* Mon Jun 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-132

- Rename xodbc-connect port to xodbc_connect
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)
- Dontaudit chrome to read passwd file. BZ(1204307)
- Allow firewalld exec ldconfig. BZ(1232748)
- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Rename xodbc-connect port to xodbc_connect
- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
- Label tcp port 6640 as ovsdb port. BZ (1179809)

policy-rawhide-base.patch

@@ -5565,7 +5565,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..a60bc60 100644
+index b191055..3812e33 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5791,7 +5791,7 @@ index b191055..a60bc60 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,95 +234,116 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +234,124 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5815,6 +5815,7 @@ index b191055..a60bc60 100644
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 +network_port(openvswitch, tcp,6634,s0)
 +network_port(osapi_compute, tcp, 8774, s0)
++network_port(ovsdb, tcp, 6640, s0)
  network_port(pdps, tcp,1314,s0, udp,1314,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
@@ -5926,7 +5927,14 @@ index b191055..a60bc60 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +357,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+ network_port(xdmcp, udp,177,s0, tcp,177,s0)
+ network_port(xen, tcp,8002,s0)
+ network_port(xfs, tcp,7100,s0)
++network_port(xodbc_connect, tcp,6632,s0)
+ network_port(xserver, tcp,6000-6020,s0)
+ network_port(zarafa, tcp,236,s0, tcp,237,s0)
+ network_port(zabbix, tcp,10051,s0)
+@@ -288,19 +359,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5953,7 +5961,7 @@ index b191055..a60bc60 100644
  
  ########################################
  #
-@@ -333,6 +406,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +408,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5962,7 +5970,7 @@ index b191055..a60bc60 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +420,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +422,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;

policy-rawhide-contrib.patch

@@ -5173,7 +5173,7 @@ index f6eb485..164501c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..d888ffb 100644
+index 6649962..44258d7 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@@ -6549,7 +6549,7 @@ index 6649962..d888ffb 100644
  ')
  
  optional_policy(`
-@@ -863,19 +1082,35 @@ optional_policy(`
+@@ -863,16 +1082,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6572,20 +6572,18 @@ index 6649962..d888ffb 100644
  ')
  
  optional_policy(`
+-	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+-	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 +	files_dontaudit_rw_usr_dirs(httpd_t)
- 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
- 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
- ')
- 
- optional_policy(`
-+    thin_stream_connect(httpd_t)
++    snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
 +')
 +
 +optional_policy(`
- 	udev_read_db(httpd_t)
++    thin_stream_connect(httpd_t)
  ')
  
-@@ -883,65 +1118,189 @@ optional_policy(`
+ optional_policy(`
+@@ -883,65 +1117,189 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6797,7 +6795,7 @@ index 6649962..d888ffb 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1309,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6952,7 +6950,7 @@ index 6649962..d888ffb 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1393,107 @@ optional_policy(`
+@@ -1083,172 +1392,107 @@ optional_policy(`
  	')
  ')
  
@@ -7190,7 +7188,7 @@ index 6649962..d888ffb 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1501,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7287,7 +7285,7 @@ index 6649962..d888ffb 100644
  
  ########################################
  #
-@@ -1321,8 +1576,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7304,7 +7302,7 @@ index 6649962..d888ffb 100644
  ')
  
  ########################################
-@@ -1330,49 +1592,38 @@ optional_policy(`
+@@ -1330,49 +1591,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7369,7 +7367,7 @@ index 6649962..d888ffb 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1633,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1632,109 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -12419,10 +12417,10 @@ index 0000000..aa308eb
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..41effe4
+index 0000000..5955ff0
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,254 @@
+@@ -0,0 +1,256 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -12485,6 +12483,8 @@ index 0000000..41effe4
 +kernel_read_system_state(chrome_sandbox_t)
 +kernel_read_kernel_sysctls(chrome_sandbox_t)
 +
++auth_dontaudit_read_passwd(chrome_sandbox_t)
++
 +fs_manage_cgroup_dirs(chrome_sandbox_t)
 +fs_manage_cgroup_files(chrome_sandbox_t)
 +fs_read_dos_files(chrome_sandbox_t)
@@ -25117,10 +25117,10 @@ index 0000000..457d4dd
 +')
 diff --git a/dnssec.te b/dnssec.te
 new file mode 100644
-index 0000000..dd2545b
+index 0000000..1e0a31f
 --- /dev/null
 +++ b/dnssec.te
-@@ -0,0 +1,73 @@
+@@ -0,0 +1,74 @@
 +policy_module(dnssec, 1.0.0)
 +
 +########################################
@@ -25193,6 +25193,7 @@ index 0000000..dd2545b
 +    networkmanager_sigchld(dnssec_trigger_t)
 +    networkmanager_sigkill(dnssec_trigger_t)
 +    networkmanager_signull(dnssec_trigger_t)
++    networkmanager_read_conf(dnssec_trigger_t)
 +')
 diff --git a/dnssectrigger.te b/dnssectrigger.te
 index c7bb4e7..e6fe2f40 100644
@@ -27828,7 +27829,7 @@ index c62c567..6460877 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
  ')
 diff --git a/firewalld.te b/firewalld.te
-index 98072a3..e91b89f 100644
+index 98072a3..a0c36b3 100644
 --- a/firewalld.te
 +++ b/firewalld.te
 @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@@ -27870,7 +27871,7 @@ index 98072a3..e91b89f 100644
  
  kernel_read_network_state(firewalld_t)
  kernel_read_system_state(firewalld_t)
-@@ -63,20 +76,17 @@ dev_search_sysfs(firewalld_t)
+@@ -63,20 +76,19 @@ dev_search_sysfs(firewalld_t)
  
  domain_use_interactive_fds(firewalld_t)
  
@@ -27883,10 +27884,11 @@ index 98072a3..e91b89f 100644
 +fs_dontaudit_all_access_check(firewalld_t)
  
 -logging_send_syslog_msg(firewalld_t)
--
--miscfiles_read_localization(firewalld_t)
 +auth_use_nsswitch(firewalld_t)
  
+-miscfiles_read_localization(firewalld_t)
++libs_exec_ldconfig(firewalld_t)
+ 
 -seutil_exec_setfiles(firewalld_t)
 -seutil_read_file_contexts(firewalld_t)
 +logging_send_syslog_msg(firewalld_t)
@@ -27896,7 +27898,7 @@ index 98072a3..e91b89f 100644
  
  optional_policy(`
  	dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -95,6 +105,10 @@ optional_policy(`
+@@ -95,6 +107,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36856,7 +36858,7 @@ index 1a35420..8101022 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index ca020fa..e20fb2f 100644
+index ca020fa..d4ed777 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
@@ -36915,7 +36917,7 @@ index ca020fa..e20fb2f 100644
  corenet_all_recvfrom_netlabel(iscsid_t)
  corenet_tcp_sendrecv_generic_if(iscsid_t)
  corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,21 +89,33 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,22 +89,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
  corenet_tcp_sendrecv_isns_port(iscsid_t)
  
@@ -36952,6 +36954,11 @@ index ca020fa..e20fb2f 100644
  
  optional_policy(`
  	tgtd_manage_semaphores(iscsid_t)
+ ')
++
++optional_policy(`
++	kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
++')
 diff --git a/isns.te b/isns.te
 index bc11034..07e6310 100644
 --- a/isns.te
@@ -48754,7 +48761,7 @@ index 6194b80..e27c53d 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..01cc431 100644
+index 11ac8e4..cee5091 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@@ -49218,7 +49225,7 @@ index 11ac8e4..01cc431 100644
 -dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config };
 -allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit };
 -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
-+dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
++dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config };
 +dontaudit mozilla_plugin_t self:capability2 block_suspend;
 +
 +allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
@@ -55194,7 +55201,7 @@ index 94b9734..448a7e8 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..68f7cb1 100644
+index 86dc29d..7380935 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -55364,7 +55371,7 @@ index 86dc29d..68f7cb1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -211,9 +259,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -211,9 +259,30 @@ interface(`networkmanager_read_lib_files',`
  	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
  ')
  
@@ -55381,10 +55388,12 @@ index 86dc29d..68f7cb1 100644
 +interface(`networkmanager_read_conf',`
 +    gen_require(`
 +        type NetworkManager_etc_t;
++        type NetworkManager_etc_rw_t;
 +    ')
 +
 +	allow $1 NetworkManager_etc_t:dir list_dir_perms;
 +	read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
++	read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t)
 +')
 +
  ########################################
@@ -55394,7 +55403,7 @@ index 86dc29d..68f7cb1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -221,19 +288,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -221,19 +290,18 @@ interface(`networkmanager_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -55419,7 +55428,7 @@ index 86dc29d..68f7cb1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -241,13 +307,66 @@ interface(`networkmanager_append_log_files',`
+@@ -241,13 +309,66 @@ interface(`networkmanager_append_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -55488,7 +55497,7 @@ index 86dc29d..68f7cb1 100644
  ')
  
  ####################################
-@@ -272,14 +391,33 @@ interface(`networkmanager_stream_connect',`
+@@ -272,14 +393,33 @@ interface(`networkmanager_stream_connect',`
  
  ########################################
  ## <summary>
@@ -55524,7 +55533,7 @@ index 86dc29d..68f7cb1 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,33 +425,189 @@ interface(`networkmanager_stream_connect',`
+@@ -287,33 +427,189 @@ interface(`networkmanager_stream_connect',`
  ## </param>
  ## <rolecap/>
  #
@@ -63325,7 +63334,7 @@ index 9b15730..cb00f20 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..c343cd3 100644
+index 44dbc99..ac08330 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -9,11 +9,8 @@ type openvswitch_t;
@@ -63390,7 +63399,7 @@ index 44dbc99..c343cd3 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -65,33 +68,43 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +68,45 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
@@ -63405,6 +63414,8 @@ index 44dbc99..c343cd3 100644
 -corenet_all_recvfrom_netlabel(openvswitch_t)
 -corenet_raw_sendrecv_generic_if(openvswitch_t)
 -corenet_raw_sendrecv_generic_node(openvswitch_t)
++corenet_tcp_connect_xodbc_connect_port(openvswitch_t)
++corenet_tcp_connect_ovsdb_port(openvswitch_t)
 +corenet_tcp_connect_openflow_port(openvswitch_t)
 +corenet_tcp_bind_generic_node(openvswitch_t)
 +corenet_tcp_bind_openvswitch_port(openvswitch_t)
@@ -95922,7 +95933,7 @@ index 2f0a2f2..1569e33 100644
 +/var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
  /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 diff --git a/snmp.if b/snmp.if
-index 7a9cc9d..d55da32 100644
+index 7a9cc9d..2b9cae3 100644
 --- a/snmp.if
 +++ b/snmp.if
 @@ -57,8 +57,7 @@ interface(`snmp_udp_chat',`
@@ -96006,7 +96017,7 @@ index 7a9cc9d..d55da32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -106,14 +144,14 @@ interface(`snmp_manage_var_lib_files',`
+@@ -106,14 +144,35 @@ interface(`snmp_manage_var_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -96021,10 +96032,31 @@ index 7a9cc9d..d55da32 100644
 -	read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
 -	read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
 +	manage_sock_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to manage
++##	snmpd lib content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`snmp_dontaudit_manage_snmp_var_lib_files',`
++	gen_require(`
++		type snmpd_var_lib_t;
++	')
++
++	dontaudit $1 snmpd_var_lib_t:dir manage_dir_perms;
++	dontaudit $1 snmpd_var_lib_t:file manage_file_perms;
++	dontaudit $1 snmpd_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
  
  ########################################
-@@ -179,8 +217,12 @@ interface(`snmp_admin',`
+@@ -179,8 +238,12 @@ interface(`snmp_admin',`
  		type snmpd_var_lib_t, snmpd_var_run_t;
  	')
  

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 131%{?dist}
+Release: 132%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,24 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jun 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-132
+- Rename xodbc-connect port to xodbc_connect
+- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
+- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
+- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
+- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
+- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)
+- Dontaudit chrome to read passwd file. BZ(1204307)
+- Allow firewalld exec ldconfig. BZ(1232748)
+- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
+- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
+- Allow NetworkManager write to sysfs. BZ(1234086)
+- Fix bogus line in logrotate.fc.
+- Add dontaudit interface for kdumpctl_tmp_t
+- Rename xodbc-connect port to xodbc_connect
+- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
+- Label tcp port 6640 as ovsdb port. BZ (1179809)
+
 * Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131
 - Allow NetworkManager write to sysfs. BZ(1234086)
 - Fix bogus line in logrotate.fc.