* Tue Aug 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-273

- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170) - Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects. - Label /var/run/agetty.reload as getty_var_run_t - Add missing filecontext for sln binary - Allow systemd to read/write to event_device_t BZ(1471401)
2017-08-22 14:47:56 +02:00 · 2017-08-22 14:47:56 +02:00 · 681ffa2e20
commit 681ffa2e20
parent b2ee09aa09
4 changed files with 77 additions and 62 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -34251,10 +34251,10 @@ index 3f48d300a..cb4f966c0 100644
 	xen_rw_image_files(fsadm_t)
 ')
 diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
-index e1a1848a2..492763873 100644
+index e1a1848a2..130688b95 100644
 --- a/policy/modules/system/getty.fc
 +++ b/policy/modules/system/getty.fc
-@@ -3,8 +3,12 @@
+@@ -3,10 +3,15 @@
 /sbin/.*getty		--	gen_context(system_u:object_r:getty_exec_t,s0)
@ -34268,7 +34268,10 @@ index e1a1848a2..492763873 100644
 +/var/log/vgetty.*\.log.* --	gen_context(system_u:object_r:getty_log_t,s0)
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
 +/var/run/agetty\.reload.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
 /var/spool/fax(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
 /var/spool/voice(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
 diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
 index e4376aa98..2c98c5647 100644
 --- a/policy/modules/system/getty.if
@ -36480,7 +36483,7 @@ index 79a45f62e..6ed0c399a 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda2480..055193c5d 100644
+index 17eda2480..c9e91f8e1 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -36661,7 +36664,7 @@ index 17eda2480..055193c5d 100644
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +213,26 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +213,27 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@ -36686,10 +36689,11 @@ index 17eda2480..055193c5d 100644
 dev_rw_generic_chr_files(init_t)
 +dev_filetrans_all_named_dev(init_t)
 +dev_write_watchdog(init_t)
 +dev_rw_inherited_input_dev(init_t)
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
-@@ -139,45 +240,102 @@ domain_signal_all_domains(init_t)
+@@ -139,45 +241,102 @@ domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
@ -36799,7 +36803,7 @@ index 17eda2480..055193c5d 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +344,283 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +345,283 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -37092,7 +37096,7 @@ index 17eda2480..055193c5d 100644
 ')
 optional_policy(`
-@@ -216,7 +628,30 @@ optional_policy(`
+@@ -216,7 +629,30 @@ optional_policy(`
 ')
 optional_policy(`
@ -37124,7 +37128,7 @@ index 17eda2480..055193c5d 100644
 ')
 ########################################
-@@ -225,9 +660,9 @@ optional_policy(`
+@@ -225,9 +661,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -37136,7 +37140,7 @@ index 17eda2480..055193c5d 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -258,12 +693,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +694,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -37153,7 +37157,7 @@ index 17eda2480..055193c5d 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +718,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +719,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -37196,7 +37200,7 @@ index 17eda2480..055193c5d 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +755,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +756,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -37208,7 +37212,7 @@ index 17eda2480..055193c5d 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +767,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +768,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -37219,7 +37223,7 @@ index 17eda2480..055193c5d 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +778,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +779,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -37229,7 +37233,7 @@ index 17eda2480..055193c5d 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +787,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +788,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -37237,7 +37241,7 @@ index 17eda2480..055193c5d 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +794,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +795,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -37245,7 +37249,7 @@ index 17eda2480..055193c5d 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +802,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +803,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -37263,7 +37267,7 @@ index 17eda2480..055193c5d 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +820,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +821,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -37277,7 +37281,7 @@ index 17eda2480..055193c5d 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +835,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +836,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -37291,7 +37295,7 @@ index 17eda2480..055193c5d 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +848,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +849,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -37302,7 +37306,7 @@ index 17eda2480..055193c5d 100644
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +861,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +862,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -37310,7 +37314,7 @@ index 17eda2480..055193c5d 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +880,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +881,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -37334,7 +37338,7 @@ index 17eda2480..055193c5d 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +913,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +914,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -37342,7 +37346,7 @@ index 17eda2480..055193c5d 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +947,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +948,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -37353,7 +37357,7 @@ index 17eda2480..055193c5d 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -506,7 +971,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +972,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -37362,7 +37366,7 @@ index 17eda2480..055193c5d 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -521,6 +986,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +987,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -37370,7 +37374,7 @@ index 17eda2480..055193c5d 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1007,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1008,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -37378,7 +37382,7 @@ index 17eda2480..055193c5d 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1017,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1018,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -37423,7 +37427,7 @@ index 17eda2480..055193c5d 100644
 	')
 	optional_policy(`
-@@ -559,14 +1062,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1063,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -37455,7 +37459,7 @@ index 17eda2480..055193c5d 100644
 	')
 ')
-@@ -577,6 +1097,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1098,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -37495,7 +37499,7 @@ index 17eda2480..055193c5d 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1142,8 @@ optional_policy(`
+@@ -589,6 +1143,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -37504,7 +37508,7 @@ index 17eda2480..055193c5d 100644
 ')
 optional_policy(`
-@@ -610,6 +1165,7 @@ optional_policy(`
+@@ -610,6 +1166,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -37512,7 +37516,7 @@ index 17eda2480..055193c5d 100644
 ')
 optional_policy(`
-@@ -626,6 +1182,17 @@ optional_policy(`
+@@ -626,6 +1183,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -37530,7 +37534,7 @@ index 17eda2480..055193c5d 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -642,9 +1209,13 @@ optional_policy(`
+@@ -642,9 +1210,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -37544,7 +37548,7 @@ index 17eda2480..055193c5d 100644
 	')
 	optional_policy(`
-@@ -657,15 +1228,11 @@ optional_policy(`
+@@ -657,15 +1229,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -37562,7 +37566,7 @@ index 17eda2480..055193c5d 100644
 ')
 optional_policy(`
-@@ -686,6 +1253,15 @@ optional_policy(`
+@@ -686,6 +1254,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -37578,7 +37582,7 @@ index 17eda2480..055193c5d 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -726,6 +1302,7 @@ optional_policy(`
+@@ -726,6 +1303,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -37586,7 +37590,7 @@ index 17eda2480..055193c5d 100644
 ')
 optional_policy(`
-@@ -743,7 +1320,13 @@ optional_policy(`
+@@ -743,7 +1321,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -37601,7 +37605,7 @@ index 17eda2480..055193c5d 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -766,6 +1349,10 @@ optional_policy(`
+@@ -766,6 +1350,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -37612,7 +37616,7 @@ index 17eda2480..055193c5d 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1362,20 @@ optional_policy(`
+@@ -775,10 +1363,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -37633,7 +37637,7 @@ index 17eda2480..055193c5d 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -787,6 +1384,10 @@ optional_policy(`
+@@ -787,6 +1385,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -37644,7 +37648,7 @@ index 17eda2480..055193c5d 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -808,8 +1409,6 @@ optional_policy(`
+@@ -808,8 +1410,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -37653,7 +37657,7 @@ index 17eda2480..055193c5d 100644
 ')
 optional_policy(`
-@@ -818,6 +1417,10 @@ optional_policy(`
+@@ -818,6 +1418,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -37664,7 +37668,7 @@ index 17eda2480..055193c5d 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1430,12 @@ optional_policy(`
+@@ -827,10 +1431,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -37677,7 +37681,7 @@ index 17eda2480..055193c5d 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1462,62 @@ optional_policy(`
+@@ -857,21 +1463,62 @@ optional_policy(`
 ')
 optional_policy(`
@ -37741,7 +37745,7 @@ index 17eda2480..055193c5d 100644
 ')
 optional_policy(`
-@@ -887,6 +1533,10 @@ optional_policy(`
+@@ -887,6 +1534,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -37752,7 +37756,7 @@ index 17eda2480..055193c5d 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1547,218 @@ optional_policy(`
+@@ -897,3 +1548,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -38970,7 +38974,7 @@ index 000000000..c8147952a
 +fs_manage_kdbus_dirs(systemd_logind_t)
 +fs_manage_kdbus_files(systemd_logind_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c00c..a70bee5b0 100644
+index 73bb3c00c..4ddc8145a 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@ -39008,10 +39012,12 @@ index 73bb3c00c..a70bee5b0 100644
 /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
 /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
-@@ -99,10 +102,17 @@ ifdef(`distro_redhat',`
+@@ -98,11 +101,18 @@ ifdef(`distro_redhat',`
 #
 # /sbin
 #
- /sbin/ldconfig				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
+-/sbin/ldconfig				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 +/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 +/sbin/sln				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 #
@ -39148,7 +39154,7 @@ index 73bb3c00c..a70bee5b0 100644
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +315,158 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +315,159 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
 #
 /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
@ -39313,6 +39319,7 @@ index 73bb3c00c..a70bee5b0 100644
 +/opt/google/[^/]*/.*\.so	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 +/usr/sbin/sln				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
 index 808ba93eb..b717d9709 100644
 --- a/policy/modules/system/libraries.if
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f070f..53dd1ab4d 100644
+index eb50f070f..3c19e28fc 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -748,10 +748,10 @@ index eb50f070f..53dd1ab4d 100644
 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 +mmap_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
 files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
 +files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
 +allow abrt_t abrt_var_cache_t:file map;
 +# abrt pid files
 manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@ -10666,7 +10666,7 @@ index c723a0ae0..1c29d21e7 100644
 +	allow $1 bluetooth_unit_file_t:service all_service_perms;
 ')
 diff --git a/bluetooth.te b/bluetooth.te
-index 851769e55..4bb326132 100644
+index 851769e55..9db73ae8a 100644
 --- a/bluetooth.te
 +++ b/bluetooth.te
@@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t)
@ -10696,7 +10696,7 @@ index 851769e55..4bb326132 100644
 manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
 manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
-+mmap_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+allow bluetooth_t bluetooth_var_lib_t:file map;
 files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
 manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
@ -25747,10 +25747,10 @@ index 000000000..b3784d85d
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 000000000..03988c910
+index 000000000..cb6af79d7
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,204 @@
+@@ -0,0 +1,205 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@ -25829,6 +25829,7 @@ index 000000000..03988c910
 +manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
 +manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
 +files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
 +allow dirsrv_t dirsrv_var_run_t:file map;
 +
 +manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
 +manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
@ -106587,7 +106588,7 @@ index dbb005aca..2655c75ab 100644
 +/var/run/secrets\.socket	-s	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/\.heim_org\.h5l\.kcm-socket	-s	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a24045518..8e00992e4 100644
+index a24045518..47530e258 100644
 --- a/sssd.if
 +++ b/sssd.if
@@ -1,21 +1,21 @@
@ -106775,7 +106776,7 @@ index a24045518..8e00992e4 100644
 -	allow $1 sssd_public_t:dir list_dir_perms;
 +	list_dirs_pattern($1, sssd_public_t, sssd_public_t)
 	read_files_pattern($1, sssd_public_t, sssd_public_t)
-+	mmap_files_pattern($1, sssd_public_t, sssd_public_t)
+    allow $1 sssd_public_t:file map;
 ')
 -#######################################
@ -107085,7 +107086,7 @@ index a24045518..8e00992e4 100644
 -	admin_pattern($1, sssd_log_t)
 ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1fa3..b4eaeb4cc 100644
+index 2d8db1fa3..a9de15cf6 100644
 --- a/sssd.te
 +++ b/sssd.te
@@ -28,51 +28,65 @@ logging_log_file(sssd_var_log_t)
@ -107124,13 +107125,13 @@ index 2d8db1fa3..b4eaeb4cc 100644
 manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
 manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
-+mmap_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+allow sssd_t sssd_public_t:file map;
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-+mmap_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+allow sssd_t sssd_var_lib_t:file map;
 files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
 -append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 272%{?dist}
+Release: 273%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -681,6 +681,13 @@ exit 0
 %endif
 %changelog
 * Tue Aug 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-273
 - Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)
 - Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.
 - Label /var/run/agetty.reload as getty_var_run_t
 - Add missing filecontext for sln binary
 - Allow systemd to read/write to event_device_t BZ(1471401)
 * Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272
 - Allow sssd_t domain to map sssd_var_lib_t files
 - allow map permission where needed