* Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289

- Allow tlp_t domain stream connect to sssd_t domain
- Add missing dac_override capability
- Add systemd_tmpfiles_t dac_override capability

policy-rawhide-base.patch

@@ -3190,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..9823c5a68 100644
+index 1d732f1e7..ae2fa67f8 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3376,7 +3376,7 @@ index 1d732f1e7..9823c5a68 100644
  #
  
 -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
-+allow passwd_t self:capability { chown dac_read_search dac_read_search  ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
++allow passwd_t self:capability { chown dac_read_search dac_override  ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
  dontaudit passwd_t self:capability sys_tty_config;
  allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow passwd_t self:process { setrlimit setfscreate };
@@ -35722,7 +35722,7 @@ index e4376aa98..2c98c5647 100644
 +	allow $1 getty_unit_file_t:service start;
 +')
 diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index f6743ea19..abcc39a8c 100644
+index f6743ea19..8c64a7e19 100644
 --- a/policy/modules/system/getty.te
 +++ b/policy/modules/system/getty.te
 @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t)
@@ -35747,7 +35747,7 @@ index f6743ea19..abcc39a8c 100644
  
  # Use capabilities.
 -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
-+allow getty_t self:capability { dac_read_search  chown setgid sys_resource sys_tty_config fowner fsetid };
++allow getty_t self:capability { dac_read_search  dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
  dontaudit getty_t self:capability sys_tty_config;
  allow getty_t self:process { getpgid setpgid getsession signal_perms };
  allow getty_t self:fifo_file rw_fifo_file_perms;
@@ -41173,7 +41173,7 @@ index 0e3c2a977..ea9bd57dc 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa9908..a0d1b1ff7 100644
+index 446fa9908..31ffd73ab 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -41208,7 +41208,7 @@ index 446fa9908..a0d1b1ff7 100644
 -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 -allow local_login_t self:process { setrlimit setexec };
-+allow local_login_t self:capability { dac_read_search  chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
++allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
 +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
  allow local_login_t self:fd use;
  allow local_login_t self:fifo_file rw_fifo_file_perms;
@@ -50091,10 +50091,10 @@ index 000000000..634d9596a
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 000000000..3660fe1c4
+index 000000000..e83a61cca
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1025 @@
+@@ -0,0 +1,1027 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -50582,7 +50582,7 @@ index 000000000..3660fe1c4
 +# Local policy
 +#
 +
-+allow systemd_tmpfiles_t self:capability { chown dac_read_search  fsetid fowner mknod sys_admin };
++allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin };
 +allow systemd_tmpfiles_t self:process { setfscreate };
 +
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
@@ -51029,6 +51029,8 @@ index 000000000..3660fe1c4
 +dev_read_sysfs(systemd_resolved_t)
 +
 +sysnet_manage_config(systemd_resolved_t)
++sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf")
++sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
 +
 +userdom_dbus_send_all_users(systemd_resolved_t)
 +

policy-rawhide-contrib.patch

@@ -111760,10 +111760,10 @@ index 000000000..368e18842
 +')
 diff --git a/tlp.te b/tlp.te
 new file mode 100644
-index 000000000..761cc35b0
+index 000000000..1ef713150
 --- /dev/null
 +++ b/tlp.te
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,84 @@
 +policy_module(tlp, 1.0.0)
 +
 +########################################
@@ -111844,6 +111844,10 @@ index 000000000..761cc35b0
 +optional_policy(`
 +    mount_domtrans(tlp_t)
 +')
++
++optional_policy(`
++    sssd_stream_connect(tlp_t)
++')
 diff --git a/tmpreaper.te b/tmpreaper.te
 index 585a77f95..9858c8b8d 100644
 --- a/tmpreaper.te

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 288%{?dist}
+Release: 289%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -682,6 +682,11 @@ exit 0
 %endif
 
 %changelog
+* Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289
+- Allow tlp_t domain stream connect to sssd_t domain
+- Add missing dac_override capability
+- Add systemd_tmpfiles_t dac_override capability
+
 * Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288
 - Remove all unnecessary dac_override capability in SELinux modules