##
@@ -4769,7 +4788,7 @@ index 83e899c..9426db5 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1165,8 +1381,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1400,30 @@ interface(`apache_cgi_domain',`
########################################
##
@@ -4802,7 +4821,7 @@ index 83e899c..9426db5 100644
##
##
##
-@@ -1183,18 +1421,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1440,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@@ -4831,7 +4850,7 @@ index 83e899c..9426db5 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1204,10 +1443,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1462,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -4845,7 +4864,7 @@ index 83e899c..9426db5 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1457,141 @@ interface(`apache_admin',`
+@@ -1218,9 +1476,141 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -8410,7 +8429,7 @@ index aebe7cb..33fe57b 100644
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
-index 60e76be..0730647 100644
+index 60e76be..f1f2bcf 100644
--- a/avahi.te
+++ b/avahi.te
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
@@ -8459,6 +8478,17 @@ index 60e76be..0730647 100644
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
+@@ -102,6 +106,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ pcp_pmproxy_dbus_chat(avahi_t)
++')
++
++optional_policy(`
+ rpcbind_signull(avahi_t)
+ ')
+
diff --git a/awstats.te b/awstats.te
index d6ab824..116176d 100644
--- a/awstats.te
@@ -8689,10 +8719,10 @@ index 536ec3c..271b976 100644
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..f755e6b 100644
+index 2b9a3a1..750788c 100644
--- a/bind.fc
+++ b/bind.fc
-@@ -1,54 +1,75 @@
+@@ -1,54 +1,76 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -8732,6 +8762,7 @@ index 2b9a3a1..f755e6b 100644
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-control -- gen_context(system_u:object_r:named_exec_t,s0)
-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -9765,7 +9796,7 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..44edba7 100644
+index 7c92aa1..b326c23 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,20 @@
@@ -9791,7 +9822,7 @@ index 7c92aa1..44edba7 100644
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
-@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,107 +30,122 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
@@ -9870,7 +9901,11 @@ index 7c92aa1..44edba7 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+
++manage_dirs_pattern(boinc_t, boinc_project_tmp_t, boinc_project_tmp_t)
++manage_files_pattern(boinc_t, boinc_project_tmp_t, boinc_project_tmp_t)
++
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@@ -9967,7 +10002,7 @@ index 7c92aa1..44edba7 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +151,69 @@ init_read_utmp(boinc_t)
+@@ -130,55 +154,69 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -24267,10 +24302,10 @@ index 0000000..683dfdc
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..2f0fa26
+index 0000000..2faebf0
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,279 @@
+@@ -0,0 +1,280 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -24387,6 +24422,7 @@ index 0000000..2f0fa26
+kernel_read_all_sysctls(docker_t)
+kernel_rw_net_sysctls(docker_t)
+kernel_setsched(docker_t)
++kernel_read_all_proc(docker_t)
+
+domain_use_interactive_fds(docker_t)
+
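Review bot: `kernel_read_all_proc(docker_t)` is a broad grant — by its name it presumably covers every type carrying the proc_type attribute, not just the entries docker needs — and neither the hunk nor the changelog entry ("Allow docker to read all of /proc") records the denial that motivated it. A one-line comment above it naming the path(s) docker actually reads, e.g. `# docker reads <path under /proc> (see bz <BUG-ID placeholder>)`, would let a later reviewer judge whether a narrower interface such as `domain_read_all_domains_state(docker_t)` would do. The docker_t local-policy section continues outside the hunk.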
@@ -28905,10 +28941,10 @@ index 0000000..9e17d3e
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
-index 0000000..b9d0b86
+index 0000000..d964114
--- /dev/null
+++ b/geoclue.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,59 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
@@ -28964,6 +29000,10 @@ index 0000000..b9d0b86
+ networkmanager_dbus_chat(geoclue_t)
+ ')
+')
++
++optional_policy(`
++ pcscd_stream_connect(geoclue_t)
++')
diff --git a/gift.te b/gift.te
index 395238e..af76abb 100644
--- a/gift.te
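Review bot: The new `optional_policy` block granting `pcscd_stream_connect(geoclue_t)` carries no comment, and nothing in the hunk or the changelog entry explains why a geolocation service needs the smart-card daemon's socket. A one-line comment above the block, e.g. `# geoclue's <backend placeholder> connects to pcscd's stream socket (see bz <BUG-ID placeholder>)`, keeps the grant reviewable and removable when the dependency goes away.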
@@ -36334,10 +36374,31 @@ index 2fb7a20..c6ba007 100644
+ ')
+')
diff --git a/jockey.te b/jockey.te
-index d59ec10..dec1b3b 100644
+index d59ec10..a46018d 100644
--- a/jockey.te
+++ b/jockey.te
-@@ -44,16 +44,19 @@ dev_read_urand(jockey_t)
+@@ -15,6 +15,9 @@ files_type(jockey_cache_t)
+ type jockey_var_log_t;
+ logging_log_file(jockey_var_log_t)
+
++type jockey_tmpfs_t;
++files_tmpfs_file(jockey_tmpfs_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -33,6 +36,10 @@ create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+ setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+ logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
+
++manage_dirs_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t)
++manage_files_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t)
++fs_tmpfs_filetrans(jockey_t, jockey_tmpfs_t, { dir file })
++
+ kernel_read_system_state(jockey_t)
+
+ corecmd_exec_bin(jockey_t)
+@@ -44,16 +51,19 @@ dev_read_urand(jockey_t)
domain_use_interactive_fds(jockey_t)
@@ -45178,7 +45239,7 @@ index 6ffaba2..ab66d2f 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..7490fe3 100644
+index 6194b80..ecab2e6 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -45890,7 +45951,7 @@ index 6194b80..7490fe3 100644
##
##
##
-@@ -530,45 +520,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +520,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -45939,10 +46000,11 @@ index 6194b80..7490fe3 100644
+
gen_require(`
- type mozilla_plugin_home_t;
-+ type mozilla_home_t;
++ type mozilla_home_t, mozilla_plugin_rw_t;
')
- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
++ files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
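Review bot: The added `files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so")` sits in an interface whose header is outside the hunk; judging by the neighbouring `userdom_user_home_dir_filetrans` calls it is invoked for user domains, so whatever directory permissions `files_filetrans_lib` grants on lib_t directories (the changelog lists it as a new interface and its definition is not visible here) are now handed to every such caller. If it grants add_name/write on lib_t directories, a comment should state that the name-bound transition is the only intended effect, e.g. `# nspluginwrapper (presumably) creates nswrapper_32_64.nppdf.so under lib_t at run time; keep this transition name-bound`, and the interface's own summary should mention the lib-directory side effect. The interface body starts and ends outside the hunk.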
@@ -56408,10 +56470,10 @@ index 379af96..41ff159 100644
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
-index 57c0161..dae3360 100644
+index 57c0161..4534676 100644
--- a/nut.if
+++ b/nut.if
-@@ -1,39 +1,24 @@
+@@ -1,39 +1,59 @@
-## Network UPS Tools
+## nut - Network UPS Tools
@@ -56420,36 +56482,67 @@ index 57c0161..dae3360 100644
##
-## All of the rules required to
-## administrate an nut environment.
-+## Execute swift server in the swift domain.
++## Creates types and rules for a basic
++## Network UPS Tools systemd daemon domain.
##
- ##
+-##
-##
-## Domain allowed access.
-##
-+##
-+## Domain allowed to transition.
-+##
- ##
+-##
-##
-##
-## Role allowed access.
-##
--##
++##
++##
++## Prefix for the domain.
++##
+ ##
-##
#
-interface(`nut_admin',`
-- gen_require(`
-- attribute nut_domain;
++template(`nut_domain_template',`
+ gen_require(`
+ attribute nut_domain;
- type nut_initrc_exec_t, nut_var_run_t, nut_conf_t;
-- ')
--
+ ')
+
- allow $1 nut_domain:process { ptrace signal_perms };
- ps_process_pattern($1, nut_domain_t)
--
++ type nut_$1_t, nut_domain;
++ type nut_$1_exec_t;
++ init_daemon_domain(nut_$1_t, nut_$1_exec_t)
++
++ type nut_$1_tmp_t;
++ files_tmp_file(nut_$1_tmp_t)
++
++ manage_dirs_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
++ manage_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
++ manage_lnk_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
++ files_tmp_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
++ fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
+
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
++ auth_use_nsswitch(nut_$1_t)
++
++ logging_send_syslog_msg(nut_$1_t)
++
++')
++
++#######################################
++##
++## Execute swift server in the swift domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
+interface(`nut_systemctl',`
+ gen_require(`
+ type nut_t;
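Review bot: The summary block moved in above `nut_systemctl` still reads `## Execute swift server in the swift domain.`, a copy-paste from another module; it should describe this interface, e.g. `## Allow the caller to manage the nut service via systemctl.`, adjusted to match the body, which is mostly outside the hunk. Separately, that interface's gen_require names `type nut_t;`, while the template calls added to nut.te create only nut_upsd_t, nut_upsmon_t and nut_upsdrvctl_t; if no nut_t is declared elsewhere in nut.te, every caller of nut_systemctl fails its gen_require (silently when wrapped in optional_policy), so this is worth confirming. In `nut_domain_template`, `fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, ...)` labels tmpfs-created objects with a files_tmp_file type; if that is intentional a short comment saying so would help, since the rest of the patch uses distinct *_tmpfs_t types for that purpose (see the jockey hunk).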
@@ -56467,7 +56560,7 @@ index 57c0161..dae3360 100644
+ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
-index 0c9deb7..76988d6 100644
+index 0c9deb7..8ee90b0 100644
--- a/nut.te
+++ b/nut.te
@@ -1,4 +1,4 @@
@@ -56476,10 +56569,29 @@ index 0c9deb7..76988d6 100644
########################################
#
-@@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain;
- type nut_upsdrvctl_exec_t;
- init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+@@ -7,131 +7,124 @@ policy_module(nut, 1.2.4)
+
+ attribute nut_domain;
+
++nut_domain_template(upsd)
++nut_domain_template(upsmon)
++nut_domain_template(upsdrvctl)
++
+ type nut_conf_t;
+ files_config_file(nut_conf_t)
+-type nut_upsd_t, nut_domain;
+-type nut_upsd_exec_t;
+-init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
+-
+-type nut_upsmon_t, nut_domain;
+-type nut_upsmon_exec_t;
+-init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
+-
+-type nut_upsdrvctl_t, nut_domain;
+-type nut_upsdrvctl_exec_t;
+-init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+-
-type nut_initrc_exec_t;
-init_script_file(nut_initrc_exec_t)
-
@@ -56509,12 +56621,15 @@ index 0c9deb7..76988d6 100644
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
--
++allow nut_domain self:capability { setgid setuid dac_override };
+
-kernel_read_kernel_sysctls(nut_domain)
-
-logging_send_syslog_msg(nut_domain)
--
++allow nut_domain self:process signal_perms;
+
-miscfiles_read_localization(nut_domain)
++allow nut_domain self:fifo_file rw_fifo_file_perms;
+allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
########################################
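Review bot: The consolidated `allow nut_domain self:capability { setgid setuid dac_override };` drops the `dac_read_search` that nut_upsmon_t previously carried (its per-domain rule is removed in a later hunk of this file). The kernel's generic_permission() consults CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE for directory search (and, on newer kernels, plain reads), so upsmon's DAC-bypassing accesses will now log a dac_read_search denial before succeeding via dac_override; keep both, e.g. `allow nut_domain self:capability { dac_override dac_read_search setgid setuid };`, or restore it for nut_upsmon_t only. Granting dac_override at attribute level also reaches every domain that `nut_domain_template()` creates in future, which deserves a comment above the rule.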
@@ -56524,16 +56639,15 @@ index 0c9deb7..76988d6 100644
#
-allow nut_upsd_t self:tcp_socket { accept listen };
-+allow nut_upsd_t self:capability { setgid setuid dac_override };
-+allow nut_upsd_t self:process signal_perms;
++allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
-+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
++allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
-+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
-corenet_all_recvfrom_netlabel(nut_upsd_t)
@@ -56541,29 +56655,25 @@ index 0c9deb7..76988d6 100644
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
-corenet_tcp_bind_generic_node(nut_upsd_t)
-+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
-
--corenet_sendrecv_ups_server_packets(nut_upsd_t)
--corenet_tcp_bind_ups_port(nut_upsd_t)
+# pid file
+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
--corenet_sendrecv_generic_server_packets(nut_upsd_t)
--corenet_tcp_bind_generic_port(nut_upsd_t)
+-corenet_sendrecv_ups_server_packets(nut_upsd_t)
+-corenet_tcp_bind_ups_port(nut_upsd_t)
+kernel_read_kernel_sysctls(nut_upsd_t)
--files_read_usr_files(nut_upsd_t)
+-corenet_sendrecv_generic_server_packets(nut_upsd_t)
+corenet_tcp_bind_ups_port(nut_upsd_t)
-+corenet_tcp_bind_generic_port(nut_upsd_t)
+ corenet_tcp_bind_generic_port(nut_upsd_t)
+-
+-files_read_usr_files(nut_upsd_t)
+-
+-auth_use_nsswitch(nut_upsd_t)
+corenet_tcp_bind_all_nodes(nut_upsd_t)
- auth_use_nsswitch(nut_upsd_t)
-
-+logging_send_syslog_msg(nut_upsd_t)
-+
########################################
#
-# Upsmon local policy
@@ -56572,11 +56682,9 @@ index 0c9deb7..76988d6 100644
-allow nut_upsmon_t self:capability dac_read_search;
-allow nut_upsmon_t self:unix_stream_socket connectto;
-+allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
-+allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
++allow nut_upsmon_t self:tcp_socket create_socket_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
-+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
@@ -56612,13 +56720,11 @@ index 0c9deb7..76988d6 100644
+# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)
+-auth_use_nsswitch(nut_upsmon_t)
+# upsmon runs shutdown, probably need a shutdown domain
+init_rw_utmp(nut_upsmon_t)
+init_telinit(nut_upsmon_t)
+
-+logging_send_syslog_msg(nut_upsmon_t)
-+
- auth_use_nsswitch(nut_upsmon_t)
mta_send_mail(nut_upsmon_t)
@@ -56634,10 +56740,8 @@ index 0c9deb7..76988d6 100644
+# Local policy for upsdrvctl
#
-+allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
-+allow nut_upsdrvctl_t self:process { sigchld signal signull };
++allow nut_upsdrvctl_t self:capability { kill };
allow nut_upsdrvctl_t self:fd use;
-+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
+
@@ -56658,19 +56762,16 @@ index 0c9deb7..76988d6 100644
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
-@@ -139,22 +149,34 @@ dev_read_urand(nut_upsdrvctl_t)
+@@ -139,22 +132,29 @@ dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)
+-
+-auth_use_nsswitch(nut_upsdrvctl_t)
+term_use_usb_ttys(nut_upsdrvctl_t)
- auth_use_nsswitch(nut_upsdrvctl_t)
-
init_sigchld(nut_upsdrvctl_t)
-+logging_send_syslog_msg(nut_upsdrvctl_t)
-+
-+
#######################################
#
-# Cgi local policy
@@ -61070,7 +61171,7 @@ index bf59ef7..2d8335f 100644
+')
+
diff --git a/passenger.te b/passenger.te
-index 4e114ff..1b1cb71 100644
+index 4e114ff..d688bab 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
@@ -61149,7 +61250,7 @@ index 4e114ff..1b1cb71 100644
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
-@@ -66,14 +74,14 @@ dev_read_urand(passenger_t)
+@@ -66,19 +74,20 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
@@ -61166,7 +61267,13 @@ index 4e114ff..1b1cb71 100644
userdom_dontaudit_use_user_terminals(passenger_t)
optional_policy(`
-@@ -90,14 +98,21 @@ optional_policy(`
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
++ apache_rw_stream_sockets(passenger_t)
+ ')
+
+ optional_policy(`
+@@ -90,14 +99,21 @@ optional_policy(`
')
optional_policy(`
@@ -61256,10 +61363,10 @@ index 0000000..9b8cb6b
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
-index 0000000..ba24b40
+index 0000000..87aeb51
--- /dev/null
+++ b/pcp.if
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,160 @@
+## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation
+
+######################################
@@ -61287,6 +61394,27 @@ index 0000000..ba24b40
+
+')
+
++########################################
++##
++## Send and receive messages from
++## pcp_pmproxy_t over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pcp_pmproxy_dbus_chat',`
++ gen_require(`
++ type pcp_pmproxy_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 pcp_pmproxy_t:dbus send_msg;
++ allow pcp_pmproxy_t $1:dbus send_msg;
++')
++
+######################################
+##
+## Allow domain to read pcp lib files
@@ -63906,10 +64034,10 @@ index 0000000..b975b85
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..d1265c4
+index 0000000..47fb375
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,291 @@
+@@ -0,0 +1,292 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -63996,6 +64124,7 @@ index 0000000..d1265c4
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
@@ -68610,7 +68739,7 @@ index cd8b8b9..6c73980 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index b2b5dba..0d1dd3c 100644
+index b2b5dba..e71e924 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
@@ -68686,7 +68815,7 @@ index b2b5dba..0d1dd3c 100644
type pptp_log_t;
logging_log_file(pptp_log_t)
-@@ -67,54 +74,57 @@ logging_log_file(pptp_log_t)
+@@ -67,54 +74,59 @@ logging_log_file(pptp_log_t)
type pptp_var_run_t;
files_pid_file(pptp_var_run_t)
@@ -68702,6 +68831,7 @@ index b2b5dba..0d1dd3c 100644
allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched setsched signal };
++dontaudit pppd_t self:capability2 block_suspend;
+allow pppd_t self:process { getsched setsched signal_perms };
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
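Review bot: `dontaudit pppd_t self:capability2 block_suspend;` has no comment, yet the changelog entry describes it as a stop-gap until the kernel stops reporting spurious block_suspend checks; without that recorded in the policy the dontaudit will outlive its reason. Add a marker above it, e.g. `# temporary: kernel reports spurious block_suspend checks; drop once fixed in Rawhide (see bz <BUG-ID placeholder>)`.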
@@ -68743,6 +68873,7 @@ index b2b5dba..0d1dd3c 100644
manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
++manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
-can_exec(pppd_t, pppd_exec_t)
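Review bot: `manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)` is added, but the adjacent `files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })` still transitions only dirs and files, so a socket pppd creates directly under /var/run would receive the default pid type rather than pppd_var_run_t and the new rule would not apply to it. If the socket lives directly in /var/run, extend the transition: `files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file sock_file })`; if it is created inside a pppd_var_run_t directory the current form is sufficient. The usbmuxd hunk later in this patch uses the `{ file dir sock_file }` form for the same situation.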
@@ -68760,7 +68891,7 @@ index b2b5dba..0d1dd3c 100644
kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
kernel_rw_net_sysctls(pppd_t)
-@@ -122,10 +132,10 @@ kernel_read_network_state(pppd_t)
+@@ -122,10 +134,10 @@ kernel_read_network_state(pppd_t)
kernel_request_load_module(pppd_t)
dev_read_urand(pppd_t)
@@ -68772,7 +68903,7 @@ index b2b5dba..0d1dd3c 100644
corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_generic_if(pppd_t)
corenet_raw_sendrecv_generic_if(pppd_t)
-@@ -135,9 +145,22 @@ corenet_raw_sendrecv_generic_node(pppd_t)
+@@ -135,9 +147,22 @@ corenet_raw_sendrecv_generic_node(pppd_t)
corenet_udp_sendrecv_generic_node(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
@@ -68796,7 +68927,7 @@ index b2b5dba..0d1dd3c 100644
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)
-@@ -147,36 +170,31 @@ files_exec_etc_files(pppd_t)
+@@ -147,36 +172,31 @@ files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
@@ -68842,7 +68973,7 @@ index b2b5dba..0d1dd3c 100644
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
-@@ -186,11 +204,13 @@ optional_policy(`
+@@ -186,11 +206,13 @@ optional_policy(`
l2tpd_dgram_send(pppd_t)
l2tpd_rw_socket(pppd_t)
l2tpd_stream_connect(pppd_t)
@@ -68857,7 +68988,7 @@ index b2b5dba..0d1dd3c 100644
')
')
-@@ -218,16 +238,19 @@ optional_policy(`
+@@ -218,16 +240,19 @@ optional_policy(`
########################################
#
@@ -68880,7 +69011,7 @@ index b2b5dba..0d1dd3c 100644
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +259,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +261,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -68937,7 +69068,7 @@ index b2b5dba..0d1dd3c 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
-@@ -282,12 +303,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +305,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
@@ -68952,7 +69083,7 @@ index b2b5dba..0d1dd3c 100644
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-@@ -299,6 +320,10 @@ optional_policy(`
+@@ -299,6 +322,10 @@ optional_policy(`
')
optional_policy(`
@@ -99847,15 +99978,17 @@ index cb9b5bb..3aa7952 100644
+ modutils_read_module_deps(usbmodules_t)
+')
diff --git a/usbmuxd.fc b/usbmuxd.fc
-index 220f6ad..cd80b9b 100644
+index 220f6ad..8e3bbd2 100644
--- a/usbmuxd.fc
+++ b/usbmuxd.fc
-@@ -1,3 +1,4 @@
+@@ -1,3 +1,6 @@
/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
-/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
++
++/var/lib/lockdown -- gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)
diff --git a/usbmuxd.if b/usbmuxd.if
index 1ec5e99..88e287d 100644
--- a/usbmuxd.if
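Review bot: `/var/lib/lockdown -- gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)` uses the `--` regular-file qualifier, but the usbmuxd.te hunk in this same patch gives usbmuxd_t `manage_dirs_pattern` on usbmuxd_var_lib_t and a `{ dir file }` transition under /var/lib, which only makes sense if lockdown is a directory. With `--` a restorecon will not relabel the directory or its contents, so the new rules would only cover objects usbmuxd creates itself. Use a directory pattern instead: `/var/lib/lockdown(/.*)? gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)`.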
@@ -99928,10 +100061,10 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 8840be6..d2c7596 100644
+index 8840be6..bb7c53f 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
-@@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles;
+@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
type usbmuxd_t;
type usbmuxd_exec_t;
@@ -99942,21 +100075,40 @@ index 8840be6..d2c7596 100644
type usbmuxd_var_run_t;
files_pid_file(usbmuxd_var_run_t)
++type usbmuxd_var_lib_t;
++files_type(usbmuxd_var_lib_t)
++
+type usbmuxd_unit_file_t;
+systemd_unit_file(usbmuxd_unit_file_t)
+
########################################
#
# Local policy
-@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t)
+ #
+
allow usbmuxd_t self:capability { kill setgid setuid };
++dontaudit usbmuxd_t self:capability sys_resource;
allow usbmuxd_t self:process { signal signull };
allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow usbmuxd_t self:unix_stream_socket connectto;
manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
-@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t)
+ manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+ files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
++manage_dirs_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t)
++manage_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t)
++manage_lnk_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t)
++files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file })
++
+ kernel_read_kernel_sysctls(usbmuxd_t)
+ kernel_read_system_state(usbmuxd_t)
+
+ dev_read_sysfs(usbmuxd_t)
++dev_read_urand(usbmuxd_t)
+ dev_rw_generic_usb_dev(usbmuxd_t)
auth_use_nsswitch(usbmuxd_t)
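Review bot: `files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file })` is unnamed, so anything usbmuxd_t creates directly under /var/lib — not just lockdown — is labelled usbmuxd_var_lib_t. Since the file-context hunk ties this type to /var/lib/lockdown and the patch already uses name-bound transitions elsewhere (the mozilla and virt hunks), bound it to the directory name: `files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, dir, "lockdown")`. `dontaudit usbmuxd_t self:capability sys_resource;` would also benefit from a one-line comment recording what triggers it, e.g. `# usbmuxd trips sys_resource on startup; harmless, see bz #1136128`, so the silenced denial stays traceable.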
@@ -103051,7 +103203,7 @@ index 9dec06c..c43ef2e 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..34b36bc 100644
+index 1f22fba..d894b4d 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,224 @@
@@ -103349,7 +103501,7 @@ index 1f22fba..34b36bc 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -150,295 +227,130 @@ ifdef(`enable_mls',`
+@@ -150,295 +227,132 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -103638,6 +103790,8 @@ index 1f22fba..34b36bc 100644
-corenet_sendrecv_all_client_packets(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
++init_dontaudit_read_state(svirt_t)
++
+#######################################
+#
+# svirt_prot_exec local policy
@@ -103720,7 +103874,7 @@ index 1f22fba..34b36bc 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +360,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +362,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -103767,7 +103921,7 @@ index 1f22fba..34b36bc 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +395,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +397,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -103777,19 +103931,19 @@ index 1f22fba..34b36bc 100644
-
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-can_exec(virtd_t, virt_tmp_t)
+-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +408,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +410,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -103797,7 +103951,7 @@ index 1f22fba..34b36bc 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +416,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +418,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -103825,7 +103979,7 @@ index 1f22fba..34b36bc 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +436,27 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +438,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -103858,7 +104012,7 @@ index 1f22fba..34b36bc 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +487,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +489,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -103878,7 +104032,7 @@ index 1f22fba..34b36bc 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +509,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +511,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -103915,7 +104069,7 @@ index 1f22fba..34b36bc 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +537,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +539,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -103924,7 +104078,7 @@ index 1f22fba..34b36bc 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,20 +562,12 @@ optional_policy(`
+@@ -658,20 +564,12 @@ optional_policy(`
')
optional_policy(`
@@ -103945,7 +104099,7 @@ index 1f22fba..34b36bc 100644
')
optional_policy(`
-@@ -684,14 +580,20 @@ optional_policy(`
+@@ -684,14 +582,20 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -103968,7 +104122,7 @@ index 1f22fba..34b36bc 100644
iptables_manage_config(virtd_t)
')
-@@ -704,11 +606,13 @@ optional_policy(`
+@@ -704,11 +608,13 @@ optional_policy(`
')
optional_policy(`
@@ -103982,7 +104136,7 @@ index 1f22fba..34b36bc 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -719,10 +623,18 @@ optional_policy(`
+@@ -719,10 +625,18 @@ optional_policy(`
')
optional_policy(`
@@ -104001,19 +104155,18 @@ index 1f22fba..34b36bc 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +649,277 @@ optional_policy(`
+@@ -737,44 +651,277 @@ optional_policy(`
udev_read_db(virtd_t)
')
-########################################
--#
--# Virsh local policy
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
+########################################
-+#
+ #
+-# Virsh local policy
+# virtual domains common policy
#
+allow virt_domain self:capability2 compromise_kernel;
@@ -104107,7 +104260,7 @@ index 1f22fba..34b36bc 100644
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
-+
+
+corenet_tcp_sendrecv_generic_if(virt_domain)
+corenet_tcp_sendrecv_generic_node(virt_domain)
+corenet_tcp_sendrecv_all_ports(virt_domain)
@@ -104225,7 +104378,7 @@ index 1f22fba..34b36bc 100644
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
+')
-
++
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
@@ -104303,7 +104456,7 @@ index 1f22fba..34b36bc 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +930,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +932,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -104330,7 +104483,7 @@ index 1f22fba..34b36bc 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,23 +950,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,23 +952,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -104364,7 +104517,7 @@ index 1f22fba..34b36bc 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -847,14 +987,20 @@ optional_policy(`
+@@ -847,14 +989,20 @@ optional_policy(`
')
optional_policy(`
@@ -104386,7 +104539,7 @@ index 1f22fba..34b36bc 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +1025,65 @@ optional_policy(`
+@@ -879,49 +1027,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -104470,7 +104623,7 @@ index 1f22fba..34b36bc 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1095,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1097,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -104490,7 +104643,7 @@ index 1f22fba..34b36bc 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1116,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1118,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -104514,7 +104667,7 @@ index 1f22fba..34b36bc 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1141,315 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1143,315 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -104967,7 +105120,7 @@ index 1f22fba..34b36bc 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1462,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1464,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -104982,7 +105135,7 @@ index 1f22fba..34b36bc 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1480,8 @@ optional_policy(`
+@@ -1183,9 +1482,8 @@ optional_policy(`
########################################
#
@@ -104993,7 +105146,7 @@ index 1f22fba..34b36bc 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1494,219 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1496,219 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 521857e..4e54ce3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 182%{?dist}
+Release: 183%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,26 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Sep 04 2014 Lukas Vrabec 3.12.1-183
+- Allow init to read all config files
+- Add new interface to allow creation of file with lib_t type
+- Add init_dontaudit_read_state() interface.
+- Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource (#1136128)
+- Allow docker to read all of /proc
+- Label /usr/sbin/unbound-control as named_exec_t (#1130510)
+- Dontaudit read init state for svirt_t.
+- Allow boinc_t manage boinc_project_tmp_t files and dirs (#1135687)
+- ALlow passeneger to read/write apache stream socket.
+- Allow geoclue to stream connect to smart card service
+- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide
+- Allow jockey_t to use tmpfs files
+- Allow pppd to create sock_files in /var/run
+- Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface.
+- Allow usbmuxd connect to itself by stream socket. (#1135945)
+- Allow nswrapper_32_64.nppdf.so to be created with the proper label
+- Allow avahi_t communicate with pcp_pmproxy_t over dbus.
+- Allwo pki_tomcat to create link files in /var/lib/pki-ca.
+
* Wed Aug 27 2014 Lukas Vrabec 3.12.1-182
- Allow pppd to connect to http port. (#1128947)
- Allow fail2ban to read audit logs