* Mon Jul 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-262

- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service
- Allow iptables to read container runtime files

policy-rawhide-base.patch

@@ -38430,7 +38430,7 @@ index c42fbc3..bf211db 100644
 +	files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
 +')
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..fc9fd0a 100644
+index be8ed1e..91d1296 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
@@ -38543,9 +38543,14 @@ index be8ed1e..fc9fd0a 100644
  userdom_use_all_users_fds(iptables_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -102,6 +123,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -101,7 +122,14 @@ ifdef(`hide_broken_symptoms',`
+ ')
  
  optional_policy(`
++	container_read_state(iptables_t)
++')
++
++optional_policy(`
  	fail2ban_append_log(iptables_t)
 +    fail2ban_read_log(iptables_t)
 +	fail2ban_dontaudit_leaks(iptables_t)
@@ -38553,7 +38558,7 @@ index be8ed1e..fc9fd0a 100644
  ')
  
  optional_policy(`
-@@ -110,7 +134,15 @@ optional_policy(`
+@@ -110,7 +138,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38569,7 +38574,7 @@ index be8ed1e..fc9fd0a 100644
  ')
  
  optional_policy(`
-@@ -119,11 +151,25 @@ optional_policy(`
+@@ -119,11 +155,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38595,7 +38600,7 @@ index be8ed1e..fc9fd0a 100644
  ')
  
  optional_policy(`
-@@ -135,9 +181,9 @@ optional_policy(`
+@@ -135,9 +185,9 @@ optional_policy(`
  ')
  
  optional_policy(`

policy-rawhide-contrib.patch

@@ -33050,10 +33050,10 @@ index 0000000..4501460
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..ce9dd75
+index 0000000..d474c09
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,312 @@
+@@ -0,0 +1,313 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@@ -33306,6 +33306,7 @@ index 0000000..ce9dd75
 +
 +optional_policy(`
 +    ganesha_systemctl(glusterd_t)
++    ganesha_dbus_chat(glusterd_t)
 +')
 +
 +optional_policy(`
@@ -88942,7 +88943,7 @@ index c8bdea2..beb2872 100644
 +	allow $1 haproxy_unit_file_t:service {status start};
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..5279416 100644
+index 6cf79c4..5e106cf 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -88981,7 +88982,7 @@ index 6cf79c4..5279416 100644
  attribute cluster_domain;
  attribute cluster_log;
  attribute cluster_pid;
-@@ -44,34 +73,288 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,291 @@ type foghorn_initrc_exec_t;
  init_script_file(foghorn_initrc_exec_t)
  
  rhcs_domain_template(gfs_controld)
@@ -89180,6 +89181,9 @@ index 6cf79c4..5279416 100644
 +    fstools_domtrans(cluster_t)
 +')
 +
++optional_policy(`
++    ganesha_dbus_chat(cluster_t)
++')
 +
 +optional_policy(`
 +    hostname_exec(cluster_t)
@@ -89274,7 +89278,7 @@ index 6cf79c4..5279416 100644
  ')
  
  #####################################
-@@ -79,13 +362,14 @@ optional_policy(`
+@@ -79,13 +365,14 @@ optional_policy(`
  # dlm_controld local policy
  #
  
@@ -89291,7 +89295,7 @@ index 6cf79c4..5279416 100644
  kernel_rw_net_sysctls(dlm_controld_t)
  
  corecmd_exec_bin(dlm_controld_t)
-@@ -98,16 +382,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +385,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
@@ -89325,7 +89329,7 @@ index 6cf79c4..5279416 100644
  manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
  files_lock_filetrans(fenced_t, fenced_lock_t, file)
  
-@@ -118,9 +416,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +419,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -89337,7 +89341,7 @@ index 6cf79c4..5279416 100644
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -140,6 +437,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +440,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
  
  corenet_sendrecv_zented_server_packets(fenced_t)
  corenet_tcp_bind_zented_port(fenced_t)
@@ -89346,7 +89350,7 @@ index 6cf79c4..5279416 100644
  corenet_tcp_sendrecv_zented_port(fenced_t)
  
  corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +447,8 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +450,8 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
@@ -89358,7 +89362,7 @@ index 6cf79c4..5279416 100644
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +458,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +461,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -89367,7 +89371,7 @@ index 6cf79c4..5279416 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +480,8 @@ optional_policy(`
+@@ -182,7 +483,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89377,7 +89381,7 @@ index 6cf79c4..5279416 100644
  ')
  
  optional_policy(`
-@@ -190,12 +489,17 @@ optional_policy(`
+@@ -190,12 +492,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89396,7 +89400,7 @@ index 6cf79c4..5279416 100644
  ')
  
  optional_policy(`
-@@ -203,6 +507,21 @@ optional_policy(`
+@@ -203,6 +510,21 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -89418,7 +89422,7 @@ index 6cf79c4..5279416 100644
  #######################################
  #
  # foghorn local policy
-@@ -221,16 +540,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +543,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
  corenet_tcp_connect_agentx_port(foghorn_t)
  corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
@@ -89443,7 +89447,7 @@ index 6cf79c4..5279416 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -247,16 +572,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
+@@ -247,16 +575,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
  stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
  stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -89465,7 +89469,7 @@ index 6cf79c4..5279416 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +604,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +607,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -89525,7 +89529,7 @@ index 6cf79c4..5279416 100644
  ######################################
  #
  # qdiskd local policy
-@@ -292,7 +668,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +671,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
  manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
  files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
  
@@ -89533,7 +89537,7 @@ index 6cf79c4..5279416 100644
  kernel_read_software_raid_state(qdiskd_t)
  kernel_getattr_core_if(qdiskd_t)
  
-@@ -321,6 +696,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +699,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 261%{?dist}
+Release: 262%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -690,6 +690,10 @@ exit 0
 %endif
 
 %changelog
+* Mon Jul 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-262
+- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service
+- Allow iptables to read container runtime files
+
 * Fri Jun 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-261
 - Allow boinc_t nsswitch
 - Dontaudit firewalld to write to lib_t dirs