From 4c488a69fac18c9b8173c60e0346a9d92855794a Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Wed, 20 Jan 2016 15:56:50 +0100
Subject: [PATCH] * Wed Jan 20 2016 Lukas Vrabec 3.13.1-168 - Label virtlogd binary as virtd_exec_t. BZ(1291940) - Allow iptables to read nsfs files. BZ(1296826)
---
 docker-selinux.tgz | Bin 3958 -> 3959 bytes
 policy-rawhide-base.patch | 18 ++++++++++--------
 policy-rawhide-contrib.patch | 5 +++--
 selinux-policy.spec | 6 +++++-
 4 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index a53f917f7b547e8bfce80b56a5d99033793b572a..2dada19dbf05deeef89e8d47c07b6666c061c93b 100644 GIT binary patch delta 1852 zcmV-C2gCUG9`_z3ABzY8_MV?s00Zq@-EZ7B63?smuMnI9SsxOA)pY=;?cvbgkt9HW z_upOGpHQx^Zg0MOb#;Av^ZxzS`)_Y=UtL~Ze|LTPD!6>XKGmh-B4R=CDt%zlip0Hi zhwA@N%i{Ix;Co(WS;Y1~{hg1BAOExkbDE5=igr# zwgrHUE3MYx$H_k*Nn8mMBvK6nng?QkTmMRm3|c&wOcxec@O>GvC=2o^BR`xfs?#4k z*gwmPAWG9>N0LAkfnZV2DGtX6dLdEa`-0|zuyquZ`L{SviwyxWJH zEV3rh#W3rcTNetv1WU0?aBdWi8~s_`xWkX2p7}cd8)DI23G^1Ee;U@sNeTMH3RG;L z9vvmHiSi`aG1~EVGm^o!^MzOE4n&fTQVwryjsngCg<^y{L1M1Jg20iOwW><7pSs5e z4tTG~f+=~oii7@th`qFBsMu}68FjbCmym~2aFim}pnUMtm8GG&i?=LPs=f=M@#6>< zi;BsbC`|2&M!=Z4Cb^g*UM$^a2E;5G#*4byK(X;8)Llf$j}*PNC;O`FC=DxGDxVe` zsrEiVy+Qc^w?#(WiPqbc-UH=$dNwPpe;b^tigVyNJ)4Msz~M>QhQUXZalkFE5#Gfq z1*vNc5X=T#Dk&f@ijdpJF8@h6ka+zmuH&h8J} zsORaX`%vvGLoTuoFoKWZ!!j6R!09HBQsveKpFWI;LI75pTu-fOe>er#%WkFGdbN6x zSx40lGYaq!w-Pe48lR$O-W=xDLv{n*1ANw;9|$&0P`R9F@%jrUS5O@ON- zS_n5{b76A+XIA}z0Qk)@VoqH2M(wzeInXtl9Lqv~aWkwA*sya4Ot4v5J*!00NTI#p z{U7a13-W?(9Jv2=b9;T$x&QU;^?d*9a}>4C!>mYPD_tsWcpF@uU!Gr1TC9uL!OxRA z1}y>ovuFlF0s)7!s|YIv0b!HZ4TOKX_kS;M=lj2(qg-IB=i+yL2T5L5*EzkV*5~R@ z|Hl~YPHU;YzQpl{@I}Sh#fs(^8sOyQ-Meup`hPcUP{4Xz=p~{*HR!qabH`&__a1cv zM8q0xd2#-?v%jB=1FEk&DHJervYSspYV0FIIY<}UIBLXEfX2MG;O;Bf^u>P>JN5vv z&zMfN9h8>n5s_6!Lw?8Cf5*>ca}Zhg&c?z`48Zsi!1UX|lV#TcYT-fE1$dE@fb`8Y z8)fqZkUmYlz!+r`mRGwpSo5w8AYRD#g%UtF%m$}SkE_0d7T;`Ks4-1oD4+acRDgOg2|3+p2cmM!RU57jX delta 1851 zcmV-B2gLaI9`+t2ABzY8SPY$300Zq@-EZ7B63?smuMnI9SsxOA)pY@gxLT=KJf*+pBNk`PKE!_qVTt%NOiZT`Ddj76h--2NtbJ+)H<; z{{OTrUcU~0;8m7IZ2!}5TM`r{$=~s!VlfG#vP@|l30mYqT;w96Ibi|GH}HA>!-Zj6 z0LZw~Y7Ksz{PU5-l^{VP)i9uWAhz{?ucXMJ#dFDYVQ~dNlo5-vAdfQgFXJNbzJy zicuUBF40aVh)>G^`gBl;4-rGUMvk)O;G3%s!5s`Q(8%yLED6gvaII-dxM@;TOVJ-w zQ@<+lO7;0X!u4ry&GbwW|A$0>i7j6_kzZD_47w!8Ci^m7zP-A5B9T?K$IRA1FDhid zjTrfA#4LL=QqYQagqTyx1uC#t${NM}eQkEGCyWb(&ofnr}um>sb@VevON1 zy(^+OYPGcfn``*{7XEII=t%wYuMc0tP9VLHk|q=O0aoQbRt0eQSXWh|be|kIzfnGC6g@Urk 
znm`xBtY>arDDV<2#V*0QQ8;e&XLaKaKZ1JZ>-cYoMRz68Taf-~SQjTH=npGUv3+`U zl)xs+lVHba$J@49ve8| zy&?;yShDQ#*E@i|568jV7F_V- zK}j$7C}@oEB7Hc=@jeq!O#<%h8VF1u0|O97Nk(&}>zIi3PNrH32IRb+%I5`iMV{+m zLR+l@{jVs0fIa^)-~tRJ3b}$QvOp25 zRXfZmz(d?h$jEAZikf+Im{$+k4RjCiS#y3M*ffzNF5^zvXtGgZS)?@HOSLosu8wFS z+{}ex$@!mI^#=mrH^+!ManT#K<3i>@*JyGq3;o5-usUGF&K)qpW@YuP5=kS4_Ja3+ zv@b2l3$}6K{@2az^^JS~>$|JV`Tp1EC~BRDS&_h2x>VZmHn=*!JinZ@SQoE@50g6v zEdl?tX$C?90sFJ82rC5vev{Y@gnv5se{X<%zW@6f$_1u+E`HZ{kmO}`ozq)teXj2G ze~iKIw3h1YOB`2E zM6A)47w3OF`}@f_p!%wlLIEQuyZHp9#y%pHgLI*dqedJBXv}L1?!JOeUw<62V-FDf zjOkR{L1~E|5m{w4C@B;j8P_Gd9_P}HSgL0;)Q%)_(f3hfZzzgfTou5@A#7RbiB{HAJ1hjbD7Ir p<}#PL%w;Zfnaf<}GMBl`Ws_eI43l6F1q||(@;}gXd1e530021Oe~bVC diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a5c7403b..ab24bc0e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -35886,7 +35886,7 @@ index c42fbc3..bf211db 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..660ef80 100644 +index be8ed1e..bce6063 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,18 @@ role iptables_roles types iptables_t; @@ -35947,7 +35947,7 @@ index be8ed1e..660ef80 100644 kernel_use_fds(iptables_t) # needed by ipvsadm -@@ -64,6 +74,8 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,19 +74,23 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -35956,7 +35956,9 @@ index be8ed1e..660ef80 100644 fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -72,11 +84,12 @@ fs_list_inotifyfs(iptables_t) + fs_list_inotifyfs(iptables_t) ++fs_read_nsfs_files(iptables_t) + mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) 
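Review bot: The new `++fs_read_nsfs_files(iptables_t)` line carries no why-comment, while the neighbouring iptables.te rules visible in this hunk do (`# needed by ipvsadm`), so the reason iptables_t now gets read access to every nsfs (namespace) file is only recoverable from the changelog. I would add a comment line directly above it in the nested patch, `++# BZ(1296826): iptables reads namespace handles under /proc/<pid>/ns`, and bump the rewritten inner header `+@@ -64,19 +74,23 @@` (and the outer hunk's new-side count) by one so the nested patch still applies. Read access to an nsfs file is what a process needs to obtain a namespace handle, so the interface is reasonably scoped for the bug described, but if the real requirement is only the caller's own `/proc/self/ns/net`, saying so in the comment makes a later least-privilege audit easier.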
@@ -35971,7 +35973,7 @@ index be8ed1e..660ef80 100644 auth_use_nsswitch(iptables_t) -@@ -85,15 +98,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +99,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -35989,7 +35991,7 @@ index be8ed1e..660ef80 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +114,9 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +115,9 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -35999,7 +36001,7 @@ index be8ed1e..660ef80 100644 ') optional_policy(` -@@ -110,6 +125,12 @@ optional_policy(` +@@ -110,6 +126,12 @@ optional_policy(` ') optional_policy(` @@ -36012,7 +36014,7 @@ index be8ed1e..660ef80 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +145,16 @@ optional_policy(` +@@ -124,6 +146,16 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -36029,7 +36031,7 @@ index be8ed1e..660ef80 100644 ') optional_policy(` -@@ -135,9 +166,9 @@ optional_policy(` +@@ -135,9 +167,9 @@ optional_policy(` ') optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d8d0f0f2..03b15dfd 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -108706,10 +108706,10 @@ index 3d11c6a..b19a117 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bc..374e8ef 100644 +index a4f20bc..58f9c69 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,101 @@ +@@ -1,51 +1,102 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
@@ -108762,6 +108762,7 @@ index a4f20bc..374e8ef 100644
 /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
 +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6ff9647e..ad84a354 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 167%{?dist}
+Release: 168%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -664,6 +664,10 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan 20 2016 Lukas Vrabec 3.13.1-168
+- Label virtlogd binary as virtd_exec_t. BZ(1291940)
+- Allow iptables to read nsfs files. BZ(1296826)
+
 * Mon Jan 18 2016 Lukas Vrabec 3.13.1-167
 - Add fwupd policy for daemon to allow session software to update device firmware
 - Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
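Review bot: `++/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtd_exec_t,s0)` puts the log daemon on the same entry-point type as libvirtd, so — assuming the usual virtd_exec_t to virtd_t domain transition in virt.te, which is outside this hunk — virtlogd runs with the full virtd_t permission set even though a daemon that only relays guest log output should need far less. This is consistent with the existing virtlockd line directly above it, so it is a deliberate choice rather than a mistake, but it is a least-privilege trade-off worth recording in the file: I would add `++# virtlockd/virtlogd share virtd_t with libvirtd; no dedicated domain yet (BZ 1291940)` above the two lines in the nested patch and bump the nested `+@@ -1,51 +1,102 @@` header in the preceding hunk, plus the outer counts, by one. A dedicated virtlogd domain would be the tighter long-term fix if upstream ever provides one.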