File systemd-tmpfiles.patch of Package selinux-policy.2274
Index: serefpolicy-3.12.1/policy/modules/kernel/devices.if
===================================================================
--- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.if 2013-11-21 11:53:52.857807940 +0100
+++ serefpolicy-3.12.1/policy/modules/kernel/devices.if 2013-11-21 11:53:52.923808669 +0100
@@ -6506,3 +6506,25 @@ interface(`dev_filetrans_xserver_named_d
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
')
+
+
+########################################
+## <summary>
+## Allow full relabeling (to and from) of all device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_create_all_dev_nodes',`
+ gen_require(`
+ attribute device_node;
+ type device_t;
+ ')
+
+ allow $1 device_node {create};
+')
+
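Review bot: The allow rule in `dev_create_all_dev_nodes` names no object class, `allow $1 device_node {create};`, which checkpolicy will not accept as written; it should read `allow $1 device_node:{ blk_file chr_file } create;` (or whichever classes are actually intended). The XML summary is copied from the relabel interface and is wrong for what this grants, so replace it with `## Allow creation of all device nodes.`, and drop the unused `type device_t;` from the `gen_require` and the `<rolecap/>` tag, which marks an interface as a role capability this one is not. Nothing in this patch calls the new interface, and `systemd_tmpfiles_t` already gets `dev_manage_all_dev_nodes` in systemd.te, which presumably covers `create`; if no caller is planned the interface should be dropped rather than left as a ready-made way to hand out create on every device type.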
Index: serefpolicy-3.12.1/policy/modules/kernel/devices.te
===================================================================
--- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.te 2013-11-21 11:53:52.857807940 +0100
+++ serefpolicy-3.12.1/policy/modules/kernel/devices.te 2013-11-21 11:53:52.923808669 +0100
@@ -334,3 +334,4 @@ files_associate_tmp(device_node)
allow devices_unconfined_type self:capability sys_rawio;
allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
+
Index: serefpolicy-3.12.1/policy/modules/system/systemd.te
===================================================================
--- serefpolicy-3.12.1.orig/policy/modules/system/systemd.te 2013-11-21 11:53:52.874808128 +0100
+++ serefpolicy-3.12.1/policy/modules/system/systemd.te 2013-11-21 11:55:29.271873271 +0100
@@ -274,6 +274,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
+# allow tmpfiles to create files/dirs in /dev
+systemd_tmpfiles_xconsole_create(systemd_tmpfiles_t)
+dev_getattr_autofs_dev(systemd_tmpfiles_t);
+dev_getattr_lvm_control(systemd_tmpfiles_t);
+dev_create_generic_dirs(systemd_tmpfiles_t);
domain_obj_id_change_exemption(systemd_tmpfiles_t)
# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
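Review bot: The three new calls `dev_getattr_autofs_dev(systemd_tmpfiles_t);`, `dev_getattr_lvm_control(systemd_tmpfiles_t);` and `dev_create_generic_dirs(systemd_tmpfiles_t);` end in a semicolon, unlike every neighbouring interface call in this block; the stray `;` survives m4 expansion and may be rejected by checkpolicy, so remove it. The two getattr interfaces are likely already covered by `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` two lines above if the autofs and LVM control types carry the `device_node` attribute, in which case they are redundant; worth confirming against the AVC denials that motivated them before adding more rules. The comment `# allow tmpfiles to create files/dirs in /dev` only describes the last call; the getattr lines deserve their own one-line reason.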
@@ -606,7 +611,7 @@ optional_policy(`
#
# systemd_sysctl domains local policy
#
-allow systemd_sysctl_t self:capability net_admin;
+allow systemd_sysctl_t self:capability { net_admin sys_admin };
allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
kernel_dgram_send(systemd_sysctl_t)
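Review bot: Granting `sys_admin` to `systemd_sysctl_t` is a large widening of a domain that until now only needed `net_admin`, and the hunk records no reason for it. CAP_SYS_ADMIN is the catch-all capability that unlocks mount, namespace, ioctl and many other kernel paths, so a reviewer cannot tell whether the intent is a single sysctl write that the kernel gates on it or a blanket fix for an audit message. Please add a comment naming the sysctl or denial that requires it, e.g. `# sys_admin: needed for writing <sysctl key> (see bug/avc reference)`, and if the trigger turns out to be a harmless probe, consider `dontaudit` instead of `allow`.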
Index: serefpolicy-3.12.1/policy/modules/system/systemd.if
===================================================================
--- serefpolicy-3.12.1.orig/policy/modules/system/systemd.if 2013-11-21 11:53:52.874808128 +0100
+++ serefpolicy-3.12.1/policy/modules/system/systemd.if 2013-11-21 11:53:52.923808669 +0100
@@ -1398,3 +1398,22 @@ interface(`systemd_dontaudit_dbus_chat',
dontaudit $1 systemd_domain:dbus send_msg;
')
+
+########################################
+## <summary>
+## Allow systemd-tmpfiles to create xconsole_device_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfiles_xconsole_create',`
+ gen_require(`
+ type device_t, xconsole_device_t;
+ ')
+
+ create_fifo_files_pattern($1, device_t, xconsole_device_t);
+')
+
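Review bot: The parameter summary in `systemd_tmpfiles_xconsole_create` says `Domain to not audit.`, copied from the dontaudit interface above it, but this interface grants access; change it to `Domain allowed access.`. The body line `create_fifo_files_pattern($1, device_t, xconsole_device_t);` carries a trailing semicolon that the rest of the file does not use and that ends up in the expanded policy. Refpolicy convention is that an interface over a type lives in the module owning that type, so this probably belongs in devices.if (as a `dev_create_xconsole_dev`-style interface) rather than systemd.if, which has to `gen_require` a foreign type. Note also that the pattern only allows creating a fifo already labelled `xconsole_device_t`; unless a file transition to that type exists elsewhere, the fifo will be created as `device_t` and rely on the relabel rights granted in systemd.te to end up correctly labelled.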