* Mon Mar 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-5

- Allow bluetooth_t domain to create alg_socket BZ(1554410)
- Allow tor_t domain to execute bin_t files BZ(1496274)
- Allow iscsid_t domain to mmap kernel modules BZ(1553759)
- Update minidlna SELinux policy BZ(1554087)
- Allow motion_t domain to read sysfs_t files BZ(1554142)
- Allow snapperd_t domain to getattr on all files,dirs,sockets,pipes BZ(1551738)
- Allow l2tp_t domain to read ipsec config files BZ(1545348)
- Allow colord_t to mmap home user files BZ(1551033)
- Dontaudit httpd_t creating kobject uevent sockets BZ(1552536)
- Allow ipmievd_t to mmap kernel modules BZ(1552535)
- Allow boinc_t domain to read cgroup files BZ(1468381)
- Backport allow rules from refpolicy upstream repo
- Allow gpg_t domain to bind on all unereserved udp ports
- Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164)
- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
- Allow xdm_t domain to sys_ptrace BZ(1554150)
- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
- Update ipsec_read_config() interface
- Fix broken sysadm SELinux module
- Allow ipsec_t to search for bind cache BZ(1542746)
- Allow staff_t to send sigkill to mount_t domain BZ(1544272)
- Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545)
- Label ip6tables.init as iptables_exec_t BZ(1551463)
- Allow hostname_t to use usb ttys BZ(1542903)
- Add fsetid capability to updpwd_t domain BZ(1543375)
- Allow systemd machined send signal to all domains BZ(1372644)
- Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876)
- Allow sysadm_t to create netlink generic sockets BZ(1547874)
- Allow passwd_t domain chroot
- Dontaudit confined unpriviliged users setuid capability

.gitignore

@@ -256,3 +256,5 @@ serefpolicy*
 /selinux-policy-contrib-9facb1c.tar.gz
 /selinux-policy-contrib-f564072.tar.gz
 /selinux-policy-bd7ad92.tar.gz
+/selinux-policy-9bd65d3.tar.gz
+/selinux-policy-contrib-fbc0290.tar.gz

selinux-policy.spec

@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 bd7ad92fc722388928f9441892a078018914cb7b
+%global commit0 9bd65d321e20805535392f3ea1bad8ac093bf7b5
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 f5640723a5d5982bde2a85b6003c12d2fbf976b6
+%global commit1 fbc029066ded32b6ddafb04023743ec25ebc6197
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -714,6 +714,38 @@ exit 0
 %endif
 
 %changelog
+* Mon Mar 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-5
+- Allow bluetooth_t domain to create alg_socket BZ(1554410)
+- Allow tor_t domain to execute bin_t files BZ(1496274)
+- Allow iscsid_t domain to mmap kernel modules BZ(1553759)
+- Update minidlna SELinux policy BZ(1554087)
+- Allow motion_t domain to read sysfs_t files BZ(1554142)
+- Allow snapperd_t domain to getattr on all files,dirs,sockets,pipes BZ(1551738)
+- Allow l2tp_t domain to read ipsec config files BZ(1545348)
+- Allow colord_t to mmap home user files BZ(1551033)
+- Dontaudit httpd_t creating kobject uevent sockets BZ(1552536)
+- Allow ipmievd_t to mmap kernel modules BZ(1552535)
+- Allow boinc_t domain to read cgroup files BZ(1468381)
+- Backport allow rules from refpolicy upstream repo
+- Allow gpg_t domain to bind on all unereserved udp ports
+- Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164)
+- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
+- Allow xdm_t domain to sys_ptrace BZ(1554150)
+- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
+- Update ipsec_read_config() interface
+- Fix broken sysadm SELinux module
+- Allow ipsec_t to search for bind cache BZ(1542746)
+- Allow staff_t to send sigkill to mount_t domain BZ(1544272)
+- Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545)
+- Label ip6tables.init as iptables_exec_t BZ(1551463)
+- Allow hostname_t to use usb ttys BZ(1542903)
+- Add fsetid capability to updpwd_t domain BZ(1543375)
+- Allow systemd machined send signal to all domains BZ(1372644)
+- Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876)
+- Allow sysadm_t to create netlink generic sockets BZ(1547874)
+- Allow passwd_t domain chroot
+- Dontaudit confined unpriviliged users setuid capability
+
 * Tue Mar 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-4
 - Allow l2tpd_t domain to create pppox sockets
 - Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)

sources

@@ -1,3 +1,3 @@
-SHA512 (container-selinux.tgz) = 034b1fe897360274159e54b0f872919a275522abf8017bf5d2fae4c43e5475367b850e1448edbeee0281ac8a1f208a21da0ee96bf86cba995008c597f8e06c58
-SHA512 (selinux-policy-contrib-f564072.tar.gz) = 35587369042238f95d80f8591fc6159fecb4b08c1a72f4ea09dc4cb14198353f2cfb20db11b51cf20244656e408fd119abcaf02c1784455dd33b31c35f11f809
-SHA512 (selinux-policy-bd7ad92.tar.gz) = 36239c76258f147d432de05a75cf26111671953f60a124cfab01bc8eb66be45e34c52357c0e0e864f30db045e8a7da75a75c16a2c0116716c26bedfb52485d6b
+SHA512 (selinux-policy-9bd65d3.tar.gz) = b9b0b072c1dafa8486bbb0c382d255dcbd4abace88f2fc11da7f589434f84f0a431ed291eac97154a824c5189b7fc15cc97be261b3d3c8459303a807ac5c89a3
+SHA512 (selinux-policy-contrib-fbc0290.tar.gz) = 7c0ff61e5a1ed83892f2c71d319dcc9bd1ba0a99b3417bee3fa777ed5e01f5da69a702b8002e0243680416a46125491df60c4896dcac2fdfef1c994132aa640c
+SHA512 (container-selinux.tgz) = 4964b40739da515351520f35d3d3164cd0746acc4db53ad26e260dfe210d2a0b9d7cab6c7159033392ed146cdadc357b6c9e870ab05bf3220372776cda1fee37