* Fri Apr 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-186

- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
- Revert "Add new permissions stop/start to class system. rhbz#1324453"
- Fix typo in module compilation message

policy-rawhide-base.patch

@@ -46,9 +46,18 @@ index ec7b5cb..a027110 100644
  ifndef LOCAL_ROOT
  	rm -f $(fcsort)
 diff --git a/Rules.modular b/Rules.modular
-index 313d837..ef3c532 100644
+index 313d837..4f261a9 100644
 --- a/Rules.modular
 +++ b/Rules.modular
+@@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp
+ # Build module packages
+ #
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+-	@echo "Compliling $(NAME) $(@F) module"
++	@echo "Compiling $(NAME) $(@F) module"
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+ 	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
 @@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs)
  	@echo "Validating policy linking."
  	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
@@ -868,7 +877,7 @@ index 3a45f23..ee7d7b3 100644
  constrain socket_class_set { create relabelto relabelfrom } 
  (
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index a94b169..d0a8a5b 100644
+index a94b169..2e137e6 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -329,6 +329,7 @@ class process
@@ -879,7 +888,7 @@ index a94b169..d0a8a5b 100644
  }
  
  
-@@ -393,6 +394,15 @@ class system
+@@ -393,6 +394,13 @@ class system
  	syslog_mod
  	syslog_console
  	module_request
@@ -890,12 +899,10 @@ index a94b169..d0a8a5b 100644
 +    enable
 +    disable
 +    reload
-+	stop
-+	start
  }
  
  #
-@@ -443,10 +453,13 @@ class capability
+@@ -443,10 +451,13 @@ class capability
  class capability2 
  {
  	mac_override	# unused by SELinux
@@ -910,7 +917,7 @@ index a94b169..d0a8a5b 100644
  }
  
  #
-@@ -690,6 +703,8 @@ class nscd
+@@ -690,6 +701,8 @@ class nscd
  	shmemhost
  	getserv
  	shmemserv
@@ -919,7 +926,7 @@ index a94b169..d0a8a5b 100644
  }
  
  # Define the access vector interpretation for controlling
-@@ -831,6 +846,38 @@ inherits socket
+@@ -831,6 +844,38 @@ inherits socket
  	attach_queue
  }
  
@@ -958,7 +965,7 @@ index a94b169..d0a8a5b 100644
  class x_pointer
  inherits x_device
  
-@@ -865,3 +912,18 @@ inherits database
+@@ -865,3 +910,18 @@ inherits database
  	implement
  	execute
  }

policy-rawhide-contrib.patch

@@ -9425,10 +9425,10 @@ index c3fd7b1..e189593 100644
 -
 -miscfiles_read_localization(bcfg2_t)
 diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..750788c 100644
+index 2b9a3a1..49accb6 100644
 --- a/bind.fc
 +++ b/bind.fc
-@@ -1,54 +1,76 @@
+@@ -1,54 +1,77 @@
 -/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -9463,6 +9463,7 @@ index 2b9a3a1..750788c 100644
 -/usr/sbin/r?ndc	--	gen_context(system_u:object_r:ndc_exec_t,s0)
 +/usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
 +/usr/sbin/named-sdb	--	gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/named-pkcs11	--	gen_context(system_u:object_r:named_exec_t,s0)
 +/usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 +/usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
  /usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
@@ -99864,10 +99865,10 @@ index 0000000..88490d5
 +
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..3984dba
+index 0000000..939b8be
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,83 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@@ -99893,7 +99894,8 @@ index 0000000..3984dba
 +# snapperd local policy
 +#
 +
-+allow snapperd_t self:capability dac_override;
++allow snapperd_t self:capability { dac_override sys_admin };
++allow snapperd_t self:process setsched;
 +
 +allow snapperd_t self:fifo_file rw_fifo_file_perms;
 +allow snapperd_t self:unix_stream_socket create_stream_socket_perms;

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 185%{?dist}
+Release: 186%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -653,6 +653,12 @@ exit 0
 %endif
 
 %changelog
+* Fri Apr 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-186
+- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
+- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
+- Revert "Add new permissions stop/start to class system. rhbz#1324453"
+- Fix typo in module compilation message
+
 * Wed Apr 27 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-185
 - Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
 - Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)