* Thu Feb 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-238

- Allow shiftfs to use xattr SELinux labels
- Fix ssh_server_template by add sshd_t to require section.

policy-rawhide-base.patch

@@ -21474,10 +21474,10 @@ index 8416beb..b38387e 100644
 +	allow $1 tracefs_t:filesystem unmount;
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..59c1cb8 100644
+index e7d1738..b3e6523 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
-@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
+@@ -26,14 +26,20 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
@@ -21494,10 +21494,11 @@ index e7d1738..59c1cb8 100644
 +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
 +fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr shiftfs gen_context(system_u:object_r:fs_t,s0);
  
  # Use the allocating task SID to label inodes in the following filesystem
  # types, and label the filesystem itself with the specified context.
-@@ -53,6 +58,7 @@ type anon_inodefs_t;
+@@ -53,6 +59,7 @@ type anon_inodefs_t;
  fs_type(anon_inodefs_t)
  files_mountpoint(anon_inodefs_t)
  genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
@@ -21505,7 +21506,7 @@ index e7d1738..59c1cb8 100644
  
  type bdev_t;
  fs_type(bdev_t)
-@@ -63,16 +69,28 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,16 +70,28 @@ fs_type(binfmt_misc_fs_t)
  files_mountpoint(binfmt_misc_fs_t)
  genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
  
@@ -21535,7 +21536,7 @@ index e7d1738..59c1cb8 100644
  
  type configfs_t;
  fs_type(configfs_t)
-@@ -88,6 +106,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -88,6 +107,11 @@ fs_noxattr_type(ecryptfs_t)
  files_mountpoint(ecryptfs_t)
  genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
  
@@ -21547,7 +21548,7 @@ index e7d1738..59c1cb8 100644
  type futexfs_t;
  fs_type(futexfs_t)
  genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -96,6 +119,7 @@ type hugetlbfs_t;
+@@ -96,6 +120,7 @@ type hugetlbfs_t;
  fs_type(hugetlbfs_t)
  files_mountpoint(hugetlbfs_t)
  fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -21555,7 +21556,7 @@ index e7d1738..59c1cb8 100644
  
  type ibmasmfs_t;
  fs_type(ibmasmfs_t)
-@@ -111,6 +135,12 @@ type inotifyfs_t;
+@@ -111,6 +136,12 @@ type inotifyfs_t;
  fs_type(inotifyfs_t)
  genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
  
@@ -21568,7 +21569,7 @@ index e7d1738..59c1cb8 100644
  type mvfs_t;
  fs_noxattr_type(mvfs_t)
  allow mvfs_t self:filesystem associate;
-@@ -118,13 +148,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,13 +149,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
  
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
@@ -21593,7 +21594,7 @@ index e7d1738..59c1cb8 100644
  fs_type(pstore_t)
  files_mountpoint(pstore_t)
  dev_associate_sysfs(pstore_t)
-@@ -150,17 +190,16 @@ fs_type(spufs_t)
+@@ -150,17 +191,16 @@ fs_type(spufs_t)
  genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
  files_mountpoint(spufs_t)
  
@@ -21615,7 +21616,7 @@ index e7d1738..59c1cb8 100644
  type vmblock_t;
  fs_noxattr_type(vmblock_t)
  files_mountpoint(vmblock_t)
-@@ -172,6 +211,8 @@ type vxfs_t;
+@@ -172,6 +212,8 @@ type vxfs_t;
  fs_noxattr_type(vxfs_t)
  files_mountpoint(vxfs_t)
  genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -21624,7 +21625,7 @@ index e7d1738..59c1cb8 100644
  
  #
  # tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +223,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +224,8 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -21633,7 +21634,7 @@ index e7d1738..59c1cb8 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +304,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +305,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -21642,7 +21643,7 @@ index e7d1738..59c1cb8 100644
  files_mountpoint(removable_t)
  
  #
-@@ -280,6 +325,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +326,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -21650,7 +21651,7 @@ index e7d1738..59c1cb8 100644
  
  ########################################
  #
-@@ -301,9 +347,10 @@ fs_associate_noxattr(noxattrfs)
+@@ -301,9 +348,10 @@ fs_associate_noxattr(noxattrfs)
  # Unconfined access to this module
  #
  
@@ -28793,7 +28794,7 @@ index 76d9f66..7528851 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..d55811f 100644
+index fe0c682..5f4da9d 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -28906,16 +28907,20 @@ index fe0c682..d55811f 100644
  #######################################
  ## <summary>
  ##	The template to define a ssh server.
-@@ -168,7 +192,7 @@ template(`ssh_basic_client_template',`
+@@ -168,7 +192,11 @@ template(`ssh_basic_client_template',`
  ##	</summary>
  ## </param>
  #
 -template(`ssh_server_template', `
 +template(`ssh_server_template',`
++    gen_require(`
++        type sshd_t;
++    ')
++
  	type $1_t, ssh_server;
  	auth_login_pgm_domain($1_t)
  
-@@ -181,20 +205,22 @@ template(`ssh_server_template', `
+@@ -181,20 +209,22 @@ template(`ssh_server_template', `
  	type $1_var_run_t;
  	files_pid_file($1_var_run_t)
  
@@ -28943,7 +28948,7 @@ index fe0c682..d55811f 100644
  
  	allow $1_t $1_var_run_t:file manage_file_perms;
  	files_pid_filetrans($1_t, $1_var_run_t, file)
-@@ -206,6 +232,7 @@ template(`ssh_server_template', `
+@@ -206,6 +236,7 @@ template(`ssh_server_template', `
  
  	kernel_read_kernel_sysctls($1_t)
  	kernel_read_network_state($1_t)
@@ -28951,7 +28956,7 @@ index fe0c682..d55811f 100644
  
  	corenet_all_recvfrom_unlabeled($1_t)
  	corenet_all_recvfrom_netlabel($1_t)
-@@ -220,10 +247,13 @@ template(`ssh_server_template', `
+@@ -220,10 +251,13 @@ template(`ssh_server_template', `
  	corenet_tcp_bind_generic_node($1_t)
  	corenet_udp_bind_generic_node($1_t)
  	corenet_tcp_bind_ssh_port($1_t)
@@ -28967,7 +28972,7 @@ index fe0c682..d55811f 100644
  
  	auth_rw_login_records($1_t)
  	auth_rw_faillog($1_t)
-@@ -233,7 +263,10 @@ template(`ssh_server_template', `
+@@ -233,7 +267,10 @@ template(`ssh_server_template', `
  	# for sshd subsystems, such as sftp-server.
  	corecmd_getattr_bin_files($1_t)
  
@@ -28978,7 +28983,7 @@ index fe0c682..d55811f 100644
  
  	files_read_etc_files($1_t)
  	files_read_etc_runtime_files($1_t)
-@@ -241,35 +274,33 @@ template(`ssh_server_template', `
+@@ -241,35 +278,33 @@ template(`ssh_server_template', `
  
  	logging_search_logs($1_t)
  
@@ -29025,7 +29030,7 @@ index fe0c682..d55811f 100644
  ')
  
  ########################################
-@@ -292,14 +323,15 @@ template(`ssh_server_template', `
+@@ -292,14 +327,15 @@ template(`ssh_server_template', `
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -29042,7 +29047,7 @@ index fe0c682..d55811f 100644
  	')
  
  	##############################
-@@ -328,103 +360,56 @@ template(`ssh_role_template',`
+@@ -328,103 +364,56 @@ template(`ssh_role_template',`
  
  	# allow ps to show ssh
  	ps_process_pattern($3, ssh_t)
@@ -29156,7 +29161,7 @@ index fe0c682..d55811f 100644
  ')
  
  ########################################
-@@ -496,8 +481,27 @@ interface(`ssh_read_pipes',`
+@@ -496,8 +485,27 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
@@ -29185,7 +29190,7 @@ index fe0c682..d55811f 100644
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -513,7 +517,7 @@ interface(`ssh_rw_pipes',`
+@@ -513,7 +521,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -29194,7 +29199,7 @@ index fe0c682..d55811f 100644
  ')
  
  ########################################
-@@ -605,6 +609,24 @@ interface(`ssh_domtrans',`
+@@ -605,6 +613,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -29219,7 +29224,7 @@ index fe0c682..d55811f 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -637,7 +659,7 @@ interface(`ssh_setattr_key_files',`
+@@ -637,7 +663,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -29228,7 +29233,7 @@ index fe0c682..d55811f 100644
  	files_search_pids($1)
  ')
  
-@@ -662,6 +684,42 @@ interface(`ssh_agent_exec',`
+@@ -662,6 +688,42 @@ interface(`ssh_agent_exec',`
  
  ########################################
  ## <summary>
@@ -29271,7 +29276,7 @@ index fe0c682..d55811f 100644
  ##	Read ssh home directory content
  ## </summary>
  ## <param name="domain">
-@@ -701,6 +759,68 @@ interface(`ssh_domtrans_keygen',`
+@@ -701,6 +763,68 @@ interface(`ssh_domtrans_keygen',`
  
  ########################################
  ## <summary>
@@ -29340,7 +29345,7 @@ index fe0c682..d55811f 100644
  ##	Read ssh server keys
  ## </summary>
  ## <param name="domain">
-@@ -714,7 +834,26 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +838,26 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -29368,7 +29373,7 @@ index fe0c682..d55811f 100644
  ')
  
  ######################################
-@@ -754,3 +893,151 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +897,151 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')

policy-rawhide-contrib.patch

@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..d53d1e0 100644
+index eb50f07..def23ab 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -1048,7 +1048,7 @@ index eb50f07..d53d1e0 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +470,79 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +470,80 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1100,6 +1100,7 @@ index eb50f07..d53d1e0 100644
 +auth_read_passwd(abrt_dump_oops_t)
 +
 +corecmd_getattr_all_executables(abrt_dump_oops_t)
++corecmd_exec_bin(abrt_dump_oops_t)
 +
 +dev_read_urand(abrt_dump_oops_t)
 +dev_read_rand(abrt_dump_oops_t)
@@ -1132,7 +1133,7 @@ index eb50f07..d53d1e0 100644
  
  #######################################
  #
-@@ -404,25 +550,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +551,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1195,7 +1196,7 @@ index eb50f07..d53d1e0 100644
  ')
  
  #######################################
-@@ -430,10 +611,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +612,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 237%{?dist}
+Release: 238%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,10 @@ exit 0
 %endif
 
 %changelog
+* Thu Feb 09 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-238
+- Allow shiftfs to use xattr SELinux labels
+- Fix ssh_server_template by add sshd_t to require section.
+
 * Wed Feb 08 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-237
 - Merge pull request #187 from rhatdan/container-selinux
 - Allow rhsmcertd domain signull kernel.