* Mon Jul 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-203

- Allow hypervkvp domain to run restorecon. - Allow firewalld to manage net_conf_t files - Remove double graphite-web context declaration - Fix typo in rhsmcertd SELinux policy - Allow logrotate read logs inside containers. - Allow sssd to getattr on fs_t - Allow opendnssec domain to manage bind chace files - Allow systemd to get status of systemd-logind daemon - Label more ndctl devices not just ndctl0
2016-07-18 12:32:16 +02:00 · 2016-07-18 12:32:16 +02:00 · 5b18dd6042
commit 5b18dd6042
parent 3015848555
4 changed files with 116 additions and 81 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -6416,7 +6416,7 @@ index 3f6e168..340e49f 100644
 ')
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..ab7c054 100644
+index b31c054..891ace5 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@ -6475,16 +6475,18 @@ index b31c054..ab7c054 100644
 /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/net/vhost		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
-@@ -80,6 +93,8 @@
+@@ -80,7 +93,10 @@
 /dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 +/dev/nvme.*     -c  gen_context(system_u:object_r:nvme_device_t,s0)
 +/dev/nvme.*     -b  gen_context(system_u:object_r:nvme_device_t,s0)
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 +/dev/ndctl[0-9]		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -90,6 +105,7 @@
+ /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
@@ -90,6 +106,7 @@
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/pps.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
@ -6492,7 +6494,7 @@ index b31c054..ab7c054 100644
 /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
-@@ -106,6 +122,7 @@
+@@ -106,6 +123,7 @@
 /dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@ -6500,7 +6502,7 @@ index b31c054..ab7c054 100644
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
 /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +135,12 @@
+@@ -118,6 +136,12 @@
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
@ -6513,7 +6515,7 @@ index b31c054..ab7c054 100644
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +152,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +153,14 @@ ifdef(`distro_suse', `
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/watchdog.*		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@ -6528,7 +6530,7 @@ index b31c054..ab7c054 100644
 /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -172,15 +197,21 @@ ifdef(`distro_suse', `
+@@ -172,15 +198,21 @@ ifdef(`distro_suse', `
 /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
@ -6550,7 +6552,7 @@ index b31c054..ab7c054 100644
 ifdef(`distro_debian',`
 # this is a static /dev dir "backup mount"
-@@ -198,12 +229,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +230,27 @@ ifdef(`distro_debian',`
 /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
@ -37011,7 +37013,7 @@ index 79a45f6..9926eaf 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..0a4a187 100644
+index 17eda24..28999af 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -37310,7 +37312,7 @@ index 17eda24..0a4a187 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +326,258 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +326,259 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -37500,6 +37502,7 @@ index 17eda24..0a4a187 100644
 +systemd_manage_unit_symlinks(initrc_t)
 +systemd_config_all_services(initrc_t)
 +systemd_read_unit_files(initrc_t)
 +systemd_login_status(init_t)
 +
 +create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
 +
@ -37578,7 +37581,7 @@ index 17eda24..0a4a187 100644
 ')
 optional_policy(`
-@@ -216,7 +585,30 @@ optional_policy(`
+@@ -216,7 +586,30 @@ optional_policy(`
 ')
 optional_policy(`
@ -37610,7 +37613,7 @@ index 17eda24..0a4a187 100644
 ')
 ########################################
-@@ -225,9 +617,9 @@ optional_policy(`
+@@ -225,9 +618,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -37622,7 +37625,7 @@ index 17eda24..0a4a187 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -258,12 +650,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +651,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -37639,7 +37642,7 @@ index 17eda24..0a4a187 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +675,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +676,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -37682,7 +37685,7 @@ index 17eda24..0a4a187 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +712,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +713,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -37694,7 +37697,7 @@ index 17eda24..0a4a187 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +724,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +725,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -37705,7 +37708,7 @@ index 17eda24..0a4a187 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +735,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +736,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -37715,7 +37718,7 @@ index 17eda24..0a4a187 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +744,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +745,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -37723,7 +37726,7 @@ index 17eda24..0a4a187 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +751,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +752,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -37731,7 +37734,7 @@ index 17eda24..0a4a187 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +759,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +760,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -37749,7 +37752,7 @@ index 17eda24..0a4a187 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +777,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +778,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -37763,7 +37766,7 @@ index 17eda24..0a4a187 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +792,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +793,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -37777,7 +37780,7 @@ index 17eda24..0a4a187 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +805,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +806,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -37788,7 +37791,7 @@ index 17eda24..0a4a187 100644
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +818,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +819,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -37796,7 +37799,7 @@ index 17eda24..0a4a187 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +837,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +838,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -37820,7 +37823,7 @@ index 17eda24..0a4a187 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +870,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +871,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -37828,7 +37831,7 @@ index 17eda24..0a4a187 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +904,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +905,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -37839,7 +37842,7 @@ index 17eda24..0a4a187 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -506,7 +928,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +929,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -37848,7 +37851,7 @@ index 17eda24..0a4a187 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -521,6 +943,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +944,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -37856,7 +37859,7 @@ index 17eda24..0a4a187 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +964,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +965,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -37864,7 +37867,7 @@ index 17eda24..0a4a187 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +974,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +975,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -37909,7 +37912,7 @@ index 17eda24..0a4a187 100644
 	')
 	optional_policy(`
-@@ -559,14 +1019,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1020,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -37941,7 +37944,7 @@ index 17eda24..0a4a187 100644
 	')
 ')
-@@ -577,6 +1054,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1055,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -37981,7 +37984,7 @@ index 17eda24..0a4a187 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1099,8 @@ optional_policy(`
+@@ -589,6 +1100,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -37990,7 +37993,7 @@ index 17eda24..0a4a187 100644
 ')
 optional_policy(`
-@@ -610,6 +1122,7 @@ optional_policy(`
+@@ -610,6 +1123,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -37998,7 +38001,7 @@ index 17eda24..0a4a187 100644
 ')
 optional_policy(`
-@@ -626,6 +1139,17 @@ optional_policy(`
+@@ -626,6 +1140,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -38016,7 +38019,7 @@ index 17eda24..0a4a187 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -642,9 +1166,13 @@ optional_policy(`
+@@ -642,9 +1167,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -38030,7 +38033,7 @@ index 17eda24..0a4a187 100644
 	')
 	optional_policy(`
-@@ -657,15 +1185,11 @@ optional_policy(`
+@@ -657,15 +1186,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -38048,7 +38051,7 @@ index 17eda24..0a4a187 100644
 ')
 optional_policy(`
-@@ -686,6 +1210,15 @@ optional_policy(`
+@@ -686,6 +1211,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -38064,7 +38067,7 @@ index 17eda24..0a4a187 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -726,6 +1259,7 @@ optional_policy(`
+@@ -726,6 +1260,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -38072,7 +38075,7 @@ index 17eda24..0a4a187 100644
 ')
 optional_policy(`
-@@ -743,7 +1277,13 @@ optional_policy(`
+@@ -743,7 +1278,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -38087,7 +38090,7 @@ index 17eda24..0a4a187 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -766,6 +1306,10 @@ optional_policy(`
+@@ -766,6 +1307,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -38098,7 +38101,7 @@ index 17eda24..0a4a187 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1319,20 @@ optional_policy(`
+@@ -775,10 +1320,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -38119,7 +38122,7 @@ index 17eda24..0a4a187 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -787,6 +1341,10 @@ optional_policy(`
+@@ -787,6 +1342,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -38130,7 +38133,7 @@ index 17eda24..0a4a187 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -808,8 +1366,6 @@ optional_policy(`
+@@ -808,8 +1367,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -38139,7 +38142,7 @@ index 17eda24..0a4a187 100644
 ')
 optional_policy(`
-@@ -818,6 +1374,10 @@ optional_policy(`
+@@ -818,6 +1375,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -38150,7 +38153,7 @@ index 17eda24..0a4a187 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1387,12 @@ optional_policy(`
+@@ -827,10 +1388,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -38163,7 +38166,7 @@ index 17eda24..0a4a187 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1419,62 @@ optional_policy(`
+@@ -857,21 +1420,62 @@ optional_policy(`
 ')
 optional_policy(`
@ -38227,7 +38230,7 @@ index 17eda24..0a4a187 100644
 ')
 optional_policy(`
-@@ -887,6 +1490,10 @@ optional_policy(`
+@@ -887,6 +1491,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -38238,7 +38241,7 @@ index 17eda24..0a4a187 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1504,218 @@ optional_policy(`
+@@ -897,3 +1505,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -28825,7 +28825,7 @@ index c62c567..a74f123 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
 ')
 diff --git a/firewalld.te b/firewalld.te
-index 98072a3..50e7985 100644
+index 98072a3..73c5573 100644
 --- a/firewalld.te
 +++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@ -28894,7 +28894,7 @@ index 98072a3..50e7985 100644
 -sysnet_read_config(firewalld_t)
 +sysnet_dns_name_resolve(firewalld_t)
 +sysnet_manage_config_dirs(firewalld_t)
-+sysnet_create_config(firewalld_t)
+sysnet_manage_config(firewalld_t)
 optional_policy(`
 	dbus_system_domain(firewalld_t, firewalld_exec_t)
@ -45847,10 +45847,10 @@ index dd8e01a..9cd6b0b 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..5160f96 100644
+index be0ab84..6f475e4 100644
 --- a/logrotate.te
 +++ b/logrotate.te
-@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
+@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
 # Declarations
 #
@ -45862,6 +45862,13 @@ index be0ab84..5160f96 100644
 +## </p>
 +## </desc>
 +gen_tunable(logrotate_use_nfs, false)
 +
 +## <desc>
 +## <p>
 +## Allow logrotate to read logs inside 
 +## </p>
 +## </desc>
 +gen_tunable(logrotate_read_inside_containers, false)
 +
 type logrotate_t;
@ -45877,7 +45884,7 @@ index be0ab84..5160f96 100644
 type logrotate_lock_t;
 files_lock_file(logrotate_lock_t)
-@@ -25,21 +31,30 @@ files_tmp_file(logrotate_tmp_t)
+@@ -25,21 +38,30 @@ files_tmp_file(logrotate_tmp_t)
 type logrotate_var_lib_t;
 files_type(logrotate_var_lib_t)
@ -45914,7 +45921,7 @@ index be0ab84..5160f96 100644
 allow logrotate_t self:shm create_shm_perms;
 allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,36 +63,52 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +70,52 @@ allow logrotate_t self:msg { send receive };
 allow logrotate_t logrotate_lock_t:file manage_file_perms;
 files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@ -45972,7 +45979,7 @@ index be0ab84..5160f96 100644
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
 files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +126,55 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +133,55 @@ mls_process_write_to_clearance(logrotate_t)
 selinux_get_fs_mount(logrotate_t)
 selinux_get_enforce_mode(logrotate_t)
@ -45990,8 +45997,7 @@ index be0ab84..5160f96 100644
 +# cjp: why is this needed?
 logging_exec_all_logs(logrotate_t)
 +logging_systemctl_syslogd(logrotate_t)
- 
+
 -miscfiles_read_localization(logrotate_t)
 +systemd_exec_systemctl(logrotate_t)
 +systemd_getattr_unit_files(logrotate_t)
 +systemd_start_all_unit_files(logrotate_t)
@ -46000,12 +46006,13 @@ index be0ab84..5160f96 100644
 +systemd_dbus_chat_logind(logrotate_t)
 +init_stream_connect(logrotate_t)
-seutil_dontaudit_read_config(logrotate_t)
+-miscfiles_read_localization(logrotate_t)
 +miscfiles_read_hwdata(logrotate_t)
-userdom_use_user_terminals(logrotate_t)
+-seutil_dontaudit_read_config(logrotate_t)
 +term_dontaudit_use_unallocated_ttys(logrotate_t)
-+
+ 
 -userdom_use_user_terminals(logrotate_t)
 +userdom_use_inherited_user_terminals(logrotate_t)
 userdom_list_user_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
@ -46034,7 +46041,7 @@ index be0ab84..5160f96 100644
 ')
 optional_policy(`
-@@ -135,16 +189,17 @@ optional_policy(`
+@@ -135,16 +196,17 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(logrotate_t)
@ -46054,7 +46061,7 @@ index be0ab84..5160f96 100644
 ')
 optional_policy(`
-@@ -170,6 +225,11 @@ optional_policy(`
+@@ -170,6 +232,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -46066,7 +46073,7 @@ index be0ab84..5160f96 100644
 	fail2ban_stream_connect(logrotate_t)
 ')
-@@ -178,7 +238,7 @@ optional_policy(`
+@@ -178,7 +245,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -46075,7 +46082,7 @@ index be0ab84..5160f96 100644
 ')
 optional_policy(`
-@@ -198,17 +258,18 @@ optional_policy(`
+@@ -198,17 +265,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -46097,7 +46104,7 @@ index be0ab84..5160f96 100644
 ')
 optional_policy(`
-@@ -216,6 +277,14 @@ optional_policy(`
+@@ -216,6 +284,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -46112,7 +46119,7 @@ index be0ab84..5160f96 100644
 	samba_exec_log(logrotate_t)
 ')
-@@ -228,26 +297,43 @@ optional_policy(`
+@@ -228,26 +304,50 @@ optional_policy(`
 ')
 optional_policy(`
@ -46145,6 +46152,13 @@ index be0ab84..5160f96 100644
 +optional_policy(`
 +	virt_manage_cache(logrotate_t)
 +')
 +
 +
 +optional_policy(`
 +	tunable_policy(`logrotate_read_inside_containers',`
 +		virt_read_sandbox_files(logrotate_t)
 +	')
 +')
 +
 #######################################
 #
@ -49799,10 +49813,10 @@ index 0000000..f5b98e6
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..66c45cb
+index 0000000..2d4fb00
 --- /dev/null
 +++ b/mock.te
-@@ -0,0 +1,284 @@
+@@ -0,0 +1,285 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@ -49935,6 +49949,7 @@ index 0000000..66c45cb
 +selinux_get_enforce_mode(mock_t)
 +
 +term_search_ptys(mock_t)
 +term_use_generic_ptys(mock_t)
 +term_mount_pty_fs(mock_t)
 +term_unmount_pty_fs(mock_t)
 +term_use_ptmx(mock_t)
@ -64088,10 +64103,10 @@ index 0000000..eac3932
 +')
 diff --git a/opendnssec.te b/opendnssec.te
 new file mode 100644
-index 0000000..a0e817d
+index 0000000..83507cf
 --- /dev/null
 +++ b/opendnssec.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,59 @@
 +policy_module(opendnssec, 1.0.0)
 +
 +########################################
@ -64122,7 +64137,7 @@ index 0000000..a0e817d
 +allow opendnssec_t self:capability { chown setgid setuid sys_chroot };
 +allow opendnssec_t self:process { fork signal_perms };
 +allow opendnssec_t self:fifo_file rw_fifo_file_perms;
-+allow opendnssec_t self:unix_stream_socket create_stream_socket_perms;
+allow opendnssec_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +manage_files_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t)
 +manage_dirs_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t)
@ -64144,6 +64159,10 @@ index 0000000..a0e817d
 +logging_send_syslog_msg(opendnssec_t)
 +
 +optional_policy(`
 +	bind_manage_cache(opendnssec_t)
 +')
 +
 +optional_policy(`
 +    ipa_manage_lib(opendnssec_t)
 +')
 +
@ -66940,7 +66959,7 @@ index 9b15730..cb00f20 100644
 +	')
 ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..370dd38 100644
+index 44dbc99..34682ff 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
@ -67006,7 +67025,7 @@ index 44dbc99..370dd38 100644
 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
 logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -63,35 +67,51 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+@@ -63,35 +67,52 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
@ -67028,6 +67047,7 @@ index 44dbc99..370dd38 100644
 +corenet_tcp_connect_xodbc_connect_port(openvswitch_t)
 +corenet_tcp_connect_ovsdb_port(openvswitch_t)
 +corenet_tcp_connect_openflow_port(openvswitch_t)
 +corenet_tcp_connect_openvswitch_port(openvswitch_t)
 +corenet_tcp_bind_generic_node(openvswitch_t)
 +corenet_tcp_bind_openvswitch_port(openvswitch_t)
@ -88496,7 +88516,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
 ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..cb5f49c 100644
+index d32e1a2..1271bf3 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@ -88539,7 +88559,7 @@ index d32e1a2..cb5f49c 100644
 files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
 kernel_read_network_state(rhsmcertd_t)
-+kernel_read_sysctl(rhsmcertd_t)
+kernel_read_net_sysctls(rhsmcertd_t)
 kernel_read_system_state(rhsmcertd_t)
 +kernel_read_sysctl(rhsmcertd_t)
 +
@ -104299,7 +104319,7 @@ index a240455..04419ae 100644
 -	admin_pattern($1, sssd_log_t)
 ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..c420309 100644
+index 2d8db1f..864ea2f 100644
 --- a/sssd.te
 +++ b/sssd.te
@@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t)
@ -104367,7 +104387,7 @@ index 2d8db1f..c420309 100644
 corecmd_exec_bin(sssd_t)
-@@ -83,28 +86,35 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +86,36 @@ domain_read_all_domains_state(sssd_t)
 domain_obj_id_change_exemption(sssd_t)
 files_list_tmp(sssd_t)
@ -104377,6 +104397,7 @@ index 2d8db1f..c420309 100644
 files_list_var_lib(sssd_t)
 fs_list_inotifyfs(sssd_t)
 +fs_getattr_xattr_fs(sssd_t)
 selinux_validate_context(sssd_t)
 +seutil_read_config(sssd_t)
@ -104407,7 +104428,7 @@ index 2d8db1f..c420309 100644
 init_read_utmp(sssd_t)
-@@ -112,18 +122,64 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +123,64 @@ logging_send_syslog_msg(sssd_t)
 logging_send_audit_msgs(sssd_t)
 miscfiles_read_generic_certs(sssd_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 202%{?dist}
+Release: 203%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -648,6 +648,17 @@ exit 0
 %endif
 %changelog
 * Mon Jul 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-203
 - Allow hypervkvp domain to run restorecon.
 - Allow firewalld to manage net_conf_t files
 - Remove double graphite-web context declaration
 - Fix typo in rhsmcertd SELinux policy
 - Allow logrotate read logs inside containers.
 - Allow sssd to getattr on fs_t
 - Allow opendnssec domain to manage bind chace files
 - Allow systemd to get status of systemd-logind daemon
 - Label more ndctl devices not just ndctl0
 * Wed Jul 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-202
 - Allow systemd_logind_t to start init_t BZ(1355861)
 - Add init_start() interface