_sendrecv_generic_if(puppet_t)
+-corenet_tcp_sendrecv_generic_node(puppet_t)
-
-corenet_sendrecv_puppet_client_packets(puppet_t)
-+corenet_tcp_bind_generic_node(puppet_t)
- corenet_tcp_connect_puppet_port(puppet_t)
+-corenet_tcp_connect_puppet_port(puppet_t)
-corenet_tcp_sendrecv_puppet_port(puppet_t)
-+corenet_sendrecv_puppet_client_packets(puppet_t)
-
- dev_read_rand(puppet_t)
- dev_read_sysfs(puppet_t)
- dev_read_urand(puppet_t)
-
+-
+-dev_read_rand(puppet_t)
+-dev_read_sysfs(puppet_t)
+-dev_read_urand(puppet_t)
+-
-domain_interactive_fd(puppet_t)
- domain_read_all_domains_state(puppet_t)
-+domain_interactive_fd(puppet_t)
-
- files_manage_config_files(puppet_t)
- files_manage_config_dirs(puppet_t)
- files_manage_etc_dirs(puppet_t)
- files_manage_etc_files(puppet_t)
+-domain_read_all_domains_state(puppet_t)
+-
+-files_manage_config_files(puppet_t)
+-files_manage_config_dirs(puppet_t)
+-files_manage_etc_dirs(puppet_t)
+-files_manage_etc_files(puppet_t)
-files_read_usr_files(puppet_t)
- files_read_usr_symlinks(puppet_t)
- files_relabel_config_dirs(puppet_t)
- files_relabel_config_files(puppet_t)
+-files_read_usr_symlinks(puppet_t)
+-files_relabel_config_dirs(puppet_t)
+-files_relabel_config_files(puppet_t)
-files_search_var_lib(puppet_t)
-
+-
-selinux_get_fs_mount(puppet_t)
-selinux_search_fs(puppet_t)
- selinux_set_all_booleans(puppet_t)
- selinux_set_generic_booleans(puppet_t)
- selinux_validate_context(puppet_t)
-@@ -135,6 +128,8 @@ selinux_validate_context(puppet_t)
- term_dontaudit_getattr_unallocated_ttys(puppet_t)
- term_dontaudit_getattr_all_ttys(puppet_t)
-
-+auth_use_nsswitch(puppet_t)
-+
- init_all_labeled_script_domtrans(puppet_t)
- init_domtrans_script(puppet_t)
- init_read_utmp(puppet_t)
-@@ -143,18 +138,19 @@ init_signull_script(puppet_t)
- logging_send_syslog_msg(puppet_t)
-
- miscfiles_read_hwdata(puppet_t)
+-selinux_set_all_booleans(puppet_t)
+-selinux_set_generic_booleans(puppet_t)
+-selinux_validate_context(puppet_t)
+-
+-term_dontaudit_getattr_unallocated_ttys(puppet_t)
+-term_dontaudit_getattr_all_ttys(puppet_t)
+-
+-init_all_labeled_script_domtrans(puppet_t)
+-init_domtrans_script(puppet_t)
+-init_read_utmp(puppet_t)
+-init_signull_script(puppet_t)
+-
+-logging_send_syslog_msg(puppet_t)
+-
+-miscfiles_read_hwdata(puppet_t)
-miscfiles_read_localization(puppet_t)
-
-mount_domtrans(puppet_t)
-
- seutil_domtrans_setfiles(puppet_t)
- seutil_domtrans_semanage(puppet_t)
-+seutil_read_file_contexts(puppet_t)
-
- sysnet_run_ifconfig(puppet_t, system_r)
+-
+-seutil_domtrans_setfiles(puppet_t)
+-seutil_domtrans_semanage(puppet_t)
+-
+-sysnet_run_ifconfig(puppet_t, system_r)
-sysnet_use_ldap(puppet_t)
-+
-+usermanage_access_check_groupadd(puppet_t)
-+usermanage_access_check_passwd(puppet_t)
-+usermanage_access_check_useradd(puppet_t)
-
- tunable_policy(`puppet_manage_all_files',`
+-
+-tunable_policy(`puppet_manage_all_files',`
- files_manage_non_auth_files(puppet_t)
-+ files_manage_non_security_files(puppet_t)
- ')
-
- optional_policy(`
-@@ -196,21 +192,86 @@ optional_policy(`
- ')
-
- optional_policy(`
-- usermanage_domtrans_groupadd(puppet_t)
-- usermanage_domtrans_useradd(puppet_t)
-+ auth_filetrans_named_content(puppet_t)
-+')
++allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
++allow puppetagent_t self:process { signal signull getsched setsched };
++allow puppetagent_t self:fifo_file rw_fifo_file_perms;
++allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
++allow puppetagent_t self:tcp_socket create_stream_socket_perms;
++allow puppetagent_t self:udp_socket create_socket_perms;
+
-+optional_policy(`
-+ alsa_filetrans_named_content(puppet_t)
-+')
++read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
+
-+optional_policy(`
-+ bootloader_filetrans_config(puppet_t)
-+')
++manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
++manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
++files_search_var_lib(puppetagent_t)
+
-+optional_policy(`
-+ devicekit_filetrans_named_content(puppet_t)
-+')
++manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
++manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
++files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
+
-+optional_policy(`
-+ dnsmasq_filetrans_named_content(puppet_t)
-+')
++create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
++create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
++append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
++logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
+
-+optional_policy(`
-+ kerberos_filetrans_named_content(puppet_t)
-+')
++manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
++manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
++files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
+
-+optional_policy(`
-+ libs_filetrans_named_content(puppet_t)
-+')
++kernel_dontaudit_search_sysctl(puppetagent_t)
++kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
++kernel_read_system_state(puppetagent_t)
++kernel_read_crypto_sysctls(puppetagent_t)
++kernel_read_kernel_sysctls(puppetagent_t)
+
-+optional_policy(`
-+ miscfiles_filetrans_named_content(puppet_t)
-+')
++corecmd_read_all_executables(puppetagent_t)
++corecmd_dontaudit_access_all_executables(puppetagent_t)
++corecmd_exec_bin(puppetagent_t)
++corecmd_exec_shell(puppetagent_t)
+
-+optional_policy(`
-+ mta_filetrans_named_content(puppet_t)
-+')
++corenet_all_recvfrom_netlabel(puppetagent_t)
++corenet_tcp_sendrecv_generic_if(puppetagent_t)
++corenet_tcp_sendrecv_generic_node(puppetagent_t)
++corenet_tcp_bind_generic_node(puppetagent_t)
++corenet_tcp_connect_puppet_port(puppetagent_t)
++corenet_sendrecv_puppet_client_packets(puppetagent_t)
+
-+optional_policy(`
-+ modules_filetrans_named_content(puppet_t)
-+')
++dev_read_rand(puppetagent_t)
++dev_read_sysfs(puppetagent_t)
++dev_read_urand(puppetagent_t)
+
-+optional_policy(`
-+ networkmanager_filetrans_named_content(puppet_t)
-+')
++domain_read_all_domains_state(puppetagent_t)
++domain_interactive_fd(puppetagent_t)
++domain_named_filetrans(puppetagent_t)
+
-+optional_policy(`
-+ nx_filetrans_named_content(puppet_t)
-+')
++files_manage_config_files(puppetagent_t)
++files_manage_config_dirs(puppetagent_t)
++files_manage_etc_dirs(puppetagent_t)
++files_manage_etc_files(puppetagent_t)
++files_read_usr_symlinks(puppetagent_t)
++files_relabel_config_dirs(puppetagent_t)
++files_relabel_config_files(puppetagent_t)
+
-+optional_policy(`
-+ postfix_filetrans_named_content(puppet_t)
-+')
++selinux_set_all_booleans(puppetagent_t)
++selinux_set_generic_booleans(puppetagent_t)
++selinux_validate_context(puppetagent_t)
+
-+optional_policy(`
-+ openshift_initrc_domtrans(puppet_t)
-+')
++term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
++term_dontaudit_getattr_all_ttys(puppetagent_t)
+
-+optional_policy(`
-+ quota_filetrans_named_content(puppet_t)
-+')
++auth_use_nsswitch(puppetagent_t)
+
-+optional_policy(`
-+ sysnet_filetrans_named_content(puppet_t)
-+')
++init_all_labeled_script_domtrans(puppetagent_t)
++init_domtrans_script(puppetagent_t)
++init_read_utmp(puppetagent_t)
++init_signull_script(puppetagent_t)
+
-+optional_policy(`
-+ virt_filetrans_home_content(puppet_t)
-+')
++logging_send_syslog_msg(puppetagent_t)
++
++miscfiles_read_hwdata(puppetagent_t)
++
++seutil_domtrans_setfiles(puppetagent_t)
++seutil_domtrans_semanage(puppetagent_t)
++seutil_read_file_contexts(puppetagent_t)
++
++sysnet_run_ifconfig(puppetagent_t, system_r)
++
++usermanage_access_check_groupadd(puppetagent_t)
++usermanage_access_check_passwd(puppetagent_t)
++usermanage_access_check_useradd(puppetagent_t)
+
++tunable_policy(`puppetagent_manage_all_files',`
++ files_manage_non_security_files(puppetagent_t)
+ ')
+
+ optional_policy(`
+- cfengine_read_lib_files(puppet_t)
++ mysql_stream_connect(puppetagent_t)
+ ')
+
+ optional_policy(`
+- consoletype_exec(puppet_t)
++ postgresql_stream_connect(puppetagent_t)
+ ')
+
+ optional_policy(`
+- hostname_exec(puppet_t)
++ cfengine_read_lib_files(puppetagent_t)
+ ')
+
+ optional_policy(`
+- mount_domtrans(puppet_t)
++ consoletype_exec(puppetagent_t)
+ ')
+
+ optional_policy(`
+- mta_send_mail(puppet_t)
++ hostname_exec(puppetagent_t)
+ ')
+
+ optional_policy(`
+- portage_domtrans(puppet_t)
+- portage_domtrans_fetch(puppet_t)
+- portage_domtrans_gcc_config(puppet_t)
++ mount_domtrans(puppetagent_t)
+ ')
+
+ optional_policy(`
+- files_rw_var_files(puppet_t)
++ mta_send_mail(puppetagent_t)
++')
+
+- rpm_domtrans(puppet_t)
+- rpm_manage_db(puppet_t)
+- rpm_manage_log(puppet_t)
+optional_policy(`
-+ ssh_filetrans_admin_home_content(puppet_t)
++ portage_domtrans(puppetagent_t)
++ portage_domtrans_fetch(puppetagent_t)
++ portage_domtrans_gcc_config(puppetagent_t)
+ ')
+
+ optional_policy(`
+- unconfined_domain(puppet_t)
++ files_rw_var_files(puppetagent_t)
++
++ rpm_domtrans(puppetagent_t)
++ rpm_manage_db(puppetagent_t)
++ rpm_manage_log(puppetagent_t)
+ ')
+
+ optional_policy(`
+- usermanage_domtrans_groupadd(puppet_t)
+- usermanage_domtrans_useradd(puppet_t)
++ unconfined_domain_noaudit(puppetagent_t)
')
########################################
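Review bot: `unconfined_domain_noaudit(puppetagent_t)` in the final optional_policy block, which takes the place of the inner file's original `unconfined_domain(puppet_t)` line, leaves the agent domain unconfined wherever the unconfined module is loaded and, as the name suggests, additionally suppresses the denial records an administrator would otherwise use to tighten the domain. On such systems the `tunable_policy(\`puppetagent_manage_all_files'` gate and the per-interface grants above it only take effect when the unconfined module is absent, and nothing in the hunk records that this trade-off is deliberate. Add a comment above the block, e.g. `# puppetagent_t is unconfined (denials not audited) wherever the unconfined module is loaded; the rules above and puppetagent_manage_all_files only apply without it.` The replacement of the per-module `*_filetrans_named_content` optional blocks by the single `domain_named_filetrans(puppetagent_t)` is a similar widening that deserves a one-line comment. The hunk ends at the section separator before the puppetca_t rules.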
@@ -70319,7 +70429,7 @@ index f2309f4..a375475 100644
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +282,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +222,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
kernel_read_system_state(puppetca_t)
@@ -70327,7 +70437,7 @@ index f2309f4..a375475 100644
kernel_read_kernel_sysctls(puppetca_t)
corecmd_exec_bin(puppetca_t)
-@@ -229,15 +291,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +231,12 @@ corecmd_exec_shell(puppetca_t)
dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)
@@ -70343,7 +70453,7 @@ index f2309f4..a375475 100644
miscfiles_read_generic_certs(puppetca_t)
seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +305,47 @@ optional_policy(`
+@@ -246,38 +245,47 @@ optional_policy(`
hostname_exec(puppetca_t)
')
@@ -70407,7 +70517,7 @@ index f2309f4..a375475 100644
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_network_state(puppetmaster_t)
-@@ -289,23 +357,24 @@ corecmd_exec_bin(puppetmaster_t)
+@@ -289,23 +297,24 @@ corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
@@ -70438,7 +70548,7 @@ index f2309f4..a375475 100644
selinux_validate_context(puppetmaster_t)
-@@ -314,26 +383,31 @@ auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +323,31 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)
@@ -70475,7 +70585,7 @@ index f2309f4..a375475 100644
')
optional_policy(`
-@@ -342,3 +416,9 @@ optional_policy(`
+@@ -342,3 +356,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7173126..7c5c00f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 152%{?dist}
+Release: 153%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Apr 9 2014 Miroslav Grepl 3.12.1-153
+- Back port puppet fixes from rawhide
+- Allow automount to getattr all files
+- openvpn_can_network_connect boolean set default on
+- Allow conman to resolve DNS and use user ptys
+- update pegasus_openlmi_admin_t policy
+- Allow docker to status any unit file and allow it to start generic unit files
+- Additional perms for gear domain
+
* Tue Apr 8 2014 Miroslav Grepl 3.12.1-152
- Change hsperfdata_root to have as user_tmp_t
- Allow rsyslog low-level network access