+ ##
+ ## Determine whether openvpn can
+ ## read generic user home content files.
+@@ -26,6 +33,9 @@ files_config_file(openvpn_etc_t)
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
@@ -51007,7 +51032,7 @@ index 3270ff9..67da060 100644
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
-@@ -43,7 +46,7 @@ files_pid_file(openvpn_var_run_t)
+@@ -43,7 +53,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
@@ -51016,7 +51041,7 @@ index 3270ff9..67da060 100644
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
-@@ -62,6 +65,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -62,6 +72,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
@@ -51026,7 +51051,7 @@ index 3270ff9..67da060 100644
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-@@ -83,7 +89,6 @@ kernel_request_load_module(openvpn_t)
+@@ -83,7 +96,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
@@ -51034,7 +51059,7 @@ index 3270ff9..67da060 100644
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -105,11 +110,12 @@ corenet_tcp_bind_http_port(openvpn_t)
+@@ -105,11 +117,12 @@ corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_sendrecv_http_port(openvpn_t)
@@ -51048,7 +51073,7 @@ index 3270ff9..67da060 100644
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -121,18 +127,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -121,18 +134,24 @@ fs_search_auto_mountpoints(openvpn_t)
auth_use_pam(openvpn_t)
@@ -51076,7 +51101,7 @@ index 3270ff9..67da060 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -155,3 +167,7 @@ optional_policy(`
+@@ -155,3 +174,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
@@ -51084,11 +51109,31 @@ index 3270ff9..67da060 100644
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
++
++type openvpn_unconfined_script_t;
++type openvpn_unconfined_script_exec_t;
++domain_type(openvpn_unconfined_script_t)
++domain_entry_file(openvpn_unconfined_script_t, openvpn_unconfined_script_exec_t)
++corecmd_shell_entry_type(openvpn_unconfined_script_t)
++role system_r types openvpn_unconfined_script_t;
++
++allow openvpn_t openvpn_unconfined_script_exec_t:dir search_dir_perms;
++allow openvpn_t openvpn_unconfined_script_exec_t:file ioctl;
++
++optional_policy(`
++ unconfined_domain(openvpn_unconfined_script_t)
++')
++
++tunable_policy(`openvpn_run_unconfined',`
++ domtrans_pattern(openvpn_t, openvpn_unconfined_script_exec_t, openvpn_unconfined_script_t)
++',`
++ can_exec(openvpn_t, openvpn_unconfined_script_exec_t)
++')
diff --git a/openvswitch.fc b/openvswitch.fc
-index 45d7cc5..baf8d21 100644
+index 45d7cc5..c5b9607 100644
--- a/openvswitch.fc
+++ b/openvswitch.fc
-@@ -1,12 +1,15 @@
+@@ -1,12 +1,16 @@
-/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0)
+/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
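Review bot: The added `openvpn_unconfined_script_t` block lets the network-facing `openvpn_t` hand control to an unconfined domain, and no comment beside the rules says what governs that. As written, `unconfined_domain(openvpn_unconfined_script_t)` applies whenever the unconfined module is present, and only the `domtrans_pattern` line is gated by `openvpn_run_unconfined`; with the boolean off the same scripts still run, in `openvpn_t`, through `can_exec`. I would put a comment above the `tunable_policy` such as `# Scripts labelled openvpn_unconfined_script_exec_t leave openvpn_t confinement only when openvpn_run_unconfined is on; keep relabelto on that type restricted.` The boolean's declaration and default, and any file-context entry for the exec type, are not in this hunk, so please confirm the default is off. The new `type` declarations would also read better in the Declarations section than after the last `optional_policy`.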
@@ -51098,6 +51143,7 @@ index 45d7cc5..baf8d21 100644
+/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/bin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
@@ -52389,7 +52435,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..c1035d4 100644
+index 7bcf327..04b62f4 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -52638,7 +52684,7 @@ index 7bcf327..c1035d4 100644
')
optional_policy(`
-@@ -151,16 +247,23 @@ optional_policy(`
+@@ -151,16 +247,24 @@ optional_policy(`
')
optional_policy(`
@@ -52655,6 +52701,7 @@ index 7bcf327..c1035d4 100644
- seutil_sigchld_newrole(pegasus_t)
- seutil_dontaudit_read_config(pegasus_t)
+ rpc_read_exports(pegasus_t)
++ rpc_read_nfs_state_data(pegasus_t)
+')
+
+optional_policy(`
@@ -52666,7 +52713,7 @@ index 7bcf327..c1035d4 100644
')
optional_policy(`
-@@ -168,7 +271,7 @@ optional_policy(`
+@@ -168,7 +272,7 @@ optional_policy(`
')
optional_policy(`
@@ -55187,7 +55234,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 49694e8..d14cc7d 100644
+index 49694e8..ad46f29 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,4 +1,4 @@
@@ -55219,7 +55266,7 @@ index 49694e8..d14cc7d 100644
type policykit_resolve_t, policykit_domain;
type policykit_resolve_exec_t;
-@@ -42,63 +37,66 @@ files_pid_file(policykit_var_run_t)
+@@ -42,63 +37,68 @@ files_pid_file(policykit_var_run_t)
#######################################
#
@@ -55291,6 +55338,8 @@ index 49694e8..d14cc7d 100644
auth_use_nsswitch(policykit_t)
++init_list_pid_dirs(policykit_t)
++
+logging_send_syslog_msg(policykit_t)
+
userdom_getattr_all_users(policykit_t)
@@ -55305,7 +55354,7 @@ index 49694e8..d14cc7d 100644
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
-@@ -109,29 +107,43 @@ optional_policy(`
+@@ -109,29 +109,43 @@ optional_policy(`
')
optional_policy(`
@@ -55357,7 +55406,7 @@ index 49694e8..d14cc7d 100644
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -145,9 +157,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,9 +159,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -55367,7 +55416,7 @@ index 49694e8..d14cc7d 100644
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
dev_read_video_dev(policykit_auth_t)
-@@ -157,53 +166,64 @@ files_search_home(policykit_auth_t)
+@@ -157,53 +168,64 @@ files_search_home(policykit_auth_t)
fs_getattr_all_fs(policykit_auth_t)
fs_search_tmpfs(policykit_auth_t)
@@ -55442,7 +55491,7 @@ index 49694e8..d14cc7d 100644
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
-@@ -211,23 +231,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +233,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
@@ -55469,7 +55518,7 @@ index 49694e8..d14cc7d 100644
optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
-@@ -235,26 +252,28 @@ optional_policy(`
+@@ -235,26 +254,28 @@ optional_policy(`
########################################
#
@@ -55504,7 +55553,7 @@ index 49694e8..d14cc7d 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -266,6 +285,7 @@ optional_policy(`
+@@ -266,6 +287,7 @@ optional_policy(`
')
optional_policy(`
@@ -65420,10 +65469,20 @@ index b31f2d7..046f5b8 100644
userdom_dontaudit_search_user_home_dirs(radvd_t)
diff --git a/raid.fc b/raid.fc
-index 5806046..01ca7cb 100644
+index 5806046..5578653 100644
--- a/raid.fc
+++ b/raid.fc
-@@ -16,6 +16,7 @@
+@@ -3,6 +3,9 @@
+
+ /etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
++/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
++
+ /sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+ /sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+ /sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+@@ -16,6 +19,7 @@
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
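Review bot: The two new unit-file patterns in raid.fc leave the dot unescaped and end in `.*`, so `mdmonitor.*` labels any path under `/usr/lib/systemd/system/` that begins with `mdmonitor` as `mdadm_unit_file_t`, unlike the escaped `/etc/rc\.d/init\.d/mdmonitor` entry just above. If only specific units are meant, spell them out, e.g. `/usr/lib/systemd/system/mdmonitor\.service` and `/usr/lib/systemd/system/mdmon@.*\.service`. If the wildcard is deliberate to cover sibling units, a one-line comment saying so would help, since the raid.if change in this same patch grants `manage_service_perms` on that type to callers of the new interface.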
@@ -65432,7 +65491,7 @@ index 5806046..01ca7cb 100644
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
-index 951db7f..6d6ec1d 100644
+index 951db7f..7736755 100644
--- a/raid.if
+++ b/raid.if
@@ -1,9 +1,8 @@
@@ -65447,7 +65506,7 @@ index 951db7f..6d6ec1d 100644
##
##
##
-@@ -22,34 +21,33 @@ interface(`raid_domtrans_mdadm',`
+@@ -22,82 +21,115 @@ interface(`raid_domtrans_mdadm',`
######################################
##
@@ -65482,35 +65541,62 @@ index 951db7f..6d6ec1d 100644
- roleattribute $1 mdadm_roles;
')
- ########################################
+-########################################
++######################################
##
-## Create, read, write, and delete
-## mdadm pid files.
-+## read the mdadm pid files.
++## Execute mdadm server in the mdadm domain.
##
##
##
-@@ -57,47 +55,58 @@ interface(`raid_run_mdadm',`
+-## Domain allowed access.
++## Domain allowed to transition.
##
##
#
-interface(`raid_manage_mdadm_pid',`
-+interface(`raid_read_mdadm_pid',`
++interface(`mdadm_systemctl',`
gen_require(`
- type mdadm_var_run_t;
+- type mdadm_var_run_t;
++ type mdadm_t;
++ type mdadm_unit_file_t;
')
- files_search_pids($1)
- allow $1 mdadm_var_run_t:file manage_file_perms;
-+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
++ systemd_exec_systemctl($1)
++ allow $1 mdadm_unit_file_t:file read_file_perms;
++ allow $1 mdadm_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, mdadm_t)
')
########################################
##
-## All of the rules required to
-## administrate an mdadm environment.
-+## Create, read, write, and delete the mdadm pid files.
++## read the mdadm pid files.
##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`raid_read_mdadm_pid',`
++ gen_require(`
++ type mdadm_var_run_t;
++ ')
++
++ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
++')
++
++########################################
++##
++## Create, read, write, and delete the mdadm pid files.
++##
+##
+##
+## Create, read, write, and delete the mdadm pid files.
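Review bot: The summary on the new `mdadm_systemctl` interface, `Execute mdadm server in the mdadm domain`, looks copied from a domtrans interface and does not describe the body, which allows `systemctl` execution, reading `mdadm_unit_file_t` files and `manage_service_perms` on the mdadm services. A summary such as `## Execute systemctl and manage the mdadm unit files and services.` would match what callers actually receive. The name also breaks the `raid_` prefix used by the other interfaces visible in this file (`raid_domtrans_mdadm`, `raid_read_mdadm_pid`). Renaming it to something like `raid_systemctl` would need the `mdadm_systemctl(mdadm_t)` call in the raid.te hunk changed with it.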
@@ -65519,16 +65605,12 @@ index 951db7f..6d6ec1d 100644
+## Added for use in the init module.
+##
+##
- ##
++##
##
- ## Domain allowed access.
+-## Role allowed access.
++## Domain allowed access.
##
##
--##
--##
--## Role allowed access.
--##
--##
-##
#
-interface(`raid_admin_mdadm',`
@@ -65573,20 +65655,23 @@ index 951db7f..6d6ec1d 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
-index 2c1730b..e9c20b8 100644
+index 2c1730b..f60c494 100644
--- a/raid.te
+++ b/raid.te
-@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
+@@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
++type mdadm_unit_file_t;
++systemd_unit_file(mdadm_unit_file_t)
++
+type mdadm_tmp_t;
+files_tmpfs_file(mdadm_tmp_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
-@@ -25,23 +28,31 @@ dev_associate(mdadm_var_run_t)
+@@ -25,23 +31,31 @@ dev_associate(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -65622,7 +65707,7 @@ index 2c1730b..e9c20b8 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
-@@ -49,19 +60,25 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,19 +63,25 @@ corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -65650,7 +65735,7 @@ index 2c1730b..e9c20b8 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +87,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +90,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -65671,6 +65756,24 @@ index 2c1730b..e9c20b8 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
+@@ -97,9 +121,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mdadm_systemctl(mdadm_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(mdadm_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(mdadm_t)
+ ')
++
++optional_policy(`
++ xserver_dontaudit_search_log(mdadm_t)
++')
diff --git a/razor.fc b/razor.fc
index 6723f4d..6e26673 100644
--- a/razor.fc
@@ -85096,10 +85199,11 @@ index 0000000..dda7934
+files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
diff --git a/thumb.fc b/thumb.fc
new file mode 100644
-index 0000000..601aea3
+index 0000000..92b6843
--- /dev/null
+++ b/thumb.fc
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,18 @@
++HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
+HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
+HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
+HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0)
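Review bot: The new `HOME_DIR/\.texlive2012(/.*)?` entry hard-codes the release year, so the directory used by a later TeX Live release would presumably miss this label and the denial being fixed would come back. If the intent is the per-user TeX Live directory in general, a pattern such as `HOME_DIR/\.texlive[0-9]+(/.*)?` would cover later years. A short comment on why this tree gets `thumb_home_t` would also help, since that type is shared with `.thumbnails` and whatever access the thumbnailer domain has to its own home content (thumb.te is not in view) then extends to the whole TeX Live directory.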
@@ -89728,7 +89832,7 @@ index 9dec06c..378880d 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..7a305c4 100644
+index 1f22fba..99dd3a5 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -90873,7 +90977,7 @@ index 1f22fba..7a305c4 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +826,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +826,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -90889,6 +90993,7 @@ index 1f22fba..7a305c4 100644
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
++filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
-can_exec(virsh_t, virsh_exec_t)
-
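Review bot: The named transition `filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")` is added here for `virsh_t` and again, identical apart from the source domain, for `virtd_lxc_t` in the later virt.te hunk after `files_pid_filetrans(virtd_lxc_t, ...)`. Since `virt_filetrans_named_content(virsh_t)` is already called on the line above, the `"lxc"` rule may belong in that interface rather than being repeated per domain; the interface is defined outside this page, so I cannot confirm it fits there. If the rule stays inline, a comment such as `# label the "lxc" directory created under virt_var_run_t as virt_lxc_var_run_t` at both sites would record why this one name is special-cased.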
@@ -90903,7 +91008,7 @@ index 1f22fba..7a305c4 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +846,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -90930,7 +91035,7 @@ index 1f22fba..7a305c4 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +866,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -90962,7 +91067,7 @@ index 1f22fba..7a305c4 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +898,20 @@ optional_policy(`
+@@ -847,14 +899,20 @@ optional_policy(`
')
optional_policy(`
@@ -90984,7 +91089,7 @@ index 1f22fba..7a305c4 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +936,44 @@ optional_policy(`
+@@ -879,34 +937,45 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -91035,10 +91140,11 @@ index 1f22fba..7a305c4 100644
+manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
++filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +983,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +985,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -91056,7 +91162,7 @@ index 1f22fba..7a305c4 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1005,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +1007,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -91067,7 +91173,7 @@ index 1f22fba..7a305c4 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1014,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1016,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -91075,7 +91181,7 @@ index 1f22fba..7a305c4 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1026,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1028,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -91094,7 +91200,7 @@ index 1f22fba..7a305c4 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1040,40 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1042,40 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -91143,7 +91249,7 @@ index 1f22fba..7a305c4 100644
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1083,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -91170,7 +91276,7 @@ index 1f22fba..7a305c4 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1101,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91189,7 +91295,7 @@ index 1f22fba..7a305c4 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1120,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -91216,7 +91322,7 @@ index 1f22fba..7a305c4 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1143,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1145,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -91355,7 +91461,7 @@ index 1f22fba..7a305c4 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1241,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1243,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -91370,7 +91476,7 @@ index 1f22fba..7a305c4 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1259,8 @@ optional_policy(`
+@@ -1183,9 +1261,8 @@ optional_policy(`
########################################
#
@@ -91381,7 +91487,7 @@ index 1f22fba..7a305c4 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1273,114 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1275,114 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7ecc0d1..1d8f15b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 62%{?dist}
+Release: 63%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jul 11 2013 Miroslav Grepl 3.12.1-63
+- Add mdadm fixes
+
* Tue Jul 9 2013 Miroslav Grepl 3.12.1-62
- Fix definition of sandbox.disabled to sandbox.pp.disabled