selinux-policy package update

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>
2018-12-16 15:17:02 +01:00 · 2018-12-16 15:17:02 +01:00 · aad537eb28
parent 1251a0545c
commit aad537eb28
6 changed files with 21744 additions and 21149 deletions
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@ -2545,6 +2545,13 @@ sbd = module
 #
 opendnssec = module

+# Layer: contrib
+# Module: ganesha
+#
+# ganesha
+#
+ganesha = module
+
 # Layer: contrib
 # Module: tlp
 #
--- a/SOURCES/policy-rhel-7.6-base.patch
+++ b/SOURCES/policy-rhel-7.6-base.patch
--- a/SOURCES/policy-rhel-7.6-contrib.patch
+++ b/SOURCES/policy-rhel-7.6-contrib.patch
--- a/SOURCES/policy-rhel-7.6.z-base.patch
+++ b/SOURCES/policy-rhel-7.6.z-base.patch
@ -0,0 +1,36 @@
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index b6debf340..329eb3922 100644
+--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
+@@ -55,6 +55,7 @@ template(`sudo_role_template',`
+ 	files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
+ 
+ 	allow $1_sudo_t $3:dir search_dir_perms;;
+	allow $1_sudo_t $3:file read_file_perms;;
+ 	allow $1_sudo_t $3:key search;
+ 
+ 	# Enter this derived domain from the user domain
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index c03a52c04..8569b19db 100644
+--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
+@@ -55,6 +55,7 @@ storage_read_scsi_generic(staff_t)
+ storage_write_scsi_generic(staff_t)
+ 
+ term_use_unallocated_ttys(staff_t)
+term_use_generic_ptys(staff_t)
+ 
+ auth_domtrans_pam_console(staff_t)
+ 
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index cceb511fc..f5139efd2 100644
+--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
+@@ -381,6 +381,7 @@ dontaudit confined_admindomain self:socket create;
+ 
+ allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
+ term_create_pty(confined_admindomain, user_devpts_t)
+term_use_generic_ptys(confined_admindomain)
+ # avoid annoying messages on terminal hangup on role change
+ dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
+ 
--- a/SOURCES/policy-rhel-7.6.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.6.z-contrib.patch
@ -0,0 +1,525 @@
+diff --git a/cinder.te b/cinder.te
+index 488a7a659..a05691d8f 100644
+--- a/cinder.te
+++ b/cinder.te
+@@ -159,6 +159,8 @@ kernel_read_kernel_sysctls(cinder_volume_t)
+ 
+ logging_send_syslog_msg(cinder_volume_t)
+ 
+systemd_dbus_chat_logind(cinder_volume_t)
+
+ optional_policy(`
+ 	lvm_domtrans(cinder_volume_t)
+ ')
+diff --git a/ganesha.fc b/ganesha.fc
+new file mode 100644
+index 000000000..c723bfb97
+--- /dev/null
+++ b/ganesha.fc
+@@ -0,0 +1,12 @@
+/usr/bin/ganesha.nfsd		--	gen_context(system_u:object_r:ganesha_exec_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha-config.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha-lock.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha.*e		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/var/log/ganesha.log.*	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
+/var/log/ganesha-gfapi.log.*	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
+
+/var/run/ganesha(/.*)?		gen_context(system_u:object_r:ganesha_var_run_t,s0)
+diff --git a/ganesha.if b/ganesha.if
+new file mode 100644
+index 000000000..4c347e5cc
+--- /dev/null
+++ b/ganesha.if
+@@ -0,0 +1,146 @@
+## <summary>policy for ganesha</summary>
+
+########################################
+## <summary>
+##	Execute ganesha_exec_t in the ganesha domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ganesha_domtrans',`
+	gen_require(`
+		type ganesha_t, ganesha_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ganesha_exec_t, ganesha_t)
+')
+
+######################################
+## <summary>
+##	Execute ganesha in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ganesha_exec',`
+	gen_require(`
+		type ganesha_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, ganesha_exec_t)
+')
+########################################
+## <summary>
+##	Read ganesha PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ganesha_read_pid_files',`
+	gen_require(`
+		type ganesha_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute ganesha server in the ganesha domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ganesha_systemctl',`
+	gen_require(`
+		type ganesha_t;
+		type ganesha_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 ganesha_unit_file_t:file read_file_perms;
+	allow $1 ganesha_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ganesha_t)
+')
+
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	ganesha over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ganesha_dbus_chat',`
+	gen_require(`
+		type ganesha_t;
+		class dbus send_msg;
+	')
+
+	allow $1 ganesha_t:dbus send_msg;
+	allow ganesha_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ganesha environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ganesha_admin',`
+	gen_require(`
+		type ganesha_t;
+		type ganesha_var_run_t;
+	type ganesha_unit_file_t;
+	')
+
+	allow $1 ganesha_t:process { signal_perms };
+	ps_process_pattern($1, ganesha_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 ganesha_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, ganesha_var_run_t)
+
+	ganesha_systemctl($1)
+	admin_pattern($1, ganesha_unit_file_t)
+	allow $1 ganesha_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+diff --git a/ganesha.te b/ganesha.te
+new file mode 100644
+index 000000000..f25a3f34d
+--- /dev/null
+++ b/ganesha.te
+@@ -0,0 +1,111 @@
+policy_module(ganesha, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow ganesha to read/write fuse files
+## </p>
+## </desc>
+gen_tunable(ganesha_use_fusefs, false)
+
+type ganesha_t;
+type ganesha_exec_t;
+init_daemon_domain(ganesha_t, ganesha_exec_t)
+
+type ganesha_var_log_t;
+logging_log_file(ganesha_var_log_t)
+
+type ganesha_var_run_t;
+files_pid_file(ganesha_var_run_t)
+
+type ganesha_tmp_t;
+files_tmp_file(ganesha_tmp_t)
+
+type ganesha_unit_file_t;
+systemd_unit_file(ganesha_unit_file_t)
+
+########################################
+#
+# ganesha local policy
+#
+dontaudit ganesha_t self:capability net_admin;
+
+allow ganesha_t self:capability { dac_read_search dac_override };
+allow ganesha_t self:capability2 block_suspend;
+allow ganesha_t self:process { setcap setrlimit };
+allow ganesha_t self:fifo_file rw_fifo_file_perms;
+allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
+allow ganesha_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })
+
+manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
+
+manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
+manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
+files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir })
+
+kernel_read_system_state(ganesha_t)
+kernel_search_network_sysctl(ganesha_t)
+kernel_read_net_sysctls(ganesha_t)
+
+auth_use_nsswitch(ganesha_t)
+
+corenet_tcp_bind_nfs_port(ganesha_t)
+corenet_tcp_connect_generic_port(ganesha_t)
+corenet_tcp_connect_gluster_port(ganesha_t)
+corenet_udp_bind_dey_keyneg_port(ganesha_t)
+corenet_tcp_bind_dey_keyneg_port(ganesha_t)
+corenet_udp_bind_nfs_port(ganesha_t)
+corenet_udp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_mountd_port(ganesha_t)
+corenet_udp_bind_mountd_port(ganesha_t)
+corenet_tcp_connect_virt_migration_port(ganesha_t)
+corenet_tcp_connect_all_rpc_ports(ganesha_t)
+
+dev_rw_infiniband_dev(ganesha_t)
+dev_read_gpfs(ganesha_t)
+dev_read_rand(ganesha_t)
+
+logging_send_syslog_msg(ganesha_t)
+
+sysnet_dns_name_resolve(ganesha_t)
+
+optional_policy(`
+	dbus_system_bus_client(ganesha_t)
+	dbus_connect_system_bus(ganesha_t)
+    unconfined_dbus_chat(ganesha_t)
+')
+
+optional_policy(`
+    glusterd_read_conf(ganesha_t)
+    glusterd_read_lib_files(ganesha_t)
+    glusterd_manage_pid(ganesha_t)
+')
+
+optional_policy(`
+    kerberos_read_keytab(ganesha_t)
+')
+
+optional_policy(`
+	rpc_manage_nfs_state_data_dir(ganesha_t)
+    rpc_read_nfs_state_data(ganesha_t)
+	rpcbind_stream_connect(ganesha_t)
+')
+
+tunable_policy(`ganesha_use_fusefs',`
+    fs_manage_fusefs_dirs(ganesha_t)
+    fs_manage_fusefs_files(ganesha_t)
+    fs_read_fusefs_symlinks(ganesha_t)
+    fs_getattr_fusefs(ganesha_t)
+')
+diff --git a/glusterd.fc b/glusterd.fc
+index e42e81f5f..9806f50ae 100644
+--- a/glusterd.fc
+++ b/glusterd.fc
+@@ -23,8 +23,3 @@
+ /var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+ /var/run/glusterd.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+ /var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+-
+-/var/log/ganesha(/.*)?      gen_context(system_u:object_r:glusterd_log_t,s0)
+-/var/log/ganesha.log	--	gen_context(system_u:object_r:glusterd_log_t,s0)
+-/var/log/ganesha-gfapi.log	--	gen_context(system_u:object_r:glusterd_log_t,s0)
+-
+diff --git a/glusterd.if b/glusterd.if
+index a62e355ac..291191f17 100644
+--- a/glusterd.if
+++ b/glusterd.if
+@@ -135,7 +135,6 @@ interface(`glusterd_manage_log',`
+ 	manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
+ 	manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
+ 	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
+-    logging_log_named_filetrans($1, glusterd_log_t, file, "ganesha.log")
+ ')
+ 
+ ######################################
+diff --git a/glusterd.te b/glusterd.te
+index 7804cbaf4..2bcedd014 100644
+--- a/glusterd.te
+++ b/glusterd.te
+@@ -64,8 +64,6 @@ files_type(glusterd_var_lib_t)
+ type glusterd_brick_t;
+ files_type(glusterd_brick_t)
+ 
+-typealias glusterd_log_t alias ganesha_var_log_t;
+-
+ ########################################
+ #
+ # Local policy
+@@ -270,6 +268,11 @@ optional_policy(`
+     ')
+ ')
+ 
+optional_policy(`
+    ganesha_systemctl(glusterd_t)
+    ganesha_dbus_chat(glusterd_t)
+')
+
+ optional_policy(`
+     hostname_exec(glusterd_t)
+ ')
+@@ -310,8 +313,8 @@ optional_policy(`
+ optional_policy(`
+     rpc_systemctl_nfsd(glusterd_t)
+     rpc_systemctl_rpcd(glusterd_t)
+
+     rpc_domtrans_nfsd(glusterd_t)
+-    rpc_dbus_chat_nfsd(glusterd_t)
+     rpc_domtrans_rpcd(glusterd_t)
+     rpc_manage_nfs_state_data(glusterd_t)
+ 	rpc_manage_nfs_state_data_dir(glusterd_t)
+diff --git a/nova.te b/nova.te
+index 2259a5192..af8dd5527 100644
+--- a/nova.te
+++ b/nova.te
+@@ -124,6 +124,7 @@ corenet_sendrecv_dns_server_packets(nova_domain)
+ corenet_sendrecv_dhcpd_server_packets(nova_domain)
+ 
+ auth_use_nsswitch(nova_t)
+auth_use_pam(nova_t)
+ auth_read_passwd(nova_domain)
+ 
+ dev_read_sysfs(nova_domain)
+@@ -132,7 +133,7 @@ dev_read_rand(nova_domain)
+ 
+ fs_getattr_all_fs(nova_domain)
+ 
+-init_read_utmp(nova_domain)
+init_rw_utmp(nova_domain)
+ 
+ libs_exec_ldconfig(nova_domain)
+ 
+diff --git a/rhcs.te b/rhcs.te
+index 0e8b031bb..c029ccd71 100644
+--- a/rhcs.te
+++ b/rhcs.te
+@@ -265,7 +265,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-    rpc_dbus_chat_nfsd(cluster_t)
+    ganesha_dbus_chat(cluster_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/rpc.fc b/rpc.fc
+index b08ec8d2d..38a2f0911 100644
+--- a/rpc.fc
+++ b/rpc.fc
+@@ -1,5 +1,3 @@
+-
+-
+ #
+ # /etc
+ #
+@@ -11,10 +9,6 @@
+ /usr/lib/systemd/system/nfs.* 		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+ /usr/lib/systemd/system/rpc.* 		--	gen_context(system_u:object_r:rpcd_unit_file_t,s0)
+ 
+-/usr/lib/systemd/system/nfs-ganesha-config.*		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+-/usr/lib/systemd/system/nfs-ganesha-lock.*		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+-/usr/lib/systemd/system/nfs-ganesha.*e		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+-
+ #
+ # /sbin
+ #
+@@ -33,15 +27,12 @@
+ /usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
+ /usr/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+ 
+-/usr/bin/ganesha\.nfsd		--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+-
+ #
+ # /var
+ #
+ /var/lib/nfs(/.*)?		gen_context(system_u:object_r:var_lib_nfs_t,s0)
+ 
+ /var/run/sm-notify.*		gen_context(system_u:object_r:rpcd_var_run_t,s0)
+-/var/run/ganesha.*		gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ /var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ /var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ 
+diff --git a/rpc.if b/rpc.if
+index 2ee527f2a..79a2a9c48 100644
+--- a/rpc.if
+++ b/rpc.if
+@@ -530,24 +530,3 @@ interface(`rpc_gssd_noatsecure',`
+ 
+     allow $1 gssd_t:process { noatsecure rlimitinh };
+ ')
+-
+-########################################
+-## <summary>
+-##	Send and receive messages from
+-##	ganesha over dbus.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`rpc_dbus_chat_nfsd',`
+-	gen_require(`
+-		type nfsd_t;
+-		class dbus send_msg;
+-	')
+-
+-	allow $1 nfsd_t:dbus send_msg;
+-	allow nfsd_t $1:dbus send_msg;
+-')
+diff --git a/rpc.te b/rpc.te
+index f4df4fda2..f585a7fb5 100644
+--- a/rpc.te
+++ b/rpc.te
+@@ -65,13 +65,6 @@ systemd_unit_file(nfsd_unit_file_t)
+ type var_lib_nfs_t;
+ files_mountpoint(var_lib_nfs_t)
+ 
+-type nfsd_tmp_t;
+-files_tmp_file(nfsd_tmp_t)
+-
+-typealias nfsd_t alias ganesha_t;
+-typealias nfsd_exec_t alias ganesha_exec_t;
+-typealias nfsd_unit_file_t alias ganesha_unit_file_t;
+-
+ ########################################
+ #
+ # Common rpc domain local policy
+@@ -234,17 +227,8 @@ optional_policy(`
+ 
+ allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_rawio sys_resource };
+ 
+-allow nfsd_t self:process { setcap };
+-
+ allow nfsd_t exports_t:file read_file_perms;
+ 
+-manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
+-manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
+-files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir })
+-
+-manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t)
+-files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file })
+-
+ # for /proc/fs/nfs/exports - should we have a new type?
+ kernel_read_system_state(nfsd_t)
+ kernel_read_network_state(nfsd_t)
+@@ -318,16 +302,6 @@ tunable_policy(`nfs_export_all_ro',`
+ 	files_read_non_security_files(nfsd_t)
+ ')
+ 
+-optional_policy(`
+-    glusterd_manage_log(nfsd_t)
+-    glusterd_manage_pid(nfsd_t)
+-')
+-
+-optional_policy(`
+-    dbus_system_bus_client(nfsd_t)
+-    dbus_acquire_svc_system_dbusd(nfsd_t)
+-')
+-
+ optional_policy(`
+ 	mount_exec(nfsd_t)
+ 	mount_manage_pid_files(nfsd_t)
+diff --git a/sysstat.te b/sysstat.te
+index a2690e315..efb2f855c 100644
+--- a/sysstat.te
+++ b/sysstat.te
+@@ -44,6 +44,7 @@ dev_read_urand(sysstat_t)
+ 
+ files_search_var(sysstat_t)
+ files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
+ 
+ fs_getattr_all_fs(sysstat_t)
+ fs_list_inotifyfs(sysstat_t)
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@ -20,12 +20,14 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 229%{?dist}
+Release: 229%{?dist}.6
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch0: policy-rhel-7.6-base.patch
+patch3: policy-rhel-7.6.z-base.patch
 patch1: policy-rhel-7.6-contrib.patch
+patch2: policy-rhel-7.6.z-contrib.patch
 Source1: modules-targeted-base.conf
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@ -274,9 +276,6 @@ fi; \

 %define preInstall() \
 if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
-     if [ -d %{_sysconfdir}/selinux/%1/active/modules/100/ganesha ]; then \
-       %{_sbindir}/semodule -n -d ganesha; \
-     fi; \
     . %{_sysconfdir}/selinux/config; \
     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
     if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
@ -343,9 +342,11 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
+%patch2 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch0 -p1
+%patch3 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
@ -656,6 +657,32 @@ fi
 %endif

 %changelog
+* Fri Nov 02 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.6
+- Allow nova_t domain to use pam
+Resolves: rhbz:#1645270
+- sysstat: grant sysstat_t the search_dir_perms set
+Resolves: rhbz#1645271
+
+* Fri Oct 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.5
+- Remove disabling ganesha module in pre install phase of installation new selinux-policy package where ganesha is again standalone module
+Resolves: rhbz#1638257
+
+* Thu Oct 11 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.4
+- Allow staff_t userdomain and confined_admindomain attribute to allow use generic ptys because of new sudo feature 'io logging'
+Resolves: rhbz#1638427
+
+* Thu Oct 11 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.3
+- Run ganesha as ganesha_t domain again, revert changes where ganesha is running as nfsd_t
+Resolves: rhbz#1638257
+
+* Wed Oct 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.2
+- Fix missing patch in spec file
+Resolves: rhbz#1635704
+
+* Fri Oct 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.1
+- Allow cinder_volume_t domain to dbus chat with systemd_logind_t domain
+Resolves: rhbz#1635704
+
 * Wed Sep 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229
 - Allow neutron domain to read/write /var/run/utmp
 Resolves: rhbz#1630318
@ -1008,7 +1035,7 @@ Resolves: rhbz#1452444
 Resolves: rhbz#1595667

 * Tue Jun 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-205
- Allow abrt_watch_log_t domain to mmap binaries with label abrt_dump_oops_exec_t
+- Allow abrt_watch_log_t domain to mmap binaries with label abrt_dump_oops_exec_t 
 Resolves: rhbz#1591191
 - Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
 Resolves: rhbz#1452595
@ -1211,7 +1238,7 @@ Resolves: rhbz#1588884
 Resolves: rhbz#1548350

 * Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-202
- Update ctdb domain to support gNFS setup
+- Update ctdb domain to support gNFS setup 
 Resolves: rhbz#1576818
 - Allow authconfig_t dbus chat with policykit
 Resolves: rhbz#1551241
@ -1334,7 +1361,7 @@ Resolves:rhbz#1510412

 * Wed Apr 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-195
 - Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
+- Allow virtd_t domain to relabel virt_var_lib_t files 
 Resolves: rhbz#1558121
 - Allow logrotate_t domain to stop services via systemd
 Resolves: rhbz#1527522
@ -1362,7 +1389,7 @@ Resolves: rhbz#1377915
 Resolves: rhbz#1550700
 - Allow usbmuxd to access /run/udev/data/+usb:*.
 Resolves: rhbz#1521054
- Allow abrt_t domain to manage kdump crash files
+- Allow abrt_t domain to manage kdump crash files 
 Resolves: rhbz#1491585
 - Allow systemd to use virtio console
 Resolves: rhbz#1558121