* Tue Aug 02 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-206

- collectd: update policy for 5.5 - Allow puppet_t transtition to shorewall_t - Grant certmonger "chown" capability - Boinc updates from Russell Coker. - Allow sshd setcap capability. This is needed due to latest changes in sshd. - Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" - Revert "Fix typo in ssh policy" - Get attributes of generic ptys, from Russell Coker.
2016-08-02 10:30:29 +02:00 · 2016-08-02 10:30:29 +02:00 · 4d7576addc
parent 247a84c954
commit 4d7576addc
4 changed files with 157 additions and 97 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -24184,7 +24184,7 @@ index 0ea25b6..37069ae 100644
 +
 +/usr/lib/udev/devices/pts -d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index cbb729b..f118b2a 100644
+index cbb729b..ce0291e 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@ -24340,7 +24340,31 @@ index cbb729b..f118b2a 100644
 ##	Do not audit attempts to read the
 ##	/dev/pts directory.
 ## </summary>
-@@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',`
+@@ -519,6 +615,23 @@ interface(`term_dontaudit_manage_pty_dirs',`
 ########################################
 ## <summary>
 +##	Get the attributes of generic pty devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to allow
 +##	</summary>
 +## </param>
 +#
 +interface(`term_getattr_generic_ptys',`
 +	gen_require(`
 +		type devpts_t;
 +	')
 +
 +	allow $1 devpts_t:chr_file getattr;
 +')
 +########################################
 +## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of generic pty devices.
 ## </summary>
@@ -620,7 +733,7 @@ interface(`term_use_generic_ptys',`
 ########################################
 ## <summary>
@ -24349,7 +24373,7 @@ index cbb729b..f118b2a 100644
 ##	write the generic pty type.  This is
 ##	generally only used in the targeted policy.
 ## </summary>
-@@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -635,6 +748,7 @@ interface(`term_dontaudit_use_generic_ptys',`
 		type devpts_t;
 	')
@ -24357,7 +24381,7 @@ index cbb729b..f118b2a 100644
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
-@@ -879,6 +976,26 @@ interface(`term_use_all_ptys',`
+@@ -879,6 +993,26 @@ interface(`term_use_all_ptys',`
 ########################################
 ## <summary>
@ -24384,7 +24408,7 @@ index cbb729b..f118b2a 100644
 ##	Do not audit attempts to read or write any ptys.
 ## </summary>
 ## <param name="domain">
-@@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -892,7 +1026,7 @@ interface(`term_dontaudit_use_all_ptys',`
 		attribute ptynode;
 	')
@ -24393,7 +24417,7 @@ index cbb729b..f118b2a 100644
 ')
 ########################################
-@@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',`
+@@ -912,7 +1046,7 @@ interface(`term_relabel_all_ptys',`
 	')
 	dev_list_all_dev_nodes($1)
@ -24402,7 +24426,7 @@ index cbb729b..f118b2a 100644
 ')
 ########################################
-@@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -940,7 +1074,7 @@ interface(`term_getattr_all_user_ptys',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -24411,7 +24435,7 @@ index cbb729b..f118b2a 100644
 ##	</summary>
 ## </param>
 #
-@@ -1067,6 +1184,28 @@ interface(`term_getattr_unallocated_ttys',`
+@@ -1067,6 +1201,28 @@ interface(`term_getattr_unallocated_ttys',`
 ########################################
 ## <summary>
@ -24440,7 +24464,7 @@ index cbb729b..f118b2a 100644
 ##	Do not audit attempts to get the attributes
 ##	of all unallocated tty device nodes.
 ## </summary>
-@@ -1165,6 +1304,25 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1165,6 +1321,25 @@ interface(`term_relabel_unallocated_ttys',`
 ########################################
 ## <summary>
@ -24466,7 +24490,7 @@ index cbb729b..f118b2a 100644
 ##	Relabel from all user tty types to
 ##	the unallocated tty type.
 ## </summary>
-@@ -1259,7 +1417,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1259,7 +1434,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 		type tty_device_t;
 	')
@ -24515,7 +24539,7 @@ index cbb729b..f118b2a 100644
 ')
 ########################################
-@@ -1275,11 +1473,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1490,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 #
 interface(`term_getattr_all_ttys',`
 	gen_require(`
@ -24529,7 +24553,7 @@ index cbb729b..f118b2a 100644
 ')
 ########################################
-@@ -1296,10 +1496,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1513,12 @@ interface(`term_getattr_all_ttys',`
 interface(`term_dontaudit_getattr_all_ttys',`
 	gen_require(`
 		attribute ttynode;
@ -24542,7 +24566,7 @@ index cbb729b..f118b2a 100644
 ')
 ########################################
-@@ -1377,7 +1579,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1596,27 @@ interface(`term_use_all_ttys',`
 	')
 	dev_list_all_dev_nodes($1)
@ -24571,7 +24595,7 @@ index cbb729b..f118b2a 100644
 ')
 ########################################
-@@ -1396,7 +1618,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1635,7 @@ interface(`term_dontaudit_use_all_ttys',`
 		attribute ttynode;
 	')
@ -24580,7 +24604,7 @@ index cbb729b..f118b2a 100644
 ')
 ########################################
-@@ -1504,7 +1726,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1743,7 @@ interface(`term_use_all_user_ttys',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -24589,7 +24613,7 @@ index cbb729b..f118b2a 100644
 ##	</summary>
 ## </param>
 #
-@@ -1513,21 +1735,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1513,21 +1752,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
 	term_dontaudit_use_all_ttys($1)
 ')
@ -28261,7 +28285,7 @@ index 76d9f66..7528851 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..60003bc 100644
+index fe0c682..0ac21a6 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@ -28383,16 +28407,15 @@ index fe0c682..60003bc 100644
 	type $1_t, ssh_server;
 	auth_login_pgm_domain($1_t)
-@@ -181,20 +205,23 @@ template(`ssh_server_template', `
+@@ -181,20 +205,22 @@ template(`ssh_server_template', `
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
 -	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+	allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
+	allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 -	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
-+	allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
+	allow $1_t self:process { setcap getcap signal getsched setsched setrlimit setexec };
 +	allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 +	allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
@ -28412,7 +28435,7 @@ index fe0c682..60003bc 100644
 	allow $1_t $1_var_run_t:file manage_file_perms;
 	files_pid_filetrans($1_t, $1_var_run_t, file)
-@@ -206,6 +233,7 @@ template(`ssh_server_template', `
+@@ -206,6 +232,7 @@ template(`ssh_server_template', `
 	kernel_read_kernel_sysctls($1_t)
 	kernel_read_network_state($1_t)
@ -28420,7 +28443,7 @@ index fe0c682..60003bc 100644
 	corenet_all_recvfrom_unlabeled($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
-@@ -220,10 +248,13 @@ template(`ssh_server_template', `
+@@ -220,10 +247,13 @@ template(`ssh_server_template', `
 	corenet_tcp_bind_generic_node($1_t)
 	corenet_udp_bind_generic_node($1_t)
 	corenet_tcp_bind_ssh_port($1_t)
@ -28436,7 +28459,7 @@ index fe0c682..60003bc 100644
 	auth_rw_login_records($1_t)
 	auth_rw_faillog($1_t)
-@@ -234,6 +265,7 @@ template(`ssh_server_template', `
+@@ -234,6 +264,7 @@ template(`ssh_server_template', `
 	corecmd_getattr_bin_files($1_t)
 	domain_interactive_fd($1_t)
@ -28444,7 +28467,7 @@ index fe0c682..60003bc 100644
 	files_read_etc_files($1_t)
 	files_read_etc_runtime_files($1_t)
-@@ -241,35 +273,33 @@ template(`ssh_server_template', `
+@@ -241,35 +272,33 @@ template(`ssh_server_template', `
 	logging_search_logs($1_t)
@ -28491,7 +28514,7 @@ index fe0c682..60003bc 100644
 ')
 ########################################
-@@ -292,14 +322,15 @@ template(`ssh_server_template', `
+@@ -292,14 +321,15 @@ template(`ssh_server_template', `
 ##	User domain for the role
 ##	</summary>
 ## </param>
@ -28508,7 +28531,7 @@ index fe0c682..60003bc 100644
 	')
 	##############################
-@@ -328,103 +359,56 @@ template(`ssh_role_template',`
+@@ -328,103 +358,56 @@ template(`ssh_role_template',`
 	# allow ps to show ssh
 	ps_process_pattern($3, ssh_t)
@ -28622,7 +28645,7 @@ index fe0c682..60003bc 100644
 ')
 ########################################
-@@ -496,8 +480,27 @@ interface(`ssh_read_pipes',`
+@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',`
 		type sshd_t;
 	')
@ -28651,7 +28674,7 @@ index fe0c682..60003bc 100644
 ########################################
 ## <summary>
 ##	Read and write a ssh server unnamed pipe.
-@@ -513,7 +516,7 @@ interface(`ssh_rw_pipes',`
+@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',`
 		type sshd_t;
 	')
@ -28660,7 +28683,7 @@ index fe0c682..60003bc 100644
 ')
 ########################################
-@@ -605,6 +608,24 @@ interface(`ssh_domtrans',`
+@@ -605,6 +607,24 @@ interface(`ssh_domtrans',`
 ########################################
 ## <summary>
@ -28685,7 +28708,7 @@ index fe0c682..60003bc 100644
 ##	Execute the ssh client in the caller domain.
 ## </summary>
 ## <param name="domain">
-@@ -637,7 +658,7 @@ interface(`ssh_setattr_key_files',`
+@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',`
 		type sshd_key_t;
 	')
@ -28694,7 +28717,7 @@ index fe0c682..60003bc 100644
 	files_search_pids($1)
 ')
-@@ -662,6 +683,42 @@ interface(`ssh_agent_exec',`
+@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',`
 ########################################
 ## <summary>
@ -28737,7 +28760,7 @@ index fe0c682..60003bc 100644
 ##	Read ssh home directory content
 ## </summary>
 ## <param name="domain">
-@@ -701,6 +758,68 @@ interface(`ssh_domtrans_keygen',`
+@@ -701,6 +757,68 @@ interface(`ssh_domtrans_keygen',`
 ########################################
 ## <summary>
@ -28806,7 +28829,7 @@ index fe0c682..60003bc 100644
 ##	Read ssh server keys
 ## </summary>
 ## <param name="domain">
-@@ -714,7 +833,26 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +832,26 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')
@ -28834,7 +28857,7 @@ index fe0c682..60003bc 100644
 ')
 ######################################
-@@ -754,3 +892,151 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +891,151 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
@ -28987,7 +29010,7 @@ index fe0c682..60003bc 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..4d56aea 100644
+index cc877c7..b8e6e98 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@ -29074,7 +29097,7 @@ index cc877c7..4d56aea 100644
 type ssh_t;
 type ssh_exec_t;
-@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
 type ssh_tmpfs_t;
 typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
 typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
@ -29095,11 +29118,7 @@ index cc877c7..4d56aea 100644
 ##############################
 #
- # SSH client local policy
+@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
 #
 -allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
 +allow ssh_t self:capability { setpcap setuid setgid dac_override dac_read_search };
 allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow ssh_t self:fd use;
 allow ssh_t self:fifo_file rw_fifo_file_perms;
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -10560,28 +10560,31 @@ index 851769e..3dc3f36 100644
 term_dontaudit_use_all_ttys(bluetooth_helper_t)
 diff --git a/boinc.fc b/boinc.fc
-index 6d3ccad..bda740a 100644
+index 6d3ccad..9c69f28 100644
 --- a/boinc.fc
 +++ b/boinc.fc
-@@ -1,9 +1,12 @@
+@@ -1,9 +1,15 @@
 -/etc/rc\.d/init\.d/boinc-client	--	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 +/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
 +/etc/rc\.d/init\.d/boinc-client	-- 		gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 -/usr/bin/boinc_client	--	gen_context(system_u:object_r:boinc_exec_t,s0)
-+/etc/rc\.d/init\.d/boinc-client	-- 		gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+/usr/bin/boinc		--	gen_context(system_u:object_r:boinc_exec_t,s0)
 +/usr/bin/boinc_client			--		gen_context(system_u:object_r:boinc_exec_t,s0)
 -/var/lib/boinc(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
 -/var/lib/boinc/projects(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
 -/var/lib/boinc/slots(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-+/usr/bin/boinc_client			--		gen_context(system_u:object_r:boinc_exec_t,s0)
+/usr/lib/systemd/system/boinc-client\.service        --  gen_context(system_u:object_r:boinc_unit_file_t,s0)
 -/var/log/boinc\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
 +/usr/lib/systemd/system/boinc-client\.service        --  gen_context(system_u:object_r:boinc_unit_file_t,s0)
 +
 +/var/lib/boinc(/.*)?					gen_context(system_u:object_r:boinc_var_lib_t,s0)
 +/var/lib/boinc-client(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
 +/var/lib/boinc/projects(/.*)?			gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
 +/var/lib/boinc/slots(/.*)?				gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
 +
 +/var/log/boinc\.log.*				--		gen_context(system_u:object_r:boinc_log_t,s0)
 +/var/log/boincerr\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
 diff --git a/boinc.if b/boinc.if
 index 02fefaa..308616e 100644
 --- a/boinc.if
@ -10803,9 +10806,15 @@ index 02fefaa..308616e 100644
 +	')
 ')
 diff --git a/boinc.te b/boinc.te
-index 687d4c4..f668033 100644
+index 687d4c4..bce6267 100644
 --- a/boinc.te
 +++ b/boinc.te
@@ -1,4 +1,4 @@
 -policy_module(boinc, 1.1.1)
 +policy_module(boinc, 1.3.1)
 ########################################
 #
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
 ## </desc>
 gen_tunable(boinc_execmem, true)
@ -10817,7 +10826,7 @@ index 687d4c4..f668033 100644
 type boinc_exec_t;
 init_daemon_domain(boinc_t, boinc_exec_t)
-@@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -28,31 +30,71 @@ files_tmpfs_file(boinc_tmpfs_t)
 type boinc_var_lib_t;
 files_type(boinc_var_lib_t)
@ -10893,10 +10902,12 @@ index 687d4c4..f668033 100644
 allow boinc_t self:shm create_shm_perms;
 -allow boinc_t self:fifo_file rw_fifo_file_perms;
 -allow boinc_t self:sem create_sem_perms;
 +
 +can_exec(boinc_t, boinc_exec_t)
 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
 manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -61,74 +101,49 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -61,84 +103,62 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
 manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
 fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@ -10918,11 +10929,11 @@ index 687d4c4..f668033 100644
 -create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
 -setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
 -logging_log_filetrans(boinc_t, boinc_log_t, file)
 -
 -can_exec(boinc_t, boinc_var_lib_t)
 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 -can_exec(boinc_t, boinc_var_lib_t)
 -
 -domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 +manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
 +logging_log_filetrans(boinc_t, boinc_log_t, { file })
@ -10994,8 +11005,11 @@ index 687d4c4..f668033 100644
 term_getattr_all_ptys(boinc_t)
 term_getattr_unallocated_ttys(boinc_t)
@@ -137,8 +152,9 @@ init_read_utmp(boinc_t)
 init_read_utmp(boinc_t)
 +libs_exec_lib_files(boinc_t)
 +
 logging_send_syslog_msg(boinc_t)
 -miscfiles_read_fonts(boinc_t)
@ -11006,7 +11020,7 @@ index 687d4c4..f668033 100644
 tunable_policy(`boinc_execmem',`
 	allow boinc_t self:process { execstack execmem };
-@@ -148,48 +164,61 @@ optional_policy(`
+@@ -148,48 +168,69 @@ optional_policy(`
 	mta_send_mail(boinc_t)
 ')
@ -11067,9 +11081,17 @@ index 687d4c4..f668033 100644
 -corenet_sendrecv_boinc_client_packets(boinc_project_t)
 corenet_tcp_connect_boinc_port(boinc_project_t)
 -corenet_tcp_sendrecv_boinc_port(boinc_project_t)
 +
 +dev_getattr_input_dev(boinc_t)
 +dev_getattr_mouse_dev(boinc_t)
 files_dontaudit_search_home(boinc_project_t)
 +term_getattr_ptmx(boinc_t)
 +term_getattr_generic_ptys(boinc_t)
 +
 +userdom_getattr_user_ttys(boinc_t)
 +
 +# needed by java
 +fs_read_hugetlbfs_files(boinc_project_t)
 +
@ -12256,10 +12278,10 @@ index 008f8ef..144c074 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..f37b9b0 100644
+index 550b287..b824421 100644
 --- a/certmonger.te
 +++ b/certmonger.te
-@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
+@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t)
 type certmonger_var_run_t;
 files_pid_file(certmonger_var_run_t)
@ -12269,8 +12291,10 @@ index 550b287..f37b9b0 100644
 ########################################
 #
 # Local policy
-@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t)
+ #
- allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+ 
 -allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
 +allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
 dontaudit certmonger_t self:capability sys_tty_config;
 allow certmonger_t self:capability2 block_suspend;
 +
@ -15268,10 +15292,10 @@ index 0000000..77cdd5e
 +	unconfined_domtrans(cockpit_session_t)
 +')
 diff --git a/collectd.fc b/collectd.fc
-index 79a3abe..3237fb0 100644
+index 79a3abe..3ee73d1 100644
 --- a/collectd.fc
 +++ b/collectd.fc
-@@ -1,9 +1,12 @@
+@@ -1,9 +1,13 @@
 /etc/rc\.d/init\.d/collectd	--	gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
 +/usr/lib/systemd/system/collectd.*  -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
@ -15281,6 +15305,7 @@ index 79a3abe..3237fb0 100644
 /var/lib/collectd(/.*)?	gen_context(system_u:object_r:collectd_var_lib_t,s0)
 /var/run/collectd\.pid	--	gen_context(system_u:object_r:collectd_var_run_t,s0)
 +/var/run/collectd(/.*)?		gen_context(system_u:object_r:collectd_var_run_t,s0)
 +/var/run/collectd-unixsock  -s  gen_context(system_u:object_r:collectd_var_run_t,s0)
 -/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
@ -15469,10 +15494,10 @@ index 954309e..6780142 100644
 ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..de0fd11 100644
+index 6471fa8..b82bae6 100644
 --- a/collectd.te
 +++ b/collectd.te
-@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
+@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
 type collectd_var_run_t;
 files_pid_file(collectd_var_run_t)
@ -15495,6 +15520,7 @@ index 6471fa8..de0fd11 100644
 allow collectd_t self:process { getsched setsched signal };
 allow collectd_t self:fifo_file rw_fifo_file_perms;
 allow collectd_t self:packet_socket create_socket_perms;
 +allow collectd_t self:rawip_socket create_socket_perms;
 allow collectd_t self:unix_stream_socket { accept listen };
 +allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +allow collectd_t self:udp_socket create_socket_perms;
@ -15506,8 +15532,9 @@ index 6471fa8..de0fd11 100644
 manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
 -files_pid_filetrans(collectd_t, collectd_var_run_t, file)
 +manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
 +manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-+files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file })
+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file sock_file})
 -domain_use_interactive_fds(collectd_t)
 +kernel_read_all_sysctls(collectd_t)
@ -15541,7 +15568,7 @@ index 6471fa8..de0fd11 100644
 logging_send_syslog_msg(collectd_t)
-@@ -74,17 +90,45 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -74,17 +92,45 @@ tunable_policy(`collectd_tcp_network_connect',`
 	corenet_tcp_sendrecv_all_ports(collectd_t)
 ')
@ -79180,7 +79207,7 @@ index 7cb8b1f..bef7217 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 ')
 diff --git a/puppet.te b/puppet.te
-index 618dcfe..67d166c 100644
+index 618dcfe..8e08251 100644
 --- a/puppet.te
 +++ b/puppet.te
@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@ -79242,7 +79269,7 @@ index 618dcfe..67d166c 100644
 type puppetmaster_t;
 type puppetmaster_exec_t;
-@@ -56,161 +62,166 @@ files_tmp_file(puppetmaster_tmp_t)
+@@ -56,161 +62,170 @@ files_tmp_file(puppetmaster_tmp_t)
 ########################################
 #
@ -79441,71 +79468,75 @@ index 618dcfe..67d166c 100644
 +
 +optional_policy(`
 +    mysql_stream_connect(puppetagent_t)
 +')
 +
 +optional_policy(`
 +    postgresql_stream_connect(puppetagent_t)
 +')
 +
 +optional_policy(`
 +	cfengine_read_lib_files(puppetagent_t)
 ')
 optional_policy(`
 -	cfengine_read_lib_files(puppet_t)
-+	consoletype_exec(puppetagent_t)
+    postgresql_stream_connect(puppetagent_t)
 ')
 optional_policy(`
 -	consoletype_exec(puppet_t)
-+	hostname_exec(puppetagent_t)
+	cfengine_read_lib_files(puppetagent_t)
 ')
 optional_policy(`
 -	hostname_exec(puppet_t)
-+	mount_domtrans(puppetagent_t)
+	consoletype_exec(puppetagent_t)
 ')
 optional_policy(`
 -	mount_domtrans(puppet_t)
-+	mta_send_mail(puppetagent_t)
+	hostname_exec(puppetagent_t)
 ')
 optional_policy(`
 -	mta_send_mail(puppet_t)
-+        firewalld_dbus_chat(puppetagent_t)
+	mount_domtrans(puppetagent_t)
 ')
 optional_policy(`
 -	portage_domtrans(puppet_t)
 -	portage_domtrans_fetch(puppet_t)
 -	portage_domtrans_gcc_config(puppet_t)
 +	mta_send_mail(puppetagent_t)
 ')
 optional_policy(`
 -	files_rw_var_files(puppet_t)
 +        firewalld_dbus_chat(puppetagent_t)
 +')
 -	rpm_domtrans(puppet_t)
 -	rpm_manage_db(puppet_t)
 -	rpm_manage_log(puppet_t)
 +optional_policy(`
 +	portage_domtrans(puppetagent_t)
 +	portage_domtrans_fetch(puppetagent_t)
 +	portage_domtrans_gcc_config(puppetagent_t)
 ')
 optional_policy(`
-	files_rw_var_files(puppet_t)
+-	unconfined_domain(puppet_t)
 +	files_rw_var_files(puppetagent_t)
- 
+
 -	rpm_domtrans(puppet_t)
 -	rpm_manage_db(puppet_t)
 -	rpm_manage_log(puppet_t)
 +	rpm_domtrans(puppetagent_t)
 +	rpm_manage_db(puppetagent_t)
 +	rpm_manage_log(puppetagent_t)
 ')
 optional_policy(`
 -	unconfined_domain(puppet_t)
 +        shorewall_domtrans(puppetagent_t)
 ')
 optional_policy(`
 -	usermanage_domtrans_groupadd(puppet_t)
 -	usermanage_domtrans_useradd(puppet_t)
 +        shorewall_domtrans(puppetagent_t)
 +')
 +
 +optional_policy(`
 +    unconfined_domain_noaudit(puppetagent_t)
 +')
 +
 +optional_policy(`
 +        shorewall_domtrans(puppet_t)
 ')
 ########################################
@ -79525,7 +79556,7 @@ index 618dcfe..67d166c 100644
 allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
 manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +232,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +236,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
 allow puppetca_t puppet_var_run_t:dir search_dir_perms;
 kernel_read_system_state(puppetca_t)
@ -79533,7 +79564,7 @@ index 618dcfe..67d166c 100644
 kernel_read_kernel_sysctls(puppetca_t)
 corecmd_exec_bin(puppetca_t)
-@@ -229,15 +241,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +245,12 @@ corecmd_exec_shell(puppetca_t)
 dev_read_urand(puppetca_t)
 dev_search_sysfs(puppetca_t)
@ -79549,7 +79580,7 @@ index 618dcfe..67d166c 100644
 miscfiles_read_generic_certs(puppetca_t)
 seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +255,48 @@ optional_policy(`
+@@ -246,38 +259,48 @@ optional_policy(`
 	hostname_exec(puppetca_t)
 ')
@ -79614,7 +79645,7 @@ index 618dcfe..67d166c 100644
 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
 kernel_read_network_state(puppetmaster_t)
-@@ -289,23 +308,24 @@ corecmd_exec_bin(puppetmaster_t)
+@@ -289,23 +312,24 @@ corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)
 corenet_all_recvfrom_netlabel(puppetmaster_t)
@ -79645,7 +79676,7 @@ index 618dcfe..67d166c 100644
 selinux_validate_context(puppetmaster_t)
-@@ -314,26 +334,31 @@ auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +338,31 @@ auth_use_nsswitch(puppetmaster_t)
 logging_send_syslog_msg(puppetmaster_t)
 miscfiles_read_generic_certs(puppetmaster_t)
@ -79682,7 +79713,7 @@ index 618dcfe..67d166c 100644
 ')
 optional_policy(`
-@@ -342,3 +367,9 @@ optional_policy(`
+@@ -342,3 +371,9 @@ optional_policy(`
 	rpm_exec(puppetmaster_t)
 	rpm_read_db(puppetmaster_t)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 205%{?dist}
+Release: 206%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -648,6 +648,16 @@ exit 0
 %endif
 %changelog
 * Tue Aug 02 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-206
 - collectd: update policy for 5.5
 - Allow puppet_t transtition to shorewall_t
 - Grant certmonger "chown" capability
 - Boinc updates from Russell Coker.
 - Allow sshd setcap capability. This is needed due to latest changes in sshd.
 - Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
 - Revert "Fix typo in ssh policy"
 - Get attributes of generic ptys, from Russell Coker.
 * Fri Jul 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-205
 - Dontaudit mock_build_t can list all ptys.
 - Allow ftpd_t to mamange userhome data without any boolean.