@@ -46479,7 +46541,7 @@ index 3eca020..1d39c1b 100644
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -62,23 +72,31 @@ files_config_file(virt_etc_t)
+@@ -62,23 +73,31 @@ files_config_file(virt_etc_t)
type virt_etc_rw_t;
files_type(virt_etc_rw_t)
@@ -46512,7 +46574,7 @@ index 3eca020..1d39c1b 100644
type virtd_t;
type virtd_exec_t;
-@@ -89,6 +107,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +108,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -46524,7 +46586,7 @@ index 3eca020..1d39c1b 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -104,15 +127,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +128,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
@@ -46541,7 +46603,7 @@ index 3eca020..1d39c1b 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -120,6 +140,9 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+@@ -120,6 +141,9 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t)
dontaudit svirt_t virt_content_t:file write_file_perms;
dontaudit svirt_t virt_content_t:dir write;
@@ -46551,7 +46613,7 @@ index 3eca020..1d39c1b 100644
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
-@@ -133,6 +156,8 @@ dev_list_sysfs(svirt_t)
+@@ -133,6 +157,8 @@ dev_list_sysfs(svirt_t)
userdom_search_user_home_content(svirt_t)
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)
@@ -46560,7 +46622,7 @@ index 3eca020..1d39c1b 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +172,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +173,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -46576,7 +46638,7 @@ index 3eca020..1d39c1b 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +189,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +190,22 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -46599,7 +46661,7 @@ index 3eca020..1d39c1b 100644
xen_rw_image_files(svirt_t)
')
-@@ -174,21 +214,33 @@ optional_policy(`
+@@ -174,21 +215,33 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -46637,7 +46699,7 @@ index 3eca020..1d39c1b 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +252,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +253,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -46646,6 +46708,7 @@ index 3eca020..1d39c1b 100644
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
++allow virtd_t virt_ptynode:chr_file rw_term_perms;
+
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
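Review bot: The added `allow virtd_t virt_ptynode:chr_file rw_term_perms;` sits directly under the virt_image_type relabel rules with no comment, so an auditor cannot tell which virtd_t operation needs read/write access to guest terminal nodes. If virt_ptynode is an attribute, as its name suggests, the rule covers the pty of every guest domain rather than a single type, and that scope should be stated. I would separate the rule from the image rules with a blank line and put a comment above it, for example `# virtd_t reads/writes guest console ptys (all types carrying virt_ptynode)`, worded to match the actual reason for the grant. The virtd_t local policy section starts and ends outside this hunk.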
@@ -46654,7 +46717,7 @@ index 3eca020..1d39c1b 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +278,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +280,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -46662,7 +46725,7 @@ index 3eca020..1d39c1b 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +298,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +300,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -46695,7 +46758,7 @@ index 3eca020..1d39c1b 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +330,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +332,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -46714,7 +46777,7 @@ index 3eca020..1d39c1b 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +365,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +367,30 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -46745,7 +46808,7 @@ index 3eca020..1d39c1b 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +407,10 @@ optional_policy(`
+@@ -313,6 +409,10 @@ optional_policy(`
')
optional_policy(`
@@ -46756,7 +46819,7 @@ index 3eca020..1d39c1b 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -329,6 +427,10 @@ optional_policy(`
+@@ -329,6 +429,10 @@ optional_policy(`
')
optional_policy(`
@@ -46767,7 +46830,7 @@ index 3eca020..1d39c1b 100644
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
-@@ -365,6 +467,8 @@ optional_policy(`
+@@ -365,6 +469,8 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -46776,7 +46839,7 @@ index 3eca020..1d39c1b 100644
')
optional_policy(`
-@@ -394,14 +498,26 @@ optional_policy(`
+@@ -394,14 +500,26 @@ optional_policy(`
# virtual domains common policy
#
@@ -46805,7 +46868,7 @@ index 3eca020..1d39c1b 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +538,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +540,7 @@ corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -46813,7 +46876,7 @@ index 3eca020..1d39c1b 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +546,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +548,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -46826,7 +46889,7 @@ index 3eca020..1d39c1b 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,6 +559,14 @@ files_search_all(virt_domain)
+@@ -440,6 +561,14 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -46841,7 +46904,7 @@ index 3eca020..1d39c1b 100644
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +584,117 @@ optional_policy(`
+@@ -457,8 +586,117 @@ optional_policy(`
')
optional_policy(`
@@ -46866,7 +46929,7 @@ index 3eca020..1d39c1b 100644
+typealias virsh_exec_t alias xm_exec_t;
+
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config };
-+allow virsh_t self:process { getcap getsched setcap signal };
++allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
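Review bot: `setsched` is added to `allow virsh_t self:process { getcap getsched setsched setcap signal };` with no record of what triggered it. The rule carries no comment, and the changelog entry that might explain it is cut off in this view. The grant is limited to virsh_t's own processes, so the exposure is small, but a permission added without the denial that motivated it is hard to justify or remove in a later audit. Add a comment above the rule, for example `# setsched: needed for <operation or bug reference>`, filled in from the AVC denial behind this change. The virsh_t section continues outside the hunk.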
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c0798d7..d74f323 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 33%{?dist}
+Release: 34%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,12 @@ exit 0
%endif
%changelog
+* Fri Jul 15 2011 Miroslav Grepl