* Mon Apr 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-249

- Merge pull request #4 from lslebodn/sssd_socket_activated - Remove /proc <<none>> from fedora policy, it's no longer necessary - Allow iptables get list of kernel modules - Allow unconfined_domain_type to enable/disable transient unit - Add interfaces init_enable_transient_unit() and init_disable_transient_unit - Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" - Label sysroot dir under ostree as root_t
2017-04-03 12:05:44 +02:00 · 2017-04-03 12:05:44 +02:00 · 0d1055a787
commit 0d1055a787
parent f993349d77
4 changed files with 594 additions and 396 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -10252,7 +10252,7 @@ index 6a1e4d1..4b87be8 100644
 +	allow $1 domain:process rlimitinh;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..3c25609 100644
+index cf04cb5..1de3267 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0)
@ -10420,7 +10420,7 @@ index cf04cb5..3c25609 100644
 
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +249,386 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +249,388 @@ allow unconfined_domain_type domain:msg { send receive };
 
 # For /proc/pid
 allow unconfined_domain_type domain:dir list_dir_perms;
@ -10496,6 +10496,8 @@ index cf04cb5..3c25609 100644
 +    init_stop_transient_unit(unconfined_domain_type)
 +    init_status_transient_unit(unconfined_domain_type)
 +    init_reload_transient_unit(unconfined_domain_type)
+    init_enable_transient_unit(unconfined_domain_type)
+    init_disable_transient_unit(unconfined_domain_type)
 +')
 +
 +optional_policy(`
@ -10809,7 +10811,7 @@ index cf04cb5..3c25609 100644
 +	unconfined_server_stream_connect(domain)
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..3690ce4 100644
+index b876c48..2e591a5 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -10929,7 +10931,7 @@ index b876c48..3690ce4 100644
 /mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
 /mnt/[^/]*/.*			<<none>>
 
-@@ -150,10 +162,10 @@ ifdef(`distro_debian',`
+@@ -150,17 +162,22 @@ ifdef(`distro_debian',`
 #
 # /opt
 #
@ -10942,8 +10944,8 @@ index b876c48..3690ce4 100644
 
 #
 # /proc
-@@ -161,6 +173,12 @@ ifdef(`distro_debian',`
- /proc			-d	<<none>>
+ #
+-/proc			-d	<<none>>
 /proc/.*			<<none>>
 
 +ifdef(`distro_redhat',`
@ -10955,7 +10957,7 @@ index b876c48..3690ce4 100644
 #
 # /run
 #
-@@ -169,6 +187,7 @@ ifdef(`distro_debian',`
+@@ -169,6 +186,7 @@ ifdef(`distro_debian',`
 /run/.*\.*pid			<<none>>
 /run/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
 
@ -10963,7 +10965,7 @@ index b876c48..3690ce4 100644
 #
 # /selinux
 #
-@@ -178,13 +197,14 @@ ifdef(`distro_debian',`
+@@ -178,13 +196,14 @@ ifdef(`distro_debian',`
 #
 # /srv
 #
@ -10980,7 +10982,7 @@ index b876c48..3690ce4 100644
 /tmp/.*				<<none>>
 /tmp/\.journal			<<none>>
 
-@@ -194,9 +214,11 @@ ifdef(`distro_debian',`
+@@ -194,9 +213,11 @@ ifdef(`distro_debian',`
 #
 # /usr
 #
@ -10993,7 +10995,7 @@ index b876c48..3690ce4 100644
 
 /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 
-@@ -204,15 +226,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +225,9 @@ ifdef(`distro_debian',`
 
 /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
 
@ -11010,7 +11012,7 @@ index b876c48..3690ce4 100644
 
 /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
 
-@@ -220,8 +236,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +235,6 @@ ifdef(`distro_debian',`
 /usr/tmp/.*			<<none>>
 
 ifndef(`distro_redhat',`
@ -11019,7 +11021,7 @@ index b876c48..3690ce4 100644
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 ')
-@@ -229,19 +243,33 @@ ifndef(`distro_redhat',`
+@@ -229,19 +242,33 @@ ifndef(`distro_redhat',`
 #
 # /var
 #
@ -11056,7 +11058,7 @@ index b876c48..3690ce4 100644
 
 /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/log/lost\+found/.*		<<none>>
-@@ -256,12 +284,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +283,14 @@ ifndef(`distro_redhat',`
 /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*\.*pid		<<none>>
@ -11071,12 +11073,14 @@ index b876c48..3690ce4 100644
 /var/tmp/.*			<<none>>
 /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.*		<<none>>
-@@ -271,3 +301,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +300,7 @@ ifdef(`distro_debian',`
 /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
+
+/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?           gen_context(system_u:object_r:root_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
 index f962f76..b64717f 100644
 --- a/policy/modules/kernel/files.if
@ -15467,7 +15471,7 @@ index d7c11a0..f521a50 100644
 /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..f1ebb1b 100644
+index 8416beb..d651a7d 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -18631,7 +18635,7 @@ index 8416beb..f1ebb1b 100644
 ##	Search all directories with a filesystem type.
 ## </summary>
 ## <param name="domain">
-@@ -4912,3 +6589,175 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6589,176 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
@ -18714,6 +18718,7 @@ index 8416beb..f1ebb1b 100644
 +	')
 +
 +	rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)
+    allow $1 onload_fs_t:sock_file ioctl;
 +')
 +
 +########################################
@ -23097,7 +23102,7 @@ index 234a940..a92415a 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..bfeb102 100644
+index 0fef1fc..93ad99f 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0)
@ -23174,7 +23179,7 @@ index 0fef1fc..bfeb102 100644
 optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
-@@ -23,11 +84,119 @@ optional_policy(`
+@@ -23,11 +84,127 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23208,6 +23213,14 @@ index 0fef1fc..bfeb102 100644
 +')
 +
 +optional_policy(`
+    dirsrv_stream_connect(staff_t)
+    dirsrv_manage_log(staff_t)
+    dirsrv_manage_var_lib(staff_t)
+    dirsrv_manage_var_run(staff_t)
+    dirsrv_manage_config(staff_t)
+')
+
+optional_policy(`
 +	dnsmasq_read_pid_files(staff_t)
 +')
 +
@ -23295,7 +23308,7 @@ index 0fef1fc..bfeb102 100644
 ')
 
 optional_policy(`
-@@ -35,15 +204,31 @@ optional_policy(`
+@@ -35,15 +212,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23329,7 +23342,7 @@ index 0fef1fc..bfeb102 100644
 ')
 
 optional_policy(`
-@@ -52,11 +237,61 @@ optional_policy(`
+@@ -52,11 +245,61 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23392,7 +23405,7 @@ index 0fef1fc..bfeb102 100644
 ')
 
 ifndef(`distro_redhat',`
-@@ -65,10 +300,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +308,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -23403,7 +23416,7 @@ index 0fef1fc..bfeb102 100644
 		cdrecord_role(staff_r, staff_t)
 	')
 
-@@ -78,10 +309,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +317,6 @@ ifndef(`distro_redhat',`
 
 	optional_policy(`
 		dbus_role_template(staff, staff_r, staff_t)
@ -23414,7 +23427,7 @@ index 0fef1fc..bfeb102 100644
 	')
 
 	optional_policy(`
-@@ -101,10 +328,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +336,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -23425,7 +23438,7 @@ index 0fef1fc..bfeb102 100644
 		java_role(staff_r, staff_t)
 	')
 
-@@ -125,10 +348,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +356,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -23436,7 +23449,7 @@ index 0fef1fc..bfeb102 100644
 		pyzor_role(staff_r, staff_t)
 	')
 
-@@ -141,10 +360,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +368,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -23447,7 +23460,7 @@ index 0fef1fc..bfeb102 100644
 		spamassassin_role(staff_r, staff_t)
 	')
 
-@@ -176,3 +391,23 @@ ifndef(`distro_redhat',`
+@@ -176,3 +399,23 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
@ -23500,10 +23513,10 @@ index ff92430..36740ea 100644
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..47b6d44 100644
+index 2522ca6..020ae3f 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,92 @@ policy_module(sysadm, 2.6.1)
+@@ -5,39 +5,101 @@ policy_module(sysadm, 2.6.1)
 # Declarations
 #
 
@ -23600,13 +23613,22 @@ index 2522ca6..47b6d44 100644
 +')
 +
 +optional_policy(`
+    dirsrv_domtrans(sysadm_t)
+    dirsrv_stream_connect(sysadm_t)
+    dirsrv_manage_log(sysadm_t)
+    dirsrv_manage_var_lib(sysadm_t)
+    dirsrv_manage_var_run(sysadm_t)
+    dirsrv_manage_config(sysadm_t)
+')
+
+optional_policy(`
 +	ssh_filetrans_admin_home_content(sysadm_t)
 +	ssh_filetrans_keys(sysadm_t)
 +')
 
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
-@@ -55,13 +108,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +117,7 @@ ifdef(`distro_gentoo',`
 	init_exec_rc(sysadm_t)
 ')
 
@ -23621,7 +23643,7 @@ index 2522ca6..47b6d44 100644
 	domain_ptrace_all_domains(sysadm_t)
 ')
 
-@@ -71,9 +118,9 @@ optional_policy(`
+@@ -71,9 +127,9 @@ optional_policy(`
 
 optional_policy(`
 	apache_run_helper(sysadm_t, sysadm_r)
@ -23632,7 +23654,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -87,6 +134,7 @@ optional_policy(`
+@@ -87,6 +143,7 @@ optional_policy(`
 
 optional_policy(`
 	asterisk_stream_connect(sysadm_t)
@ -23640,7 +23662,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -110,11 +158,17 @@ optional_policy(`
+@@ -110,11 +167,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23658,20 +23680,20 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -122,11 +176,27 @@ optional_policy(`
+@@ -122,11 +185,27 @@ optional_policy(`
 ')
 
 optional_policy(`
 -	consoletype_run(sysadm_t, sysadm_r)
 +	cron_admin_role(sysadm_r, sysadm_t)
-+')
-+
-+optional_policy(`
-+	consoletype_exec(sysadm_t)
 ')
 
 optional_policy(`
 -	cvs_exec(sysadm_t)
+	consoletype_exec(sysadm_t)
+')
+
+optional_policy(`
 +    daemonstools_run_start(sysadm_t, sysadm_r)
 +')
 +
@ -23688,7 +23710,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -140,6 +210,10 @@ optional_policy(`
+@@ -140,6 +219,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23699,7 +23721,7 @@ index 2522ca6..47b6d44 100644
 	dmesg_exec(sysadm_t)
 ')
 
-@@ -156,6 +230,10 @@ optional_policy(`
+@@ -156,6 +239,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23710,7 +23732,7 @@ index 2522ca6..47b6d44 100644
 	fstools_run(sysadm_t, sysadm_r)
 ')
 
-@@ -164,6 +242,11 @@ optional_policy(`
+@@ -164,6 +251,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23722,7 +23744,7 @@ index 2522ca6..47b6d44 100644
 	hadoop_role(sysadm_r, sysadm_t)
 ')
 
-@@ -172,13 +255,31 @@ optional_policy(`
+@@ -172,13 +264,31 @@ optional_policy(`
 	# at things (e.g., ipsec auto --status)
 	# probably should create an ipsec_admin role for this kind of thing
 	ipsec_exec_mgmt(sysadm_t)
@ -23754,7 +23776,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -190,11 +291,12 @@ optional_policy(`
+@@ -190,11 +300,12 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23769,7 +23791,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -210,22 +312,21 @@ optional_policy(`
+@@ -210,22 +321,21 @@ optional_policy(`
 	modutils_run_depmod(sysadm_t, sysadm_r)
 	modutils_run_insmod(sysadm_t, sysadm_r)
 	modutils_run_update_mods(sysadm_t, sysadm_r)
@ -23799,7 +23821,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -237,14 +338,32 @@ optional_policy(`
+@@ -237,14 +347,32 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23832,7 +23854,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -252,10 +371,20 @@ optional_policy(`
+@@ -252,10 +380,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23853,7 +23875,7 @@ index 2522ca6..47b6d44 100644
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_fetch(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +395,46 @@ optional_policy(`
+@@ -266,35 +404,46 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23885,18 +23907,18 @@ index 2522ca6..47b6d44 100644
 optional_policy(`
 -	rpm_run(sysadm_t, sysadm_r)
 +	quota_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	rssh_role(sysadm_r, sysadm_t)
 +	raid_domtrans_mdadm(sysadm_t)
 +')
 +
 +optional_policy(`
 +	rpc_domtrans_nfsd(sysadm_t)
- ')
- 
- optional_policy(`
-	rssh_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 +	rpm_run(sysadm_t, sysadm_r)
 +	rpm_dbus_chat(sysadm_t, sysadm_r)
 ')
@ -23907,7 +23929,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -308,6 +448,7 @@ optional_policy(`
+@@ -308,6 +457,7 @@ optional_policy(`
 
 optional_policy(`
 	screen_role_template(sysadm, sysadm_r, sysadm_t)
@ -23915,7 +23937,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -315,12 +456,20 @@ optional_policy(`
+@@ -315,12 +465,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23937,7 +23959,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -345,30 +494,38 @@ optional_policy(`
+@@ -345,30 +503,38 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23985,7 +24007,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -380,10 +537,6 @@ optional_policy(`
+@@ -380,10 +546,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23996,7 +24018,7 @@ index 2522ca6..47b6d44 100644
 	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 	usermanage_run_groupadd(sysadm_t, sysadm_r)
 	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +544,9 @@ optional_policy(`
+@@ -391,6 +553,9 @@ optional_policy(`
 
 optional_policy(`
 	virt_stream_connect(sysadm_t)
@ -24006,7 +24028,7 @@ index 2522ca6..47b6d44 100644
 ')
 
 optional_policy(`
-@@ -398,31 +554,34 @@ optional_policy(`
+@@ -398,31 +563,34 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24047,7 +24069,7 @@ index 2522ca6..47b6d44 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
 
-@@ -435,10 +594,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +603,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -24058,7 +24080,7 @@ index 2522ca6..47b6d44 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 
 		optional_policy(`
-@@ -459,15 +614,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +623,79 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -25326,7 +25348,7 @@ index 3835596..fbca2be 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81..20657b8 100644
+index 6d77e81..74de333 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@ -25342,7 +25364,7 @@ index 6d77e81..20657b8 100644
 # this module should be named user, but that is
 # a compile error since user is a keyword.
 
-@@ -12,12 +19,103 @@ role user_r;
+@@ -12,12 +19,107 @@ role user_r;
 
 userdom_unpriv_user_template(user)
 
@ -25390,6 +25412,10 @@ index 6d77e81..20657b8 100644
 +')
 +
 +optional_policy(`
+    dirsrv_stream_connect(user_t)
+')
+
+optional_policy(`
 +	journalctl_role(user_r, user_t)
 +')
 +
@ -25447,7 +25473,7 @@ index 6d77e81..20657b8 100644
 ')
 
 optional_policy(`
-@@ -25,11 +123,19 @@ optional_policy(`
+@@ -25,11 +127,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -25469,7 +25495,7 @@ index 6d77e81..20657b8 100644
 ')
 
 ifndef(`distro_redhat',`
-@@ -102,10 +208,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +212,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -25480,7 +25506,7 @@ index 6d77e81..20657b8 100644
 		postgresql_role(user_r, user_t)
 	')
 
-@@ -128,7 +230,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +234,6 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		ssh_role_template(user, user_r, user_t)
 	')
@ -25488,7 +25514,7 @@ index 6d77e81..20657b8 100644
 	optional_policy(`
 		su_role_template(user, user_r, user_t)
 	')
-@@ -160,4 +261,24 @@ ifndef(`distro_redhat',`
+@@ -160,4 +265,24 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		wireshark_role(user_r, user_t)
 	')
@ -26183,7 +26209,7 @@ index 76d9f66..7528851 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..5f4da9d 100644
+index fe0c682..20f3ba4 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@ -26309,15 +26335,16 @@ index fe0c682..5f4da9d 100644
 	type $1_t, ssh_server;
 	auth_login_pgm_domain($1_t)
 
-@@ -181,20 +209,22 @@ template(`ssh_server_template', `
+@@ -181,20 +209,23 @@ template(`ssh_server_template', `
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
 
 -	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+	allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
+	allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 -	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
-+	allow $1_t self:process { setcap getcap signal getsched setsched setrlimit setexec };
+	allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
+	allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 +	allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
@ -26337,7 +26364,7 @@ index fe0c682..5f4da9d 100644
 
 	allow $1_t $1_var_run_t:file manage_file_perms;
 	files_pid_filetrans($1_t, $1_var_run_t, file)
-@@ -206,6 +236,7 @@ template(`ssh_server_template', `
+@@ -206,6 +237,7 @@ template(`ssh_server_template', `
 
 	kernel_read_kernel_sysctls($1_t)
 	kernel_read_network_state($1_t)
@ -26345,7 +26372,7 @@ index fe0c682..5f4da9d 100644
 
 	corenet_all_recvfrom_unlabeled($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
-@@ -220,10 +251,13 @@ template(`ssh_server_template', `
+@@ -220,10 +252,13 @@ template(`ssh_server_template', `
 	corenet_tcp_bind_generic_node($1_t)
 	corenet_udp_bind_generic_node($1_t)
 	corenet_tcp_bind_ssh_port($1_t)
@ -26361,7 +26388,7 @@ index fe0c682..5f4da9d 100644
 
 	auth_rw_login_records($1_t)
 	auth_rw_faillog($1_t)
-@@ -233,7 +267,10 @@ template(`ssh_server_template', `
+@@ -233,7 +268,10 @@ template(`ssh_server_template', `
 	# for sshd subsystems, such as sftp-server.
 	corecmd_getattr_bin_files($1_t)
 
@ -26372,7 +26399,7 @@ index fe0c682..5f4da9d 100644
 
 	files_read_etc_files($1_t)
 	files_read_etc_runtime_files($1_t)
-@@ -241,35 +278,33 @@ template(`ssh_server_template', `
+@@ -241,35 +279,33 @@ template(`ssh_server_template', `
 
 	logging_search_logs($1_t)
 
@ -26419,7 +26446,7 @@ index fe0c682..5f4da9d 100644
 ')
 
 ########################################
-@@ -292,14 +327,15 @@ template(`ssh_server_template', `
+@@ -292,14 +328,15 @@ template(`ssh_server_template', `
 ##	User domain for the role
 ##	</summary>
 ## </param>
@ -26436,7 +26463,7 @@ index fe0c682..5f4da9d 100644
 	')
 
 	##############################
-@@ -328,103 +364,56 @@ template(`ssh_role_template',`
+@@ -328,103 +365,56 @@ template(`ssh_role_template',`
 
 	# allow ps to show ssh
 	ps_process_pattern($3, ssh_t)
@ -26550,7 +26577,7 @@ index fe0c682..5f4da9d 100644
 ')
 
 ########################################
-@@ -496,8 +485,27 @@ interface(`ssh_read_pipes',`
+@@ -496,8 +486,27 @@ interface(`ssh_read_pipes',`
 		type sshd_t;
 	')
 
@ -26579,7 +26606,7 @@ index fe0c682..5f4da9d 100644
 ########################################
 ## <summary>
 ##	Read and write a ssh server unnamed pipe.
-@@ -513,7 +521,7 @@ interface(`ssh_rw_pipes',`
+@@ -513,7 +522,7 @@ interface(`ssh_rw_pipes',`
 		type sshd_t;
 	')
 
@ -26588,7 +26615,7 @@ index fe0c682..5f4da9d 100644
 ')
 
 ########################################
-@@ -605,6 +613,24 @@ interface(`ssh_domtrans',`
+@@ -605,6 +614,24 @@ interface(`ssh_domtrans',`
 
 ########################################
 ## <summary>
@ -26613,7 +26640,7 @@ index fe0c682..5f4da9d 100644
 ##	Execute the ssh client in the caller domain.
 ## </summary>
 ## <param name="domain">
-@@ -637,7 +663,7 @@ interface(`ssh_setattr_key_files',`
+@@ -637,7 +664,7 @@ interface(`ssh_setattr_key_files',`
 		type sshd_key_t;
 	')
 
@ -26622,7 +26649,7 @@ index fe0c682..5f4da9d 100644
 	files_search_pids($1)
 ')
 
-@@ -662,6 +688,42 @@ interface(`ssh_agent_exec',`
+@@ -662,6 +689,42 @@ interface(`ssh_agent_exec',`
 
 ########################################
 ## <summary>
@ -26665,7 +26692,7 @@ index fe0c682..5f4da9d 100644
 ##	Read ssh home directory content
 ## </summary>
 ## <param name="domain">
-@@ -701,6 +763,68 @@ interface(`ssh_domtrans_keygen',`
+@@ -701,6 +764,68 @@ interface(`ssh_domtrans_keygen',`
 
 ########################################
 ## <summary>
@ -26734,7 +26761,7 @@ index fe0c682..5f4da9d 100644
 ##	Read ssh server keys
 ## </summary>
 ## <param name="domain">
-@@ -714,7 +838,26 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +839,26 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')
 
@ -26762,7 +26789,7 @@ index fe0c682..5f4da9d 100644
 ')
 
 ######################################
-@@ -754,3 +897,151 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +898,151 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
@ -33441,7 +33468,7 @@ index bc0ffc8..37b8ea5 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..6126f21 100644
+index 79a45f6..e90f7a4 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -34503,7 +34530,7 @@ index 79a45f6..6126f21 100644
 ')
 
 ########################################
-@@ -1806,37 +2313,708 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,37 +2313,744 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 
@ -35106,6 +35133,42 @@ index 79a45f6..6126f21 100644
 +##	</summary>
 +## </param>
 +#
+interface(`init_enable_transient_unit',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:service enable;
+')
+
+########################################
+## <summary>
+##	Tell init to do an unknown access.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_disable_transient_unit',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:service disable;
+')
+
+########################################
+## <summary>
+##	Tell init to do an unknown access.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`init_stop_transient_unit',`
 +	gen_require(`
 +		type init_t;
@ -37497,7 +37560,7 @@ index c42fbc3..bf211db 100644
 +	files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
 +')
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..aa38f90 100644
+index be8ed1e..2cf6f42 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
@@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
@ -37565,7 +37628,7 @@ index be8ed1e..aa38f90 100644
 kernel_use_fds(iptables_t)
 
 # needed by ipvsadm
-@@ -64,19 +81,23 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,19 +81,24 @@ corenet_relabelto_all_packets(iptables_t)
 corenet_dontaudit_rw_tun_tap_dev(iptables_t)
 
 dev_read_sysfs(iptables_t)
@ -37588,10 +37651,11 @@ index be8ed1e..aa38f90 100644
 -files_read_etc_runtime_files(iptables_t)
 +files_rw_etc_runtime_files(iptables_t)
 +files_rw_inherited_tmp_file(iptables_t)
+files_read_kernel_modules(iptables_t)
 
 auth_use_nsswitch(iptables_t)
 
-@@ -85,15 +106,14 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +107,14 @@ init_use_script_ptys(iptables_t)
 # to allow rules to be saved on reboot:
 init_rw_script_tmp_files(iptables_t)
 init_rw_script_stream_sockets(iptables_t)
@ -37609,7 +37673,7 @@ index be8ed1e..aa38f90 100644
 userdom_use_all_users_fds(iptables_t)
 
 ifdef(`hide_broken_symptoms',`
-@@ -102,6 +122,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +123,9 @@ ifdef(`hide_broken_symptoms',`
 
 optional_policy(`
 	fail2ban_append_log(iptables_t)
@ -37619,7 +37683,7 @@ index be8ed1e..aa38f90 100644
 ')
 
 optional_policy(`
-@@ -110,6 +133,13 @@ optional_policy(`
+@@ -110,7 +134,16 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37631,9 +37695,12 @@ index be8ed1e..aa38f90 100644
 +
 +optional_policy(`
 	modutils_run_insmod(iptables_t, iptables_roles)
+    modutils_list_module_config(iptables_t)
+')
 ')
 
-@@ -119,11 +149,25 @@ optional_policy(`
+ optional_policy(`
+@@ -119,11 +152,25 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37659,7 +37726,7 @@ index be8ed1e..aa38f90 100644
 ')
 
 optional_policy(`
-@@ -135,9 +179,9 @@ optional_policy(`
+@@ -135,9 +182,9 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -46979,10 +47046,10 @@ index 0000000..86e3d01
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..c9d14fd
+index 0000000..746fc9d
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1017 @@
+@@ -0,0 +1,1018 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -47413,6 +47480,7 @@ index 0000000..c9d14fd
 +
 +optional_policy(`
 +	unconfined_dbus_acquire_svc(systemd_networkd_t)
+    unconfined_dbus_send(systemd_networkd_t)
 +')
 +
 +#######################################
@ -49416,7 +49484,7 @@ index db75976..c54480a 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..4b0a3ed 100644
+index 9dc60c6..d5e8f38 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -50432,7 +50500,7 @@ index 9dc60c6..4b0a3ed 100644
 +	allow $1_t self:process ~{ ptrace execmem execstack execheap };
 +
 +	tunable_policy(`selinuxuser_use_ssh_chroot',`
-+		allow $1_t self:capability { sys_chroot };
+		allow $1_t self:capability { setuid setgid sys_chroot };
 +	')
 
 -	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 248%{?dist}
+Release: 249%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -682,6 +682,15 @@ exit 0
 %endif

 %changelog
+* Mon Apr 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-249
+- Merge pull request #4 from lslebodn/sssd_socket_activated
+- Remove /proc <<none>> from fedora policy, it's no longer necessary
+- Allow iptables get list of kernel modules
+- Allow unconfined_domain_type to enable/disable transient unit
+- Add interfaces init_enable_transient_unit() and init_disable_transient_unit
+- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
+- Label sysroot dir under ostree as root_t
+
 * Mon Mar 27 2017 Adam Williamson <awilliam@redhat.com> - 3.13.1-248
 - Put tomcat_t back in unconfined domains for now. BZ(1436434)