From 7a1df1e3707e66d1d918de9ef3912c3d100a2706 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 29 Apr 2016 16:08:26 +0200 Subject: [PATCH] * Fri Apr 29 2016 Lukas Vrabec 3.13.1-186 - Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732) - Label named-pkcs11 binary as named_exec_t. BZ(1331316) - Revert "Add new permissions stop/start to class system. rhbz#1324453" - Fix typo in module compilation message --- docker-selinux.tgz | Bin 4313 -> 4316 bytes policy-rawhide-base.patch | 25 ++++++++++++++++--------- policy-rawhide-contrib.patch | 12 +++++++----- selinux-policy.spec | 8 +++++++- 4 files changed, 30 insertions(+), 15 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 9b3e5aec4618851a3d1913905b0a86bb1637104d..b94176b52f607f8aeb2b15ca5b71d905fea70885 100644 GIT binary patch delta 3187 zcmV-(42<*HA>1KyO(u63(zk7dm^&+@>!ZGQqp)9I{ z;6-*{M=KJ0>Bidsq}TG*tKd7@4cHlzq^^6w_Cfnd2L`h2-u#AQw5JP9d@>UbNj(&Fr^ z>+|J80f$w@pi{hSA?Tm%e2Gv;mURsBd0w){X^+Z(d75!~kAwDSs7}KZ_@1q*&S~>EbgRic81h+7~KqAA}up)I% zfoq*+gsLtjH5dIcHT7AEm#fd`5w1&nHPeA2{uhZ7Q@(s5zpP|y7!scwAIp6CdUbKZ zkwvqA!^~=+ClxZ?Mm2dhV&N^uW94^L<5`iu2!Hf&?b&^A4P!HW4z-qVTuN3eZhWy;kbAY+QIe57O# zU3BEXNBUjLwm}3`4Fi#~G!FQTTOS>47t%$BQLF0o9y>wG&$xmXvK&Q-qj2D3#LA~q zuDN9u5UKqc z(qc2ITgNk@?ANrI*7-zuqgF%fzj_D%Zs6b7M|7lq{>M+xVJG0;N0lZs_JO)7JXQs8 z=u}sgqxA0_H{_zEzCS!4Gbr|6j$l@hyQhrgG0VmiG9RoPO_4G#;dU(qS|Xhx1uYgN zMe>?tC3?*ul@yePw*>N1%yQ+{r2wygz*6iITpNL7M}NjJZt)|~E3f0fAr?85KyE?u zr(#_$D$t+0M8$UL(NO}Ms7Qico%X!loaC_WeBq~a2O`NQDTgyQM*-)7Kv6=SAu(HE zL10PDc&aM4pS#Bf7Pwbr!JNEXLqUJop4&21?5^OHx|`xl$bH2qN)cO7KKN;W%TiI@ z#@jj+s=f=M^Wz8>FAEqyp6LIq%JW)FdJ}xsknfgC|q(1A$y2BeXI5G_OAi~qkjWniZ^8^HKa5^ zch>3Vf)w}1!P}OU(c?jJFZU>DHKAp8e}VHo5Kt@v?(7l>OkWKKAdHecErhOPBG$Q> z;z>{-7kViV3+T$CkimqsS|$2lQ2=}XLqHiAw46T!gni-D1wIrsSUBE)8OLE$9pG*U zGo9e0IXK38{POdU?cpbVw(C;Glh+1m(WJu1)Kw9;x$hFfK)IBEE|1Yo(vb+oGf zhcj?qb|cf~Rq8=z8B|-$D8MmpA!KA#E`?^^jPuGV+i~s)pRwj6v8D_jVc)x zR%MpPd#;u$zLfzjM4JUuDgSe$eI)*UebfX+7&UAwkMg@&3f}U6oXQ#aNGI2iaO(CU zH>P<=C5Zvky?5AIm}5;2Eh~8ni>oF-P56(mEHT)RkzYYEDjQ1~&-br!do{d~FYa=P z!(<%Xh`XWW>DdxE&9QxGp^(qiVdKg&)0?)8LzOkKy&TcAwgJZ*<{J^m!gbQiJnOJ3 zne5qppvO3?)UW5-h(?h?Z!x)qzjSHspW>3aG)A7VkCFQC zZ{IoUzprmj_1~Z45{`bDmkGquXF?m^1lJc=7gw`v)bdpV@Dr2r1}*`QlOYEg0Vb0> z2TcL!lZgkVAGhG~M5{DQ**^Ff#M^RL1a~Qzu{C@Hgf%5BO@jQclT8R$4E0#nCh4(` z^0e#tE|ahbRS1tbaDE&beA1H*2^t5}x&1(!JhziB2}Ta~_?ftsSvK=m#|-WLu#3R_3tapAWhhn&i)o@#F91s~~%blgkTf4RobM z1AOX)^Exq``*D*&3?hH06+FJhx^%fc|859nA%91(bCPNh$pMBrs25mehhL>A91fI& z!t0(j1$Rlo*7JIZ&M9J#r1xO!QmiF-pyuXcI%-A>3IzlAx1!Pxc71yj?ATU`w%@c*RFr=rqtp1IH?Y~d!%Bw zq3ZqQK9p1?B=I&D@Q;$XsZ%3FaUpaEZh1ap1Mc}J(9#tCwwn0b2FI_3Bwa0g4efTP 
zE2d+*@PR8%e{3xU_t|Fpa{LeFY#Y$aY}NJIcwC6?n2rY6-XzfN70Vy&`%2G&r#occ zDhKUpRq|{KG`W8<{!xLDb^BhTX#-EFbqBy6Qn+ckL;QSK_ z1#1IQokn@R2~8k8WN(##L8>E5ywQ&hh^JRlBzE9p45R z^}~`?Lshl_zlv8KO~+9bg7CI&)Nc_BBg)>f;vZMh9Or-Fy8;>(4_(sECg38aCK+{d3ua?m;yI3apVrJ1M~F7t z=jS)QitlO;DeSqc^1%tM8hhF)NK{^LkVq+Thl;PLN%|^Smo@tLlB<1vBBWx})-d1b z;wC*BX_0@-j*Ko|2`YFfA`CSo5f((GywKDbjP1jk1CWdBsH70bDT@wqTVdMbFZgQ9 z8Z^Dwve~FbQ?J##axkuRg-P2@l0-3o@6Juy$tk&T=hYrVl!mVyI4fVcr-*@>s*b7;Ga(tPX-86~ zitbC7#{XYjLgp9ir+l$t`2CNon|C+g*zbRQ{q5=R|9_V25;NnMzsZtK{vMV*0y&dA zYjZ3AFk*cxA5dBCN%0Ml%ZApMtF*Y30E>Uc+qctDIkkm-!+<2Q=nyW@A_+w;)>-|oCu^upl+7bReA<7B z*|b?$DvoohZTsp!AYSr6)%7H(=$9P<7|?`i_znL)*?hb&y*r++({;K|*XcT4r|Wc` ZuG4k8PS@!=UH==`e*xYkJ8l4Y007SzA58!N delta 3223 zcmV;I3~2M*A=x2+ABzY8sIMSb00Zq@>yO(u63Vm&dpNZHa32mR zuKid*l_lC%SFeiHdVN9u_nYBM6h-Q>_9ojq3rK8>Ge45U(Qsxs+N6wcNPUs6pFG@k z1=sucZ}Ichhj&-zCtR=Jy?OKI$*b2NUR}X|@85oS0-x`Hu3kS0t{!kq`f4bP>L7TM z-PX~H#9q3w_P^-0eD*B(mNt1F)%)*%-IAcJNb!=EO&yaUs;VrFBbJs$5SImu(t^|h zDK_wV@$IEzTLQ?mtJ53&Sp0NH;)anR;c6J9MZmWDS5oHC;{|8BG`NCqtEi6hpontv z-BUsJ^!pxv_K&w7tha^%SBw)B+iqNlBkZi;VLc8zIk=N zTqxkMiWqc?cP#|{lbtUS>d3N=K|YU5);R4^IZu;+ZX6YyvM<#GW%NQp8_S3v@! 
zj9FQygwBxSVn~Wn923gX7Bj>rWdLIu72<7FBV8*;-gEHHs~*8MOfQhg@HMPRom1di zrx~HDOG(W|e@sn%RO038^JRqV(q7GUposrXqQsOhU&ya3*&2q#=f=k}U%p;lTySL3 z>@c%`8t6fVOt(=@9*vm!XeJ6;&`uC@mQsca?3A)Zv44-Q&In&t+}wkA`l|NU^dI~w z#+{Q^Bu>{UN#y2;MSTeLt53pi?K9l!w;{E|_A6S`k^#{n9qAMRM*+Ul{ z`R|c_m$GdT0ae35q%4gCKI7I$2it{okzv%TI=#hCkn#(zpoJ_)5#lHu_!zPBsg!GO zS%pN<631LbbGj0|VVp&jdb;9m{k~R2c9+cQ5C4A(@ixjo%D#Kb>c%%kB(=I-k+j%< zOzPJ0Oep&`Ev9uo5#FfP(E4v)!@oE1@9hyCsh|J(<73zfxc5<|$&7uVZVHc80USEj zRpluCJI4*VD5-A`&&Ldky_X}H73A(IBYDiS@r2Ar>qb+gj7zv(3xSqMXGlSd1xb;- zCRvGIGe{)`W#KJ>ycDxsxpgVPE3g!Qy9C!p;MmchF^p^c2=vP9_-}|s4keIVko>7w zmx~JYr!G;kU3zqsz$Pk^U{|L-Z#O47Y&&21>D+-x@=40!jLlKNc_2`fP-jTY7FZBi z5;LBvitXp_v4I8d6CX8IHm5U_!4qkF^W>e7L*Tu+OkxCRM+vg z4uz`kLg@TBg2hY3WNj2Cc10y%%v_U#%@HqN{cZ-t%o(POy4^sr^CXl*M9EJSy|E{| znstMmBu@*W>zIgjE~a=A z6v%~M%EJP>vM6LQA+1)4{#O*ho_`lm1_mwX&j4Xx`E-E~1q~LCcgAsl*i;9&+rdmH z_-GD}u^zwt{6l;ANgwUHRPp4sL0UAa@G*5&#BJ`ogfLKUYQ?mv<=%4eYZQ+fkDv?W zuvj^3!*?cNRVZ9HFseY#k4F^z0ZyS~*#CJ#qfpNi*vGUki+q+R@Bjs!fap#iM z(hUSS*5(hpsN?RYe^YFKD?=W#j4y&u;KJ50#ek-pBFcnU7kvIWAqW9jZgCy0s{i2( zoR{6mw0V_!kXZ)R7BdQPj9Um9S(QtnnK$FSa>{m`JHltI`ADp(0!Ms`dr_lGMukU_P$xjph{VPih_G9E%P>jmPQpWTBYusK9Z{(}H9O5t; z2RGtwD0zCe1Wt2oA6h8nBX!ugvdr|RE#pvS4Qww*^sH^b@rLB>3;80GJqJwz?30TJr61Se@kFaMOW8j76vW$dR|GdHn6Wi{1B5jt zEKP#^rjt(yR}6Ju)+Xt(j`FnY_&Sra2vrDAIB^Q(FbPHu zcK?~Um033PSH}$P{kW5a2{i#Gle!680a=q43LpW^lQ#+`0R@v@3OoVTlbZ@50&*9V zz6wJh8;d|5=SCephWnjoJWz9UF&#Cd1%`o%1Zp*NL)8Fs;%dllxm93wX~W_hcZk@(ot0(fXL2LT zOaINW==3`gctxqXNpnQK>ncT?(ce4JE=+&xmU+fem>avw^n5|Vfu3;0J# z+|;QNqPP&c1GhXMu>tq|6KH7)e_Ks_ZG+?2LXxhQy@qzX(-qS(U3kY8r$4rqg8OVU zeL4Pza<&cVWwz@2Y&OM_jQU~8s-Y@dfM3O{j;7-% z3PE_=HtM&Cg%M@%Sn-dmXpVD#@Ld57i-#_0XA^J{L*=&tkat8VC@q3 z;GcU%(&+uC<3anV3+|~GVv~$IxdpSaE%6-3yiIH7i6cat?ep`SUd4AchZOeQRe9%x zR*gOF6eKFIH%O!uxI@KP)Fgcttjikxd&$+lJ`qweYHOG;ba9g&jkHLAW=BRB&jb}b z6cL6Rk_ZbTQeJ3k4950h%>l^8byQM_ypP-3jW%EVjKQ>13bqI3_ai3i7i7S$B_X9MrIya9vMuZku4Qb#DJl4 z7VV$9P0@f6Hr~bXZ7iIj-CagldZrW{OCEKN@C{oI^%ko(8?zN#%8kDzGE~|n3L|IN 
zKACJY3!rpd>cTRTBD#XCtx9t57V15Xp#!9mw@bVY!)Hndqxz43nGS~bo;=+jdEhW= z6m0k3i1k&e~kdKa5yk%Li0eds2Ku zfA{Tfc?kwyf}dSp{O$bji)lc*fL5Tuo@PjW7Ev%K06naZ%A@=+xL+60vGP{ds;mI0m6J>J`5TEv6Vm56SmWtzCYTLg04~Uoi zPjx*AD*9zd00uN+8h*pSPc|R#YwwPy>vWy2({;K|*XcT4r|Wc`uG4k8PS^j&^ $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ @@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs) @echo "Validating policy linking." $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ @@ -868,7 +877,7 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..d0a8a5b 100644 +index a94b169..2e137e6 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -879,7 +888,7 @@ index a94b169..d0a8a5b 100644 } -@@ -393,6 +394,15 @@ class system +@@ -393,6 +394,13 @@ class system syslog_mod syslog_console module_request @@ -890,12 +899,10 @@ index a94b169..d0a8a5b 100644 + enable + disable + reload -+ stop -+ start } # -@@ -443,10 +453,13 @@ class capability +@@ -443,10 +451,13 @@ class capability class capability2 { mac_override # unused by SELinux @@ -910,7 +917,7 @@ index a94b169..d0a8a5b 100644 } # -@@ -690,6 +703,8 @@ class nscd +@@ -690,6 +701,8 @@ class nscd shmemhost getserv shmemserv @@ -919,7 +926,7 @@ index a94b169..d0a8a5b 100644 } # Define the access vector interpretation for controlling -@@ -831,6 +846,38 @@ inherits socket +@@ -831,6 +844,38 @@ inherits socket attach_queue } @@ -958,7 +965,7 @@ index a94b169..d0a8a5b 100644 class x_pointer inherits x_device -@@ -865,3 +912,18 @@ inherits database +@@ -865,3 +910,18 @@ inherits database implement execute } diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 2d560ab5..b3d2b386 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
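Review bot: Dropping `stop` and `start` from `class system` again (the `-+ stop` / `-+ start` lines) is only safe if no shipped or in-tree module still names those permissions, and nothing in this commit checks that: the contrib patch in the same commit touches only bind.fc and snapper.te, so whether the original rhbz#1324453 change also added allow rules using them is not visible here. As far as I recall, a module that references a permission the base's access_vectors no longer defines fails at link/expand time rather than being silently ignored, so a stale reference would break the build or `semodule` load instead of just losing an access. A grep over the contrib patch for `system` rules mentioning `stop` or `start` before merging, with the result noted next to the revert, would settle it. The adjusted inner header `+@@ -393,6 +394,13 @@` is consistent with the two removed lines; the rest of access_vectors is outside this hunk.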
@@ -9425,10 +9425,10 @@ index c3fd7b1..e189593 100644
 -
 -miscfiles_read_localization(bcfg2_t)
 diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..750788c 100644
+index 2b9a3a1..49accb6 100644
 --- a/bind.fc
 +++ b/bind.fc
-@@ -1,54 +1,76 @@
+@@ -1,54 +1,77 @@
 -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -9463,6 +9463,7 @@ index 2b9a3a1..750788c 100644
 -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
 +/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
 +/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/named-pkcs11 -- gen_context(system_u:object_r:named_exec_t,s0)
 +/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 +/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
  /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
@@ -99864,10 +99865,10 @@ index 0000000..88490d5
 +
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..3984dba
+index 0000000..939b8be
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,83 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@@ -99893,7 +99894,8 @@ index 0000000..3984dba
 +# snapperd local policy
 +#
 +
-+allow snapperd_t self:capability dac_override;
++allow snapperd_t self:capability { dac_override sys_admin };
++allow snapperd_t self:process setsched;
 +
 +allow snapperd_t self:fifo_file rw_fifo_file_perms;
 +allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 94b2f6cf..fe4b6609 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
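Review bot: The new `/usr/sbin/named-pkcs11` entry only puts that binary into the named_t domain; it says nothing about the PKCS#11 provider the binary loads at runtime (presumably softhsm or an HSM client library, which I cannot confirm from here), and access from named_t to that provider's token store is not addressed anywhere in this commit, so further denials after BZ(1331316) are plausible. A short comment on the line would help whoever hits them, e.g. `# named-pkcs11 (BZ 1331316): same domain as named; verify named_t can reach the PKCS#11 token store`. The remainder of bind.fc is outside the hunk.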
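Review bot: `sys_admin` is broader than the justification given for it: setting the scheduler is gated by CAP_SYS_NICE plus the `process:setsched` check that the second added line already grants, so sys_admin is not what makes `setsched` work, while CAP_SYS_ADMIN is the capability that unlocks most privileged ioctls and mount operations for snapperd_t. Whatever operation in BZ(1323732) actually raised the `sys_admin` denial should be named on the line so it can be audited and narrowed later — given what snapperd does, a snapshot-related ioctl is the likely candidate, but the hunk does not show it — e.g. `# sys_admin: required for <operation from BZ 1323732>; setsched only needs process:setsched (and sys_nice for RT policies)` above the `allow snapperd_t self:capability { dac_override sys_admin };` line. If the AVC turns out to have been a CAP_SYS_NICE denial, `sys_nice` should replace `sys_admin`. The snapperd_t policy continues outside this hunk.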
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 185%{?dist}
+Release: 186%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -653,6 +653,12 @@ exit 0 %endif %changelog
+* Fri Apr 29 2016 Lukas Vrabec 3.13.1-186
+- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
+- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
+- Revert "Add new permissions stop/start to class system. rhbz#1324453"
+- Fix typo in module compilation message
+
 * Wed Apr 27 2016 Lukas Vrabec 3.13.1-185
 - Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
 - Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)