* Thu May 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-255

- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t - Add interface pki_manage_common_files() - Allow rngd domain read sysfs_t - Allow tomcat_t domain to manage pki_common_t files and dirs - Merge pull request #3 from rhatdan/devicekit - Merge pull request #12 from lslebodn/sssd_sockets_fc - Allow certmonger reads httpd_config_t files - Allow keepalived_t domain creating netlink_netfilter_socket. - Use stricter fc rules for sssd sockets in /var/run - Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. - Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/ - Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit - ejabberd small fixes - Update targetd policy to accommodate changes in the service - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls - Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit - Dontaudit net_admin capability for useradd_t domain - Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723) - Make able deply overcloud via neutron_t to label nsfs as fs_t - Add fs_manage_configfs_lnk_files() interface
2017-05-18 16:44:30 +02:00 · 2017-05-18 16:44:30 +02:00 · 6c0472a324
parent c1e28f68d8
commit 6c0472a324
4 changed files with 1098 additions and 711 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -12384,7 +12384,7 @@ index 008f8ef..144c074 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..b4565e3 100644
+index 550b287..80de6d3 100644
 --- a/certmonger.te
 +++ b/certmonger.te
@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
@ -12475,7 +12475,8 @@ index 550b287..b4565e3 100644
 
 optional_policy(`
 -	apache_initrc_domtrans(certmonger_t)
- 	apache_search_config(certmonger_t)
+-	apache_search_config(certmonger_t)
+	apache_read_config(certmonger_t)
 	apache_signal(certmonger_t)
 	apache_signull(certmonger_t)
 +	apache_systemctl(certmonger_t)
@ -24429,7 +24430,7 @@ index 8ce99ff..1bc5d3a 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 ')
 diff --git a/devicekit.te b/devicekit.te
-index 77a5003..360db40 100644
+index 77a5003..86a7ed2 100644
 --- a/devicekit.te
 +++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@ -24462,20 +24463,22 @@ index 77a5003..360db40 100644
 ########################################
 #
 # Local policy
-@@ -45,11 +49,8 @@ kernel_read_system_state(devicekit_t)
+@@ -44,12 +48,10 @@ kernel_read_system_state(devicekit_t)
+ 
 dev_read_sysfs(devicekit_t)
 dev_read_urand(devicekit_t)
- 
+-
 -files_read_etc_files(devicekit_t)
 -
 -miscfiles_read_localization(devicekit_t)
-
+dev_getattr_all(devicekit_t)
+ 
 optional_policy(`
 +	dbus_system_domain(devicekit_t, devicekit_exec_t)
 	dbus_system_bus_client(devicekit_t)
 
 	allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
-@@ -64,7 +65,8 @@ optional_policy(`
+@@ -64,7 +66,8 @@ optional_policy(`
 # Disk local policy
 #
 
@ -24485,7 +24488,7 @@ index 77a5003..360db40 100644
 allow devicekit_disk_t self:process { getsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,17 +83,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,17 +84,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
 manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@ -24506,7 +24509,7 @@ index 77a5003..360db40 100644
 
 corecmd_exec_bin(devicekit_disk_t)
 corecmd_exec_shell(devicekit_disk_t)
-@@ -99,6 +102,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
+@@ -99,6 +103,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
 
 dev_getattr_all_chr_files(devicekit_disk_t)
 dev_getattr_mtrr_dev(devicekit_disk_t)
@ -24515,7 +24518,7 @@ index 77a5003..360db40 100644
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_manage_generic_files(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
-@@ -117,8 +122,8 @@ files_getattr_all_pipes(devicekit_disk_t)
+@@ -117,8 +123,8 @@ files_getattr_all_pipes(devicekit_disk_t)
 files_manage_boot_dirs(devicekit_disk_t)
 files_manage_isid_type_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
@ -24525,7 +24528,7 @@ index 77a5003..360db40 100644
 
 fs_getattr_all_fs(devicekit_disk_t)
 fs_list_inotifyfs(devicekit_disk_t)
-@@ -135,18 +140,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -135,18 +141,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
 storage_raw_read_removable_device(devicekit_disk_t)
 storage_raw_write_removable_device(devicekit_disk_t)
 
@ -24547,7 +24550,7 @@ index 77a5003..360db40 100644
 	dbus_system_bus_client(devicekit_disk_t)
 
 	allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -170,6 +175,7 @@ optional_policy(`
+@@ -170,6 +176,7 @@ optional_policy(`
 
 optional_policy(`
 	mount_domtrans(devicekit_disk_t)
@ -24555,7 +24558,7 @@ index 77a5003..360db40 100644
 ')
 
 optional_policy(`
-@@ -183,6 +189,11 @@ optional_policy(`
+@@ -183,6 +190,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24567,7 +24570,7 @@ index 77a5003..360db40 100644
 	udev_domtrans(devicekit_disk_t)
 	udev_read_db(devicekit_disk_t)
 	udev_read_pid_files(devicekit_disk_t)
-@@ -192,12 +203,19 @@ optional_policy(`
+@@ -192,12 +204,19 @@ optional_policy(`
 	virt_manage_images(devicekit_disk_t)
 ')
 
@ -24588,7 +24591,7 @@ index 77a5003..360db40 100644
 allow devicekit_power_t self:process { getsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -212,9 +230,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -212,9 +231,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
 
@ -24599,7 +24602,7 @@ index 77a5003..360db40 100644
 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
 
 manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -224,12 +240,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
+@@ -224,12 +241,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
 kernel_read_fs_sysctls(devicekit_power_t)
 kernel_read_network_state(devicekit_power_t)
 kernel_read_system_state(devicekit_power_t)
@ -24614,7 +24617,7 @@ index 77a5003..360db40 100644
 
 corecmd_exec_bin(devicekit_power_t)
 corecmd_exec_shell(devicekit_power_t)
-@@ -248,21 +264,18 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -248,21 +265,18 @@ domain_read_all_domains_state(devicekit_power_t)
 
 files_read_kernel_img(devicekit_power_t)
 files_read_etc_runtime_files(devicekit_power_t)
@ -24637,7 +24640,7 @@ index 77a5003..360db40 100644
 sysnet_domtrans_ifconfig(devicekit_power_t)
 sysnet_domtrans_dhcpc(devicekit_power_t)
 
-@@ -277,6 +290,12 @@ optional_policy(`
+@@ -277,6 +291,12 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24650,7 +24653,7 @@ index 77a5003..360db40 100644
 	dbus_system_bus_client(devicekit_power_t)
 
 	allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -307,8 +326,11 @@ optional_policy(`
+@@ -307,8 +327,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24663,7 +24666,7 @@ index 77a5003..360db40 100644
 	hal_manage_pid_dirs(devicekit_power_t)
 	hal_manage_pid_files(devicekit_power_t)
 ')
-@@ -347,3 +369,9 @@ optional_policy(`
+@@ -347,3 +370,9 @@ optional_policy(`
 optional_policy(`
 	vbetool_domtrans(devicekit_power_t)
 ')
@ -42850,10 +42853,10 @@ index 0000000..bd7e7fa
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..82772f2
+index 0000000..c07a3fe
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,94 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@ -42883,6 +42886,7 @@ index 0000000..82772f2
 +allow keepalived_t self:process { signal_perms };
 +allow keepalived_t self:netlink_socket create_socket_perms;
 +allow keepalived_t self:netlink_generic_socket create_socket_perms;
+allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
 +allow keepalived_t self:netlink_route_socket nlmsg_write;
 +allow keepalived_t self:packet_socket create_socket_perms;
 +allow keepalived_t self:rawip_socket create_socket_perms;
@ -72389,10 +72393,10 @@ index 0000000..47cd0f8
 +/usr/lib/systemd/system/pki-tomcat.*	gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
 diff --git a/pki.if b/pki.if
 new file mode 100644
-index 0000000..efe3ad3
+index 0000000..d8226f9
 --- /dev/null
 +++ b/pki.if
-@@ -0,0 +1,442 @@
+@@ -0,0 +1,461 @@
 +
 +## <summary>policy for pki</summary>
 +
@ -72818,6 +72822,25 @@ index 0000000..efe3ad3
 +
 +########################################
 +## <summary>
+##	Allow read pki_common_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pki_manage_common_files',`
+	gen_require(`
+		type pki_common_t;
+	')
+
+	manage_files_pattern($1, pki_common_t, pki_common_t)
+	manage_dirs_pattern($1, pki_common_t, pki_common_t)
+')
+
+########################################
+## <summary>
 +##	Connect to pki over an unix
 +##	stream socket.
 +## </summary>
@ -75907,7 +75930,7 @@ index ded95ec..3cf7146 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..9cfa754 100644
+index 5cfb83e..4273d32 100644
 --- a/postfix.te
 +++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@ -76000,7 +76023,7 @@ index 5cfb83e..9cfa754 100644
 type postfix_data_t;
 files_type(postfix_data_t)
 
-@@ -105,109 +106,22 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -105,109 +106,23 @@ mta_mailserver_delivery(postfix_virtual_t)
 
 ########################################
 #
@ -76085,8 +76108,9 @@ index 5cfb83e..9cfa754 100644
 -########################################
 -#
 -# Common postfix user domain local policy
-#
-
+# Postfix master process local policy
+ #
+ 
 -allow postfix_user_domains self:capability dac_override;
 -
 -domain_use_interactive_fds(postfix_user_domains)
@ -76094,10 +76118,10 @@ index 5cfb83e..9cfa754 100644
 -########################################
 -#
 -# Master local policy
-+# Postfix master process local policy
- #
- 
+-#
+-
 -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+dontaudit postfix_master_t self:capability { net_admin };
 +# chown is to set the correct ownership of queue dirs
 +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
 allow postfix_master_t self:capability2 block_suspend;
@ -76117,7 +76141,7 @@ index 5cfb83e..9cfa754 100644
 
 allow postfix_master_t postfix_data_t:dir manage_dir_perms;
 allow postfix_master_t postfix_data_t:file manage_file_perms;
-@@ -216,34 +130,32 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms;
+@@ -216,34 +131,32 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms;
 
 allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
 
@ -76165,7 +76189,7 @@ index 5cfb83e..9cfa754 100644
 
 create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-@@ -253,16 +165,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
+@@ -253,16 +166,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
 
@ -76183,7 +76207,7 @@ index 5cfb83e..9cfa754 100644
 corenet_all_recvfrom_netlabel(postfix_master_t)
 corenet_tcp_sendrecv_generic_if(postfix_master_t)
 corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -270,50 +174,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -270,50 +175,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
 corenet_udp_sendrecv_generic_node(postfix_master_t)
 corenet_tcp_sendrecv_all_ports(postfix_master_t)
 corenet_udp_sendrecv_all_ports(postfix_master_t)
@ -76252,7 +76276,7 @@ index 5cfb83e..9cfa754 100644
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
 ')
-@@ -324,14 +222,6 @@ optional_policy(`
+@@ -324,14 +223,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -76267,7 +76291,7 @@ index 5cfb83e..9cfa754 100644
 	postgrey_search_spool(postfix_master_t)
 ')
 
-@@ -341,12 +231,14 @@ optional_policy(`
+@@ -341,12 +232,14 @@ optional_policy(`
 
 ########################################
 #
@ -76284,7 +76308,7 @@ index 5cfb83e..9cfa754 100644
 
 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -363,37 +255,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -363,37 +256,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
 
 ########################################
 #
@ -76331,7 +76355,7 @@ index 5cfb83e..9cfa754 100644
 
 optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
-@@ -401,36 +290,50 @@ optional_policy(`
+@@ -401,36 +291,50 @@ optional_policy(`
 
 ########################################
 #
@ -76391,7 +76415,7 @@ index 5cfb83e..9cfa754 100644
 ')
 
 optional_policy(`
-@@ -442,16 +345,25 @@ optional_policy(`
+@@ -442,16 +346,25 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -76417,7 +76441,7 @@ index 5cfb83e..9cfa754 100644
 	procmail_domtrans(postfix_local_t)
 ')
 
-@@ -466,15 +378,17 @@ optional_policy(`
+@@ -466,15 +379,17 @@ optional_policy(`
 
 ########################################
 #
@ -76441,7 +76465,7 @@ index 5cfb83e..9cfa754 100644
 
 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
 manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -484,14 +398,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -484,14 +399,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
 kernel_dontaudit_list_proc(postfix_map_t)
 kernel_dontaudit_read_system_state(postfix_map_t)
 
@ -76461,7 +76485,7 @@ index 5cfb83e..9cfa754 100644
 
 corecmd_list_bin(postfix_map_t)
 corecmd_read_bin_symlinks(postfix_map_t)
-@@ -500,7 +415,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -500,7 +416,6 @@ corecmd_read_bin_pipes(postfix_map_t)
 corecmd_read_bin_sockets(postfix_map_t)
 
 files_list_home(postfix_map_t)
@ -76469,7 +76493,7 @@ index 5cfb83e..9cfa754 100644
 files_read_etc_runtime_files(postfix_map_t)
 files_dontaudit_search_var(postfix_map_t)
 
-@@ -508,21 +422,24 @@ auth_use_nsswitch(postfix_map_t)
+@@ -508,21 +423,24 @@ auth_use_nsswitch(postfix_map_t)
 
 logging_send_syslog_msg(postfix_map_t)
 
@ -76497,7 +76521,7 @@ index 5cfb83e..9cfa754 100644
 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
 
 rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -532,21 +449,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -532,21 +450,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
 read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
 delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
 
@ -76523,7 +76547,7 @@ index 5cfb83e..9cfa754 100644
 
 write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
 
-@@ -557,6 +474,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+@@ -557,6 +475,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
 corecmd_exec_bin(postfix_pipe_t)
 
 optional_policy(`
@ -76534,7 +76558,7 @@ index 5cfb83e..9cfa754 100644
 	dovecot_domtrans_deliver(postfix_pipe_t)
 ')
 
-@@ -584,19 +505,28 @@ optional_policy(`
+@@ -584,19 +506,28 @@ optional_policy(`
 
 ########################################
 #
@ -76568,7 +76592,7 @@ index 5cfb83e..9cfa754 100644
 
 term_dontaudit_use_all_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -611,10 +541,7 @@ optional_policy(`
+@@ -611,10 +542,7 @@ optional_policy(`
 	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 ')
 
@ -76580,7 +76604,7 @@ index 5cfb83e..9cfa754 100644
 optional_policy(`
 	fstools_read_pipes(postfix_postdrop_t)
 ')
-@@ -629,17 +556,24 @@ optional_policy(`
+@@ -629,17 +557,24 @@ optional_policy(`
 
 #######################################
 #
@ -76608,7 +76632,7 @@ index 5cfb83e..9cfa754 100644
 
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +589,78 @@ optional_policy(`
+@@ -655,69 +590,80 @@ optional_policy(`
 
 ########################################
 #
@ -76619,7 +76643,8 @@ index 5cfb83e..9cfa754 100644
 -allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
 -allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
 -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
-
+dontaudit postfix_qmgr_t self:capability { net_admin };
+ 
 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
 
 rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
@ -76705,7 +76730,7 @@ index 5cfb83e..9cfa754 100644
 ')
 
 optional_policy(`
-@@ -730,28 +673,32 @@ optional_policy(`
+@@ -730,28 +676,32 @@ optional_policy(`
 
 ########################################
 #
@ -76746,7 +76771,7 @@ index 5cfb83e..9cfa754 100644
 
 optional_policy(`
 	dovecot_stream_connect_auth(postfix_smtpd_t)
-@@ -764,6 +711,7 @@ optional_policy(`
+@@ -764,6 +714,7 @@ optional_policy(`
 
 optional_policy(`
 	milter_stream_connect_all(postfix_smtpd_t)
@ -76754,7 +76779,7 @@ index 5cfb83e..9cfa754 100644
 ')
 
 optional_policy(`
-@@ -774,31 +722,101 @@ optional_policy(`
+@@ -774,31 +725,101 @@ optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
 
@ -91214,7 +91239,7 @@ index 13f788f..10e2033 100644
 +	allow $1 rngd_unit_file_t:service all_service_perms;
 ')
 diff --git a/rngd.te b/rngd.te
-index a7b7717..861aa31 100644
+index a7b7717..41bca3b 100644
 --- a/rngd.te
 +++ b/rngd.te
@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
@ -91227,12 +91252,14 @@ index a7b7717..861aa31 100644
 type rngd_var_run_t;
 files_pid_file(rngd_var_run_t)
 
-@@ -35,8 +38,5 @@ dev_read_urand(rngd_t)
+@@ -34,9 +37,7 @@ dev_read_rand(rngd_t)
+ dev_read_urand(rngd_t)
 dev_rw_tpm(rngd_t)
 dev_write_rand(rngd_t)
- 
-files_read_etc_files(rngd_t)
 -
+-files_read_etc_files(rngd_t)
+dev_read_sysfs(rngd_t)
+ 
 logging_send_syslog_msg(rngd_t)
 
 -miscfiles_read_localization(rngd_t)
@ -105702,7 +105729,7 @@ index 0000000..821e158
 +')
 +
 diff --git a/sssd.fc b/sssd.fc
-index dbb005a..47b49ea 100644
+index dbb005a..2655c75 100644
 --- a/sssd.fc
 +++ b/sssd.fc
@@ -1,15 +1,30 @@
@ -105740,8 +105767,8 @@ index dbb005a..47b49ea 100644
 
 -/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
-+/var/run/secrets.socket		gen_context(system_u:object_r:sssd_var_run_t,s0)
-+/var/run/.heim_org.h5l.kcm-socket	--  	gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/secrets\.socket	-s	gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/\.heim_org\.h5l\.kcm-socket	-s	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
 index a240455..aac2584 100644
 --- a/sssd.if
@ -106240,7 +106267,7 @@ index a240455..aac2584 100644
 -	admin_pattern($1, sssd_log_t)
 ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..f0f3862 100644
+index 2d8db1f..07606ba 100644
 --- a/sssd.te
 +++ b/sssd.te
@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t)
@ -106295,8 +106322,9 @@ index 2d8db1f..f0f3862 100644
 
 manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+-files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
 +manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
- files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file })
 
 kernel_read_network_state(sssd_t)
 kernel_read_system_state(sssd_t)
@ -111022,10 +111050,10 @@ index 0000000..e5cec8f
 +')
 diff --git a/tomcat.te b/tomcat.te
 new file mode 100644
-index 0000000..cc0c5fe
+index 0000000..cf2b1a7
 --- /dev/null
 +++ b/tomcat.te
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,99 @@
 +policy_module(tomcat, 1.0.0)
 +
 +########################################
@ -111054,7 +111082,7 @@ index 0000000..cc0c5fe
 +    pki_manage_tomcat_etc_rw(tomcat_t)
 +    pki_search_log_dirs(tomcat_t)
 +    pki_manage_tomcat_log(tomcat_t)
-+    pki_read_common_files(tomcat_t)
+    pki_manage_common_files(tomcat_t)
 +    pki_stream_connect(tomcat_t)
 +')
 +
@ -111100,6 +111128,7 @@ index 0000000..cc0c5fe
 +corenet_tcp_connect_http_cache_port(tomcat_domain)
 +corenet_tcp_connect_postgresql_port(tomcat_domain)
 +corenet_tcp_connect_amqp_port(tomcat_domain)
+corenet_tcp_connect_oracle_port(tomcat_domain)
 +
 +dev_read_rand(tomcat_domain)
 +dev_read_urand(tomcat_domain)
@ -111113,8 +111142,17 @@ index 0000000..cc0c5fe
 +sysnet_dns_name_resolve(tomcat_domain)
 +
 +optional_policy(`
+    cobbler_read_lib_files(tomcat_domain)
+')
+
+optional_policy(`
 +	tomcat_search_lib(tomcat_domain)
 +')
+
+optional_policy(`
+    rpm_exec(tomcat_domain)
+    rpm_read_db(tomcat_domain)
+')
 diff --git a/tor.fc b/tor.fc
 index dce42ec..b6b67bf 100644
 --- a/tor.fc
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 254%{?dist}
+Release: 255%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -689,6 +689,28 @@ exit 0
 %endif

 %changelog
+* Thu May 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-255
+- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t
+- Add interface pki_manage_common_files()
+- Allow rngd domain read sysfs_t
+- Allow tomcat_t domain to manage pki_common_t files and dirs
+- Merge pull request #3 from rhatdan/devicekit
+- Merge pull request #12 from lslebodn/sssd_sockets_fc
+- Allow certmonger reads httpd_config_t files
+- Allow keepalived_t domain creating netlink_netfilter_socket.
+- Use stricter fc rules for sssd sockets in /var/run
+- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.
+- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/
+- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
+- ejabberd small fixes
+- Update targetd policy to accommodate changes in the service
+- Allow tomcat_domain connect to    * postgresql_port_t    * amqp_port_t Allow tomcat_domain read network sysctls
+- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
+- Dontaudit net_admin capability for useradd_t domain
+- Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723)
+- Make able deply overcloud via neutron_t to label nsfs as fs_t
+- Add fs_manage_configfs_lnk_files() interface
+
 * Mon May 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254
 - Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
 - ejabberd small fixes