From af7820fd90f44e71abd66450c3de161498449522 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jun 18 2014 09:38:06 +0000 Subject: * Wed Jun 18 2014 Lukas Vrabec 3.12.1-170 - Add labels for swapon and xfs_growfs - Add mozilla_plugin_use_bluejeans boolean - apcupsd will send a wall message to all terminals telling the system is about to go down - Additional policy required for geard. - Allow geard to transition to passwd and useradd --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 70354c1..741c176 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -29594,7 +29594,7 @@ index 3694bfe..7fcd27a 100644 ') diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index a97a096..bf726c3 100644 +index a97a096..ce0abe6 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -1,4 +1,3 @@ @@ -29610,7 +29610,7 @@ index a97a096..bf726c3 100644 /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -35,13 +33,53 @@ +@@ -35,13 +33,55 @@ /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -29658,8 +29658,10 @@ index a97a096..bf726c3 100644 +/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) + 
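Review bot: The label added in the `@@ -29658,8 +29658,10 @@` hunk is `/usr/sbin/swapoff`, but the commit message and the spec changelog say "Add labels for swapon and xfs_growfs"; `/usr/sbin/swapon.*` was already on the old side of this hunk and its regex does not match `swapoff`, so the new entry is needed while the changelog names the wrong binary. I'd change the changelog line to `- Add labels for swapoff and xfs_growfs`. The neighbouring fstools.fc entries appear in both `/sbin` and `/usr/sbin` forms (e.g. `/sbin/sfdisk` and `/usr/sbin/sfdisk`), whereas `swapoff` and `xfs_growfs` get only the `/usr/sbin` form; that is fine where `/sbin` is a symlink to `/usr/sbin`, but it is worth confirming for the target release.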
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index c6010de..ee269bc 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -7361,7 +7361,7 @@ index f3c0aba..cbe3d4a 100644 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index b236327..5206035 100644 +index b236327..a813b6c 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) @@ -7408,7 +7408,7 @@ index b236327..5206035 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +82,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +82,24 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) @@ -7418,8 +7418,8 @@ index b236327..5206035 100644 files_manage_etc_runtime_files(apcupsd_t) files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") - term_use_unallocated_ttys(apcupsd_t) -+term_use_usb_ttys(apcupsd_t) +-term_use_unallocated_ttys(apcupsd_t) ++term_use_all_terms(apcupsd_t) -logging_send_syslog_msg(apcupsd_t) +#apcupsd runs shutdown, probably need a shutdown domain @@ -7438,7 +7438,7 @@ index b236327..5206035 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -101,6 +115,11 @@ optional_policy(` +@@ -101,6 +114,11 @@ optional_policy(` shutdown_domtrans(apcupsd_t) ') @@ -7450,7 +7450,7 @@ index b236327..5206035 100644 ######################################## # # CGI local policy -@@ -112,7 +131,6 @@ optional_policy(` +@@ -112,7 +130,6 @@ optional_policy(` allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; @@ -28254,10 +28254,10 @@ index 0000000..04e159f +') diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..cb68ca9 +index 0000000..9d55eae --- /dev/null +++ b/gear.te -@@ -0,0 +1,125 @@ +@@ -0,0 +1,131 @@ +policy_module(gear, 1.0.0) + +######################################## 
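Review bot: `++term_use_all_terms(apcupsd_t)` in the `@@ -7418,8 +7418,8 @@` hunk replaces `term_use_usb_ttys` with read and write access to every tty and pty type for a daemon that also binds network ports (`corenet_udp_bind_snmp_port(apcupsd_t)` is visible as context in the previous hunk), while sending a wall message only needs write access. If this policy's terminal.if provides them, the narrower pair `term_write_all_ttys(apcupsd_t)` and `term_write_all_ptys(apcupsd_t)` would cover the shutdown notice without granting reads from user terminals; either way the line deserves a why-comment such as `# apcupsd runs wall(1) to announce an impending shutdown`. The apcupsd_t local policy this hunk touches continues outside the hunk.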
@@ -28357,7 +28357,10 @@ index 0000000..cb68ca9 + +mount_domtrans(gear_t) + ++selinux_validate_context(gear_t) ++ +seutil_read_default_contexts(gear_t) ++seutil_read_config(gear_t) + +sysnet_dns_name_resolve(gear_t) + @@ -28366,6 +28369,9 @@ index 0000000..cb68ca9 + +systemd_manage_all_unit_files(gear_t) + ++usermanage_domtrans_useradd(gear_t) ++usermanage_domtrans_passwd(gear_t) ++ +optional_policy(` + hostname_exec(gear_t) +') @@ -45541,7 +45547,7 @@ index 6194b80..7490fe3 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..44a39ff 100644 +index 6a306ee..6c2d2fa 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -45550,7 +45556,7 @@ index 6a306ee..44a39ff 100644 ######################################## # -@@ -6,17 +6,41 @@ policy_module(mozilla, 2.7.4) +@@ -6,17 +6,48 @@ policy_module(mozilla, 2.7.4) # ## @@ -45581,6 +45587,13 @@ index 6a306ee..44a39ff 100644 + +## +##
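Review bot: `++usermanage_domtrans_useradd(gear_t)` and `++usermanage_domtrans_passwd(gear_t)` in the `@@ -28366,6 +28369,9 @@` hunk let the geard daemon enter the domains that modify the local account databases, with no comment saying which geard operation requires it; a line above them such as `# geard provisions unix accounts for containers and needs useradd/passwd` — checked against what geard actually executes — would let a later reviewer judge whether the grant is still justified. Because gear_t runs as a system daemon, the transition presumably also depends on `useradd_t` and `passwd_t` being permitted in `system_r`; confirm that on the built policy with seinfo/sesearch, otherwise the exec fails with a role denial rather than a type denial. The preceding `@@ -28357,7 +28357,10 @@` hunk (`++selinux_validate_context(gear_t)`, `++seutil_read_config(gear_t)`) would likewise benefit from a one-line note on why geard validates contexts. The gear_t policy body these hunks land in continues outside both hunks.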

++## Allow mozilla plugin to use Bluejeans. ++##

++##
++gen_tunable(mozilla_plugin_use_bluejeans, false) ++ ++## ++##

+## Allow confined web browsers to read home directory content +##

+##
@@ -45597,7 +45610,7 @@ index 6a306ee..44a39ff 100644 type mozilla_t; type mozilla_exec_t; typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; -@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; +@@ -24,6 +55,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; userdom_user_application_domain(mozilla_t, mozilla_exec_t) role mozilla_roles types mozilla_t; @@ -45607,7 +45620,7 @@ index 6a306ee..44a39ff 100644 type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t) +@@ -31,28 +65,24 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; @@ -45641,7 +45654,7 @@ index 6a306ee..44a39ff 100644 role mozilla_plugin_config_roles types mozilla_plugin_config_t; type mozilla_tmp_t; -@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys +@@ -63,10 +93,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; userdom_user_tmpfs_file(mozilla_tmpfs_t) @@ -45652,7 +45665,7 @@ index 6a306ee..44a39ff 100644 ######################################## # # Local policy -@@ -75,27 +94,30 @@ optional_policy(` +@@ -75,27 +101,30 @@ optional_policy(` allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; 
@@ -45696,7 +45709,7 @@ index 6a306ee..44a39ff 100644 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +@@ -103,76 +132,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -45804,7 +45817,7 @@ index 6a306ee..44a39ff 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,57 +196,76 @@ auth_use_nsswitch(mozilla_t) +@@ -181,57 +203,76 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -45812,11 +45825,11 @@ index 6a306ee..44a39ff 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -- --userdom_manage_user_tmp_dirs(mozilla_t) --userdom_manage_user_tmp_files(mozilla_t) +userdom_use_inherited_user_ptys(mozilla_t) +-userdom_manage_user_tmp_dirs(mozilla_t) +-userdom_manage_user_tmp_files(mozilla_t) +- -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) @@ -45917,7 +45930,7 @@ index 6a306ee..44a39ff 100644 optional_policy(` apache_read_user_scripts(mozilla_t) -@@ -244,19 +278,12 @@ optional_policy(` +@@ -244,19 +285,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -45939,7 +45952,7 @@ index 6a306ee..44a39ff 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +292,32 @@ optional_policy(` +@@ -265,33 +299,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) 
@@ -45952,34 +45965,34 @@ index 6a306ee..44a39ff 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) -+') -+ -+optional_policy(` -+ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ lpd_domtrans_lpr(mozilla_t) ++ java_domtrans(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ nscd_socket_use(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) ++ nscd_socket_use(mozilla_t) ++') ++ ++optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -45987,7 +46000,7 @@ index 6a306ee..44a39ff 100644 ') optional_policy(` -@@ -300,259 +326,256 @@ optional_policy(` +@@ -300,259 +333,256 @@ optional_policy(` ######################################## # @@ -46254,12 +46267,12 @@ index 6a306ee..44a39ff 100644 -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -+systemd_read_logind_sessions_files(mozilla_plugin_t) - +- -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) 
@@ -46390,7 +46403,7 @@ index 6a306ee..44a39ff 100644 ') optional_policy(` -@@ -560,7 +583,11 @@ optional_policy(` +@@ -560,7 +590,11 @@ optional_policy(` ') optional_policy(` @@ -46403,7 +46416,7 @@ index 6a306ee..44a39ff 100644 ') optional_policy(` -@@ -568,108 +595,131 @@ optional_policy(` +@@ -568,108 +602,136 @@ optional_policy(` ') optional_policy(` 
@@ -46436,19 +46449,17 @@ index 6a306ee..44a39ff 100644 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - +- -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -- ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix") -+allow mozilla_plugin_config_t self:fifo_file rw_file_perms; -+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; - +- -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash") 
@@ -46457,20 +46468,22 @@ index 6a306ee..44a39ff 100644 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") -+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) ++allow mozilla_plugin_config_t self:fifo_file rw_file_perms; ++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") ++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) + +-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +dev_read_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) +dev_dontaudit_read_rand(mozilla_plugin_config_t) +dev_dontaudit_rw_dri(mozilla_plugin_config_t) --can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +fs_search_auto_mountpoints(mozilla_plugin_config_t) +fs_list_inotifyfs(mozilla_plugin_config_t) --ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) -- -kernel_read_system_state(mozilla_plugin_config_t) -kernel_request_load_module(mozilla_plugin_config_t) +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) 
@@ -46542,18 +46555,14 @@ index 6a306ee..44a39ff 100644 - allow mozilla_plugin_config_t self:process execmem; +optional_policy(` + gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) - ') - --tunable_policy(`mozilla_execstack',` -- allow mozilla_plugin_config_t self:process { execmem execstack }; ++') ++ +optional_policy(` + xserver_use_user_fonts(mozilla_plugin_config_t) ') --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mozilla_plugin_config_t) -- fs_manage_nfs_files(mozilla_plugin_config_t) -- fs_manage_nfs_symlinks(mozilla_plugin_config_t) +-tunable_policy(`mozilla_execstack',` +- allow mozilla_plugin_config_t self:process { execmem execstack }; +ifdef(`distro_redhat',` + typealias mozilla_plugin_t alias nsplugin_t; + typealias mozilla_plugin_exec_t alias nsplugin_exec_t; @@ -46564,10 +46573,10 @@ index 6a306ee..44a39ff 100644 + typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t; ') --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_plugin_config_t) -- fs_manage_cifs_files(mozilla_plugin_config_t) -- fs_manage_cifs_symlinks(mozilla_plugin_config_t) +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_plugin_config_t) +- fs_manage_nfs_files(mozilla_plugin_config_t) +- fs_manage_nfs_symlinks(mozilla_plugin_config_t) +#tunable_policy(`mozilla_plugin_enable_homedirs',` +# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) +#', ` @@ -46580,8 +46589,10 @@ index 6a306ee..44a39ff 100644 + userdom_execmod_user_home_files(mozilla_plugin_t) ') --optional_policy(` -- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_plugin_config_t) +- fs_manage_cifs_files(mozilla_plugin_config_t) +- fs_manage_cifs_symlinks(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_spice',` + dev_rw_generic_usb_dev(mozilla_plugin_t) + dev_setattr_generic_usb_dev(mozilla_plugin_t) 
@@ -46589,11 +46600,18 @@ index 6a306ee..44a39ff 100644 ') -optional_policy(` -- xserver_use_user_fonts(mozilla_plugin_config_t) +- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_gps',` + fs_manage_dos_dirs(mozilla_plugin_t) + fs_manage_dos_files(mozilla_plugin_t) ') + +-optional_policy(` +- xserver_use_user_fonts(mozilla_plugin_config_t) ++tunable_policy(`mozilla_plugin_use_bluejeans',` ++ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t) ++ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t) + ') diff --git a/mpd.fc b/mpd.fc index 313ce52..ae93e07 100644 --- a/mpd.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index f9ab584..298fa91 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 169%{?dist} +Release: 170%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jun 18 2014 Lukas Vrabec 3.12.1-170 +- Add labels for swapon and xfs_growfs +- Add mozilla_plugin_use_bluejeans boolean +- apcupsd will send a wall message to all terminals telling the system is about to go down +- Additional policy required for geard. +- Allow geard to transition to passwd and useradd + * Tue Jun 17 2014 Lukas Vrabec 3.12.1-169 - Allow unpriv users to manage games data files. Needed by nethack. - add games_manage_data_files() interface
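Review bot: `++ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)` in the `@@ -46589,11 +46600,18 @@` hunk silences audit records for every bind attempt by the plugin on a labelled port type while the boolean is on, so the AVC trail for exactly the ports that `corenet_tcp_bind_unreserved_ports` on the line above deliberately excludes is lost. If the dontaudit exists only to quiet a specific port type the application probes, scoping it to that type keeps the rest of the signal; otherwise a comment recording why the broad dontaudit is accepted belongs above the line. The mozilla_plugin_t tunable section continues outside the hunk.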