From d043b4c8083e5d7449987b9dbc147e6d7a5f7651 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mar 20 2014 14:58:23 +0000 Subject: * Thu Mar 20 2014 Lukas Vrabec 3.12.1-74.22 - Allow couchdb to listen on port 6984 - Added kernel_dontaudit_access_check_proc interface - Added modutils_signal_insmod interface - Add xserver_manage_xkb_libs interface - Fixed ftp_home_dir boolean - Added policy for bumblebee --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index 2f5cbbb..756c54a 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -5428,7 +5428,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..0402154 100644 +index 4edc40d..c38f0a6 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5530,9 +5530,10 @@ index 4edc40d..0402154 100644 network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) - network_port(couchdb, tcp,5984,s0, udp,5984,s0) +-network_port(couchdb, tcp,5984,s0, udp,5984,s0) -network_port(cslistener, tcp,9000,s0, udp,9000,s0) -network_port(ctdb, tcp,4379,s0, udp,4397,s0) ++network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0) +network_port(ctdb, tcp,4379,s0, udp,4379,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) @@ -14145,7 +14146,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..d47750f 100644 +index 649e458..bb7d1a2 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` 
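Review bot: In the corenetwork.te.in hunk, the new couchdb definition labels `udp,6984` as well as `tcp,6984`, while the changelog entry only mentions couchdb listening on port 6984. If the service only needs a TCP listener on that port, the narrower form is `network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0)`. Otherwise every domain already allowed UDP access to couchdb_port_t gains the extra port as a side effect. The existing 5984 entry pairs tcp and udp, so this may simply follow the file's convention; a one-line comment stating that would settle it.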
@@ -14223,7 +14224,33 @@ index 649e458..d47750f 100644 ') ######################################## -@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on generic proc entries. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_access_check_proc',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ dontaudit $1 proc_t:dir_file_class_set audit_access; ++') ++ ++######################################## ++## + ## Do not audit attempts by caller to + ## read system state information in proc. + ## +@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -14248,7 +14275,7 @@ index 649e458..d47750f 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,7 +2155,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -14257,7 +14284,7 @@ index 649e458..d47750f 100644 ') ######################################## -@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2352,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -14283,7 +14310,7 @@ index 649e458..d47750f 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2395,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -14292,7 +14319,7 @@ index 649e458..d47750f 100644 ## ## # -@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2577,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## 
@@ -14317,7 +14344,7 @@ index 649e458..d47750f 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2632,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -14342,7 +14369,7 @@ index 649e458..d47750f 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2632,7 +2757,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -14351,7 +14378,7 @@ index 649e458..d47750f 100644 ') ######################################## -@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2670,6 +2795,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -14376,7 +14403,7 @@ index 649e458..d47750f 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2697,6 +2840,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -14402,7 +14429,7 @@ index 649e458..d47750f 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2806,6 +2968,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -14436,7 +14463,7 @@ index 649e458..d47750f 100644 ######################################## ## -@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2961,6 +3150,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## 
@@ -14461,7 +14488,7 @@ index 649e458..d47750f 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3182,300 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -21254,7 +21281,7 @@ index d1f64a0..9a5dab5 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..307cefc 100644 +index 6bf0ecc..97e9162 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -21982,10 +22009,30 @@ index 6bf0ecc..307cefc 100644 ') ######################################## -@@ -1004,6 +1229,64 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1229,84 @@ interface(`xserver_read_xkb_libs',` ######################################## ## ++## Manage X keyboard extension libraries. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_manage_xkb_libs',` ++ gen_require(` ++ type xkb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 xkb_var_lib_t:dir list_dir_perms; ++ manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ++') ++ ++######################################## ++## +## dontaudit access checks X keyboard extension libraries. +## +## @@ -22047,7 +22094,7 @@ index 6bf0ecc..307cefc 100644 ## Read xdm temporary files. ## ## -@@ -1017,7 +1300,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1320,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -22056,7 +22103,7 @@ index 6bf0ecc..307cefc 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1079,6 +1362,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,6 +1382,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## 
@@ -22099,7 +22146,7 @@ index 6bf0ecc..307cefc 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1093,7 +1412,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1093,7 +1432,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -22108,7 +22155,7 @@ index 6bf0ecc..307cefc 100644 ') ######################################## -@@ -1111,8 +1430,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1450,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -22120,7 +22167,7 @@ index 6bf0ecc..307cefc 100644 ') ######################################## -@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1210,6 +1551,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -22146,7 +22193,7 @@ index 6bf0ecc..307cefc 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1586,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -22173,7 +22220,7 @@ index 6bf0ecc..307cefc 100644 ') ######################################## -@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1631,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -22182,7 +22229,7 @@ index 6bf0ecc..307cefc 100644 ## ## ## -@@ -1261,13 +1621,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1641,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` 
@@ -22207,7 +22254,7 @@ index 6bf0ecc..307cefc 100644 ') ######################################## -@@ -1284,10 +1654,623 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1674,623 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -32369,7 +32416,7 @@ index 9933677..ca14c17 100644 + +/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 7449974..6375786 100644 +index 7449974..4f4ac3a 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -32426,7 +32473,32 @@ index 7449974..6375786 100644 ## Read the configuration options used when ## loading modules. ## -@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',` +@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',` + + ######################################## + ## ++## Allow send signal to insmod. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`modutils_signal_insmod',` ++ gen_require(` ++ type insmod_t; ++ ') ++ ++ allow $1 insmod_t:process signal; ++') ++ ++######################################## ++## + ## Execute insmod in the insmod domain, and + ## allow the specified role the insmod domain, + ## and use the caller's terminal. Has a sigchld +@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',` # interface(`modutils_run_update_mods',` gen_require(` @@ -32447,7 +32519,7 @@ index 7449974..6375786 100644 ') ######################################## -@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',` +@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index e7d435f..e9bfd72 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch 
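Review bot: The parameter description of the new `modutils_signal_insmod` interface in modutils.if reads "Domain allowed to transition.", but the body contains only `allow $1 insmod_t:process signal;` and grants no domain transition. The text looks carried over from `modutils_domtrans_insmod` just above it. The description should read `Domain allowed access.` and the summary something like `Send generic signals to insmod.`, so that someone auditing callers from the interface documentation does not assume a transition into insmod_t is being granted.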
@@ -9669,6 +9669,212 @@ index 41f8251..57f094e 100644 optional_policy(` mta_send_mail(httpd_bugzilla_script_t) ') +diff --git a/bumblebee.fc b/bumblebee.fc +new file mode 100644 +index 0000000..b5ee23b +--- /dev/null ++++ b/bumblebee.fc +@@ -0,0 +1,7 @@ ++/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++ ++/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++ ++/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0) ++ ++/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0) +diff --git a/bumblebee.if b/bumblebee.if +new file mode 100644 +index 0000000..de66654 +--- /dev/null ++++ b/bumblebee.if +@@ -0,0 +1,121 @@ ++## policy for bumblebee ++ ++######################################## ++## ++## Execute bumblebee in the bumblebee domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`bumblebee_domtrans',` ++ gen_require(` ++ type bumblebee_t, bumblebee_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t) ++') ++ ++######################################## ++## ++## Read bumblebee PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bumblebee_read_pid_files',` ++ gen_require(` ++ type bumblebee_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t) ++') ++ ++######################################## ++## ++## Execute bumblebee server in the bumblebee domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`bumblebee_systemctl',` ++ gen_require(` ++ type bumblebee_t; ++ type bumblebee_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 bumblebee_unit_file_t:file read_file_perms; ++ allow $1 bumblebee_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, bumblebee_t) ++') ++ ++######################################## ++## ++## Connect to bumblebee over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bumblebee_stream_connect',` ++ gen_require(` ++ type bumblebee_t, bumblebee_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an bumblebee environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`bumblebee_admin',` ++ gen_require(` ++ type bumblebee_t; ++ type bumblebee_var_run_t; ++ type bumblebee_unit_file_t; ++ ') ++ ++ allow $1 bumblebee_t:process { signal_perms }; ++ ps_process_pattern($1, bumblebee_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 bumblebee_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, bumblebee_var_run_t) ++ ++ bumblebee_systemctl($1) ++ admin_pattern($1, bumblebee_unit_file_t) ++ allow $1 bumblebee_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/bumblebee.te b/bumblebee.te +new file mode 100644 +index 0000000..1076e6a +--- /dev/null ++++ b/bumblebee.te +@@ -0,0 +1,60 @@ ++policy_module(bumblebee, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type bumblebee_t; ++type bumblebee_exec_t; ++init_daemon_domain(bumblebee_t, bumblebee_exec_t) ++ ++type bumblebee_var_run_t; ++files_pid_file(bumblebee_var_run_t) ++ ++type 
bumblebee_unit_file_t; ++systemd_unit_file(bumblebee_unit_file_t) ++ ++######################################## ++# ++# bumblebee local policy ++# ++ ++allow bumblebee_t self:capability { setgid }; ++allow bumblebee_t self:process { fork signal_perms }; ++allow bumblebee_t self:fifo_file rw_fifo_file_perms; ++allow bumblebee_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file }) ++ ++kernel_read_system_state(bumblebee_t) ++kernel_dontaudit_access_check_proc(bumblebee_t) ++kernel_manage_debugfs(bumblebee_t) ++ ++corecmd_exec_shell(bumblebee_t) ++corecmd_exec_bin(bumblebee_t) ++ ++dev_read_sysfs(bumblebee_t) ++ ++auth_read_passwd(bumblebee_t) ++ ++logging_send_syslog_msg(bumblebee_t) ++ ++modutils_domtrans_insmod(bumblebee_t) ++modutils_signal_insmod(bumblebee_t) ++ ++sysnet_dns_name_resolve(bumblebee_t) ++ ++xserver_domtrans(bumblebee_t) ++xserver_signal(bumblebee_t) ++xserver_stream_connect(bumblebee_t) ++xserver_manage_xkb_libs(bumblebee_t) ++corenet_tcp_connect_xserver_port(bumblebee_t) ++ ++optional_policy(` ++ apm_stream_connect(bumblebee_t) ++') diff --git a/cachefilesd.fc b/cachefilesd.fc index 648c790..aa03fc8 100644 --- a/cachefilesd.fc @@ -10820,10 +11026,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..25f2d55 +index 0000000..307b083 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,238 @@ +@@ -0,0 +1,242 @@ +policy_module(chrome,1.0.0) + +######################################## 
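Review bot: bumblebee.te gives the new daemon domain `kernel_manage_debugfs(bumblebee_t)`, `corecmd_exec_shell(bumblebee_t)` and `corecmd_exec_bin(bumblebee_t)` without a comment saying which operation needs each of them. Manage on debugfs covers create and delete as well as write; if bumblebeed only writes to an existing switch file there (presumably the GPU switch, to be confirmed), a read/write grant would be enough. Each of these lines deserves a why-comment such as `# bumblebeed writes the GPU power switch under debugfs`. In bumblebee.if, the `bumblebee_systemctl` summary ("Execute bumblebee server in the bumblebee domain", "Domain allowed to transition") describes a domain transition, while the body grants systemctl execution and `manage_service_perms` on the unit file. The `bumblebee_domtrans` summary also misspells "domain" as "domin".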
@@ -11003,6 +11209,10 @@ index 0000000..25f2d55 + sandbox_use_ptys(chrome_sandbox_t) +') + ++optional_policy(` ++ bumblebee_stream_connect(chrome_sandbox_t) ++') ++ + +######################################## +# @@ -24750,7 +24960,7 @@ index d062080..97fb494 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..6edd471 100644 +index e50f33c..38584c5 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -24854,11 +25064,9 @@ index e50f33c..6edd471 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t) - +@@ -255,31 +269,47 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) -+userdom_filetrans_home_content(ftpd_t) -tunable_policy(`allow_ftpd_anon_write',` +tunable_policy(`ftpd_anon_write',` @@ -24911,7 +25119,7 @@ index e50f33c..6edd471 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',` +@@ -299,22 +329,20 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -24925,10 +25133,12 @@ index e50f33c..6edd471 100644 tunable_policy(`ftp_home_dir',` allow ftpd_t self:capability { dac_override dac_read_search }; - +- - userdom_manage_user_home_content_dirs(ftpd_t) - userdom_manage_user_home_content_files(ftpd_t) - userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) ++ ++ files_list_home(ftpd_t) + userdom_manage_all_user_home_type_dirs(ftpd_t) + userdom_manage_all_user_home_type_files(ftpd_t) userdom_manage_user_tmp_dirs(ftpd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9ca4b71..2b0c97f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
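Review bot: The new `bumblebee_stream_connect(chrome_sandbox_t)` in chrome.te lets the Chrome sandbox domain connect to the bumblebeed socket, which exposes that daemon's socket handling to the least trusted Chrome domain. bumblebee.te in this same commit lets that daemon execute a shell, transition to insmod and the X server, and manage debugfs. If the rule was added only to clear a denial seen when Chrome runs on the discrete GPU, check whether the sandbox itself needs the connection or only the parent chrome domain does (the parent's rules are not visible in this hunk). Either way the block should carry a comment with the reason, e.g. `# chrome started via optirun talks to bumblebeed`, so that the grant can be revisited later.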
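Review bot: With `userdom_filetrans_home_content(ftpd_t)` dropped from the unconditional ftpd_t rules in ftp.te, no type transition is visible in the ftp_home_dir block for content that ftpd creates under a home directory. In that block the commit only adds `files_list_home(ftpd_t)` next to the manage_all_user_home_type rules. If nothing outside these hunks supplies a transition, uploaded files and directories would inherit the parent directory's type instead of the expected home-content type and would need a relabel afterwards. In that case the call belongs inside the tunable, as `userdom_filetrans_home_content(ftpd_t)` after the two manage lines. The tunable_policy block continues past the end of the hunk, so this needs checking against the full file.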
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.21%{?dist} +Release: 74.22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -542,7 +542,15 @@ SELinux Reference policy mls base module. %endif %changelog -* Mon Mar 18 2014 Lukas Vrabec 3.12.1-74.21 +* Thu Mar 20 2014 Lukas Vrabec 3.12.1-74.22 +- Allow couchdb to listen on port 6984 +- Added kernel_dontaudit_access_check_proc interface +- Added modutils_signal_insmod interface +- Add xserver_manage_xkb_libs interface +- Fixed ftp_home_dir boolean +- Added policy for bumblebee + +* Mon Mar 17 2014 Lukas Vrabec 3.12.1-74.21 - Added sysnet_domtrans_ifconfig in neutron policy * Mon Mar 17 2014 Lukas Vrabec 3.12.1-74.20 @@ -665,7 +673,7 @@ SELinux Reference policy mls base module. - Allow to su_domain to read init states - Update labeling for /dev/cdc-wdm -* Thu Oct 08 2013 Lukas Vrabec 3.12.1-74.9 +* Tue Oct 08 2013 Lukas Vrabec 3.12.1-74.9 - Allow systemd domains to read /dev/urand - Remove duplicated interfaces - Fix port definition for ctdb ports