* Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307

- Allow crond_t to read pcp lib files BZ(1525420) - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783) - Allow certwatch_t to mmap generic certs. BZ(1527173) - Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876) - Add interface userdom_map_user_home_files() - Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202) - Allow xdm_t dbus chat with modemmanager_t BZ(1526722) - All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
2017-12-19 16:18:46 +01:00 · 2017-12-19 16:18:46 +01:00 · 73d7285c92
parent 270b6479cd
commit 73d7285c92
4 changed files with 408 additions and 272 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -12792,10 +12792,10 @@ index 550b287ce..73104ec93 100644
 +	')
 +')
 diff --git a/certwatch.te b/certwatch.te
-index 171fafb99..38614a0e9 100644
+index 171fafb99..6cf8b7957 100644
 --- a/certwatch.te
 +++ b/certwatch.te
-@@ -18,35 +18,47 @@ role certwatch_roles types certwatch_t;
+@@ -18,35 +18,48 @@ role certwatch_roles types certwatch_t;
 # Local policy
 #
 
@ -12827,6 +12827,7 @@ index 171fafb99..38614a0e9 100644
 miscfiles_read_all_certs(certwatch_t)
 -miscfiles_read_localization(certwatch_t)
 +miscfiles_manage_generic_cert_dirs(certwatch_t)
+miscfiles_map_generic_certs(certwatch_t)
 +
 +sysnet_read_config(certwatch_t)
 
@ -20020,7 +20021,7 @@ index 1303b3036..f5bd4aee8 100644
 +    logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
 ')
 diff --git a/cron.te b/cron.te
-index 7de385956..46400791a 100644
+index 7de385956..31053c2a9 100644
 --- a/cron.te
 +++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
@ -20439,7 +20440,7 @@ index 7de385956..46400791a 100644
 ')
 
 optional_policy(`
-@@ -354,103 +314,141 @@ optional_policy(`
+@@ -354,103 +314,145 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -20448,22 +20449,20 @@ index 7de385956..46400791a 100644
 -	optional_policy(`
 -		hal_dbus_chat(crond_t)
 -	')
-
+	djbdns_search_tinydns_keys(crond_t)
+	djbdns_link_tinydns_keys(crond_t)
+')
+ 
 -	optional_policy(`
 -		unconfined_dbus_send(crond_t)
 -	')
-+	djbdns_search_tinydns_keys(crond_t)
-+	djbdns_link_tinydns_keys(crond_t)
- ')
- 
- optional_policy(`
-	amanda_search_var_lib(crond_t)
+optional_policy(`
 +	locallogin_search_keys(crond_t)
 +	locallogin_link_keys(crond_t)
 ')
 
 optional_policy(`
-	amavis_search_lib(crond_t)
+-	amanda_search_var_lib(crond_t)
 +	# these should probably be unconfined_crond_t
 +	dbus_system_bus_client(crond_t)
 +	init_dbus_send_script(crond_t)
@ -20471,28 +20470,32 @@ index 7de385956..46400791a 100644
 ')
 
 optional_policy(`
-	djbdns_search_tinydns_keys(crond_t)
-	djbdns_link_tinydns_keys(crond_t)
+-	amavis_search_lib(crond_t)
 +	amanda_search_var_lib(crond_t)
 ')
 
 optional_policy(`
-	hal_write_log(crond_t)
+-	djbdns_search_tinydns_keys(crond_t)
+-	djbdns_link_tinydns_keys(crond_t)
 +	antivirus_search_db(crond_t)
 ')
 
+ optional_policy(`
+	hal_dbus_chat(crond_t)
+ 	hal_write_log(crond_t)
+	hal_dbus_chat(system_cronjob_t)
+ ')
+ 
 optional_policy(`
 -	locallogin_search_keys(crond_t)
 -	locallogin_link_keys(crond_t)
-+	hal_dbus_chat(crond_t)
-+	hal_write_log(crond_t)
-+	hal_dbus_chat(system_cronjob_t)
+	# cjp: why?
+	munin_search_lib(crond_t)
 ')
 
 optional_policy(`
 -	mta_send_mail(crond_t)
-+	# cjp: why?
-+	munin_search_lib(crond_t)
+    pcp_read_lib_files(crond_t)
 ')
 
 optional_policy(`
@ -20613,7 +20616,7 @@ index 7de385956..46400791a 100644
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
 allow system_cronjob_t cron_spool_t:file rw_file_perms;
 
-@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -461,11 +463,11 @@ kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
@ -20626,7 +20629,7 @@ index 7de385956..46400791a 100644
 corenet_all_recvfrom_netlabel(system_cronjob_t)
 corenet_tcp_sendrecv_generic_if(system_cronjob_t)
 corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -485,6 +487,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
 fs_getattr_all_pipes(system_cronjob_t)
 fs_getattr_all_sockets(system_cronjob_t)
 
@ -20634,7 +20637,7 @@ index 7de385956..46400791a 100644
 domain_dontaudit_read_all_domains_state(system_cronjob_t)
 
 files_exec_etc_files(system_cronjob_t)
-@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t)
+@@ -495,17 +498,22 @@ files_getattr_all_files(system_cronjob_t)
 files_getattr_all_symlinks(system_cronjob_t)
 files_getattr_all_pipes(system_cronjob_t)
 files_getattr_all_sockets(system_cronjob_t)
@ -20659,7 +20662,7 @@ index 7de385956..46400791a 100644
 
 auth_use_nsswitch(system_cronjob_t)
 
-@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -516,20 +524,28 @@ logging_read_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
@ -20690,7 +20693,7 @@ index 7de385956..46400791a 100644
 	selinux_validate_context(system_cronjob_t)
 	selinux_compute_access_vector(system_cronjob_t)
 	selinux_compute_create_context(system_cronjob_t)
-@@ -539,10 +551,26 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,10 +555,26 @@ tunable_policy(`cron_can_relabel',`
 ')
 
 optional_policy(`
@ -20717,7 +20720,7 @@ index 7de385956..46400791a 100644
 ')
 
 optional_policy(`
-@@ -551,10 +579,6 @@ optional_policy(`
+@@ -551,10 +583,6 @@ optional_policy(`
 
 optional_policy(`
 	dbus_system_bus_client(system_cronjob_t)
@ -20728,7 +20731,7 @@ index 7de385956..46400791a 100644
 ')
 
 optional_policy(`
-@@ -567,6 +591,10 @@ optional_policy(`
+@@ -567,6 +595,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -20739,7 +20742,7 @@ index 7de385956..46400791a 100644
 	ftp_read_log(system_cronjob_t)
 ')
 
-@@ -591,6 +619,8 @@ optional_policy(`
+@@ -591,6 +623,8 @@ optional_policy(`
 optional_policy(`
 	mta_read_config(system_cronjob_t)
 	mta_send_mail(system_cronjob_t)
@ -20748,7 +20751,7 @@ index 7de385956..46400791a 100644
 ')
 
 optional_policy(`
-@@ -598,7 +628,31 @@ optional_policy(`
+@@ -598,7 +632,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -20780,7 +20783,7 @@ index 7de385956..46400791a 100644
 ')
 
 optional_policy(`
-@@ -607,7 +661,12 @@ optional_policy(`
+@@ -607,7 +665,12 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -20793,7 +20796,7 @@ index 7de385956..46400791a 100644
 ')
 
 optional_policy(`
-@@ -615,12 +674,27 @@ optional_policy(`
+@@ -615,12 +678,27 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -20823,7 +20826,7 @@ index 7de385956..46400791a 100644
 #
 
 allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +702,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +706,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
 allow cronjob_t self:unix_dgram_socket create_socket_perms;
 
@ -20857,7 +20860,7 @@ index 7de385956..46400791a 100644
 corenet_all_recvfrom_netlabel(cronjob_t)
 corenet_tcp_sendrecv_generic_if(cronjob_t)
 corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +735,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +739,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
 corenet_udp_sendrecv_generic_node(cronjob_t)
 corenet_tcp_sendrecv_all_ports(cronjob_t)
 corenet_udp_sendrecv_all_ports(cronjob_t)
@ -23031,7 +23034,7 @@ index dda905b9c..60806a524 100644
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index 62d22cb46..c0c2ed47d 100644
+index 62d22cb46..d9c0343da 100644
 --- a/dbus.if
 +++ b/dbus.if
@@ -1,4 +1,4 @@
@ -23109,7 +23112,7 @@ index 62d22cb46..c0c2ed47d 100644
 -	
 -	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 +	# For connecting to the bus
-+	allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
+	allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms create };
 +	allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt  read write };
 
 -	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
@ -23561,7 +23564,7 @@ index 62d22cb46..c0c2ed47d 100644
 ## <param name="domain">
 ##	<summary>
 ##	Type to be used as a domain.
-@@ -397,199 +410,250 @@ interface(`dbus_manage_lib_files',`
+@@ -397,199 +410,251 @@ interface(`dbus_manage_lib_files',`
 ## </param>
 ## <param name="entry_point">
 ##	<summary>
@ -23881,6 +23884,7 @@ index 62d22cb46..c0c2ed47d 100644
 
 -	allow $1 system_dbusd_t:fd use;
 +	dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
+	dontaudit $1 system_dbusd_t:sock_file write;
 ')
 
 ########################################
@ -23892,7 +23896,7 @@ index 62d22cb46..c0c2ed47d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +662,68 @@ interface(`dbus_use_system_bus_fds',`
 ##	</summary>
 ## </param>
 #
@ -23970,7 +23974,7 @@ index 62d22cb46..c0c2ed47d 100644
 +	manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
 ')
 diff --git a/dbus.te b/dbus.te
-index c9998c80d..328aa81d2 100644
+index c9998c80d..5a9dfdf1e 100644
 --- a/dbus.te
 +++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@ -24004,7 +24008,15 @@ index c9998c80d..328aa81d2 100644
 type session_dbusd_tmp_t;
 typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
 typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
-@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
+@@ -36,12 +31,16 @@ init_system_domain(system_dbusd_t, dbusd_exec_t)
+ type system_dbusd_tmp_t;
+ files_tmp_file(system_dbusd_tmp_t)
+ 
+type system_dbusd_tmpfs_t;
+files_tmpfs_file(system_dbusd_tmpfs_t)
+
+ type system_dbusd_var_lib_t;
+ files_type(system_dbusd_var_lib_t)
 
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
@ -24014,7 +24026,7 @@ index c9998c80d..328aa81d2 100644
 
 ifdef(`enable_mcs',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,64 @@ ifdef(`enable_mls',`
+@@ -51,59 +50,69 @@ ifdef(`enable_mls',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
 ')
 
@ -24050,6 +24062,11 @@ index c9998c80d..328aa81d2 100644
 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
 -files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
 +files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+
+manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
+manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
+fs_tmpfs_filetrans(system_dbusd_t, system_dbusd_tmpfs_t, { dir file })
+allow system_dbusd_t system_dbusd_tmpfs_t:file map;
 
 read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 
@ -24097,7 +24114,7 @@ index c9998c80d..328aa81d2 100644
 mls_fd_use_all_levels(system_dbusd_t)
 mls_rangetrans_target(system_dbusd_t)
 mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +132,177 @@ term_dontaudit_use_console(system_dbusd_t)
 auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
 
@ -24175,14 +24192,14 @@ index c9998c80d..328aa81d2 100644
 +
 +optional_policy(`
 +    snapper_read_inherited_pipe(system_dbusd_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_dhcpc(system_dbusd_t)
 ')
 
 optional_policy(`
 -	seutil_sigchld_newrole(system_dbusd_t)
-+	sysnet_domtrans_dhcpc(system_dbusd_t)
-+')
-+
-+optional_policy(`
 +	systemd_use_fds_logind(system_dbusd_t)
 +	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 +	systemd_write_inhibit_pipes(system_dbusd_t)
@ -24216,7 +24233,7 @@ index c9998c80d..328aa81d2 100644
 #
 +role system_r types system_bus_type;
 +dontaudit system_bus_type self:capability net_admin;
-+
+ 
 +allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
 +
 +fs_search_all(system_bus_type)
@ -24250,7 +24267,7 @@ index c9998c80d..328aa81d2 100644
 +ifdef(`hide_broken_symptoms',`
 +	dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
 +')
- 
+
 +########################################
 +#
 +# session_bus_type rules
@ -24289,7 +24306,7 @@ index c9998c80d..328aa81d2 100644
 kernel_read_kernel_sysctls(session_bus_type)
 
 corecmd_list_bin(session_bus_type)
-@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +311,18 @@ corecmd_read_bin_files(session_bus_type)
 corecmd_read_bin_pipes(session_bus_type)
 corecmd_read_bin_sockets(session_bus_type)
 
@ -24314,7 +24331,7 @@ index c9998c80d..328aa81d2 100644
 files_dontaudit_search_var(session_bus_type)
 
 fs_getattr_romfs(session_bus_type)
-@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +330,6 @@ fs_getattr_xattr_fs(session_bus_type)
 fs_list_inotifyfs(session_bus_type)
 fs_dontaudit_list_nfs(session_bus_type)
 
@ -24322,7 +24339,7 @@ index c9998c80d..328aa81d2 100644
 selinux_validate_context(session_bus_type)
 selinux_compute_access_vector(session_bus_type)
 selinux_compute_create_context(session_bus_type)
-@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +339,36 @@ selinux_compute_user_contexts(session_bus_type)
 auth_read_pam_console_data(session_bus_type)
 
 logging_send_audit_msgs(session_bus_type)
@ -24364,7 +24381,7 @@ index c9998c80d..328aa81d2 100644
 ')
 
 ########################################
-@@ -244,5 +368,9 @@ optional_policy(`
+@@ -244,5 +376,9 @@ optional_policy(`
 # Unconfined access to this module
 #
 
@ -28598,7 +28615,7 @@ index 18f245250..a446210f0 100644
 +
 ')
 diff --git a/dspam.te b/dspam.te
-index ef6236335..084171673 100644
+index ef6236335..25dcb975a 100644
 --- a/dspam.te
 +++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@ -28624,7 +28641,7 @@ index ef6236335..084171673 100644
 
 files_search_spool(dspam_t)
 
-@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
+@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t)
 
 logging_send_syslog_msg(dspam_t)
 
@ -28634,6 +28651,9 @@ index ef6236335..084171673 100644
 	apache_content_template(dspam)
 +	apache_content_alias_template(dspam, dspam)
 +
+    manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
+    manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
+
 +	read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
 +
 +    auth_read_passwd(dspam_script_t)
@ -28641,14 +28661,14 @@ index ef6236335..084171673 100644
 +	files_search_var_lib(dspam_script_t)
 +
 +	domain_dontaudit_read_all_domains_state(dspam_script_t)
-+
-+	term_dontaudit_search_ptys(dspam_script_t)
-+	term_dontaudit_getattr_all_ttys(dspam_script_t)
-+	term_dontaudit_getattr_all_ptys(dspam_script_t)
 
 -	list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
 -	manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
 -	manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+	term_dontaudit_search_ptys(dspam_script_t)
+	term_dontaudit_getattr_all_ttys(dspam_script_t)
+	term_dontaudit_getattr_all_ptys(dspam_script_t)
+
 +	init_read_utmp(dspam_script_t)
 +
 +	logging_send_syslog_msg(dspam_script_t)
@ -28662,7 +28682,7 @@ index ef6236335..084171673 100644
 ')
 
 optional_policy(`
-@@ -87,3 +114,12 @@ optional_policy(`
+@@ -87,3 +117,12 @@ optional_policy(`
 
 	postgresql_tcp_connect(dspam_t)
 ')
@ -50810,7 +50830,7 @@ index 1d4eb19b8..650014e0f 100644
 	admin_pattern($1, memcached_var_run_t)
 ')
 diff --git a/memcached.te b/memcached.te
-index 29b752160..8c41e59db 100644
+index 29b752160..5000dd91c 100644
 --- a/memcached.te
 +++ b/memcached.te
@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1)
@ -50830,7 +50850,16 @@ index 29b752160..8c41e59db 100644
 dontaudit memcached_t self:capability sys_tty_config;
 allow memcached_t self:process { setrlimit signal_perms };
 allow memcached_t self:tcp_socket { accept listen };
-@@ -59,4 +60,3 @@ term_dontaudit_use_console(memcached_t)
+@@ -28,6 +29,8 @@ allow memcached_t self:udp_socket { accept listen };
+ allow memcached_t self:fifo_file rw_fifo_file_perms;
+ allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+ 
+allow memcached_t memcached_exec_t:file map;
+
+ manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+ manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+ manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+@@ -59,4 +62,3 @@ term_dontaudit_use_console(memcached_t)
 
 auth_use_nsswitch(memcached_t)
 
@ -54082,7 +54111,7 @@ index 6194b806b..e27c53d6e 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4fc..bb6533dae 100644
+index 11ac8e4fc..7e6607cab 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@ -54536,7 +54565,7 @@ index 11ac8e4fc..bb6533dae 100644
 ')
 
 optional_policy(`
-@@ -300,259 +340,265 @@ optional_policy(`
+@@ -300,259 +340,266 @@ optional_policy(`
 
 ########################################
 #
@ -54833,6 +54862,7 @@ index 11ac8e4fc..bb6533dae 100644
 +userdom_read_user_tmp_symlinks(mozilla_plugin_t)
 +userdom_stream_connect(mozilla_plugin_t)
 +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
+userdom_map_user_home_files(mozilla_plugin_t)
 
 -ifndef(`enable_mls',`
 -	fs_list_dos(mozilla_plugin_t)
@ -54948,7 +54978,7 @@ index 11ac8e4fc..bb6533dae 100644
 ')
 
 optional_policy(`
-@@ -560,7 +606,11 @@ optional_policy(`
+@@ -560,7 +607,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -54961,7 +54991,7 @@ index 11ac8e4fc..bb6533dae 100644
 ')
 
 optional_policy(`
-@@ -568,108 +618,144 @@ optional_policy(`
+@@ -568,108 +619,144 @@ optional_policy(`
 ')
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 306%{?dist}
+Release: 307%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -717,6 +717,16 @@ exit 0
 %endif

 %changelog
+* Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
+- Allow crond_t to read pcp lib files BZ(1525420)
+- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
+- Allow certwatch_t to mmap generic certs. BZ(1527173)
+- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
+- Add interface userdom_map_user_home_files()
+- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
+- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
+- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
+
 * Wed Dec 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-306
 - Allow thumb_t domain to dosfs_t BZ(1517720)
 - Allow gssd_t to read realmd_var_lib_t files BZ(1521125)