##
## Allow the specified domain to
@@ -19573,7 +19989,7 @@ index 8416beb43..b5b7a0ae8 100644
## Example attributes:
##
##
-@@ -4596,6 +6328,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6329,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -19600,7 +20016,7 @@ index 8416beb43..b5b7a0ae8 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +6423,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6424,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -19626,7 +20042,7 @@ index 8416beb43..b5b7a0ae8 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6683,176 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6684,176 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -27098,7 +27514,7 @@ index 9d2f31168..2d782e051 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 03061349c..bb5f3dd51 100644
+index 03061349c..e30703d3c 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@@ -27182,7 +27598,15 @@ index 03061349c..bb5f3dd51 100644
manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
-@@ -299,12 +311,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
+@@ -291,6 +303,7 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
++allow postgresql_t postgresql_tmp_t:file map;
+ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+ manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
+@@ -299,12 +312,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
kernel_read_kernel_sysctls(postgresql_t)
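Review bot: The new `allow postgresql_t postgresql_tmp_t:file map;` is placed between the two filetrans calls for postgresql_tmp_t, splitting `files_tmp_filetrans` from `fs_tmpfs_filetrans`, while the other permissions on that type are granted by the `manage_*_pattern` lines just above; moving the rule up next to `manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)` keeps the permission grants and the transitions grouped as elsewhere in the file. The rule also carries no comment saying why `map` is needed, and since `map` is checked independently of read/write on kernels that enforce it, a one-liner such as `# temp files are mmapped; map is checked separately from read/write` would record the reason. Which PostgreSQL operation triggers the mmap is not visible in the hunk, so I have not named it.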
@@ -27196,7 +27620,7 @@ index 03061349c..bb5f3dd51 100644
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_generic_if(postgresql_t)
corenet_udp_sendrecv_generic_if(postgresql_t)
-@@ -342,8 +354,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+@@ -342,8 +355,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
@@ -27206,7 +27630,7 @@ index 03061349c..bb5f3dd51 100644
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
-@@ -354,20 +365,28 @@ init_read_utmp(postgresql_t)
+@@ -354,20 +366,28 @@ init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
logging_send_audit_msgs(postgresql_t)
@@ -27238,7 +27662,7 @@ index 03061349c..bb5f3dd51 100644
allow postgresql_t self:process execmem;
')
-@@ -485,10 +504,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+@@ -485,10 +505,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
# It is always allowed to operate temporary objects for any database client.
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
@@ -27295,7 +27719,7 @@ index 03061349c..bb5f3dd51 100644
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
')
-@@ -536,7 +597,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -536,7 +598,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
@@ -27304,7 +27728,7 @@ index 03061349c..bb5f3dd51 100644
allow sepgsql_admin_type sepgsql_database_type:db_database *;
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -589,3 +650,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -589,3 +651,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@@ -41373,7 +41797,7 @@ index 6b917403e..772411608 100644
+
+/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f22..842ce28c4 100644
+index 58bc27f22..90f567300 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -1,5 +1,41 @@
@@ -41609,7 +42033,7 @@ index 58bc27f22..842ce28c4 100644
+ type lvm_var_run_t;
+ ')
+
-+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 lvm_var_run_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
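Review bot: Replacing `rw_inherited_fifo_file_perms` with `rw_fifo_file_perms` on `lvm_var_run_t:fifo_file` adds `open`, so a caller can now open named pipes under lvm's runtime directory itself instead of only using descriptors handed down from a parent; this is a real widening and the interface's summary block, which lies outside the hunk, should state that the domain opens the fifo if it still describes inherited access. If the interface's name contains "inherited", the name is now misleading as well and a rename (or a second, non-inherited interface) would be the cleaner change. Worth confirming from the denial that the calling domains actually open the fifo rather than receive it inherited, since the narrower set was presumably chosen deliberately.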
@@ -43812,7 +44236,7 @@ index d43f3b194..c5053dbbd 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 38220721d..0395f4810 100644
+index 38220721d..abac74231 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -44364,7 +44788,7 @@ index 38220721d..0395f4810 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1017,11 +1407,105 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1407,125 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@@ -44453,6 +44877,26 @@ index 38220721d..0395f4810 100644
+ read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
+')
+
++########################################
++##
++## Dontaudit read selinux module store
++## module store.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dontaudit_read_module_store',`
++ gen_require(`
++ type semanage_store_t;
++ ')
++
++dontaudit $1 semanage_store_t:dir list_dir_perms;
++dontaudit $1 semanage_store_t:file read_file_perms;
++')
++
+#######################################
+##
+## Dontaudit access check on module store
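Review bot: The new `seutil_dontaudit_read_module_store` interface silences `dir` and `file` reads on semanage_store_t but not `lnk_file`, whereas the read interface it mirrors just above grants `read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)`; without `dontaudit $1 semanage_store_t:lnk_file read_lnk_file_perms;` a caller such as targetd_t (the only caller added in this commit, in targetd.te) would still log denials on symlinks inside the store. The summary repeats itself (`## Dontaudit read selinux module store` / `## module store.`); I would write it as `##	Do not audit attempts to read the SELinux module store.`. The two `dontaudit` rules also lack the leading tab that the `gen_require` block and the sibling interface bodies use.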
@@ -44472,7 +44916,7 @@ index 38220721d..0395f4810 100644
')
########################################
-@@ -1041,9 +1525,15 @@ interface(`seutil_manage_module_store',`
+@@ -1041,9 +1545,15 @@ interface(`seutil_manage_module_store',`
')
files_search_etc($1)
@@ -44488,7 +44932,7 @@ index 38220721d..0395f4810 100644
')
#######################################
-@@ -1067,6 +1557,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1577,24 @@ interface(`seutil_get_semanage_read_lock',`
#######################################
##
@@ -44513,7 +44957,7 @@ index 38220721d..0395f4810 100644
## Get trans lock on module store
##
##
-@@ -1137,3 +1645,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1665,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 62951782..b27035ab 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -108616,10 +108616,10 @@ index 000000000..a6e216c73
+
diff --git a/targetd.te b/targetd.te
new file mode 100644
-index 000000000..4cc8557fc
+index 000000000..681ec9f67
--- /dev/null
+++ b/targetd.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,101 @@
+policy_module(targetd, 1.0.0)
+
+########################################
@@ -108646,7 +108646,7 @@ index 000000000..4cc8557fc
+allow targetd_t self:fifo_file rw_fifo_file_perms;
+allow targetd_t self:unix_stream_socket create_stream_socket_perms;
+allow targetd_t self:unix_dgram_socket create_socket_perms;
-+allow targetd_t self:tcp_socket listen;
++allow targetd_t self:tcp_socket { accept listen };
+allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
+allow targetd_t self:process { setfscreate setsched };
+
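Review bot: Adding `accept` turns targetd_t's TCP socket from listen-only into one that serves inbound connections, and nothing in this hunk shows which port type it may bind (a `corenet_tcp_bind_*` call or a dedicated port type for the targetd API); if the bind rule elsewhere in targetd.te uses a generic port type, a named port type would keep the listener confined to its own port. Stylistically the neighbouring rules use permission-set macros (`create_stream_socket_perms` on `unix_stream_socket` two lines up) rather than hand-enumerated sets; if the remaining tcp_socket permissions come from another interface, a short comment naming it would explain why this rule is listed piecemeal. The enclosing targetd.te file continues outside the hunk.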
@@ -108654,6 +108654,8 @@ index 000000000..4cc8557fc
+manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
+
++files_rw_isid_type_dirs(targetd_t)
++
+fs_getattr_xattr_fs(targetd_t)
+fs_manage_configfs_files(targetd_t)
+fs_manage_configfs_lnk_files(targetd_t)
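Review bot: `files_rw_isid_type_dirs(targetd_t)` grants read/write on every directory that still carries the initial file SID, which is a considerably broader grant than the configfs-specific `fs_manage_configfs_*` rules right below it, and the line carries no comment saying which directory produced the denial. If the directory in question belongs to a filesystem that presumably gets its label from genfscon (configfs is already covered here), the matching `fs_*` interface is the narrower fix; otherwise a comment such as `# <directory placeholder> is accessed before the kernel labels it (initial SID)` should record the reason so the grant can be revisited. Whether this is tied to the tcp/accept or module-loading changes elsewhere in the file is not visible in the hunk.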
@@ -108665,6 +108667,8 @@ index 000000000..4cc8557fc
+kernel_read_system_state(targetd_t)
+kernel_read_network_state(targetd_t)
+kernel_load_module(targetd_t)
++kernel_request_load_module(targetd_t)
++kernel_dgram_send(targetd_t)
+
+rpc_read_exports(targetd_t)
+
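Review bot: `kernel_request_load_module(targetd_t)` is added directly under the pre-existing `kernel_load_module(targetd_t)`, so targetd_t now holds both the narrow "ask the kernel to autoload a module" grant and the much broader direct-load grant; if the request-based interface covers the actual need, the direct-load line above it could likely be dropped, since direct module loading by a storage-management daemon is a large privilege for a confined domain. The hunk does not show which of the two the denial asked for, so confirm against the AVC before trimming. A one-line comment on `kernel_dgram_send(targetd_t)` saying what targetd sends to the kernel over the datagram socket would also help the next reviewer.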
@@ -108685,6 +108689,8 @@ index 000000000..4cc8557fc
+
+libs_exec_ldconfig(targetd_t)
+
++seutil_dontaudit_read_module_store(targetd_t)
++
+storage_raw_read_fixed_disk(targetd_t)
+storage_raw_read_removable_device(targetd_t)
+
@@ -108708,6 +108714,10 @@ index 000000000..4cc8557fc
+')
+
+optional_policy(`
++ rpm_dontaudit_read_db(targetd_t)
++')
++
++optional_policy(`
+ udev_read_pid_files(targetd_t)
+')
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8445df78..56debaba 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 275%{?dist}
+Release: 276%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -681,6 +681,9 @@ exit 0
%endif
%changelog
+* Sat Aug 26 2017 Lukas Vrabec - 3.13.1-276
+- Allow couple map rules
+
* Wed Aug 23 2017 Lukas Vrabec - 3.13.1-275
- Make confined users working
- Allow ipmievd_t domain to load kernel modules