* Thu Jan 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-104

- remove duplicate filename transition rules.
- Call proper interface in sosreport.te.
- Allow fetchmail to manage its keyring
- Allow mail munin to create udp_sockets
- Allow couchdb to sendto kernel unix domain sockets

policy-rawhide-base.patch

@@ -3222,7 +3222,7 @@ index 1dc7a85..c6f4da0 100644
 +	corecmd_shell_domtrans($1_seunshare_t, $1_t)
  ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..85186a9 100644
+index 7590165..d81185e 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
 @@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
@@ -3240,7 +3240,7 @@ index 7590165..85186a9 100644
  # seunshare local policy
  #
 +allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
-+allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
++allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched };
  
 -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
 -allow seunshare_t self:process { setexec signal getcap setcap };

policy-rawhide-contrib.patch

@@ -16390,7 +16390,7 @@ index 715a826..a1cbdb2 100644
 +	')
  ')
 diff --git a/couchdb.te b/couchdb.te
-index ae1c1b1..6238c82 100644
+index ae1c1b1..a3af6c9 100644
 --- a/couchdb.te
 +++ b/couchdb.te
 @@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
@@ -16418,7 +16418,7 @@ index ae1c1b1..6238c82 100644
  
  manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
  append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-@@ -56,11 +59,12 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
+@@ -56,11 +59,13 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
  
  manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
  manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
@@ -16429,10 +16429,11 @@ index ae1c1b1..6238c82 100644
  
  kernel_read_system_state(couchdb_t)
 +kernel_read_fs_sysctls(couchdb_t)
++kernel_dgram_send(couchdb_t)
  
  corecmd_exec_bin(couchdb_t)
  corecmd_exec_shell(couchdb_t)
-@@ -75,14 +79,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
+@@ -75,14 +80,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
  corenet_tcp_bind_couchdb_port(couchdb_t)
  corenet_tcp_sendrecv_couchdb_port(couchdb_t)
  
@@ -27906,10 +27907,10 @@ index c3f7916..cab3954 100644
  	admin_pattern($1, fetchmail_etc_t)
  
 diff --git a/fetchmail.te b/fetchmail.te
-index 742559a..a6c5c24 100644
+index 742559a..57711b3 100644
 --- a/fetchmail.te
 +++ b/fetchmail.te
-@@ -32,14 +32,17 @@ files_type(fetchmail_uidl_cache_t)
+@@ -32,14 +32,18 @@ files_type(fetchmail_uidl_cache_t)
  #
  # Local policy
  #
@@ -27918,6 +27919,7 @@ index 742559a..a6c5c24 100644
  dontaudit fetchmail_t self:capability sys_tty_config;
  allow fetchmail_t self:process { signal_perms setrlimit };
  allow fetchmail_t self:unix_stream_socket { accept listen };
++allow fetchmail_t self:key manage_key_perms;
  
  allow fetchmail_t fetchmail_etc_t:file read_file_perms;
  
@@ -27928,7 +27930,7 @@ index 742559a..a6c5c24 100644
  
  manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
  append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
+@@ -63,7 +67,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
  corecmd_exec_bin(fetchmail_t)
  corecmd_exec_shell(fetchmail_t)
  
@@ -27936,7 +27938,7 @@ index 742559a..a6c5c24 100644
  corenet_all_recvfrom_netlabel(fetchmail_t)
  corenet_tcp_sendrecv_generic_if(fetchmail_t)
  corenet_tcp_sendrecv_generic_node(fetchmail_t)
-@@ -84,15 +86,23 @@ fs_search_auto_mountpoints(fetchmail_t)
+@@ -84,15 +87,23 @@ fs_search_auto_mountpoints(fetchmail_t)
  
  domain_use_interactive_fds(fetchmail_t)
  
@@ -47378,7 +47380,7 @@ index 6fcfc31..91adcaf 100644
 +/var/run/mongo.*	                gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
 diff --git a/mongodb.te b/mongodb.te
-index 169f236..dec8a95 100644
+index 169f236..907b24c 100644
 --- a/mongodb.te
 +++ b/mongodb.te
 @@ -21,19 +21,25 @@ files_type(mongod_var_lib_t)
@@ -47395,7 +47397,7 @@ index 169f236..dec8a95 100644
  
 -allow mongod_t self:process signal;
 +
-+allow mongod_t self:process { setsched signal };
++allow mongod_t self:process { setsched signal execmem };
  allow mongod_t self:fifo_file rw_fifo_file_perms;
  
 -manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
@@ -52207,7 +52209,7 @@ index b744fe3..cb0e2af 100644
 +	admin_pattern($1, munin_content_t)
  ')
 diff --git a/munin.te b/munin.te
-index b708708..aebb4c1 100644
+index b708708..dd6e04b 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@@ -52353,12 +52355,13 @@ index b708708..aebb4c1 100644
  ####################################
  #
  # Mail local policy
-@@ -279,27 +273,38 @@ optional_policy(`
+@@ -279,27 +273,39 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
 +allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
 +allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
++allow mail_munin_plugin_t self:udp_socket create_socket_perms;
 +
  rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -52396,7 +52399,7 @@ index b708708..aebb4c1 100644
  ')
  
  optional_policy(`
-@@ -339,7 +344,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -339,7 +345,7 @@ dev_read_rand(services_munin_plugin_t)
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
@@ -52405,7 +52408,7 @@ index b708708..aebb4c1 100644
  ')
  
  optional_policy(`
-@@ -348,6 +353,10 @@ optional_policy(`
+@@ -348,6 +354,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52416,7 +52419,7 @@ index b708708..aebb4c1 100644
  	lpd_exec_lpr(services_munin_plugin_t)
  ')
  
-@@ -361,7 +370,11 @@ optional_policy(`
+@@ -361,7 +371,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52429,7 +52432,7 @@ index b708708..aebb4c1 100644
  ')
  
  optional_policy(`
-@@ -393,6 +406,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +407,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -52437,7 +52440,7 @@ index b708708..aebb4c1 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +435,33 @@ optional_policy(`
+@@ -421,3 +436,33 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 103%{?dist}
+Release: 104%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -605,6 +605,13 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Jan 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-104
+- remove duplicate filename transition rules.
+- Call proper interface in sosreport.te.
+- Allow fetchmail to manage its keyring
+- Allow mail munin to create udp_sockets
+- Allow couchdb to sendto kernel unix domain sockets
+
 * Sat Jan 3 2015 Dan Walsh <dwalsh@redhat.com> 3.13.1-103
 - Add /etc/selinux/targeted/contexts/openssh_contexts