diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index ab46f09..d3c0391 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -17459,7 +17459,7 @@ index 7be4ddf..71e675a 100644
+/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..a4648ed 100644
+index e100d88..227ae89 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -17648,7 +17648,7 @@ index e100d88..a4648ed 100644
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
##
-@@ -1458,6 +1564,24 @@ interface(`kernel_list_all_proc',`
+@@ -1458,6 +1564,25 @@ interface(`kernel_list_all_proc',`
########################################
##
@@ -17666,6 +17666,7 @@ index e100d88..a4648ed 100644
+ ')
+
+ allow $1 proc_type:dir mounton;
++ allow $1 proc_type:file mounton;
+')
+
+########################################
@@ -17673,7 +17674,7 @@ index e100d88..a4648ed 100644
## Do not audit attempts to list all proc directories.
##
##
-@@ -1477,6 +1601,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
##
@@ -17698,7 +17699,7 @@ index e100d88..a4648ed 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
-@@ -1672,7 +1814,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17707,7 +17708,7 @@ index e100d88..a4648ed 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1693,7 +1835,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',`
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17716,7 +17717,7 @@ index e100d88..a4648ed 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1715,7 +1857,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -17724,7 +17725,7 @@ index e100d88..a4648ed 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1750,16 +1891,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1892,9 @@ interface(`kernel_rw_unix_sysctls',`
## Domain allowed access.
##
##
@@ -17742,7 +17743,7 @@ index e100d88..a4648ed 100644
')
########################################
-@@ -1771,16 +1905,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1906,9 @@ interface(`kernel_read_hotplug_sysctls',`
## Domain allowed access.
##
##
@@ -17760,7 +17761,7 @@ index e100d88..a4648ed 100644
')
########################################
-@@ -1792,16 +1919,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1920,9 @@ interface(`kernel_rw_hotplug_sysctls',`
## Domain allowed access.
##
##
@@ -17778,7 +17779,7 @@ index e100d88..a4648ed 100644
')
########################################
-@@ -1813,16 +1933,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1934,9 @@ interface(`kernel_read_modprobe_sysctls',`
## Domain allowed access.
##
##
@@ -17796,7 +17797,7 @@ index e100d88..a4648ed 100644
')
########################################
-@@ -2085,9 +2198,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2199,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -17826,7 +17827,7 @@ index e100d88..a4648ed 100644
########################################
##
## Allow caller to read all sysctls.
-@@ -2282,6 +2414,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2415,25 @@ interface(`kernel_list_unlabeled',`
########################################
##
@@ -17852,7 +17853,7 @@ index e100d88..a4648ed 100644
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
-@@ -2306,7 +2457,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2458,7 @@ interface(`kernel_read_unlabeled_state',`
##
##
##
@@ -17861,7 +17862,7 @@ index e100d88..a4648ed 100644
##
##
#
-@@ -2488,6 +2639,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2640,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
@@ -17886,7 +17887,7 @@ index e100d88..a4648ed 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
-@@ -2525,6 +2694,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2695,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
##
@@ -17911,7 +17912,7 @@ index e100d88..a4648ed 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2667,6 +2854,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2855,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -17936,7 +17937,7 @@ index e100d88..a4648ed 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2694,6 +2899,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2900,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -17962,7 +17963,7 @@ index e100d88..a4648ed 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2803,20 +3027,47 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,20 +3028,47 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -18017,7 +18018,7 @@ index e100d88..a4648ed 100644
##
##
##
-@@ -2958,6 +3209,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3210,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -18042,7 +18043,7 @@ index e100d88..a4648ed 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2972,5 +3241,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3242,565 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 556ffe5..d3c91fc 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1594,7 +1594,7 @@ index 01cbb67..94a4a24 100644
files_list_etc($1)
diff --git a/aide.te b/aide.te
-index 03831e6..cfc9115 100644
+index 03831e6..94a723f 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1605,12 +1605,13 @@ index 03831e6..cfc9115 100644
role aide_roles types aide_t;
type aide_log_t;
-@@ -23,22 +24,30 @@ files_type(aide_db_t)
+@@ -23,22 +24,34 @@ files_type(aide_db_t)
# Local policy
#
-allow aide_t self:capability { dac_override fowner };
+allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
++allow aide_t self:process signal;
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
@@ -1621,6 +1622,9 @@ index 03831e6..cfc9115 100644
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
logging_log_filetrans(aide_t, aide_log_t, file)
++dev_read_rand(aide_t)
++dev_read_urand(aide_t)
++
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
@@ -2365,15 +2369,16 @@ index 16d0d66..60abfd0 100644
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.fc b/anaconda.fc
-index b098089..358c9f9 100644
+index b098089..37d428c 100644
--- a/anaconda.fc
+++ b/anaconda.fc
-@@ -1 +1,11 @@
+@@ -1 +1,12 @@
# No file context specifications.
+
+/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/sbin/anaconda -- gen_context(system_u:object_r:install_exec_t,s0)
+
++/usr/bin/initial-setup -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0)
+
@@ -69388,7 +69393,7 @@ index cd8b8b9..6c73980 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index d616ca3..fd72341 100644
+index d616ca3..979a6e0 100644
--- a/ppp.te
+++ b/ppp.te
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@@ -69544,11 +69549,12 @@ index d616ca3..fd72341 100644
corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_generic_if(pppd_t)
corenet_raw_sendrecv_generic_if(pppd_t)
-@@ -135,9 +145,21 @@ corenet_raw_sendrecv_generic_node(pppd_t)
+@@ -135,9 +145,22 @@ corenet_raw_sendrecv_generic_node(pppd_t)
corenet_udp_sendrecv_generic_node(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
-
++corenet_tcp_connect_http_port(pppd_t)
+# Access /dev/ppp.
corenet_rw_ppp_dev(pppd_t)
@@ -69567,7 +69573,7 @@ index d616ca3..fd72341 100644
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)
-@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t)
+@@ -147,36 +170,31 @@ files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
@@ -69613,7 +69619,7 @@ index d616ca3..fd72341 100644
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
-@@ -186,11 +203,13 @@ optional_policy(`
+@@ -186,11 +204,13 @@ optional_policy(`
l2tpd_dgram_send(pppd_t)
l2tpd_rw_socket(pppd_t)
l2tpd_stream_connect(pppd_t)
@@ -69628,7 +69634,7 @@ index d616ca3..fd72341 100644
')
')
-@@ -218,16 +237,19 @@ optional_policy(`
+@@ -218,16 +238,19 @@ optional_policy(`
########################################
#
@@ -69651,7 +69657,7 @@ index d616ca3..fd72341 100644
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +259,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -69708,7 +69714,7 @@ index d616ca3..fd72341 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
-@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +303,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
@@ -69723,7 +69729,7 @@ index d616ca3..fd72341 100644
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-@@ -299,6 +319,10 @@ optional_policy(`
+@@ -299,6 +320,10 @@ optional_policy(`
')
optional_policy(`
@@ -95540,7 +95546,7 @@ index a240455..16a04bf 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..1f205fe 100644
+index 2d8db1f..e1c568a 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -95631,7 +95637,7 @@ index 2d8db1f..1f205fe 100644
init_read_utmp(sssd_t)
-@@ -112,18 +109,35 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +109,36 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -95656,6 +95662,7 @@ index 2d8db1f..1f205fe 100644
- kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
+ kerberos_read_home_content(sssd_t)
++ kerberos_rw_config(sssd_t)
+')
+
+optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1f04f86..9fee25c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 76%{?dist}
+Release: 77%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Aug 28 2014 Lukas Vrabec 3.13.1-77
+- Allow aide to read random number generator
+- Allow pppd to connect to http port. (#1128947)
+- sssd needs to be able write krb5.conf.
+- Labeli initial-setup as install_exec_t.
+- Allow domains to are allowed to mounton proc to mount on files as well as dirs
+
* Tue Aug 26 2014 Lukas Vrabec 3.13.1-76
- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
- Add a port definition for shellinaboxd