From 46a2445aafa9988ac1f5576c8db511c6695543e3 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Mon, 27 May 2019 16:47:47 +0200
Subject: [PATCH] * Mon May 27 2019 Lukas Vrabec <lvrabec@redhat.com> -
 3.14.4-19 - Fix bind_read_cache() interface to allow only read perms to
 caller domains - [speech-dispatcher.if] m4 macro names can not have - in them
 - Grant varnishlog_t access to varnishd_etc_t - Allow nrpe_t domain to read
 process state of systemd_logind_t - Allow mongod_t domain to connect on https
 port BZ(1711922) - Allow chronyc_t domain to create own tmpfiles and allow
 communicate send data over unix dgram sockets - Dontaudit spamd_update_t
 domain to read all domains states BZ(1711799) - Allow pcp_pmie_t domain to
 use sys_ptrace usernamespace cap BZ(1705871) - Allow userdomains to send data
 over dgram sockets to userdomains dbus services BZ(1710119) - Revert "Allow
 userdomains to send data over dgram sockets to userdomains dbus services
 BZ(1710119)" - Make boinc_var_lib_t mountpoint BZ(1711682) - Allow
 wireshark_t domain to create fifo temp files - All NetworkManager_ssh_t rules
 have to be in same optional block with ssh_basic_client_template(), fixing
 this bug in NetworkManager policy - Allow dbus chat between NetworkManager_t
 and NetworkManager_ssh_t domains. BZ(1677484) - Fix typo in gpg SELinux
 module - Update gpg policy to make ti working with confined users - Add
 domain transition that systemd labeled as init_t can execute
 spamd_update_exec_t binary to run newly created process as spamd_update_t -
 Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files - Label
 /var/run/user/*/dbus-1 as session_dbusd_tmp_t - Add dac_override capability
 to namespace_init_t domain - Label /usr/sbin/corosync-qdevice as
 cluster_exec_t - Allow NetworkManager_ssh_t domain to open communication
 channel with system dbus. BZ(1677484) - Label /usr/libexec/dnf-utils as
 debuginfo_exec_t - Alow nrpe_t to send signull to sssd domain when
 nagios_run_sudo boolean is turned on - Allow nrpe_t domain to be dbus cliennt
 - Add interface sssd_signull() - Build in parallel on Travis - Fix parallel
 build of the policy - Revert "Make able deply overcloud via neutron_t to
 label nsfs as fs_t" - Add interface systemd_logind_read_state() - Fix find
 commands in Makefiles - Allow systemd-timesyncd to read network state
 BZ(1694272) - Update userdomains to allow confined users to create gpg keys -
 Allow associate all filesystem_types with fs_t - Dontaudit syslogd_t using
 kill in unamespaces BZ(1711122) - Allow init_t to manage session_dbusd_tmp_t
 dirs - Allow systemd_gpt_generator_t to read/write to clearance - Allow
 su_domain_type to getattr to /dev/gpmctl - Update
 userdom_login_user_template() template to make working systemd user session
 for guest and xguest SELinux users

---
 .gitignore          |  2 ++
 selinux-policy.spec | 47 ++++++++++++++++++++++++++++++++++++++++++---
 sources             |  6 +++---
 3 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/.gitignore b/.gitignore
index aa37052c..9e89a6d5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -375,3 +375,5 @@ serefpolicy*
 /selinux-policy-62e78cf.tar.gz
 /selinux-policy-contrib-ebaeade.tar.gz
 /selinux-policy-78cbf0a.tar.gz
+/selinux-policy-contrib-efd9524.tar.gz
+/selinux-policy-50e97b7.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 46556489..9ba2a8dd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 78cbf0a9d74895e255a68ae92688fb6b5288f363
+%global commit0 50e97b781ea7a501c06f8a86e94cbbdfe5a86720
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 ebaeade60f7b8f2f0697fc0d6c2be7132c6bb531
+%global commit1 efd95248a3e798cde8f7ed2e5667561add118588
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.4
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -787,6 +787,47 @@ exit 0
 %endif
 
 %changelog
+* Mon May 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-19
+- Fix bind_read_cache() interface to allow only read perms to caller domains
+- [speech-dispatcher.if] m4 macro names can not have - in them
+- Grant varnishlog_t access to varnishd_etc_t
+- Allow nrpe_t domain to read process state of systemd_logind_t
+- Allow mongod_t domain to connect on https port BZ(1711922)
+- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
+- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)
+- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)
+- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
+- Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)"
+- Make boinc_var_lib_t mountpoint BZ(1711682)
+- Allow wireshark_t domain to create fifo temp files
+- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy
+- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484)
+- Fix typo in gpg SELinux module
+- Update gpg policy to make ti working with confined users
+- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
+- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
+- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
+- Add dac_override capability to namespace_init_t domain
+- Label /usr/sbin/corosync-qdevice as cluster_exec_t
+- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
+- Label /usr/libexec/dnf-utils as debuginfo_exec_t
+- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
+- Allow nrpe_t domain to be dbus cliennt
+- Add interface sssd_signull()
+- Build in parallel on Travis
+- Fix parallel build of the policy
+- Revert "Make able deply overcloud via neutron_t to label nsfs as fs_t"
+- Add interface systemd_logind_read_state()
+- Fix find commands in Makefiles
+- Allow systemd-timesyncd to read network state BZ(1694272)
+- Update userdomains to allow confined users to create gpg keys
+- Allow associate all filesystem_types with fs_t
+- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
+- Allow init_t to manage session_dbusd_tmp_t dirs
+- Allow systemd_gpt_generator_t to read/write to clearance
+- Allow su_domain_type to getattr to /dev/gpmctl
+- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
+
 * Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-18
 - Fix typo in gpg SELinux module
 - Update gpg policy to make ti working with confined users
diff --git a/sources b/sources
index 43f652e4..c2ef661b 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (selinux-policy-contrib-ebaeade.tar.gz) = f82aed1e88afe629509250be6f7a94fdc50edf1d57c321c0375e243836c1ef44cfbba4b8871330adac31e81197cbe5a7baeb500585166193af1d0d06afcc4c2e
-SHA512 (selinux-policy-78cbf0a.tar.gz) = 034614016fbc1d592b70f2c4cacf491f230752d7ecd79638e2992ce7ddd5062c5c27c5ea48cbc3c9fcc29f31609e950578d86444c2c11f4de8a91a2def80e416
-SHA512 (container-selinux.tgz) = d4522b4eca9a2ea02cb84a69d155700c063f1121fbedabe3dde42d24541bf84b520440f8545c2c664999933c1ce64d529dab043940b718403d1212701e722b14
+SHA512 (selinux-policy-contrib-efd9524.tar.gz) = 4ab58df002e0c604c98d86c9ece13597fd1ce181b2665df900a8a7b5076f6fe85a8ec0c7df59d15859e4fd91897405b902b9cf2ce14e4f9d3a0c3ac4ac2283a9
+SHA512 (selinux-policy-50e97b7.tar.gz) = 519ef4dda2fb4f3e72f885043c893d54adccd6ca6edca6b87d3601fa79cfece787b8cfc1493aaa524d438132560007ef246e0427f1ad738e8af8aaa7b5c200f0
+SHA512 (container-selinux.tgz) = 6bf3a9a88a7557a88953049900322ba6f0913e5e9c0ac56c1a184d49bf3a5e5bc2374ac49793f2a0faba3573a24edf8cbf21d526a10be67378c8d5f4a279eca1
 SHA512 (macro-expander) = b4f26e7ed6c32b3d7b3f1244e549a0e68cb387ab5276c4f4e832a9a6b74b08bea2234e8064549d47d1b272dbd22ef0f7c6b94cd307cc31ab872f9b68206021b2