* Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145

- Allow watchdog execute fenced python script.
- Added inferface watchdog_unconfined_exec_read_lnk_files()
- Allow pmweb daemon to exec shell. BZ(1256127)
- Allow pmweb daemon to read system state. BZ(#1256128)
- Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t.
- Revert "Revert default_range change in targeted policy"
- Allow dhcpc_t domain transition to chronyd_t

policy-rawhide-base.patch

@@ -1052,10 +1052,17 @@ index 4705ab6..b82865c 100644
 +## </desc>
 +gen_tunable(mount_anyfile, false)
 diff --git a/policy/mcs b/policy/mcs
-index 216b3d1..78e56ed 100644
+index 216b3d1..064ec83 100644
 --- a/policy/mcs
 +++ b/policy/mcs
-@@ -69,53 +69,56 @@ gen_levels(1,mcs_num_cats)
+@@ -1,4 +1,6 @@
+ ifdef(`enable_mcs',`
++default_range dir_file_class_set target low;
++
+ #
+ # Define sensitivities 
+ #
+@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats)
  #  - /proc/pid operations are not constrained.
  
  mlsconstrain file { read ioctl lock execute execute_no_trans }
@@ -1132,7 +1139,7 @@ index 216b3d1..78e56ed 100644
  
  mlsconstrain process { signal }
  	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-@@ -135,6 +138,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
+@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
  mlsconstrain { db_tuple } { insert relabelto }
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
@@ -1142,7 +1149,7 @@ index 216b3d1..78e56ed 100644
  # Access control for any database objects based on MCS rules.
  mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
  	( h1 dom h2 );
-@@ -166,4 +172,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
  mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
  	( h1 dom h2 );
  
@@ -42578,7 +42585,7 @@ index 2cea692..57c9025 100644
 +	files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..77ee719 100644
+index a392fc4..bf8b888 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -42720,13 +42727,14 @@ index a392fc4..77ee719 100644
  
  modutils_run_insmod(dhcpc_t, dhcpc_roles)
  
-@@ -161,7 +185,14 @@ ifdef(`distro_ubuntu',`
+@@ -161,7 +185,15 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
 -	consoletype_run(dhcpc_t, dhcpc_roles)
 +	chronyd_initrc_domtrans(dhcpc_t)
 +	chronyd_systemctl(dhcpc_t)
++	chronyd_domtrans(dhcpc_t)
 +	chronyd_read_keys(dhcpc_t)
 +')
 +
@@ -42736,7 +42744,7 @@ index a392fc4..77ee719 100644
  ')
  
  optional_policy(`
-@@ -179,10 +210,6 @@ optional_policy(`
+@@ -179,10 +211,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42747,7 +42755,7 @@ index a392fc4..77ee719 100644
  	hotplug_getattr_config_dirs(dhcpc_t)
  	hotplug_search_config(dhcpc_t)
  
-@@ -195,23 +222,31 @@ optional_policy(`
+@@ -195,23 +223,31 @@ optional_policy(`
  optional_policy(`
  	netutils_run_ping(dhcpc_t, dhcpc_roles)
  	netutils_run(dhcpc_t, dhcpc_roles)
@@ -42782,7 +42790,7 @@ index a392fc4..77ee719 100644
  ')
  
  optional_policy(`
-@@ -221,7 +256,11 @@ optional_policy(`
+@@ -221,7 +257,11 @@ optional_policy(`
  
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
@@ -42795,7 +42803,7 @@ index a392fc4..77ee719 100644
  ')
  
  optional_policy(`
-@@ -233,6 +272,10 @@ optional_policy(`
+@@ -233,6 +273,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42806,7 +42814,7 @@ index a392fc4..77ee719 100644
  	vmware_append_log(dhcpc_t)
  ')
  
-@@ -264,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,12 +308,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -42831,7 +42839,7 @@ index a392fc4..77ee719 100644
  kernel_use_fds(ifconfig_t)
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
-@@ -279,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -279,14 +335,32 @@ kernel_rw_net_sysctls(ifconfig_t)
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
@@ -42864,7 +42872,7 @@ index a392fc4..77ee719 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -299,33 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +373,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -42922,7 +42930,7 @@ index a392fc4..77ee719 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -336,7 +427,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +428,11 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -42935,7 +42943,7 @@ index a392fc4..77ee719 100644
  ')
  
  optional_policy(`
-@@ -350,7 +445,16 @@ optional_policy(`
+@@ -350,7 +446,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42953,7 +42961,7 @@ index a392fc4..77ee719 100644
  ')
  
  optional_policy(`
-@@ -371,3 +475,13 @@ optional_policy(`
+@@ -371,3 +476,13 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')

policy-rawhide-contrib.patch

@@ -11947,7 +11947,7 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..fc5b086 100644
+index 550b287..943af3b 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -12036,7 +12036,7 @@ index 550b287..fc5b086 100644
  ')
  
  optional_policy(`
-@@ -92,11 +109,57 @@ optional_policy(`
+@@ -92,11 +109,58 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12050,6 +12050,7 @@ index 550b287..fc5b086 100644
 +optional_policy(`
 +    ipa_manage_lib(certmonger_t)
 +    ipa_manage_pid_files(certmonger_t)
++    ipa_filetrans_pid(certmonger_t,"renewal.lock")
 +')
 +
 +optional_policy(`
@@ -37061,10 +37062,10 @@ index 0000000..db194ec
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..71bde7d
+index 0000000..904782d
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,178 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@@ -37220,6 +37221,29 @@ index 0000000..71bde7d
 +    manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t)
 +')
 +
++########################################
++## <summary>
++##	Create specified objects in generic
++##	pid directories with the ipa pid file type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`ipa_filetrans_pid',`
++	gen_require(`
++		type ipa_var_run_t;
++	')
++
++	files_pid_filetrans($1, ipa_var_run_t, file, $2)
++')
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
 index 0000000..694c092
@@ -66020,10 +66044,10 @@ index 0000000..80246e6
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..684f7b0
+index 0000000..5b5747f
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,260 @@
+@@ -0,0 +1,264 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -66217,6 +66241,10 @@ index 0000000..684f7b0
 +# pcp_pmwebd local  policy
 +#
 +
++kernel_read_system_state(pcp_pmwebd_t)
++
++corecmd_exec_shell(pcp_pmwebd_t)
++
 +corenet_tcp_bind_generic_node(pcp_pmwebd_t)
 +
 +optional_policy(`
@@ -83184,10 +83212,10 @@ index c8a1e16..2d409bf 100644
  	xen_domtrans_xm(rgmanager_t)
  ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..eb08783 100644
+index 47de2d6..9ecda11 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,93 @@
+@@ -1,31 +1,95 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -83277,6 +83305,8 @@ index 47de2d6..eb08783 100644
 +
 +/usr/share/corosync/corosync    --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
++/usr/share/cluster/fence_scsi_check.*   --  gen_context(system_u:object_r:fenced_exec_t,s0)
++
 +/usr/lib/pcsd/pcsd          --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
 +/usr/lib/heartbeat(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
@@ -84152,7 +84182,7 @@ index c8bdea2..29df561 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..448a0c5 100644
+index 6cf79c4..9d253c3 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -84582,24 +84612,26 @@ index 6cf79c4..448a0c5 100644
  ')
  
  optional_policy(`
-@@ -190,12 +484,13 @@ optional_policy(`
+@@ -190,12 +484,17 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	gnome_read_generic_home_content(fenced_t)
-+	lvm_domtrans(fenced_t)
-+	lvm_read_config(fenced_t)
-+    lvm_stream_connect(fenced_t)
++    libs_exec_ldconfig(fenced_t)
  ')
  
  optional_policy(`
--	lvm_domtrans(fenced_t)
--	lvm_read_config(fenced_t)
+ 	lvm_domtrans(fenced_t)
+ 	lvm_read_config(fenced_t)
++    lvm_stream_connect(fenced_t)
++')
++
++optional_policy(`
 +    sanlock_domtrans(fenced_t)
  ')
  
  optional_policy(`
-@@ -203,6 +498,13 @@ optional_policy(`
+@@ -203,6 +502,17 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -84609,11 +84641,15 @@ index 6cf79c4..448a0c5 100644
 +	virt_read_pid_files(fenced_t)
 +	virt_stream_connect(fenced_t)
 +')
++
++optional_policy(`
++	watchdog_unconfined_exec_read_lnk_files(fenced_t)
++')
 +
  #######################################
  #
  # foghorn local policy
-@@ -221,16 +523,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +531,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
  corenet_tcp_connect_agentx_port(foghorn_t)
  corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
@@ -84634,7 +84670,7 @@ index 6cf79c4..448a0c5 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -247,16 +551,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
+@@ -247,16 +559,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
  stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
  stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -84656,7 +84692,7 @@ index 6cf79c4..448a0c5 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +583,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +591,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -84716,7 +84752,7 @@ index 6cf79c4..448a0c5 100644
  ######################################
  #
  # qdiskd local policy
-@@ -292,7 +647,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +655,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
  manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
  files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
  
@@ -84724,7 +84760,7 @@ index 6cf79c4..448a0c5 100644
  kernel_read_software_raid_state(qdiskd_t)
  kernel_getattr_core_if(qdiskd_t)
  
-@@ -321,6 +675,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +683,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -112151,11 +112187,37 @@ index eecd0e0..8df2e8c 100644
  /var/log/watchdog.*	gen_context(system_u:object_r:watchdog_log_t,s0)
  
  /var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
+diff --git a/watchdog.if b/watchdog.if
+index 6461a77..146852e 100644
+--- a/watchdog.if
++++ b/watchdog.if
+@@ -37,3 +37,21 @@ interface(`watchdog_admin',`
+ 	files_search_pids($1)
+ 	admin_pattern($1, watchdog_var_run_t)
+ ')
++
++#######################################
++## <summary>
++##  Allow read watchdog_unconfined_t lnk files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`watchdog_unconfined_exec_read_lnk_files',`
++	gen_require(`
++		type watchdog_unconfined_exec_t;
++	')
++
++	allow $1 watchdog_unconfined_exec_t:lnk_file read_lnk_file_perms;
++')
 diff --git a/watchdog.te b/watchdog.te
-index 3548317..a6d1675 100644
+index 3548317..fc3da17 100644
 --- a/watchdog.te
 +++ b/watchdog.te
-@@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
+@@ -12,34 +12,47 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
  type watchdog_initrc_exec_t;
  init_script_file(watchdog_initrc_exec_t)
  
@@ -112183,12 +112245,12 @@ index 3548317..a6d1675 100644
  allow watchdog_t self:fifo_file rw_fifo_file_perms;
  allow watchdog_t self:tcp_socket { accept listen };
 +allow watchdog_t self:rawip_socket create_socket_perms;
-+
-+manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
-+manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
  
 -allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 -logging_log_filetrans(watchdog_t, watchdog_log_t, file)
++manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
++manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
++
 +manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
 +manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
 +logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})
@@ -112200,7 +112262,13 @@ index 3548317..a6d1675 100644
  kernel_read_system_state(watchdog_t)
  kernel_read_kernel_sysctls(watchdog_t)
  kernel_unmount_proc(watchdog_t)
-@@ -63,7 +75,6 @@ domain_signull_all_domains(watchdog_t)
+ 
+ corecmd_exec_shell(watchdog_t)
++corecmd_exec_bin(watchdog_t)
+ 
+ corenet_all_recvfrom_unlabeled(watchdog_t)
+ corenet_all_recvfrom_netlabel(watchdog_t)
+@@ -63,7 +76,6 @@ domain_signull_all_domains(watchdog_t)
  domain_signal_all_domains(watchdog_t)
  domain_kill_all_domains(watchdog_t)
  
@@ -112208,7 +112276,7 @@ index 3548317..a6d1675 100644
  files_manage_etc_runtime_files(watchdog_t)
  files_etc_filetrans_etc_runtime(watchdog_t, file)
  
-@@ -72,17 +83,20 @@ fs_getattr_all_fs(watchdog_t)
+@@ -72,17 +84,20 @@ fs_getattr_all_fs(watchdog_t)
  fs_search_auto_mountpoints(watchdog_t)
  
  auth_append_login_records(watchdog_t)
@@ -112231,11 +112299,25 @@ index 3548317..a6d1675 100644
  	mta_send_mail(watchdog_t)
  ')
  
-@@ -97,3 +111,28 @@ optional_policy(`
+@@ -91,9 +106,42 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    rhcs_domtrans_fenced(watchdog_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(watchdog_t)
+ ')
+ 
  optional_policy(`
  	udev_read_db(watchdog_t)
  ')
 +
++optional_policy(`
++	watchdog_unconfined_exec_read_lnk_files(watchdog_t)
++')
++
 +########################################
 +#
 +# watchdog_unconfined_script_t local policy

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 144%{?dist}
+Release: 145%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,15 @@ exit 0
 %endif
 
 %changelog
+* Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145
+- Allow watchdog execute fenced python script.
+- Added inferface watchdog_unconfined_exec_read_lnk_files()
+- Allow pmweb daemon to exec shell. BZ(1256127)
+- Allow pmweb daemon to read system state. BZ(#1256128)
+- Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t.
+- Revert "Revert default_range change in targeted policy"
+- Allow dhcpc_t domain transition to chronyd_t
+
 * Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
 - Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
 - Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)