[selinux-policy/f18] * Tue Sep 03 2013 Lukas Vrabec <lvrabec at redhat.com> 3.10.1-102 - Fix syntax error in mock policy - A

Lukas Vrabec lvrabec at fedoraproject.org
Tue Sep 3 12:10:54 UTC 2013


commit 7ebc712d65b6f3c4c833b2a0de6d6c05735be72b
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Tue Sep 3 14:10:04 2013 +0200

    * Tue Sep 03 2013 Lukas Vrabec <lvrabec at redhat.com> 3.10.1-102
    - Fix syntax error in mock policy
    - Allow glusterd to create sock_file in /run
    - Add rpm_read_log interface
    - Add interface userhelper_dontaudit_write_config
    - Add support for strongswan in ipsec policy
    - Add interface corenet_relabel_tun_tap_dev

 policy-f18-base.patch    |  375 +++++++++++++++++++++++++++++-----------------
 policy-f18-contrib.patch |   96 ++++++------
 selinux-policy.spec      |   16 ++-
 3 files changed, 299 insertions(+), 188 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 1f60169..d0eb01f 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -113007,7 +113007,7 @@ index f9b25c1..9af1f7a 100644
 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..affff65 100644
+index 07126bd..97e23d2 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
 @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
@@ -114023,7 +114023,7 @@ index 07126bd..affff65 100644
  ##	Do not audit attempts to connect TCP sockets
  ##	all rpc ports.
  ## </summary>
-@@ -1993,6 +2584,41 @@ interface(`corenet_rw_tun_tap_dev',`
+@@ -1993,6 +2584,24 @@ interface(`corenet_rw_tun_tap_dev',`
  
  ########################################
  ## <summary>
@@ -114042,8 +114042,18 @@ index 07126bd..affff65 100644
 +
 +	allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
 +')
++
 +########################################
 +## <summary>
+ ##	Do not audit attempts to read or write the TUN/TAP
+ ##	virtual network device.
+ ## </summary>
+@@ -2010,6 +2619,24 @@ interface(`corenet_dontaudit_rw_tun_tap_dev',`
+ 	dontaudit $1 tun_tap_device_t:chr_file { read write };
+ ')
+ 
++######################################
++## <summary>
 +##      Relabel to and from the TUN/TAP virtual network device.
 +## </summary>
 +## <param name="domain">
@@ -114059,13 +114069,11 @@ index 07126bd..affff65 100644
 +
 +        relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t)
 +')
-+                                      
-+########################################
-+## <summary>
- ##	Do not audit attempts to read or write the TUN/TAP
- ##	virtual network device.
- ## </summary>
-@@ -2049,6 +2675,25 @@ interface(`corenet_rw_ppp_dev',`
++                                        
+ ########################################
+ ## <summary>
+ ##	Getattr the point-to-point device.
+@@ -2049,6 +2676,25 @@ interface(`corenet_rw_ppp_dev',`
  
  ########################################
  ## <summary>
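Review bot: `relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t)` (unchanged context here, the body of the new corenet_relabel_tun_tap_dev interface) passes tun_tap_device_t as the directory type, so the pattern's `search` grant lands on tun_tap_device_t:dir, whereas the file-context lines in this patch label only character devices with that type (`/usr/lib/udev/devices/net/.* -c`) and the sibling device interfaces use device_t for the containing /dev directory, e.g. `rw_chr_files_pattern($1, device_t, vfio_device_t)`. I would change it to `relabel_chr_files_pattern($1, device_t, tun_tap_device_t)` and add `type device_t;` to the interface's gen_require, which starts outside this hunk — worth confirming against those unchanged lines. Since the pattern grants both relabelfrom and relabelto on a network device node, a summary that says so (`##	Relabel the TUN/TAP device node to and from tun_tap_device_t.`) would help callers judge the grant. The added `+                                        ` after `')` is a whitespace-only line; the same kind of line is added in the devices.if (VFIO), setrans.if and userdomain.if hunks further down and could be dropped everywhere.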
@@ -114091,7 +114099,7 @@ index 07126bd..affff65 100644
  ##	Bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2068,6 +2713,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2714,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -114116,7 +114124,7 @@ index 07126bd..affff65 100644
  ##	Do not audit attempts to bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2194,6 +2857,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2858,25 @@ interface(`corenet_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -114142,7 +114150,7 @@ index 07126bd..affff65 100644
  ##	Receive TCP packets from a NetLabel connection.
  ## </summary>
  ## <param name="domain">
-@@ -2213,7 +2895,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,7 +2896,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -114151,7 +114159,7 @@ index 07126bd..affff65 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2221,10 +2903,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2221,10 +2904,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  ##	</summary>
  ## </param>
  #
@@ -114169,7 +114177,7 @@ index 07126bd..affff65 100644
  	# XXX - at some point the oubound/send access check will be removed
  	# but for right now we need to keep this in place so as not to break
  	# older systems
-@@ -2249,6 +2936,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2937,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -114196,7 +114204,7 @@ index 07126bd..affff65 100644
  ##	Do not audit attempts to receive TCP packets from a NetLabel
  ##	connection.
  ## </summary>
-@@ -2269,6 +2976,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2977,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -114224,7 +114232,7 @@ index 07126bd..affff65 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2533,15 +3261,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,15 +3262,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
  ## <infoflow type="read" weight="10"/>
  #
  interface(`corenet_all_recvfrom_unlabeled',`
@@ -114244,7 +114252,7 @@ index 07126bd..affff65 100644
  ')
  
  ########################################
-@@ -2567,11 +3290,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
+@@ -2567,11 +3291,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
  #
  interface(`corenet_all_recvfrom_netlabel',`
  	gen_require(`
@@ -114282,7 +114290,7 @@ index 07126bd..affff65 100644
  ')
  
  ########################################
-@@ -2585,6 +3331,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3332,7 @@ interface(`corenet_all_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -114290,7 +114298,7 @@ index 07126bd..affff65 100644
  	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
  	kernel_dontaudit_udp_recvfrom_unlabeled($1)
  	kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3360,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3361,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
  	')
  
  	dontaudit $1 netlabel_peer_t:peer recv;
@@ -114327,7 +114335,7 @@ index 07126bd..affff65 100644
  ')
  
  ########################################
-@@ -2727,6 +3502,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3503,7 @@ interface(`corenet_raw_recvfrom_labeled',`
  ## </param>
  #
  interface(`corenet_all_recvfrom_labeled',`
@@ -114335,7 +114343,7 @@ index 07126bd..affff65 100644
  	corenet_tcp_recvfrom_labeled($1, $2)
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3910,53 @@ interface(`corenet_unconfined',`
+@@ -3134,3 +3911,53 @@ interface(`corenet_unconfined',`
  
  	typeattribute $1 corenet_unconfined_type;
  ')
@@ -114943,7 +114951,7 @@ index 02b7ac1..1fc53d1 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index d820975..02a2acf 100644
+index d820975..a07675d 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -115881,28 +115889,27 @@ index d820975..02a2acf 100644
  	list_dirs_pattern($1, sysfs_t, sysfs_t)
  ')
  
-@@ -3927,23 +4304,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3927,8 +4304,31 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete sysfs
 -##	directories.
 +##	Read cpu online hardware state information.
- ## </summary>
++## </summary>
 +## <desc>
 +##	<p>
 +##	Allow the specified domain to read /sys/devices/system/cpu/online file.
 +##	</p>
 +## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_manage_sysfs_dirs',`
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`dev_read_cpu_online',`
- 	gen_require(`
++	gen_require(`
 +		type cpu_online_t;
 +	')
 +
@@ -115913,15 +115920,16 @@ index d820975..02a2acf 100644
 +########################################
 +## <summary>
 +##	Relabel cpu online hardware state information.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3936,14 +4336,17 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_manage_sysfs_dirs',`
 +interface(`dev_relabel_cpu_online',`
-+	gen_require(`
+ 	gen_require(`
 +		type cpu_online_t;
  		type sysfs_t;
  	')
@@ -116049,12 +116057,10 @@ index d820975..02a2acf 100644
  ########################################
  ## <summary>
  ##	Read generic the USB devices.
-@@ -4407,6 +4903,23 @@ interface(`dev_rw_userio_dev',`
+@@ -4410,6 +4906,25 @@ interface(`dev_rw_userio_dev',`
  
- 	rw_chr_files_pattern($1, device_t, userio_device_t)
- ')
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
 +##      Read and write the VFIO devices.
 +## </summary>
 +## <param name="domain">
@@ -116068,12 +116074,16 @@ index d820975..02a2acf 100644
 +                type device_t, vfio_device_t;
 +        ')
 +
-+        rw_chr_files_pattern($1, device_t, vfio_device_t)
++         rw_chr_files_pattern($1, device_t, vfio_device_t)
 +')
- 
- ########################################
- ## <summary>
-@@ -4520,6 +5033,24 @@ interface(`dev_rw_vhost',`
++                                      
++
++########################################
++## <summary>
+ ##	Do not audit attempts to get the attributes
+ ##	of video4linux device nodes.
+ ## </summary>
+@@ -4520,6 +5035,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
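Review bot: The re-indented `rw_chr_files_pattern($1, device_t, vfio_device_t)` now sits at nine spaces while the `gen_require` block two lines above uses eight, and devices.if otherwise indents interface bodies with a tab (see `	gen_require(`` in the dev_read_cpu_online hunk earlier in this file). Since this line is the only code change in the hunk, I would make it `	rw_chr_files_pattern($1, device_t, vfio_device_t)` and leave the two added whitespace-only lines out; refpolicy style is a single empty line between an interface's closing `')` and the next banner.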
@@ -116098,7 +116108,7 @@ index d820975..02a2acf 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4725,6 +5256,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4725,6 +5258,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -116125,7 +116135,7 @@ index d820975..02a2acf 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4814,3 +5365,917 @@ interface(`dev_unconfined',`
+@@ -4814,3 +5367,917 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -136316,19 +136326,33 @@ index 4a88fa1..9c0b2c0 100644
 +     allow direct_run_init direct_init_entry:file { getattr open read execute };
 +')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index ec85acb..3451447 100644
+index ec85acb..ef9370d 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
-@@ -1,7 +1,7 @@
+@@ -1,14 +1,19 @@
  /etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/strongswan	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  
 -/etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
-+/etc/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
- /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+-/etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/usr/lib/systemd/system/strongswan.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
++
++/etc/(strongswan)?/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/(strongswan)?/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
  /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
  
-@@ -26,11 +26,7 @@
+ /etc/racoon(/.*)?			gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+ /etc/racoon/certs(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ 
+-/etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/strongswan(/.*)?		gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++
++/etc/(strongswan)?/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ 
+ /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
+ 
+@@ -26,17 +31,15 @@
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
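Review bot: `/etc/(strongswan)?/ipsec\.secrets.*` requires a slash after the optional group, so it matches `/etc/strongswan/ipsec.secrets` and the nonexistent `/etc//ipsec.secrets` but no longer `/etc/ipsec.secrets`, whose previous entry this hunk deletes; the `ipsec\.conf` and `ipsec\.d(/.*)?` lines have the same shape. After a relabel, openswan's `/etc/ipsec.secrets` would fall back to the generic /etc label instead of ipsec_key_file_t, which presumably stops pluto reading it under the existing ipsec_t rules and, more importantly, removes the key-file label that keeps other domains away from private key material. The optional part should carry the slash: `/etc/(strongswan/)?ipsec\.secrets.*`, `/etc/(strongswan/)?ipsec\.conf`, `/etc/(strongswan/)?ipsec\.d(/.*)?`. The unanchored `.*` after `ipsec\.secrets` also matches any file whose name merely starts with ipsec.secrets; if the intent is include files such as ipsec.secrets.foo, `ipsec\.secrets(\..*)?` is tighter.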
@@ -136341,14 +136365,22 @@ index ec85acb..3451447 100644
  
  /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
  /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
-@@ -44,3 +40,5 @@
+ /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
++/usr/sbin/strongswan	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+ 
+ /var/lock/subsys/ipsec		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
++/var/lock/subsys/strongswan		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+ 
+ /var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
+ 
+@@ -44,3 +47,5 @@
  
  /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
  /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..0c32fb4 100644
+index 0d4c8d3..a89c4a2 100644
 --- a/policy/modules/system/ipsec.if
 +++ b/policy/modules/system/ipsec.if
 @@ -55,6 +55,62 @@ interface(`ipsec_domtrans_mgmt',`
@@ -136507,11 +136539,54 @@ index 0d4c8d3..0c32fb4 100644
  ')
  
  ########################################
+@@ -369,3 +477,26 @@ interface(`ipsec_run_setkey',`
+ 	ipsec_domtrans_setkey($1)
+ 	role $2 types setkey_t;
+ ')
++
++#######################################
++## <summary>
++##  Execute strongswan in the ipsec_mgmt domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`ipsec_mgmt_systemctl',`
++    gen_require(`
++        type ipsec_mgmt_unit_file_t;
++        type ipsec_mgmt_t;
++    ')
++
++    systemd_exec_systemctl($1)
++    allow $1 ipsec_mgmt_unit_file_t:file read_file_perms;
++    allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms;
++
++    ps_process_pattern($1, ipsec_mgmt_t)
++')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index a30840c..5980b7e 100644
+index a30840c..18ef725 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
-@@ -72,14 +72,18 @@ role system_r types setkey_t;
+@@ -1,4 +1,4 @@
+-policy_module(ipsec, 1.13.0)
++policy_module(ipsec, 1.13.3)
+ 
+ ########################################
+ #
+@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+ corecmd_shell_entry_type(ipsec_mgmt_t)
+ role system_r types ipsec_mgmt_t;
+ 
++type ipsec_mgmt_unit_file_t;
++systemd_unit_file(ipsec_mgmt_unit_file_t)
++
+ type ipsec_mgmt_lock_t;
+ files_lock_file(ipsec_mgmt_lock_t)
+ 
+@@ -72,14 +75,18 @@ role system_r types setkey_t;
  # ipsec Local policy
  #
  
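Review bot: The docstring of the new `ipsec_mgmt_systemctl` describes a domain transition ("Execute strongswan in the ipsec_mgmt domain", param "Domain allowed to transition"), but the body grants none: it calls `systemd_exec_systemctl($1)`, allows `manage_service_perms` on ipsec_mgmt_unit_file_t:service and `ps_process_pattern($1, ipsec_mgmt_t)`, i.e. it lets $1 control the strongswan unit through systemctl and inspect the ipsec_mgmt_t process. I would reword the summary to `##  Allow the specified domain to manage the strongswan systemd unit via systemctl.` and the parameter to `##  Domain allowed access.` so a reader does not mistake this for a domtrans interface. The body is also indented with four spaces while ipsec.if uses tabs (`	ipsec_domtrans_setkey($1)` just above in the same hunk).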
@@ -136532,7 +136607,7 @@ index a30840c..5980b7e 100644
  
  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
  
-@@ -113,6 +117,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+@@ -113,6 +120,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
  allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
  
  kernel_read_kernel_sysctls(ipsec_t)
@@ -136540,7 +136615,7 @@ index a30840c..5980b7e 100644
  kernel_list_proc(ipsec_t)
  kernel_read_proc_symlinks(ipsec_t)
  # allow pluto to access /proc/net/ipsec_eroute;
-@@ -127,20 +132,22 @@ corecmd_exec_shell(ipsec_t)
+@@ -127,20 +135,22 @@ corecmd_exec_shell(ipsec_t)
  corecmd_exec_bin(ipsec_t)
  
  # Pluto needs network access
@@ -136570,7 +136645,7 @@ index a30840c..5980b7e 100644
  
  dev_read_sysfs(ipsec_t)
  dev_read_rand(ipsec_t)
-@@ -156,6 +163,8 @@ files_dontaudit_search_home(ipsec_t)
+@@ -156,6 +166,8 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
@@ -136579,7 +136654,7 @@ index a30840c..5980b7e 100644
  term_use_console(ipsec_t)
  term_dontaudit_use_all_ttys(ipsec_t)
  
-@@ -164,11 +173,13 @@ auth_use_nsswitch(ipsec_t)
+@@ -164,16 +176,22 @@ auth_use_nsswitch(ipsec_t)
  init_use_fds(ipsec_t)
  init_use_script_ptys(ipsec_t)
  
@@ -136594,7 +136669,16 @@ index a30840c..5980b7e 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,10 +197,10 @@ optional_policy(`
+ 
+ optional_policy(`
++    iptables_domtrans(ipsec_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(ipsec_t)
+ ')
+ 
+@@ -186,10 +204,10 @@ optional_policy(`
  # ipsec_mgmt Local policy
  #
  
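Review bot: The new `optional_policy(` block with `iptables_domtrans(ipsec_t)` lets the IKE daemon domain itself (ipsec_t, not the ipsec_mgmt_t management domain) run iptables in iptables_t, a firewall-administration grant that none of the changelog bullets mentions. If this is for strongswan's updown script, a why-comment on the line — e.g. `# strongswan updown script adjusts firewall rules via iptables` (constructed wording, adjust to the actual trigger) — and a changelog entry would record the reason; if the script actually runs from ipsec_mgmt_t, the rule belongs in the ipsec_mgmt section further down instead. The block is indented with four spaces where the file uses tabs (`	seutil_sigchld_newrole(ipsec_t)` in the same hunk).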
@@ -136609,15 +136693,26 @@ index a30840c..5980b7e 100644
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
  allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -209,6 +220,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
- files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
+@@ -205,14 +223,15 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
+ manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
+ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+ 
+-allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+-files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
++manage_files_pattern(ipsec_mgmt_t, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t)
++files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, { file })
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 +manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
  manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
  
  allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
-@@ -245,6 +257,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+-files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
++files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file })
+ 
+ # _realsetup needs to be able to cat /var/run/pluto.pid,
+ # run ps on that pid, and delete the file
+@@ -245,6 +264,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -136634,7 +136729,7 @@ index a30840c..5980b7e 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -254,6 +276,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -254,6 +283,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -136643,7 +136738,7 @@ index a30840c..5980b7e 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -277,9 +301,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +308,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -136655,7 +136750,7 @@ index a30840c..5980b7e 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -289,15 +314,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -289,15 +321,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
  logging_send_syslog_msg(ipsec_mgmt_t)
  
@@ -136679,7 +136774,7 @@ index a30840c..5980b7e 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -321,6 +349,10 @@ optional_policy(`
+@@ -321,11 +356,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -136690,7 +136785,13 @@ index a30840c..5980b7e 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -334,7 +366,7 @@ optional_policy(`
+ optional_policy(`
+-	nscd_socket_use(ipsec_mgmt_t)
++	nscd_use(ipsec_mgmt_t)
+ ')
+ 
+ ########################################
+@@ -334,7 +373,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -136699,7 +136800,7 @@ index a30840c..5980b7e 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -369,13 +401,12 @@ kernel_request_load_module(racoon_t)
+@@ -369,13 +408,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -136719,7 +136820,7 @@ index a30840c..5980b7e 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -400,10 +431,11 @@ locallogin_use_fds(racoon_t)
+@@ -400,10 +438,11 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -136732,7 +136833,7 @@ index a30840c..5980b7e 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -437,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -437,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -141990,14 +142091,15 @@ index bea4629..06e2834 100644
  /var/run/setrans(/.*)?		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
 +/var/run/mcstransd\.pid		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
 diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
-index efa9c27..591f581 100644
+index efa9c27..75bdcd0 100644
 --- a/policy/modules/system/setrans.if
 +++ b/policy/modules/system/setrans.if
-@@ -40,3 +40,21 @@ interface(`setrans_translate_context',`
+@@ -40,3 +40,23 @@ interface(`setrans_translate_context',`
  	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
  	files_list_pids($1)
  ')
-+#######################################
++
++######################################
 +## <summary>
 +##      Allow a domain to manage pid files
 +## </summary>
@@ -142015,6 +142117,7 @@ index efa9c27..591f581 100644
 +        files_search_pids($1)
 +        manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
 +')
++                                                
 diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
 index 1447687..d5e6fb9 100644
 --- a/policy/modules/system/setrans.te
@@ -145942,7 +146045,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..9c9a616 100644
+index e720dcd..9a6a3b0 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -148102,11 +148205,13 @@ index e720dcd..9c9a616 100644
  ')
  
  ########################################
-@@ -2298,6 +2975,44 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
+@@ -2296,6 +2973,45 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
+ 	dontaudit $1 user_tmp_t:file append_file_perms;
+ ')
  
- ########################################
- ## <summary>
-+##      Relabel user tmp files.
++#######################################
++## <summary>
++##      Set the attributes of user tmp files.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
@@ -148115,17 +148220,17 @@ index e720dcd..9c9a616 100644
 +## </param>
 +## <rolecap/>
 +#
-+interface(`userdom_relabel_user_tmp_files',`
++interface(`userdom_setattr_user_tmp_files',`
 +        gen_require(`
 +                type user_tmp_t;
 +        ')
 +
-+        allow $1 user_tmp_t:file relabel_file_perms;
-+')                                        
-+
++        allow $1 user_tmp_t:file setattr;
++')
++                                        
 +########################################
 +## <summary>
-+##      Set the attributes of user tmp files.
++##      Relabel user tmp files.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
@@ -148134,20 +148239,19 @@ index e720dcd..9c9a616 100644
 +## </param>
 +## <rolecap/>
 +#
-+interface(`userdom_setattr_user_tmp_files',`
++interface(`userdom_relabel_user_tmp_files',`
 +        gen_require(`
 +                type user_tmp_t;
 +        ')
 +
-+        allow $1 user_tmp_t:file setattr;
++        allow $1 user_tmp_t:file relabel_file_perms;
 +')
 +                                        
-+########################################
-+## <summary>
++
+ ########################################
+ ## <summary>
  ##	Read and write user temporary files.
- ## </summary>
- ## <param name="domain">
-@@ -2521,6 +3236,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,6 +3237,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -148173,7 +148277,7 @@ index e720dcd..9c9a616 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2537,13 +3271,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3272,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -148189,7 +148293,7 @@ index e720dcd..9c9a616 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2564,7 +3299,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3300,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -148198,7 +148302,7 @@ index e720dcd..9c9a616 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2572,14 +3307,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,14 +3308,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -148233,7 +148337,7 @@ index e720dcd..9c9a616 100644
  ')
  
  ########################################
-@@ -2674,6 +3425,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2674,6 +3426,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -148258,7 +148362,7 @@ index e720dcd..9c9a616 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2692,22 +3461,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3462,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -148301,7 +148405,7 @@ index e720dcd..9c9a616 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2716,14 +3497,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3498,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -148339,7 +148443,7 @@ index e720dcd..9c9a616 100644
  ')
  
  ########################################
-@@ -2742,8 +3542,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3543,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -148369,7 +148473,7 @@ index e720dcd..9c9a616 100644
  ')
  
  ########################################
-@@ -2815,69 +3634,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3635,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -148470,7 +148574,7 @@ index e720dcd..9c9a616 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2885,12 +3703,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3704,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -148485,7 +148589,7 @@ index e720dcd..9c9a616 100644
  ')
  
  ########################################
-@@ -2954,7 +3772,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3773,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -148494,7 +148598,7 @@ index e720dcd..9c9a616 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2970,16 +3788,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,16 +3789,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -148516,7 +148620,7 @@ index e720dcd..9c9a616 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2987,30 +3807,12 @@ interface(`userdom_search_user_home_content',`
+@@ -2987,30 +3808,12 @@ interface(`userdom_search_user_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -148549,7 +148653,7 @@ index e720dcd..9c9a616 100644
  ')
  
  ########################################
-@@ -3074,7 +3876,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3877,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -148558,7 +148662,7 @@ index e720dcd..9c9a616 100644
  ')
  
  ########################################
-@@ -3129,7 +3931,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,7 +3932,64 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -148624,7 +148728,7 @@ index e720dcd..9c9a616 100644
  ')
  
  ########################################
-@@ -3147,7 +4006,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3147,7 +4007,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -148633,7 +148737,7 @@ index e720dcd..9c9a616 100644
  ')
  
  ########################################
-@@ -3166,6 +4025,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3166,6 +4026,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -148641,7 +148745,7 @@ index e720dcd..9c9a616 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3242,6 +4102,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4103,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -148684,7 +148788,7 @@ index e720dcd..9c9a616 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4158,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4159,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -148709,7 +148813,7 @@ index e720dcd..9c9a616 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3295,4 +4209,1400 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3295,4 +4210,1401 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -149325,6 +149429,24 @@ index e720dcd..9c9a616 100644
 +	allow $1 user_tmp_t:file { getattr append };
 +')
 +
++########################################
++## <summary>
++##      Dontaudit append files inherited from the admin home dir.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to not audit.
++##      </summary>
++## </param>
++#
++interface(`userdom_dontaudit_append_inherited_admin_home_file',`
++        gen_require(`
++                attribute admin_home_t;
++        ')
++ 
++        dontaudit $1 admin_home_t:file append_inherited_file_perms;
++')
++                                     
 +######################################
 +## <summary>
 +##      Read audio files in the users homedir.
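Review bot: The relocated `userdom_dontaudit_append_inherited_admin_home_file` still requires `attribute admin_home_t;`, while the neighbouring `userdom_dontaudit_read_admin_home_files` requires `type admin_home_t;` for the same identifier and both then grant `admin_home_t:file` permissions, so one of the two declarations is wrong; as far as I can tell admin_home_t is declared as a type in userdomain.te, in which case the require block here should read `type admin_home_t;` (the inherited-read interface in the later hunk has the same mismatch). The block also carries trailing whitespace on the blank line after the require block and on the whitespace-only line after `')`, and uses 8-space indentation where the surrounding interfaces use tabs; since the block was only moved, this is a good moment to fix both.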
@@ -149584,7 +149706,7 @@ index e720dcd..9c9a616 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_read_admin_home_file',`
++interface(`userdom_dontaudit_read_admin_home_files',`
 +	gen_require(`
 +		type admin_home_t;
 +	')
@@ -149602,31 +149724,14 @@ index e720dcd..9c9a616 100644
 +##      </summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_read_inherited_admin_home_file',`
++interface(`userdom_dontaudit_read_inherited_admin_home_files',`
 +        gen_require(`
 +                attribute admin_home_t;
 +        ')
 +
 +        dontaudit $1 admin_home_t:file read_inherited_file_perms;
 +')
-+                                    
-+########################################
-+## <summary>
-+##      Dontaudit append files inherited from the admin home dir.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain to not audit.
-+##      </summary>
-+## </param>
-+#
-+interface(`userdom_dontaudit_append_inherited_admin_home_file',`
-+        gen_require(`
-+                attribute admin_home_t;
-+        ')
 +
-+        dontaudit $1 admin_home_t:file append_inherited_file_perms;
-+')
 +
 +########################################
 +## <summary>
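Review bot: After the rename, `userdom_dontaudit_read_inherited_admin_home_files` is plural while its sibling `userdom_dontaudit_append_inherited_admin_home_file` (moved earlier in this file) stays singular, so the two interfaces that are called together by svirt_lxc_domain now follow different naming conventions; renaming the append variant to `userdom_dontaudit_append_inherited_admin_home_files` and updating its single caller in virt.te would keep them consistent. Removing the block also leaves two consecutive empty `+` lines before the next `########` header where the rest of the file uses one.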
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 891a691..b755ee5 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -370,7 +370,7 @@ index 0b827c5..cce58bb 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/abrt.te b/abrt.te
-index 30861ec..9906206 100644
+index 30861ec..9551f2f 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -5,13 +5,41 @@ policy_module(abrt, 1.2.0)
@@ -591,7 +591,7 @@ index 30861ec..9906206 100644
 +miscfiles_read_public_files(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
-+userdom_dontaudit_read_admin_home_file(abrt_t)
++userdom_dontaudit_read_admin_home_files(abrt_t)
 +
 +tunable_policy(`abrt_anon_write',`
 +	miscfiles_manage_public_files(abrt_t)
@@ -24633,10 +24633,10 @@ index 0000000..e15bbb0
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..5200157
+index 0000000..bd14f46
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,142 @@
 +policy_module(glusterd, 1.0.0)
 +
 +## <desc>
@@ -24718,7 +24718,8 @@ index 0000000..5200157
 +
 +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
 +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
++manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
 +
 +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
@@ -60895,7 +60896,7 @@ index b2a0b6a..ea27ee5 100644
  /var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
  
 diff --git a/rpm.if b/rpm.if
-index 951d8f6..fb48b05 100644
+index 951d8f6..c9f8056 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -13,10 +13,13 @@
@@ -60987,32 +60988,7 @@ index 951d8f6..fb48b05 100644
  ')
  
  ########################################
-@@ -296,6 +342,24 @@ interface(`rpm_manage_log',`
- 	logging_rw_generic_log_dirs($1)
- 	allow $1 rpm_log_t:file manage_file_perms;
- ')
-+########################################
-+## <summary>
-+##      Create, read, write, and delete the RPM log.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`rpm_read_log',`
-+        gen_require(`
-+                type rpm_log_t;
-+        ')
-+
-+        read_files_pattern($1, rpm_log_t, rpm_log_t)
-+')
-+
- 
- ########################################
- ## <summary>
-@@ -332,7 +396,9 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -332,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -61022,7 +60998,7 @@ index 951d8f6..fb48b05 100644
  ')
  
  #####################################
-@@ -351,8 +417,7 @@ interface(`rpm_append_tmp_files',`
+@@ -351,8 +399,7 @@ interface(`rpm_append_tmp_files',`
  		type rpm_tmp_t;
  	')
  
@@ -61032,7 +61008,7 @@ index 951d8f6..fb48b05 100644
  ')
  
  ########################################
-@@ -372,7 +437,9 @@ interface(`rpm_manage_tmp_files',`
+@@ -372,7 +419,9 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -61042,7 +61018,7 @@ index 951d8f6..fb48b05 100644
  ')
  
  ########################################
-@@ -456,6 +523,7 @@ interface(`rpm_read_db',`
+@@ -456,6 +505,7 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -61050,7 +61026,7 @@ index 951d8f6..fb48b05 100644
  ')
  
  ########################################
-@@ -499,6 +567,26 @@ interface(`rpm_manage_db',`
+@@ -499,6 +549,26 @@ interface(`rpm_manage_db',`
  
  ########################################
  ## <summary>
@@ -61077,7 +61053,7 @@ index 951d8f6..fb48b05 100644
  ##	Do not audit attempts to create, read,
  ##	write, and delete the RPM package database.
  ## </summary>
-@@ -513,7 +601,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -513,11 +583,29 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -61086,6 +61062,28 @@ index 951d8f6..fb48b05 100644
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
+ 
++########################################
++## <summary>
++##      Create, read, write, and delete the RPM log.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`rpm_read_log',`
++        gen_require(`
++                type rpm_log_t;
++        ')
++
++         read_files_pattern($1, rpm_log_t, rpm_log_t)
++')
++                                    
+ #####################################
+ ## <summary>
+ ##	Read rpm pid files.
 @@ -573,3 +661,66 @@ interface(`rpm_pid_filetrans',`
  
  	files_pid_filetrans($1, rpm_var_run_t, file)
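Review bot: The summary of the re-added `rpm_read_log` says "Create, read, write, and delete the RPM log", but the body only grants `read_files_pattern($1, rpm_log_t, rpm_log_t)`; the summary should be `##	Read the RPM log.` so callers are not misled about what they are granting (the copy removed in the earlier hunk had the same wording). Callers will presumably also need to traverse the log directory to reach rpm_log_t files, which the neighbouring `rpm_manage_log` covers via `logging_rw_generic_log_dirs($1)`; adding `logging_search_logs($1)` before the read pattern would match that and is worth confirming against the callers. The `read_files_pattern` line is indented nine spaces and the line after `')` is whitespace only; the file otherwise uses tabs.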
@@ -72830,7 +72828,7 @@ index e70b0e8..cd83b89 100644
  /usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --git a/userhelper.if b/userhelper.if
-index 65baaac..16d4548 100644
+index 65baaac..4262175 100644
 --- a/userhelper.if
 +++ b/userhelper.if
 @@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -72878,10 +72876,12 @@ index 65baaac..16d4548 100644
  		tunable_policy(`! secure_mode',`
  			#if we are not in secure mode then we can transition to sysadm_t
  			sysadm_bin_spec_domtrans($1_userhelper_t)
-@@ -204,6 +195,25 @@ interface(`userhelper_dontaudit_search_config',`
+@@ -202,6 +193,25 @@ interface(`userhelper_dontaudit_search_config',`
+ 	dontaudit $1 userhelper_conf_t:dir search_dir_perms;
+ ')
  
- ########################################
- ## <summary>
++#######################################
++## <summary>
 +##      Do not audit attempts to write
 +##      the userhelper configuration files.
 +## </summary>
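Review bot: The header separator added for `userhelper_dontaudit_write_config` is one `#` shorter than the 40-character separators used by the surrounding interface headers, and the block uses 8-space indentation where the file uses tabs; in the continuation in the next hunk the `dontaudit $1 userhelper_conf_t:file write;` line is indented nine spaces and the line that replaces the old blank line before the next header is whitespace only. Normalising these to `	dontaudit $1 userhelper_conf_t:file write;` with a tab and a truly empty separator line would keep the new interface consistent with the rest of userhelper.if.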
@@ -72896,14 +72896,12 @@ index 65baaac..16d4548 100644
 +                type userhelper_conf_t;
 +        ')
 +
-+        dontaudit $1 userhelper_conf_t:file write;
++         dontaudit $1 userhelper_conf_t:file write;
 +')
-+
-+########################################
-+## <summary>
++                                      
+ ########################################
+ ## <summary>
  ##	Allow domain to use userhelper file descriptor.
- ## </summary>
- ## <param name="domain">
 @@ -255,3 +265,91 @@ interface(`userhelper_exec',`
  
  	can_exec($1, userhelper_exec_t)
@@ -74790,7 +74788,7 @@ index 6f0736b..b6aaf56 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..1ff7327 100644
+index 947bbc6..3ae3c76 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -4,57 +4,97 @@ policy_module(virt, 1.5.0)
@@ -75989,7 +75987,7 @@ index 947bbc6..1ff7327 100644
 +
 +userdom_use_inherited_user_terminals(svirt_lxc_domain)
 +userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain)
-+userdom_dontaudit_read_inherited_admin_home_file(svirt_lxc_domain)
++userdom_dontaudit_read_inherited_admin_home_files(svirt_lxc_domain)
 +
 +optional_policy(`
 +	apache_exec_modules(svirt_lxc_domain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a50438e..70d3b90 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -8,10 +8,10 @@
 %define BUILD_TARGETED 1
 %endif
 %if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
-%define BUILD_MINIMUM 1
+%define BUILD_MINIMUM 0
 %endif
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
-%define BUILD_MLS 1
+%define BUILD_MLS 0
 %endif
 %define POLICYVER 27
 %define POLICYCOREUTILSVER 2.1.13-34
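Review bot: The defaults `BUILD_MINIMUM` and `BUILD_MLS` are flipped from 1 to 0, which stops the minimum and MLS policy variants from being built unless the macros are passed explicitly, yet neither the commit message nor the changelog entry mentions it; this looks like a local build setting that was committed by accident and should be reverted unless the drop is intended. The changelog entry added later in this file also labels the release `3.10.1-102` while `Version:` is 3.11.1 and the previous entry is 3.11.1-101, so the entry line should presumably read `3.11.1-102`.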
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 101%{?dist}
+Release: 102%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %Changelog
+* Tue Sep 03 2013 Lukas Vrabec <lvrabec at redhat.com> 3.10.1-102
+- Fix syntax error in mock policy
+- Allow glusterd to create sock_file in /run
+- Add rpm_read_log interface
+- Add interface userhelper_dontaudit_write_config
+- Add support to strongswam in ipsec policy
+- Add interface corenet_relabel_tun_tap_dev
+
 * Thu Aug 29 2013 Lukas Vrabec <lvrabec at redhat.com> 3.11.1-101
 - Allow ssh_t to use /dev/ptmx
 - Allow syslogd to search psad lib files 
@@ -587,7 +595,7 @@ SELinux Reference policy mls base module.
 - Allow to create .mplayer with the correct labeling for unconfined
 - Allow iscsiadmin to create lock file with the correct labeling
 
-* Tue Jun 27 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-97
+* Thu Jun 27 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-97
 - Make DSPAM to act as a LDA working
 - Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
 - condor_collector uses tcp/9000

