selinux-policy update to 7.5

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>

SOURCES/permissivedomains.cil

@@ -1,25 +1 @@
 (roleattributeset cil_gen_require system_r)
-(optional permissivedomains_optional_2
-    (typeattributeset cil_gen_require blkmapd_t)
-    (typepermissive blkmapd_t)
-)
-(optional permissivedomains_optional_3
-    (typeattributeset cil_gen_require hsqldb_t)
-    (typepermissive hsqldb_t)
-)
-(optional permissivedomains_optional_4
-    (typeattributeset cil_gen_require ipmievd_t)
-    (typepermissive ipmievd_t)
-)
-(optional permissivedomains_optional_5
-    (typeattributeset cil_gen_require targetd_t)
-    (typepermissive targetd_t)
-)
-(optional permissivedomains_optional_6
-    (typeattributeset cil_gen_require systemd_hwdb_t)
-    (typepermissive systemd_hwdb_t)
-)
-(optional permissivedomains_optional_7
-    (typeattributeset cil_gen_require sanlk_resetd_t)
-    (typepermissive sanlk_resetd_t)
-)

SOURCES/policy-rhel-7.2.z-base.patch

@@ -0,0 +1,29 @@
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index 2afd2f6..2fc80d1 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -2633,6 +2633,24 @@ interface(`fs_rw_hugetlbfs_files',`
+ 
+ ########################################
+ ## <summary>
++##	Manage  hugetlbfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_manage_hugetlbfs_files',`
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
++	manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++## <summary>
+ ##	Execute hugetlbfs files.
+ ## </summary>
+ ## <param name="domain">

SOURCES/policy-rhel-7.2.z-contrib.patch

@@ -0,0 +1,222 @@
+diff --git a/ctdb.if b/ctdb.if
+index 6b7d687..06895f3 100644
+--- a/ctdb.if
++++ b/ctdb.if
+@@ -55,6 +55,23 @@ interface(`ctdbd_signal',`
+         allow $1 ctdbd_t:process signal;
+ ')
+ 
++#######################################
++## <summary>
++##  Allow domain to sigchld ctdbd.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`ctdbd_sigchld',`
++    gen_require(`
++        type ctdbd_t;
++    ')
++        allow $1 ctdbd_t:process sigchld;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read ctdbd's log files.
+diff --git a/glusterd.fc b/glusterd.fc
+index 8c8c6c9..52b4110 100644
+--- a/glusterd.fc
++++ b/glusterd.fc
+@@ -6,13 +6,17 @@
+ /usr/sbin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+ /usr/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+ 
++/usr/bin/ganesha.nfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
++
+ /opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+ 
+ /var/lib/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+ 
+ /var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
++/var/log/ganesha.log	--	gen_context(system_u:object_r:glusterd_log_t,s0)
+ 
+ /var/run/gluster(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+ /var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+ /var/run/glusterd.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+ /var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/ganesha.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+diff --git a/glusterd.te b/glusterd.te
+index b974353..0c149cd 100644
+--- a/glusterd.te
++++ b/glusterd.te
+@@ -62,7 +62,7 @@ files_type(glusterd_brick_t)
+ allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
+ 
+ allow glusterd_t self:capability2 block_suspend;
+-allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched };
++allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
+ allow glusterd_t self:sem create_sem_perms;
+ allow glusterd_t self:fifo_file rw_fifo_file_perms;
+ allow glusterd_t self:tcp_socket { accept listen };
+@@ -81,10 +81,8 @@ files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+ allow glusterd_t glusterd_tmp_t:dir mounton;
+ 
+ manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
++manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
+ 
+ manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+ manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+@@ -240,12 +238,21 @@ optional_policy(`
+     optional_policy(`
+         policykit_dbus_chat(glusterd_t)
+     ')
++
++    optional_policy(`
++        unconfined_dbus_chat(glusterd_t)
++    ')
+ ')
+ 
+ optional_policy(`
+     hostname_exec(glusterd_t)
+ ')
+ 
++
++optional_policy(`
++    kerberos_read_keytab(glusterd_t)
++')
++
+ optional_policy(`
+     lvm_domtrans(glusterd_t)
+ ')
+@@ -281,6 +288,7 @@ optional_policy(`
+     rpc_domtrans_nfsd(glusterd_t)
+     rpc_domtrans_rpcd(glusterd_t)
+     rpc_manage_nfs_state_data(glusterd_t)
++	rpcbind_stream_connect(glusterd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/openvswitch.te b/openvswitch.te
+index 1b606d8..2d00be4 100644
+--- a/openvswitch.te
++++ b/openvswitch.te
+@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t)
+ # openvswitch local policy
+ #
+ 
+-allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };
++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource };
+ allow openvswitch_t self:capability2 block_suspend;
+ allow openvswitch_t self:process { fork setsched setrlimit signal };
+ allow openvswitch_t self:fifo_file rw_fifo_file_perms;
+@@ -92,6 +92,8 @@ files_read_kernel_modules(openvswitch_t)
+ 
+ fs_getattr_all_fs(openvswitch_t)
+ fs_search_cgroup_dirs(openvswitch_t)
++fs_manage_hugetlbfs_files(openvswitch_t)
++fs_manage_hugetlbfs_dirs(openvswitch_t)
+ 
+ auth_use_nsswitch(openvswitch_t)
+ 
+diff --git a/rhcs.te b/rhcs.te
+index 2c7b543..e55c17b 100644
+--- a/rhcs.te
++++ b/rhcs.te
+@@ -319,6 +319,7 @@ optional_policy(`
+     rpc_domtrans_nfsd(cluster_t)
+     rpc_domtrans_rpcd(cluster_t)
+     rpc_manage_nfs_state_data(cluster_t)
++	rpc_filetrans_var_lib_nfs_content(cluster_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/rpc.if b/rpc.if
+index 50f25de..4f3c2b9 100644
+--- a/rpc.if
++++ b/rpc.if
+@@ -424,6 +424,24 @@ interface(`rpc_rw_gssd_keys',`
+ 	allow $1 gssd_t:key { read search setattr view write };
+ ')
+ 
++########################################
++## <summary>
++##	Transition to alsa named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpc_filetrans_var_lib_nfs_content',`
++	gen_require(`
++		type var_lib_nfs_t;
++	')
++
++	files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs")
++')
++
+ #######################################
+ ## <summary>
+ ##  All of the rules required to
+diff --git a/rpc.te b/rpc.te
+index 876a4e7..7f491b0 100644
+--- a/rpc.te
++++ b/rpc.te
+@@ -21,6 +21,13 @@ gen_tunable(gssd_read_tmp, true)
+ ## </desc>
+ gen_tunable(nfsd_anon_write, false)
+ 
++## <desc>
++## <p>
++## Allow rpcd_t  to manage fuse files
++## </p>
++## </desc>
++gen_tunable(rpcd_use_fusefs, false)
++
+ attribute rpc_domain;
+ 
+ type exports_t;
+@@ -135,6 +142,8 @@ manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
+ manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
+ files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
+ 
++read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t)
++
+ # rpc.statd executes sm-notify
+ can_exec(rpcd_t, rpcd_exec_t)
+ 
+@@ -171,6 +180,13 @@ miscfiles_read_generic_certs(rpcd_t)
+ userdom_signal_unpriv_users(rpcd_t)
+ userdom_read_user_home_content_files(rpcd_t)
+ 
++tunable_policy(`rpcd_use_fusefs',`
++	fs_manage_fusefs_dirs(rpcd_t)
++	fs_manage_fusefs_files(rpcd_t)
++	fs_read_fusefs_symlinks(rpcd_t)
++	fs_getattr_fusefs(rpcd_t)
++')
++
+ ifdef(`distro_debian',`
+ 	term_dontaudit_use_unallocated_ttys(rpcd_t)
+ ')
+diff --git a/samba.te b/samba.te
+index bf7a710..aac4015 100644
+--- a/samba.te
++++ b/samba.te
+@@ -726,6 +726,7 @@ userdom_use_inherited_user_terminals(smbcontrol_t)
+ 
+ optional_policy(`
+ 	ctdbd_stream_connect(smbcontrol_t)
++	ctdbd_sigchld(smbcontrol_t)
+ ')
+ 
+ ########################################

SOURCES/policy-rhel-7.3.z-base.patch

@@ -0,0 +1,13 @@
+diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
+index 9d2c142..1c0ed36 100644
+--- a/policy/modules/kernel/corenetwork.te.in
++++ b/policy/modules/kernel/corenetwork.te.in
+@@ -172,7 +172,7 @@ network_port(giftd, tcp,1213,s0)
+ network_port(git, tcp,9418,s0, udp,9418,s0)
+ network_port(glance, tcp,9292,s0, udp,9292,s0)
+ network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
+-network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
++network_port(gluster, tcp,24007-24027,s0, udp,24007-24027,s0, tcp, 38465-38469,s0)
+ network_port(gopher, tcp,70,s0, udp,70,s0)
+ network_port(gpsd, tcp,2947,s0)
+ network_port(hadoop_datanode, tcp,50010,s0)

SOURCES/policy-rhel-7.3.z-contrib.patch

@@ -0,0 +1,198 @@
+diff --git a/ctdb.te b/ctdb.te
+index 47199aa..ac0508e 100644
+--- a/ctdb.te
++++ b/ctdb.te
+@@ -97,9 +97,12 @@ corenet_udp_bind_ctdb_port(ctdbd_t)
+ corenet_tcp_bind_smbd_port(ctdbd_t)
+ corenet_tcp_connect_ctdb_port(ctdbd_t)
+ corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
++corenet_tcp_connect_gluster_port(ctdbd_t)
++corenet_tcp_connect_nfs_port(ctdbd_t)
+ 
+ corecmd_exec_bin(ctdbd_t)
+ corecmd_exec_shell(ctdbd_t)
++corecmd_getattr_all_executables(ctdbd_t)
+ 
+ dev_read_sysfs(ctdbd_t)
+ dev_read_urand(ctdbd_t)
+@@ -131,6 +134,12 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    rpc_domtrans_rpcd(ctdbd_t)
++    rpc_manage_nfs_state_data_dir(ctdbd_t)
++    rpc_read_nfs_state_data(ctdbd_t)
++')
++
++optional_policy(`
+     samba_signull_smbd(ctdbd_t)
+ 	samba_initrc_domtrans(ctdbd_t)
+ 	samba_domtrans_net(ctdbd_t)
+diff --git a/glusterd.fc b/glusterd.fc
+index 52b4110..a3633cd 100644
+--- a/glusterd.fc
++++ b/glusterd.fc
+@@ -6,6 +6,13 @@
+ /usr/sbin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+ /usr/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+ 
++/usr/sbin/glustereventsd   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
++/usr/sbin/gluster-eventsapi   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++
++/usr/libexec/glusterfs/peer_eventsapi.py    -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
++/usr/libexec/glusterfs/events/glustereventsd.py   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
++
+ /usr/bin/ganesha.nfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+ 
+ /opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+diff --git a/glusterd.te b/glusterd.te
+index 48811e2..a8877f7 100644
+--- a/glusterd.te
++++ b/glusterd.te
+@@ -59,7 +59,7 @@ files_type(glusterd_brick_t)
+ # Local policy
+ #
+ 
+-allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
+ 
+ allow glusterd_t self:capability2 block_suspend;
+ allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
+@@ -132,6 +132,7 @@ corenet_raw_bind_generic_node(glusterd_t)
+ 
+ corenet_tcp_connect_gluster_port(glusterd_t)
+ corenet_tcp_bind_gluster_port(glusterd_t)
++corenet_udp_bind_gluster_port(glusterd_t)
+ 
+ # replacement for rpc.mountd
+ corenet_sendrecv_all_server_packets(glusterd_t)
+@@ -155,6 +156,7 @@ corenet_tcp_connect_all_ports(glusterd_t)
+ dev_read_sysfs(glusterd_t)
+ dev_read_urand(glusterd_t)
+ dev_read_rand(glusterd_t)
++dev_rw_infiniband_dev(glusterd_t)
+ 
+ domain_read_all_domains_state(glusterd_t)
+ domain_getattr_all_sockets(glusterd_t)
+@@ -164,6 +166,7 @@ domain_use_interactive_fds(glusterd_t)
+ fs_mount_all_fs(glusterd_t)
+ fs_unmount_all_fs(glusterd_t)
+ fs_getattr_all_fs(glusterd_t)
++fs_getattr_all_dirs(glusterd_t)
+ 
+ files_mounton_non_security(glusterd_t)
+ 
+@@ -185,6 +188,7 @@ init_read_script_state(glusterd_t)
+ init_rw_script_tmp_files(glusterd_t)
+ init_manage_script_status_files(glusterd_t)
+ init_status(glusterd_t)
++init_stop_transient_unit(glusterd_t)
+ 
+ systemd_config_systemd_services(glusterd_t)
+ systemd_signal_passwd_agent(glusterd_t)
+@@ -203,6 +207,7 @@ userdom_read_user_tmp_files(glusterd_t)
+ userdom_delete_user_tmp_files(glusterd_t)
+ userdom_rw_user_tmp_files(glusterd_t)
+ userdom_kill_all_users(glusterd_t)
++userdom_signal_unpriv_users(glusterd_t)
+ 
+ mount_domtrans(glusterd_t)
+ 
+diff --git a/openvswitch.te b/openvswitch.te
+index ed109d3..42cb208 100644
+--- a/openvswitch.te
++++ b/openvswitch.te
+@@ -100,6 +100,8 @@ auth_use_nsswitch(openvswitch_t)
+ 
+ logging_send_syslog_msg(openvswitch_t)
+ 
++init_read_script_state(openvswitch_t)
++
+ modutils_exec_insmod(openvswitch_t)
+ modutils_list_module_config(openvswitch_t)
+ modutils_read_module_config(openvswitch_t)
+@@ -108,6 +110,10 @@ modutils_read_module_deps(openvswitch_t)
+ sysnet_dns_name_resolve(openvswitch_t)
+ 
+ optional_policy(`
++    hostname_exec(openvswitch_t)
++')
++
++optional_policy(`
+ 	iptables_domtrans(openvswitch_t)
+ ')
+ 
+diff --git a/puppet.te b/puppet.te
+index b80cb1e..46a4b5d 100644
+--- a/puppet.te
++++ b/puppet.te
+@@ -354,6 +354,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    systemd_dbus_chat_timedated(puppetagent_t)
+ 	systemd_dbus_chat_timedated(puppetmaster_t)
+ ')
+ 
+diff --git a/rhcs.te b/rhcs.te
+index ce1ca24..4c9f2b6 100644
+--- a/rhcs.te
++++ b/rhcs.te
+@@ -275,6 +275,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    fprintd_dbus_chat(cluster_t)
++')
++
++optional_policy(`
+     ldap_systemctl(cluster_t)
+ ')
+ 
+diff --git a/sssd.te b/sssd.te
+index 87e70a6..6130385 100644
+--- a/sssd.te
++++ b/sssd.te
+@@ -43,7 +43,7 @@ role system_r types sssd_selinux_manager_t;
+ 
+ allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
+ allow sssd_t self:capability2 block_suspend;
+-allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
++allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid};
+ allow sssd_t self:fifo_file rw_fifo_file_perms;
+ allow sssd_t self:key manage_key_perms;
+ allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+diff --git a/virt.if b/virt.if
+index 2397aeb..17156a6 100644
+--- a/virt.if
++++ b/virt.if
+@@ -1408,6 +1408,8 @@ interface(`virt_transition_svirt_sandbox',`
+ 	role $2 types svirt_sandbox_domain;
+ 	allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
+ 
++	allow svirt_sandbox_domain $1:fd use;
++
+ 	allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
+ 	allow svirt_sandbox_domain $1:process sigchld;
+ 	ps_process_pattern($1, svirt_sandbox_domain)
+diff --git a/virt.te b/virt.te
+index 69333cf..6dd64f3 100644
+--- a/virt.te
++++ b/virt.te
+@@ -1316,6 +1316,7 @@ kernel_list_all_proc(svirt_sandbox_domain)
+ kernel_read_all_proc(svirt_sandbox_domain)
+ kernel_read_all_sysctls(svirt_sandbox_domain)
+ kernel_read_net_sysctls(svirt_sandbox_domain)
++kernel_rw_unix_sysctls(svirt_sandbox_domain)
+ kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+ kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+ kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
+@@ -1470,6 +1471,7 @@ allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+ 
+ kernel_read_irq_sysctls(svirt_lxc_net_t)
+ kernel_read_messages(svirt_lxc_net_t)
++kernel_rw_usermodehelper_state(svirt_lxc_net_t)
+ 
+ dev_read_sysfs(svirt_lxc_net_t)
+ dev_read_mtrr(svirt_lxc_net_t)

SOURCES/policy-rhel-7.5.z-contrib.patch

@@ -0,0 +1,35 @@
+diff --git a/snapper.te b/snapper.te
+index faf4fc9fca..fda6e0b289 100644
+--- a/snapper.te
++++ b/snapper.te
+@@ -22,6 +22,8 @@ files_type(snapperd_data_t)
+ #
+ # snapperd local policy
+ #
++allow snapperd_t self:capability { dac_read_search fowner sys_admin };
++allow snapperd_t self:process setsched;
+ 
+ allow snapperd_t self:fifo_file rw_fifo_file_perms;
+ allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -36,8 +38,12 @@ manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
+ manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+ manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+ manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++allow snapperd_t snapperd_data_t:file relabelfrom;
++allow snapperd_t snapperd_data_t:dir { relabelfrom relabelto mounton };
+ snapper_filetrans_named_content(snapperd_t)
+ 
++kernel_setsched(snapperd_t)
++
+ domain_read_all_domains_state(snapperd_t)
+ 
+ corecmd_exec_shell(snapperd_t)
+@@ -51,6 +57,8 @@ files_read_all_files(snapperd_t)
+ files_list_all(snapperd_t)
+ 
+ fs_getattr_all_fs(snapperd_t)
++fs_mount_xattr_fs(snapperd_t)
++fs_unmount_xattr_fs(snapperd_t)
+ 
+ storage_raw_read_fixed_disk(snapperd_t)
+ 

SOURCES/rpm.macros

@@ -1,4 +1,7 @@
-# Copyright (C) 2016  Petr Lautrbach
+# Copyright (C) 2017 Red Hat, Inc. All rights reserved.
+#
+#   Author: Petr Lautrbach <plautrba@redhat.com>
+#   Author: Lukáš Vrabec <lvrabec@redhat.com>
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -23,28 +26,28 @@
 %_file_custom_defined_booleans %{_sysconfdir}/selinux/${_policytype}/rpmbooleans.custom
 %_file_custom_defined_booleans_tmp %{_sysconfdir}/selinux/${_policytype}/rpmbooleans.custom.tmp
 
-# %selinux_modules_install [-s <policytype>] module [module]...
-%selinux_modules_install("s:") \
+# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
+%selinux_modules_install("s:p:") \
 . /etc/selinux/config \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
-%{_sbindir}/semodule -n -s ${_policytype} -X 200 -i %* \
+%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
 if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
   %{_sbindir}/load_policy \
 fi \
 %{nil}
 
-# %selinux_modules_uninstall [-s <policytype>] module [module]...
-%selinux_modules_uninstall("s:") \
+# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
+%selinux_modules_uninstall("s:p:") \
 . /etc/selinux/config \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ $1 -eq 0 ]; then \
-  %{_sbindir}/semodule -n -X 200 -r %* &> /dev/null || : \
+  %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -r %* &> /dev/null || : \
   if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
     %{_sbindir}/load_policy \
   fi \
@@ -71,7 +74,7 @@ _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
-if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
    if [ -f %{_file_context_file_pre} ]; then \
      %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore \
      rm -f %{_file_context_file_pre} \
@@ -88,7 +91,7 @@ if [ -z "${_policytype}" ]; then \
 fi \
 LOCAL_MODIFICATIONS=$(semanage boolean -E) \
 if [ ! -f %_file_custom_defined_booleans ]; then \
-    echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
+    /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
 fi \
 semanage_import='' \
 for boolean in %*; do \
@@ -109,10 +112,10 @@ for boolean in %*; do \
         /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
     fi \
 done; \
-if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
     /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
 else \
-    echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
+    /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
 fi \
 %{nil}
 
@@ -134,9 +137,9 @@ for boolean in %*; do \
         fi \
     fi \
 done; \
-if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
     /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
 else \
-    echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
+    /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
 fi \
 %{nil}

SPECS/selinux-policy.spec

@@ -1,4 +1,4 @@
-%define distro powerel
+%define distro redhat
 %define polyinstatiate n
 %define monolithic n
 %if %{?BUILD_DOC:0}%{!?BUILD_DOC:1}
@@ -13,24 +13,22 @@
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
-%define POLICYVER 30
-%define POLICYCOREUTILSVER 2.5
+%define POLICYVER 31
+%define POLICYCOREUTILSVER 2.5-18
 %define CHECKPOLICYVER 2.5
 %define LIBSEMANAGEVER 2.5
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 167%{?dist}
+Release: 192%{?dist}.3
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
-patch: policy-rhel-7.1-base.patch
-patch1: policy-rhel-7.1-contrib.patch
-patch2: policy-rhel-7.4-base.patch
-patch3: policy-rhel-7.4-contrib.patch
-patch4: policy-rhel-7.4.z-base.patch
-patch5: policy-rhel-7.4.z-contrib.patch
-Source1: modules-targeted-base.conf 
+patch0: policy-rhel-7.5-base.patch
+patch1: policy-rhel-7.5-contrib.patch
+patch2: policy-rhel-7.5.z-base.patch
+patch3: policy-rhel-7.5.z-contrib.patch
+Source1: modules-targeted-base.conf
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -87,6 +85,7 @@ Requires: libsemanage >= %{LIBSEMANAGEVER}
 Summary: SELinux policy sandbox
 Group: System Environment/Base
 Requires(pre): selinux-policy-base = %{version}-%{release}
+Requires(pre): selinux-policy-targeted = %{version}-%{release}
 
 %description sandbox
 SELinux sandbox policy used for the policycoreutils-sandbox package
@@ -135,6 +134,7 @@ SELinux policy development and man page package
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
+%ghost %{_sharedstatedir}/sepolgen/interface_info
 
 %post devel
 selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null 
@@ -258,6 +258,7 @@ rm -f %{buildroot}%{_sysconfdir}/selinux/%1/active/*.linked \
 %ghost %{_sysconfdir}/selinux/%1/active/policy.linked \
 %ghost %{_sysconfdir}/selinux/%1/active/seusers.linked \
 %ghost %{_sysconfdir}/selinux/%1/active/users_extra.linked \
+%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/active/file_contexts.homedirs \
 %nil
 
 
@@ -340,12 +341,12 @@ Based off of reference policy: Checked out revision  2.20091117
 
 %prep 
 %setup -n serefpolicy-contrib-%{version} -q -b 29
+%patch1 -p1
 %patch3 -p1
-%patch5 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
+%patch0 -p1
 %patch2 -p1
-%patch4 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
@@ -655,43 +656,459 @@ fi
 %endif
 
 %changelog
-* Wed Feb 21 2018 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.9
-- Update openvswitch policy from Fedora
-Resolves: rhbz#1538936
-
-* Fri Jan 26 2018 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.8
+* Wed Mar 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192.3
+- Allow snapperd_t domain to unmount fs_t filesystems
+Resolves: rhbz#1561424
+
+* Mon Mar 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192.2
+- Allow snapperd_t to set priority for kernel processes
+Resolves: rhbz#1558656
+
+* Wed Mar 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192.1
+- Backport several changes for snapperdfrom Fedora Rawhide
+Resolves: rhbz#1558656
+
+* Tue Feb 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192
+- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper  as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled.
+Resolves: rhbz#1546721
+
+* Mon Feb 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-191
+- Allow openvswitch_t stream connect svirt_t
+Resolves: rhbz#1540702
+
+* Fri Feb 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-190
+- Allow openvswitch domain to manage svirt_tmp_t sock files
+Resolves: rhbz#1540702
+- Fix broken systemd_tmpfiles_run() interface
+
+* Wed Feb 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-189
+- Allow dirsrv_t domain to create tmp link files
+Resolves: rhbz#1536011
+- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t
+Resolves: rhbz#1428568
+- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries
+- Allow ipsec_mgmt_t nnp domain transition to ifconfig_t
+Resolves: rhbz#1539416
+
+* Wed Feb 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-188
+- Allow svirt_domain to create socket files in /tmp with label svirt_tmp_t
+Resolves: rhbz#1540702
+- Allow keepalived_t domain getattr proc filesystem
+Resolves: rhbz#1477542
+- Rename svirt_sandbox_file_t to container_file_t and svirt_lxc_net_t to container_t
+Resolves: rhbz#1538544
+- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t
+Resolves: rhbz:#1539416
+- Allow systemd_logind_t domain to bind on dhcpd_port_t,pki_ca_port_t,flash_port_t
+Resolves: rhbz#1479350
+
+* Tue Feb 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-187
+- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets
+Resolves: rhbz#1535196
+- Add new interface ppp_filetrans_named_content()
+Resolves: rhbz#1530601
+- Allow keepalived_t read sysctl_net_t files
+Resolves: rhbz#1477542
+- Allow puppetmaster_t domtran to puppetagent_t
+Resolves: rhbz#1376893
+- Allow kdump_t domain to read kernel ring buffer
+Resolves: rhbz#1540004
+- Allow ipsec_t domain to exec ifconfig_exec_t binaries.
+Resolves: rhbz#1539416
+- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock
+Resolves: rhbz#1530601
+- Allow updpwd_t domain to create files in /etc with shadow_t label
+Resolves: rhbz#1412838
+- Allow iptables sysctl load list support with SELinux enforced
+Resolves: rhbz#1535572
+
+* Wed Jan 17 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-186
+- Allow virt_domains to acces infiniband pkeys.
+Resolves: rhbz#1533183
+- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t
+Resolves: rhbz#1535133
+- Allow audisp_remote_t domain write to files on all levels
+Resolves: rhbz#1534924
+
+* Thu Jan 11 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-185
+- Allow vmtools_t domain creating vmware_log_t files
+Resolves: rhbz#1507048
+- Allow openvswitch_t domain to acces infiniband devices
+Resolves: rhbz#1532705
+
+* Wed Jan 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-184
+- Allow chronyc_t domain to manage chronyd_keys_t files.
+Resolves: rhbz#1530525
+- Make virtlog_t domain system dbus client
+Resolves: rhbz#1481109
 - Update openvswitch SELinux module
-Resolves: rhbz#1538936
-
-* Thu Nov 16 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.7
+Resolves: rhbz#1482682
+- Allow virtd_t to create also sock_files with label virt_var_run_t
+Resolves: rhbz#1484075
+
+* Mon Dec 11 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-183
+- Allow domains that manage logfiles to man logdirs
+Resolves: rhbz#1523811
+
+* Thu Dec 07 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-182
+- Label /dev/drm_dp_aux* as xserver_misc_device_t
+Resolves: rhbz#1520897
+- Allow sysadm_t to run puppet_exec_t binaries as puppet_t
+Resolves: rhbz#1255745
+
+* Mon Dec 04 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-181
+- Allow tomcat_t to manage pki_tomcat pid files
+Resolves: rhbz#1478371
+- networkmanager: allow talking to openvswitch
+Resolves: rhbz#1517247
+- Allow networkmanager_t and opensm_t to manage subned endports for IPoIB VLANs
+Resolves: rhbz#1517895
+- Allow domains networkmanager_t and opensm_t to control IPoIB VLANs
+Resolves: rhbz#1517744
+- Fix typo in guest interface file
+Resolves: rhbz#1468254
+- Allow isnsd_t domain to accept tcp connections.
+Resolves: rhbz#1390208
+
+* Mon Nov 20 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-180
+- Allow getty to use usbttys
+Resolves: rhbz#1514235
+
+* Mon Nov 13 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-179
+- Allow ldap_t domain to manage also slapd_tmp_t lnk files
+Resolves: rhbz#1510883
 - Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t
-Resolves: rhbz:#1513075
-
-* Wed Oct 11 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.6
-- Allow tomcat domain to connect to mssql port
-Resolves: rhbz#1500697
+Resolves: rhbz:#1508360
+- Add dac_read_search and dac_override capabilities to ganesha
+Resolves: rhbz#1483451
+
+* Wed Nov 08 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-178
+- Add dependency for policycoreutils-2.5.18 becuase of new cgroup_seclabel policy capability
+Resolves: rhbz#1510145
+
+* Mon Nov 06 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-177
+- Allow jabber domains to connect to postgresql ports
+Resolves: rhbz#1438489
+- Dontaudit accountsd domain creating dirs in /root
+Resolves: rhbz#1456760 
+- Dontaudit slapd_t to block suspend system
+Resolves: rhbz: #1479759 
+- Allow spamc_t to stream connect to cyrus.
+Resolves: rhbz#1382955 
+- allow imapd to read /proc/net/unix file
+Resolves: rhbz#1393030 
+- Allow passenger to connect to mysqld_port_t
+Resolves: rhbz#1433464 
+
+* Mon Nov 06 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-176
+- Allow chronyc_t domain to use user_ptys
+Resolves: rhbz#1470150
+- allow ptp4l to read /proc/net/unix file
+- Allow conmand to use usb ttys.
+Resolves: rhbz#1505121
+- Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst
+Resolves: rhbz#1505845
+- Allow chronyd daemon to execute chronyc.
+Resolves: rhbz#1508486
+- Allow firewalld exec ldconfig.
+Resolves: rhbz#1375576
+- Allow mozilla_plugin_t domain to dbus chat with devicekit
+Resolves: rhbz#1460477
+- Dontaudit leaked logwatch pipes
+Resolves: rhbz#1450119
+- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
+Resolves: rhbz#1507048
+- Allow httpd_t domain to execute hugetlbfs_t files
+Resolves: rhbz#1507682
+- Allow nfsd_t domain to read configfs_t files/dirs
+Resolves: rhbz#1439442
+- Hide all allow rules with ptrace inside deny_ptrace boolean
+Resolves: rhbz#1421075
+- Allow tgtd_t domain to read generic certs
+Resolves: rhbz#1438532
+- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
+Resolves: rhbz#1429853
+- Allow dirsrv_snmp_t to use inherited user ptys and read system state
+Resolves: rhbz#1428568
+- Allow glusterd_t domain to create own tmpfs dirs/files
+Resolves: rhbz#1411310
+- Allow keepalived stream connect to snmp
+Resolves: rhbz#1401556
+- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
+Resolves: rhbz#1507089
+
+* Fri Oct 27 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-175
+- Allow pegasus_openlmi_services_t to read generic certs
+Resolves: rhbz#1462292
+- Allow ganesha_t domain to read random device
+Resolves: rhbz#1494382
+- Allow zabbix_t domain to change its resource limits
+Resolves: rhbz:#1504074
+- Add new boolean nagios_use_nfs
+Resolves: rhbz#1504826
+- Allow system_mail_t to search network sysctls
+Resolves: rhbz#1505779
+- Add samba_manage_var_dirs() interface
+- Fix typo bug in virt filecontext file
+- Allow nagios_script_t to read nagios_spool_t files
+Resolves: rhbz#1426824
+- Allow samba to manage var dirs/files
+Resolves: rhbz#1415088
+- Allow sbd_t to create own sbd_tmpfs_t dirs/files
+Resolves: rhbz#1380795
+- Allow firewalld and networkmanager to chat with hypervkvp via dbus
+Resolves: rhbz#1377276
+- Allow dmidecode to read rhsmcert_log_t files
+Resolves: rhbz#1300799
+- Allow mail system to connect mariadb sockets.
+Resolves: rhbz#1368642
+- Allow logrotate_t to change passwd and reloead services
+Resolves: rhbz#1450789
+- Allow mail system to connect mariadb sockets.
+Resolves: rhbz#1368642
+- Allow logrotate_t to change passwd and reloead services
+Resolves: rhbz#1450789
+- Allow pegasus_openlmi_services_t to read generic certs
+Resolves: rhbz#1462292
+- Allow ganesha_t domain to read random device
+Resolves: rhbz#1494382
+- Allow zabbix_t domain to change its resource limits
+Resolves: rhbz:#1504074
+- Add new boolean nagios_use_nfs
+Resolves: rhbz#1504826
+- Allow system_mail_t to search network sysctls
+Resolves: rhbz#1505779
+- Add samba_manage_var_dirs() interface
+- Fix typo bug in virt filecontext file
+- Allow nagios_script_t to read nagios_spool_t files
+Resolves: rhbz#1426824
+- Allow samba to manage var dirs/files
+Resolves: rhbz#1415088
+- Allow sbd_t to create own sbd_tmpfs_t dirs/files
+Resolves: rhbz#1380795
+- Allow firewalld and networkmanager to chat with hypervkvp via dbus
+Resolves: rhbz#1377276
+- Allow dmidecode to read rhsmcert_log_t files
+Resolves: rhbz#1300799
+- Allow mail system to connect mariadb sockets.
+Resolves: rhbz#1368642
+- Allow logrotate_t to change passwd and reloead services
+Resolves: rhbz#1450789
+- Allow chronyd_t do request kernel module and block_suspend capability
+Resolves: rhbz#1350765
+- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label
+Resolves: rhbz#1447278
+- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables
+Resolves: rhbz#1491994
+- Allow svnserve to use kerberos
+Resolves: rhbz#1475271
+- Allow conman to use ptmx. Add conman_use_nfs boolean
+Resolves: rhbz#1377915
+- Add nnp transition for services using: NoNewPrivileges systemd security feature
+Resolves: rhbz#1311430
+- Add SELinux support for chronyc
+Resolves: rhbz#1470150
+- Add dac_read_search capability to openvswitch_t domain
+Resolves: rhbz#1501336
+- Allow svnserve to manage own svnserve_log_t files/dirs
+Resolves: rhbz#1480741
+- Allow keepalived_t to search network sysctls
+Resolves: rhbz#1477542
+- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain
+Resolves: rhbz#1446777
+- Add dccp_socket into socker_class_set subset
+Resolves: rhbz#1459941
+- Allow iptables_t to run setfiles to restore context on system
+Resolves: rhbz#1489118
+- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t
+Resolves: rhbz:#1411400
+- Make nnp transition Active
+Resolves: rhbz#1480518
+- Label tcp 51954 as isns_port_t
+Resolves: rhbz#1390208
+- Add dac_read_search capability chkpwd_t
+Resolves: rhbz#1376991
+- Add support for running certbot(letsencrypt) in crontab
+Resolves: rhbz#1447278
+- Add init_nnp_daemon_domain interface
+- Allow xdm_t to gettattr /dev/loop-control device
+Resolves: rhbz#1462925
+- Allow nnp trasintion for unconfined_service_t
+Resolves: rhbz#1311430
+- Allow unpriv user domains and unconfined_service_t to use chronyc
+Resolves: rhbz#1470150
+- Allow iptables to exec plymouth.
+Resolves: rhbz#1480374
+- Fix typo in fs_unmount_tracefs interface.
+Resolves: rhbz#1371057
+- Label postgresql-check-db-dir as postgresql_exec_t
+Resolves: rhbz#1490956
+
+* Tue Sep 26 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-174
+- We should not ship selinux-policy with permissivedomains enabled.
+Resolves: rhbz#1494172
+- Fix order of installing selinux-policy-sandbox, because of depedencied in sandbox module, selinux-policy-targeted needs to be installed before selinux-policy-sandbox
+Resolves: rhbz#1492606
+
+* Tue Sep 19 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-173
+- Allow tomcat to setsched 
+Resolves: rhbz#1492730
+- Fix rules blocking ipa-server upgrade process
+Resolves: rhbz#1478371
+- Add new boolean tomcat_read_rpm_db()
+Resolves: rhbz#1477887
+- Allow tomcat to connect on mysqld tcp ports
+- Add ctdbd_t domain sys_source capability and allow setrlimit
+Resolves: rhbz#1491235
+- Fix keepalived SELinux module
+- Allow automount domain to manage mount pid files
+Resolves: rhbz#1482381
+- Allow stunnel_t domain setsched
+Resolves: rhbz#1479383
 - Add keepalived domain setpgid capability
-Resolves: rhbz#1500813
-
-* Wed Aug 30 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.5
+Resolves: rhbz#1486638
+- Allow tomcat domain to connect to mssql port
+Resolves: rhbz#1484572
+- Remove snapperd_t from unconfined domaines
+Resolves: rhbz#1365555
+- Fix typo bug in apache module
+Resolves: rhbz#1397311
+- Dontaudit that system_mail_t is trying to read /root/ files
+Resolves: rhbz#1147945
+- Make working webadm_t userdomain
+Resolves: rhbz#1323792
+- Allow redis domain to execute shell scripts.
+Resolves: rhbz#1421326
+- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
+Resolves: rhbz#1473303
+- Add couple capabilities to keepalived domain and allow get attributes of all domains
+Resolves: rhbz#1429327
+- Allow dmidecode read rhsmcertd lock files
+Resolves: rhbz#1300799
+- Add new interface rhsmcertd_rw_lock_files()
+Resolves: rhbz#1300799
+- Label all plymouthd archives as plymouthd_var_log_t
+Resolves: rhbz#1478323
+- Allow cloud_init_t to dbus chat with systemd_timedated_t
+Resolves: rhbz#1440730
+- Allow logrotate_t to write to kmsg
+Resolves: rhbz#1397744
+- Add capability kill to rhsmcertd_t
+Resolves: rhbz#1398338
+- Disable mysqld_safe_t secure mode environment cleansing.
+Resolves: rhbz#1464063
+- Allow winbind to manage smbd_tmp_t files
+Resolves: rhbz#1475566
+- Dontaudit that system_mail_t is trying to read /root/ files
+Resolves: rhbz#1147945
+- Make working webadm_t userdomain
+Resolves: rhbz#1323792
+- Allow redis domain to execute shell scripts.
+Resolves: rhbz#1421326
+- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
+Resolves: rhbz#1473303
+- Add couple capabilities to keepalived domain and allow get attributes of all domains
+Resolves: rhbz#1429327
+- Allow dmidecode read rhsmcertd lock files
+Resolves: rhbz#1300799
+- Add new interface rhsmcertd_rw_lock_files()
+Resolves: rhbz#1300799
+- Label all plymouthd archives as plymouthd_var_log_t
+Resolves: rhbz#1478323 
+- Allow cloud_init_t to dbus chat with systemd_timedated_t
+Resolves: rhbz#1440730
+- Allow logrotate_t to write to kmsg
+Resolves: rhbz#1397744
+- Add capability kill to rhsmcertd_t
+Resolves: rhbz#1398338
+- Disable mysqld_safe_t secure mode environment cleansing.
+Resolves: rhbz#1464063
+- Allow winbind to manage smbd_tmp_t files
+Resolves: rhbz#1475566
+- Add interface systemd_tmpfiles_run
+- End of file cannot be in comment
+- Allow systemd-logind to use ypbind
+Resolves: rhbz#1479350
+- Add creating opasswd file with shadow_t SELinux label in auth_manage_shadow() interface
+Resolves: rhbz#1412838
+- Allow sysctl_irq_t assciate with proc_t
+Resolves: rhbz#1485909
+- Enable cgourp sec labeling
+Resolves: rhbz#1485947
+- Add cgroup_seclabel policycap.
+Resolves: rhbz#1485947
+- Allow sshd_t domain to send signull to xdm_t processes
+Resolves: rhbz#1448959
+- Allow updpwd_t domain auth file name trans
+Resolves: rhbz#1412838
+- Allow sysadm user to run systemd-tmpfiles
+Resolves: rbhz#1325364
+- Add support labeling for vmci and vsock device
+Resolves: rhbz#1451358
+- Add userdom_dontaudit_manage_admin_files() interface
+Resolves: rhbz#1323792
+- Allow iptables_t domain to read files with modules_conf_t label
+Resolves: rhbz#1373220
+- init: Add NoNewPerms support for systemd.
+Resolves: rhbz#1480518
+- Add nnp_nosuid_transition policycap and related class/perm definitions.
+Resolves: rhbz#1480518
+- refpolicy: Infiniband pkeys and endports
+Resolves: rhbz#1464484
+
+* Tue Aug 29 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-172
 - Allow certmonger using systemctl on pki_tomcat unit files
-Resolves: rhbz#1486552
+Resolves: rhbz#1481388
 
-* Sat Aug 26 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.4
-- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
-Resolves: rhbz#1485308
-
-* Thu Aug 10 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.3
-- Fixing wrong NVR
-Resolves: rhbz#1479767
+* Tue Aug 29 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-171
+- Allow targetd_t to create own tmp files.
+- Dontaudit targetd_t to exec rpm binary file.
+Resolves: rhbz#1373860
+Resolves: rhbz#1424621
 
-* Thu Aug 10 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.2
-- Increase NVR
-Resolves: rhbz#1479767
+* Thu Aug 24 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-170
+- Add few rules to make working targetd daemon with SELinux
+Resolves: rhbz#1373860
+- Allow ipmievd_t domain to load kernel modules
+Resolves: rhbz#1441081
+- Allow logrotate to reload transient systemd unit
+Resolves: rhbz#1440515
+- Add certwatch_t domain dac_override and dac_read_search capabilities
+Resolves: rhbz#1422000
+- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain
+Resolves: rhbz#1412072
+- Allow nscd_t domain to search network sysctls
+Resolves: rhbz#1432361
+- Allow iscsid_t domain to read mount pid files
+Resolves: rhbz#1482097
+- Allow ksmtuned_t domain manage sysfs_t files/dirs
+Resolves: rhbz#1413865
+- Allow keepalived_t domain domtrans into iptables_t
+Resolves: rhbz#1477719
+- Allow rshd_t domain reads net sysctls
+Resolves: rhbz#1477908
+- Add interface seutil_dontaudit_read_module_store()
+- Update interface lvm_rw_pipes() by adding also open permission
+- Label /dev/clp device as vfio_device_t
+Resolves: rhbz#1477624
+- Allow ifconfig_t domain unmount fs_t
+Resolves: rhbz#1477445
+- Label /dev/gpiochip* devices as gpio_device_t
+Resolves: rhbz#1477618
+- Add interface  dev_manage_sysfs()
+Resolves: rhbz#1474989
+
+* Mon Aug 14 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-169
+- Label /usr/libexec/sudo/sesh as shell_exec_t
+Resolves: rhbz#1480791
+
+* Fri Aug 11 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-168
+- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
+Resolves: rhbz#1470735
 
-* Wed Aug 09 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.1
+* Wed Aug 09 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-167
 - Allow llpdad send dgram to libvirt
-Resolves: rhbz#1479767
+Resolves: rhbz#1472722
 
 * Mon Jul 10 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166
 - Add new boolean gluster_use_execmem