selinux-policy package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>

SOURCES/customizable_types

@@ -1,3 +1,4 @@
+container_file_t
 sandbox_file_t
 svirt_image_t
 svirt_home_t

SOURCES/file_contexts.subs_dist

@@ -12,5 +12,7 @@
 /var/named/chroot/usr/lib64 /usr/lib
 /var/named/chroot/lib64 /usr/lib
 /var/home            /home
+/home/home-inst            /home
+/home-inst            /home
 /var/roothome        /root
 /sbin                /usr/sbin

SOURCES/modules-targeted-contrib.conf

@@ -2546,8 +2546,15 @@ sbd = module
 opendnssec = module
 
 # Layer: contrib
-# Module: ganesha
+# Module: tlp
 #
-# opendnssec
+# tlp
+#
+tlp = module
+
+# Layer: contrib
+# Module: tangd
+#
+# tangd
 #
-ganesha = module
+tangd = module

SOURCES/rpm.macros

@@ -20,11 +20,30 @@
 
 %_selinux_policy_version SELINUXPOLICYVERSION
 
+%_selinux_store_path SELINUXSTOREPATH
+
 %_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
 %_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
 
-%_file_custom_defined_booleans %{_sysconfdir}/selinux/${_policytype}/rpmbooleans.custom
-%_file_custom_defined_booleans_tmp %{_sysconfdir}/selinux/${_policytype}/rpmbooleans.custom.tmp
+%_file_custom_defined_booleans %{_selinux_store_path}/${_policytype}/rpmbooleans.custom
+%_file_custom_defined_booleans_tmp %{_selinux_store_path}/${_policytype}/rpmbooleans.custom.tmp
+
+# %selinux_requires
+%selinux_requires \
+Requires: selinux-policy >= %{_selinux_policy_version} \
+BuildRequires: git \
+BuildRequires: pkgconfig(systemd) \
+BuildRequires: selinux-policy \
+BuildRequires: selinux-policy-devel \
+Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
+Requires(post): libselinux-utils \
+Requires(post): policycoreutils \
+%if 0%{?fedora} \
+Requires(post): policycoreutils-python-utils \
+%else \
+Requires(post): policycoreutils-python \
+%endif \
+%{nil}
 
 # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
 %selinux_modules_install("s:p:") \
@@ -47,7 +66,7 @@ if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ $1 -eq 0 ]; then \
-  %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -r %* &> /dev/null || : \
+  %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
   if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
     %{_sbindir}/load_policy \
   fi \
@@ -76,7 +95,7 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
    if [ -f %{_file_context_file_pre} ]; then \
-     %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore \
+     %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
      rm -f %{_file_context_file_pre} \
    fi \
 fi \

SPECS/selinux-policy.spec

@@ -14,20 +14,18 @@
 %define BUILD_MLS 1
 %endif
 %define POLICYVER 31
-%define POLICYCOREUTILSVER 2.5-18
-%define CHECKPOLICYVER 2.5
-%define LIBSEMANAGEVER 2.5
+%define POLICYCOREUTILSVER 2.5-24
+%define CHECKPOLICYVER 2.5-8
+%define LIBSEMANAGEVER 2.5-13
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 193%{?dist}
+Release: 229%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
-patch0: policy-rhel-7.5-base.patch
-patch1: policy-rhel-7.5-contrib.patch
-patch2: policy-rhel-7.5.z-base.patch
-patch3: policy-rhel-7.5.z-contrib.patch
+patch0: policy-rhel-7.6-base.patch
+patch1: policy-rhel-7.6-contrib.patch
 Source1: modules-targeted-base.conf
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@@ -267,7 +265,7 @@ rm -f %{buildroot}%{_sysconfdir}/selinux/%1/active/*.linked \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 /usr/sbin/selinuxenabled; \
 if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
-     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
+     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null; \
      rm -f ${FILE_CONTEXT}.pre; \
 fi; \
 if /sbin/restorecon -e /run/media -R /root /var/log /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
@@ -276,6 +274,9 @@ fi; \
 
 %define preInstall() \
 if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
+     if [ -d %{_sysconfdir}/selinux/%1/active/modules/100/ganesha ]; then \
+       %{_sbindir}/semodule -n -d ganesha; \
+     fi; \
      . %{_sysconfdir}/selinux/config; \
      FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
      if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
@@ -342,11 +343,9 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
-%patch3 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch0 -p1
-%patch2 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
@@ -439,6 +438,7 @@ mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinu
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
 install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+sed -i 's@SELINUXSTOREPATH@%{_sysconfdir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 
 
 rm -rf selinux_config
@@ -457,7 +457,7 @@ echo "
 #     permissive - SELinux prints warnings instead of enforcing.
 #     disabled - No SELinux policy is loaded.
 SELINUX=enforcing
-# SELINUXTYPE= can take one of three two values:
+# SELINUXTYPE= can take one of three values:
 #     targeted - Targeted processes are protected,
 #     minimum - Modification of targeted policy. Only selected processes are protected. 
 #     mls - Multi Level Security protection.
@@ -656,17 +656,751 @@ fi
 %endif
 
 %changelog
-* Wed Mar 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192.3
-- Allow snapperd_t domain to unmount fs_t filesystems
-Resolves: rhbz#1561424
-
-* Mon Mar 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192.2
-- Allow snapperd_t to set priority for kernel processes
-Resolves: rhbz#1558656
-
-* Wed Mar 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192.1
+* Wed Sep 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229
+- Allow neutron domain to read/write /var/run/utmp
+Resolves: rhbz#1630318
+
+* Tue Sep 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-228
+- Allow tomcat_domain to read /dev/random
+Resolves: rhbz#1631666
+- Allow neutron_t domain to use pam
+Resolves: rhbz#1630318
+
+* Mon Sep 17 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-227
+- Add interface apache_read_tmp_dirs()
+- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
+Resolves: rhbz#1622602
+
+* Sat Sep 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-226
+- Allow tomcat servers to manage usr_t files
+Resolves: rhbz#1625678
+- Dontaudit tomcat serves to append to /dev/random device
+Resolves: rhbz#1625678
+- Allow sys_nice capability to mysqld_t domain
+- Allow dirsrvadmin_script_t domain to read httpd tmp files
+Resolves: rhbz#1622602
+- Allow syslogd_t domain to manage cert_t files
+Resolves: rhbz#1615995
+
+* Wed Sep 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-225
+- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
+Resolves: rhbz#1627114
+- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t
+Resolves: rhbz#1567753
+
+* Tue Sep 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-224
+- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.
+Resolves: rhbz#1625678
+- Allow chronyd_t domain to read virt_var_lib_t files
+- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333)
+Resolves: rhbz#1625613
+- Allow tomcat services create link file in /tmp
+Resolves: rhbz#1624289
+- Add boolean: domain_can_mmap_files.
+Resolves: rhbz#1460322
+
+* Tue Sep 02 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-223
+- Make working SELinux sandbox with Wayland.
+Resolves: rhbz#1624308
+- Allow svirt_t domain to mmap svirt_image_t block files
+Resolves: rhbz#1624224
+- Add caps dac_read_search and dav_override to pesign_t domain
+- Allow iscsid_t domain to mmap userio chr files
+Resolves: rhbz#1623589
+- Add boolean: domain_can_mmap_files.
+Resolves: rhbz#1460322
+- Add execute_no_trans permission to mmap_exec_file_perms pattern
+- Allow sudodomain to search caller domain proc info
+- Allow xdm_t domain to mmap and read cert_t files
+- Replace optional policy blocks to make dbus interfaces effective
+Resolves: rhbz#1624414
+- Add interface dev_map_userio_dev()
+
+* Wed Aug 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-222
+- Allow readhead_t domain to mmap own pid files
+Resolves: rhbz#1614169
+
+* Tue Aug 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-221
+- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
+- Allow httpd_t domain to mmap tmp files
+Resolves: rhbz#1608355
+- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
+- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
+- Label /dev/tpmrm[0-9]* as tpm_device_t
+- Allow semanage_t domain mmap usr_t files
+Resolves: rhbz#1622607
+- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t
+
+* Fri Aug 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-220
+- Allow nagios_script_t domain to mmap nagios_log_t files
+Resolves: rhbz#1620013
+- Allow nagios_script_t domain to mmap nagios_spool_t files
+Resolves: rhbz#1620013
+- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl
+Resolves: rhbz#1622197
+- Update selinux_validate_context() interface to allow caller domain to mmap security_t files
+Resolves: rhbz#1622061
+
+* Wed Aug 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-219
+- Allow virtd_t domain to create netlink_socket
+- Allow rpm_t domain to write to audit
+- Allow rpm domain to mmap rpm_var_lib_t files
+Resolves: rhbz#1619785
+- Allow nagios_script_t domain to mmap nagios_etc_t files
+Resolves: rhbz#1620013
+- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
+Resolves: rhbz#1460715
+- Allow secadm_t domain to mmap audit config and log files
+- Allow insmod_t domain to read iptables pid files
+- Allow systemd to mounton /etc
+Resolves: rhbz#1619785
+
+* Tue Aug 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-218
+- Allow kdumpctl_t domain to getattr fixed disk device in mls
+Resolves: rhbz#1615342
+- Allow initrc_domain to mmap all binaries labeled as systemprocess_entry
+Resolves: rhbz#1615342
+
+* Tue Aug 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-217
+- Allow virtlogd to execute itself
+Resolves: rhbz#1598392
+
+* Mon Aug 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-216
+- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
+Resolves: rhbz#1615342
+- Allow kdumpctl to write to files on all levels
+Resolves: rhbz#1615342
+- Fix typo in radius policy
+Resolves: rhbz#1619197
+- Allow httpd_t domain to mmap httpd_config_t files
+Resolves: rhbz#1615894
+- Add interface dbus_acquire_svc_system_dbusd()
+- Allow sanlock_t domain to connectto to unix_stream_socket
+Resolves: rhbz#1614965
+- Update nfsd_t policy because of ganesha features
+Resolves: rhbz#1511489
+- Allow conman to getattr devpts_t
+Resolves: rhbz#1377915
+- Allow tomcat_domain to connect to smtp ports
+Resolves: rhbz#1253502
+- Allow tomcat_t domain to mmap tomcat_var_lib_t files
+Resolves: rhbz#1618519
+- Allow slapd_t domain to mmap slapd_var_run_t files
+Resolves: rhbz#1615319
+- Allow nagios_t domain to mmap nagios_log_t files
+Resolves: rhbz#1618675
+- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)
+- Allow nagios to mmap nagios config files BZ(1559683)
+- Allow kpropd_t domain to mmap krb5kdc_principal_t files
+Resolves: rhbz#1619252
+- Update syslogd policy to make working elasticsearch
+- Label tcp and udp ports 9200 as wap_wsp_port
+- Allow few domains to rw inherited kdumpctl tmp pipes
+Resolves: rhbz#1615342
+
+* Fri Aug 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-215
+- Allow systemd_dbusd_t domain read/write to nvme devices
+Resolves: rhbz#1614236
+- Allow mysqld_safe_t do execute itself
+- Allow smbd_t domain to chat via dbus with avahi daemon
+Resolves: rhbz#1600157
+- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
+Resolves: rhbz#1452595
+- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
+Resolves: rhbz#1452444
+- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
+Resolves: rhbz#1384769
+- Add alias httpd__script_t to _script_t to make sepolicy generate working
+Resolves: rhbz#1271324
+- Allow kprop_t domain to read network state
+Resolves: rhbz#1600705
+- Allow sysadm_t domain to accept socket
+Resolves: rhbz#1557299
+- Allow sshd_t domain to mmap user_tmp_t files
+Resolves: rhbz#1613437
+
+* Tue Aug 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-214
+- Allow sshd_t domain to mmap user_tmp_t files
+Resolves: rhbz#1613437
+
+* Tue Aug 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-213
+- Allow kprop_t domain to read network state
+Resolves: rhbz#1600705
+
+* Tue Aug 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-212
+- Allow kpropd domain to exec itself
+Resolves: rhbz#1600705
+- Allow ipmievd_t to mmap kernel modules BZ(1552535)
+- Allow hsqldb_t domain to mmap own temp files
+Resolves: rhbz#1612143
+- Allow hsqldb_t domain to read cgroup files
+Resolves: rhbz#1612143
+- Allow rngd_t domain to read generic certs
+Resolves: rhbz#1612456
+- Allow innd_t domain to mmap own var_lib_t files
+Resolves: rhbz#1600591
+- Update screen_role_temaplate interface
+Resolves: rhbz#1384769
+- Allow cupsd_t to create cupsd_etc_t dirs
+Resolves: rhbz#1452595
+- Allow chronyd_t domain to mmap own tmpfs files
+Resolves: rhbz#1596563
+- Allow cyrus domain to mmap own var_lib_t and var_run files
+Resolves: rhbz#1610374
+- Allow sysadm_t domain to create rawip sockets
+Resolves: rhbz#1571591
+- Allow sysadm_t domain to listen on socket
+Resolves: rhbz#1557299
+- Update sudo_role_template() to allow caller domain also setattr generic ptys
+Resolves: rhbz#1564470
+- Allow netutils_t domain to create bluetooth sockets
+Resolves: rhbz#1600586
+
+* Fri Aug 03 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-211
+- Allow innd_t domain to mmap own var_lib_t files
+Resolves: rhbz#1600591
+- Update screen_role_temaplate interface
+Resolves: rhbz#1384769
+- Allow cupsd_t to create cupsd_etc_t dirs
+Resolves: rhbz#1452595
+- Allow chronyd_t domain to mmap own tmpfs files
+Resolves: rhbz#1596563
+- Allow cyrus domain to mmap own var_lib_t and var_run files
+Resolves: rhbz#1610374
+- Allow sysadm_t domain to create rawip sockets
+Resolves: rhbz#1571591
+- Allow sysadm_t domain to listen on socket
+Resolves: rhbz#1557299
+- Update sudo_role_template() to allow caller domain also setattr generic ptys
+Resolves: rhbz#1564470
+- Allow netutils_t domain to create bluetooth sockets
+Resolves: rhbz#1600586
+
+* Tue Jul 31 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-210
+- Allow virtlogd_t domain to chat via dbus with systemd_logind
+Resolves: rhbz#1593740
+
+* Sun Jul 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-209
+- Allow sblim_sfcbd_t domain to mmap own tmpfs files
+Resolves: rhbz#1609384
+- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
+Resolves: rhbz#1592028
+
+* Thu Jul 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-208
+- Dontaudit oracleasm_t domain to request sys_admin capability
+- Allow iscsid_t domain to load kernel module
+Resolves: rhbz#1589295
+- Update rhcs contexts to reflects the latest fenced changes
+- Allow httpd_t domain to rw user_tmp_t files
+Resolves: rhbz#1608355
+- /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t
+Resolves: rhbz#1521063
+- Allow tangd_t dac_read_search
+Resolves: rhbz#1607810
+- Allow glusterd_t domain to mmap user_tmp_t files
+- Allow mongodb_t domain to mmap own var_lib_t files
+Resolves: rhbz#1607729
+- Allow iscsid_t domain to mmap sysfs_t files
+Resolves: rhbz#1602508
+- Allow tomcat_domain to search cgroup dirs
+Resolves: rhbz#1600188
+- Allow httpd_t domain to mmap own cache files
+Resolves: rhbz#1603505
+- Allow cupsd_t domain to mmap cupsd_etc_t files
+Resolves: rhbz#1599694
+- Allow kadmind_t domain to mmap krb5kdc_principal_t
+Resolves: rhbz#1601004
+- Allow virtlogd_t domain to read virt_etc_t link files
+Resolves: rhbz#1598593
+- Allow dirsrv_t domain to read crack db
+Resolves: rhbz#1599726
+- Dontaudit pegasus_t to require sys_admin capability
+Resolves: rhbz#1374570
+- Allow mysqld_t domain to exec mysqld_exec_t binary files
+- Allow abrt_t odmain to read rhsmcertd lib files
+Resolves: rhbz#1601389
+- Allow winbind_t domain to request kernel module loads
+Resolves: rhbz#1599236
+- Allow gpsd_t domain to getsession and mmap own tmpfs files
+Resolves: rhbz#1598388
+- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)
+Resolves: rhbz#1600157
+- Allow tomcat_domain to read cgroup_t files
+Resolves: rhbz#1601151
+- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
+Resolves: rhbz#1600704
+- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
+Resolves: rhbz#1600692
+- Fix ntp SELinux module
+- Allow innd_t domain to mmap news_spool_t files
+Resolves: rhbz#1600591
+- Allow haproxy daemon to reexec itself. BZ(1447800)
+Resolves: rhbz#1600578
+- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
+Resolves: rhbz#1559859
+- Allow pkcs_slotd_t domain to mmap own tmpfs files
+Resolves: rhbz#1600434
+- Allow fenced_t domain to reboot
+Resolves: rhbz#1293384
+- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)
+Resolves: rhbz#1557299
+- Allow lircd to use nsswitch. BZ(1401375)
+- Allow targetd_t domain mmap lvm config files
+Resolves: rhbz#1546671
+- Allow amanda_t domain to read network system state
+Resolves: rhbz#1452444
+- Allow abrt_t domain to read rhsmcertd logs
+Resolves: rhbz#1492059
+- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
+Resolves: rhbz#1608421
+- Allow ipsec_t domain to read l2tpd pid files
+Resolves: rhbz#1607994
+- Allow systemd_tmpfiles_t do mmap system db files
+- Improve domain_transition_pattern to allow mmap entrypoint bin file.
+Resolves: rhbz#1460322
+- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655)
+Resolves: rhbz#1600528
+- Dontaudit syslogd to watching top llevel dirs when imfile module is enabled
+Resolves: rhbz#1601928
+- Allow ipsec_t can exec ipsec_exec_t
+Resolves: rhbz#1600684
+- Allow netutils_t domain to mmap usmmon device
+Resolves: rhbz#1600586
+- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
+- Allow userdomain sudo domains to use generic ptys
+Resolves: rhbz#1564470
+- Allow traceroute to create icmp packets
+Resolves: rhbz#1548350
+- Allow systemd domain to mmap lvm config files BZ(1594584)
+- Add new interface lvm_map_config
+- refpolicy: Update for kernel sctp support Resolves: rhbz#1597111 Add additional entries to support the kernel SCTP implementation introduced in kernel 4.16
+
+* Fri Jun 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-207
+- Update oddjob_domtrans_mkhomedir() interface to allow caller domain also mmap oddjob_mkhomedir_exec_t files
+Resolves: rhbz#1596306
+- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
+Resolves: rhbz#1589257
+- Allow radiusd_t domain to read network sysctls
+Resolves: rhbz#1516233
+- Allow chronyc_t domain to use nscd shm
+Resolves: rhbz#1596563
+- Label /var/lib/tomcats dir as tomcat_var_lib_t
+Resolves: rhbz#1596367
+- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files
+Resolves: rhbz#bea0c8174
+- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t
+Resolves: rhbz#1596509
+- Update seutil_exec_loadpolicy() interface to allow caller domain to mmap load_policy_exec_t files
+Resolves: rhbz#1596072
+- Allow xdm_t to read systemd hwdb
+Resolves: rhbz#1596720
+- Allow dhcpc_t domain to mmap files labeled as ping_exec_t
+Resolves: rhbz#1596065
+
+* Wed Jun 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-206
+- Allow tangd_t domain to create tcp sockets
+Resolves: rhbz#1595775
+- Update postfix policy to allow postfix_master_t domain to mmap all postfix* binaries
+Resolves: rhbz#1595328
+- Allow amanda_t domain to have setgid capability
+Resolves: rhbz#1452444
+- Update usermanage_domtrans_useradd() to allow caller domain to mmap useradd_exec_t files
+Resolves: rhbz#1595667
+
+* Tue Jun 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-205
+- Allow abrt_watch_log_t domain to mmap binaries with label abrt_dump_oops_exec_t
+Resolves: rhbz#1591191
+- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
+Resolves: rhbz#1452595
+- Allow abrt_t domain to write to rhsmcertd pid files
+Resolves: rhbz#1492059
+- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control
+Resolves: rhbz#1463470
+- Add vhostmd_t domain to read/write to svirt images
+Resolves: rhbz#1465276
+- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
+Resolves: rhbz#1460715
+- Update openvswitch policy
+Resolves: rhbz#1594729
+- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
+Resolves: rhbz#1583084
+- Allow sssd_t and slpad_t domains to mmap generic certs
+Resolves: rhbz#1592016
+Resolves: rhbz#1592019
+- Allow oddjob_t domain to mmap binary files as oddjob_mkhomedir_exec_t files
+Resolves: rhbz#1592022
+- Update dbus_system_domain() interface to allow system_dbusd_t domain to mmap binary file from second parameter
+Resolves: rhbz#1583080
+- Allow chronyc_t domain use inherited user ttys
+Resolves: rhbz#1593267
+- Allow stapserver_t domain to mmap own tmp files
+Resolves: rhbz#1593122
+- Allow sssd_t domain to mmap files labeled as sssd_selinux_manager_exec_t
+Resolves: rhbz#1592026
+- Update policy for ypserv_t domain
+Resolves: rhbz#1592032
+- Allow abrt_dump_oops_t domain to mmap all non security files
+Resolves: rhbz#1593728
+- Allow svirt_t domain mmap svirt_image_t files
+Resolves: rhbz#1592688
+- Allow virtlogd_t domain to write inhibit systemd pipes.
+Resolves: rhbz#1593740
+- Allow sysadm_t and staff_t domains to use sudo io logging
+Resolves: rhbz#1564470
+- Allow sysadm_t domain create sctp sockets
+Resolves: rhbz#1571591
+- Update mount_domtrans() interface to allow caller domain mmap mount_exec_t
+Resolves: rhbz#1592025
+- Allow dhcpc_t to mmap all binaries with label hostname_exec_t, ifconfig_exec_t and netutils_exec_t
+Resolves: rhbz#1594661
+
+* Thu Jun 14 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-204
+- Fix typo in logwatch interface file
+- Allow spamd_t to manage logwatch_cache_t files/dirs
+- Allow dnsmasw_t domain to create own tmp files and manage mnt files
+- Allow fail2ban_client_t to inherit rlimit information from parent process
+Resolves: rhbz#1513100
+- Allow nscd_t to read kernel sysctls
+Resolves: rhbz#1512852
+- Label /var/log/conman.d as conman_log_t
+Resolves: rhbz#1538363
+- Add dac_override capability to tor_t domain
+Resolves: rhbz#1540711
+- Allow certmonger_t to readwrite to user_tmp_t dirs
+Resolves: rhbz#1543382
+- Allow abrt_upload_watch_t domain to read general certs
+Resolves: rhbz#1545098
+- Update postfix_domtrans_master() interface to allow caller domain also mmap postfix_master_exec_t binary
+Resolves: rhbz#1583087
+- Allow postfix_domain to mmap postfix_qmgr_exec_t binaries
+Resolves: rhbz#1583088
+- Allow postfix_domain to mmap postfix_pickup_exec_t binaries
+Resolves: rhbz#1583091
+- Allow chornyd_t read phc2sys_t shared memory
+Resolves: rhbz#1578883
+- Allow virt_qemu_ga_t read utmp
+Resolves: rhbz#1571202
+- Add several allow rules for pesign policy: Resolves: rhbz#1468744 - Allow pesign domain to read /dev/random - Allow pesign domain to create netlink_kobject_uevent_t sockets - Allow pesign domain create own tmp files
+- Add setgid and setuid capabilities to mysqlfd_safe_t domain
+Resolves: rhbz#1474440
+- Add tomcat_can_network_connect_db boolean
+Resolves: rhbz#1477948
+- Update virt_use_sanlock() boolean to read sanlock state
+Resolves: rhbz#1448799
+- Add sanlock_read_state() interface
+- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)
+Resolves: rhbz#1563423
+- Update abrt_domtrans and abrt_exec() interfaces to allow caller domain to mmap binary file
+Resolves:rhbz#1583080
+- Update nscd_domtrans and nscd_exec interfaces to allow caller domain also mmap nscd binaries
+Resolves: rhbz#1583086
+- Update snapperd_domtrans() interface to allow caller domain to mmap snapperd_exec_t file
+Resolves: rhbz#1583802
+- Allow zoneminder_t to getattr of fs_t
+Resolves: rhbz#1585328
+- Fix denials during ipa-server-install process on F27+
+Resolves: rhbz#1586029
+- Allow ipa_dnskey_t to exec ipa_dnskey_exec_t files
+Resolves: rhbz#1586033
+- Allow rhsmcertd_t domain to send signull to postgresql_t domain
+Resolves: rhbz#1588119
+- Allow policykit_t domain to dbus chat with dhcpc_t
+Resolves: rhbz#1364513
+- Adding new boolean keepalived_connect_any()
+Resolves: rhbz#1443473
+- Allow amanda to create own amanda_tmpfs_t files
+Resolves: rhbz#1452444
+- Add amanda_tmpfs_t label. BZ(1243752)
+- Allow gdomap_t domain to connect to qdomap_port_t
+Resolves: rhbz#1551944
+- Fix typos in sge
+- Fix typo in openvswitch policy
+- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
+- Allow sshd_keygen_t to execute plymouthd
+Resolves: rhbz#1583531
+- Update seutil_domtrans_setfiles() interface to allow caller domain to do mmap on setfiles_exec_t binary
+Resolves: rhbz#1583090
+- Allow systemd_networkd_t create and relabel tun sockets
+Resolves: rhbz#1583830
+- Allow map audisp_exec_t files fordomains executing this binary
+Resolves: rhbz#1586042
+- Add new interface postgresql_signull()
+- Add fs_read_xenfs_files() interface.
+
+* Mon Jun 11 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-203
+- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
+- Allow dac override capability to mandb_t domain BZ(1529399)
+Resolves: rhbz#1423361
+- Allow inetd_child process to chat via dbus with abrt
+Resolves: rhbz#1428805
+- Allow zabbix_agent_t domain to connect to redis_port_t
+Resolves: rhbz#1418860
+- Allow rhsmcertd_t domain to read xenfs_t files
+Resolves: rhbz#1405870
+- Allow zabbix_agent_t to run zabbix scripts
+Resolves: rhbz#1380697
+- Allow rabbitmq_t domain to create own tmp files/dirs
+Resolves: rhbz#1546897
+- Allow policykit_t mmap policykit_auth_exec_t files
+Resolves: rhbz#1583082
+- Allow ipmievd_t domain to read general certs
+Resolves: rhbz#1514591
+- Add sys_ptrace capability to pcp_pmie_t domain
+- Allow squid domain to exec ldconfig
+Resolves: rhbz#1532017
+- Make working gpg agent in gpg_agent_t domain
+Resolves: rhbz#1535109
+- Update gpg SELinux policy module
+- Allow kexec to read kernel module files in /usr/lib/modules.
+Resolves: rhbz#1536690
+- Allow mailman_domain to read system network state
+Resolves: rhbz#1413510
+- Allow mailman_mail_t domain to search for apache configs
+Resolves: rhbz#1413510
+- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
+Resolves: rhbz#1499208
+- Allow antivirus_domain to read all domain system state
+Resolves: rhbz#1560986
+- Allow targetd_t domain to red gconf_home_t files/dirs
+Resolves: rhbz#1546671
+- Allow freeipmi domain to map sysfs_t files
+Resolves: rhbz#1575918
+- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
+Resolves: rhbz#1351750
+- Update rhcs SELinux module
+Resolves: rhbz#1589257
+- Allow iscsid_t domain mmap kernel modules
+Resolves: rhbz#1589295
+- Allow iscsid_t domain mmap own tmp files
+Resolves: rhbz#1589295
+- Update iscsid_domtrans() interface to allow mmap iscsid_exec_t binary
+Resolves: rhbz#1589295
+- Update nscd_socket_use interface to allow caller domain also mmap nscd_var_run_t files.
+Resolves: rhbz#1589271
+- Allow nscd_t domain to mmap system_db_t files
+Resolves: rhbz#1589271
+- Add interface nagios_unconfined_signull()
+- Allow lircd_t domain read sssd public files Add setgid capability to lircd_t domain
+Resolves: rhbz#1550700
+- Add missing requires
+- Allow tomcat domain sends email
+Resolves: rhbz#1585184
+- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867)
+Resolves: rhbz#1585714
+- Allow kdump_t domain to map /boot files
+Resolves: rhbz#1588884
+- Fix typo in netutils policy
+- Allow confined users get AFS tokens
+Resolves: rhbz#1417671
+- Allow sysadm_t domain to chat via dbus
+Resolves: rhbz#1582146
+- Associate sysctl_kernel_t type with filesystem attribute
+- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
+Resolves: rhbz#1557299
+- Allow user_t and staff_t domains create netlink tcpdiag sockets
+Resolves: rhbz#1557281
+- Add interface dev_map_sysfs
+- Allow xdm_t domain to execute xdm_var_lib_t files
+Resolves: rhbz#1589139
+- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
+Resolves: rhbz#1569344
+- Label /dev/vhost-vsock char device as vhost_device_t
+- Add files_map_boot_files() interface
+Resolves: rhbz#1588884
+- Update traceroute_t domain to allow create dccp sockets
+Resolves: rhbz#1548350
+
+* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-202
+- Update ctdb domain to support gNFS setup
+Resolves: rhbz#1576818
+- Allow authconfig_t dbus chat with policykit
+Resolves: rhbz#1551241
+- Allow lircd_t domain to read passwd_file_t
+Resolves: rhbz:#1550700
+- Allow lircd_t domain to read system state
+Resolves: rhbz#1550700
+- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)
+Resolves: rhbz#1574521
+- Allow tangd_t domain read certs
+Resolves: rhbz#1509055
+- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db  is turned on
+Resolves: rhbz:#1579219
+- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp
+Resolves: rhbz#1574418
+- Allow ctdb_t domain modify ctdb_exec_t files
+Resolves: rhbz#1572584
+- Allow chrome_sandbox_t to mmap tmp files
+Resolves: rhbz#1574392
+- Allow ulogd_t to create netlink_netfilter sockets.
+Resolves: rhbz#1575924
+- Update ulogd SELinux security policy
+- Allow rhsmcertd_t domain send signull to apache processes
+Resolves: rhbz#1576555
+- Allow freeipmi domain to read sysfs_t files
+Resolves: rhbz#1575918
+- Allow smbcontrol_t to create dirs with samba_var_t label
+Resolves: rhbz#1574521
+- Allow swnserve_t domain to stream connect to sasl domain
+Resolves: rhbz#1574537
+- Allow SELinux users (except guest and xguest) to using bluetooth sockets
+Resolves: rhbz#1557299
+- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
+Resolves: rhbz#1557299
+- Fix broken sysadm SELinux module
+Resolves: rhbz#1557311
+- Allow user_t and staff_t domains create netlink tcpdiag sockets
+Resolves: rhbz#1557281
+- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
+Resolves: rhbz#1583089
+- Allow systemd_networkd_t to read/write tun tap devices
+Resolves: rhbz#1583830
+- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
+Resolves: rhbz#1583771
+- Allow audisp_t domain to mmap audisp_exec_t binary
+Resolves: rhbz#1583551
+- Fix duplicates in sysadm.te file
+Resolves: rhbz#1307183
+- Allow sysadm_u use xdm
+Resolves: rhbz#1307183
+- Fix typo in sysnetwork.if file
+Resolves: rhbz#1581551
+
+* Sun May 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-201
+- Fix duplicates in sysadm.te file
+Resolves: rhbz#1307183
+
+* Sat May 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-200
+- Allow sysadm_u use xdm
+Resolves: rhbz#1307183
+
+* Fri May 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-199
+- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db  is turned on
+Resolves: rhbz:#1579219
+- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp
+Resolves: rhbz#1574418
+- Allow chrome_sandbox_t to mmap tmp files
+Resolves: rhbz#1574392
+- Allow ulogd_t to create netlink_netfilter sockets.
+Resolves: rhbz#1575924
+- Update ulogd SELinux security policy
+- Allow rhsmcertd_t domain send signull to apache processes
+Resolves: rhbz#1576555
+- Allow freeipmi domain to read sysfs_t files
+Resolves: rhbz#1575918
+- Allow smbcontrol_t to create dirs with samba_var_t label
+Resolves: rhbz#1574521
+- Allow swnserve_t domain to stream connect to sasl domain
+Resolves: rhbz#1574537
+- Fix typo in sysnetwork.if file
+Resolves: rhbz#1581551
+
+* Fri May 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-198
+- Fix typo in sysnetwork.if file
+Resolves: rhbz#1581551
+
+* Thu May 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-197
+- Improve procmail_domtrans() to allow mmaping procmail_exec_t
+- Allow hypervvssd_t domain to read fixed disk devices
+Resolves: rhbz#1581225
+- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
+Resolves: rhbz#1581551
+- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
+Resolves: rhbz#1581551
+- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries
+Resolves: rhbz#1581551
+- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
+Resolves: rhbz#1581551
+- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
+
+* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-196
+- Add dbus_stream_connect_system_dbusd() interface.
+- Allow pegasus_t domain to mount tracefs_t filesystem
+Resolves:rhbz#1374570
+- Allow psad_t domain to read all domains state
+Resolves: rhbz#1558439
+- Add net_raw capability to named_t domain BZ(1545586)
+- Allow tomcat_t domain to connect to mongod_t tcp port
+Resolves:rhbz#1539748
+- Allow dovecot and postfix to connect to systemd stream sockets
+Resolves: rhbz#1368642
+- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
+Resolves:rhbz#1351750
+- Rename tang policy to tangd
+- Add interface systemd_rfkill_domtrans()
+- Allow users staff and sysadm to run wireshark on own domain
+Resolves:rhbz#1546362
+- Allow systemd-bootchart to create own tmpfs files
+Resolves:rhbz#1510412
+
+* Wed Apr 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-195
+- Rename tang policy to tangd
+- Allow virtd_t domain to relabel virt_var_lib_t files
+Resolves: rhbz#1558121
+- Allow logrotate_t domain to stop services via systemd
+Resolves: rhbz#1527522
+- Add tang policy
+Resolves: rhbz#1509055
+- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
+Resolves: rhbz#1559859
+- Improve snapperd SELinux policy
+Resolves: rhbz#1365555
+- Allow snapperd_t daemon to create unlabeled dirs.
+Resolves: rhbz#1365555
+- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence
+Resolves: rhbz#1271324
+- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
+Resolves: rhbz#1503835
+- Add new Boolean tomcat_use_execmem
+Resolves: rhbz#1565226
+- Allow domain transition from logrotate_t to chronyc_t
+Resolves: rhbz#1568281
+- Allow nfsd_t domain to read/write sysctl fs files
+Resolves: rhbz#1516593
+- Allow conman to read system state
+Resolves: rhbz#1377915
+- Allow lircd_t to exec shell and add capabilities dac_read_search and dac_override
+Resolves: rhbz#1550700
+- Allow usbmuxd to access /run/udev/data/+usb:*.
+Resolves: rhbz#1521054
+- Allow abrt_t domain to manage kdump crash files
+Resolves: rhbz#1491585
+- Allow systemd to use virtio console
+Resolves: rhbz#1558121
+- Allow transition from sysadm role into mdadm_t domain.
+Resolves: rhbz#1551568
+- Label /dev/op_panel and /dev/opal-prd as opal_device_t
+Resolves: rhbz#1537618
+- Label /run/ebtables.lock as iptables_var_run_t
+Resolves: rhbz#1511437
+- Allow udev_t domain to manage udev_rules_t char files.
+Resolves: rhbz#1545094
+- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin.
+Resolves: rhbz#1567753
+- Fix filesystem inteface file, we don't have nsfs_fs_t type, just nsfs_t
+Resolves: rhbz#1547700
+- Allow iptables_t domain to create dirs in etc_t with system_conf_t labels
+
+* Sat Apr 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-194
+- Add new boolean redis_enable_notify()
+Resolves: rhbz#1421326
+- Label  /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
+Resolves: rhbz#1549514
+- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
+Resolves: rbhz#1463593
+- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
+Resolves: rbhz#1463593
+
+* Thu Apr 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-193
 - Backport several changes for snapperdfrom Fedora Rawhide
-Resolves: rhbz#1558656
+Resolves: rhbz#1556798
+- Allow snapperd_t to set priority for kernel processes
+Resolves: rhbz#1556798
+- Make ganesha nfs server.
+Resolves: rhbz#1511489
+- Allow vxfs filesystem to use SELinux labels
+Resolves: rhbz#1482880
+- Add map permission to selinux-policy
+Resolves: rhbz#1460322
 
 * Tue Feb 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192
 - Label /usr/libexec/dbus-1/dbus-daemon-launch-helper  as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled.