* Thu May 05 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-187

- Allow stunnel create log files. BZ(1333033) - Label dev/shm/squid-cf__metadata.shm as squid_tmpfs_t. BZ(1331574) - Allow stunnel sys_nice capability. Stunnel sched_* syscalls in some cases. BZ(1332287) - Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs. - Allow systemd-user-sessions daemon to mamange systemd_logind_var_run_t pid files. BZ(1331980) - Modify kernel_steam_connect() interface by adding getattr permission. BZ(1331927) - Label /usr/sbin/xrdp* files as bin_t BZ(1258453) - Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318
2016-05-05 10:27:13 +02:00 · 2016-05-05 10:27:13 +02:00 · 7ff0b8badf
commit 7ff0b8badf
parent 7a1df1e370
4 changed files with 226 additions and 125 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -20867,7 +20867,7 @@ index 7be4ddf..9710b33 100644
 +/sys/kernel/debug -d	gen_context(system_u:object_r:debugfs_t,s0)
 +/sys/kernel/debug/.*	<<none>>
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..c652350 100644
+index e100d88..1428581 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@ -20920,6 +20920,15 @@ index e100d88..c652350 100644
 ##	Allows the kernel to share state information with
 ##	the caller.
 ## </summary>
+@@ -268,7 +304,7 @@ interface(`kernel_stream_connect',`
+ 		type kernel_t;
+ 	')
+ 
+-	allow $1 kernel_t:unix_stream_socket connectto;
+	allow $1 kernel_t:unix_stream_socket { getattr connectto };
+ ')
+ 
+ ########################################
@@ -286,7 +322,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
 		type kernel_t;
 	')
@ -25834,7 +25843,7 @@ index 0000000..63bc797
 +logging_stream_connect_syslog(sysadm_t)
 diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
 new file mode 100644
-index 0000000..b680867
+index 0000000..d9efb90
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.fc
@@ -0,0 +1,8 @@
@ -25844,8 +25853,8 @@ index 0000000..b680867
 +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
 +#/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 +
-+/usr/sbin/xrdp   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
-+/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
+#/usr/sbin/xrdp   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
+#/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
 new file mode 100644
 index 0000000..03faeac
@ -36636,7 +36645,7 @@ index 79a45f6..e69fa39 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..5559333 100644
+index 17eda24..1522b3c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -36931,7 +36940,7 @@ index 17eda24..5559333 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +323,247 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +323,252 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -36981,17 +36990,21 @@ index 17eda24..5559333 100644
 +')
 +
 +optional_policy(`
-+	iscsi_read_lib_files(init_t)
-+	iscsi_manage_lock(init_t)
+	anaconda_domtrans_install(init_t)
 +')
 +
 +optional_policy(`
+	iscsi_read_lib_files(init_t)
+	iscsi_manage_lock(init_t)
+ ')
+ 
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	modutils_domtrans_insmod(init_t)
 +	modutils_list_module_config(init_t)
 ')
 
 optional_policy(`
-	auth_rw_login_records(init_t)
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_config(init_t)
@ -37103,6 +37116,7 @@ index 17eda24..5559333 100644
 +systemd_manage_random_seed(init_t)
 +systemd_manage_all_unit_files(init_t)
 +systemd_logger_stream_connect(init_t)
+systemd_login_manage_pid_files(init_t)
 +systemd_config_all_services(init_t)
 +systemd_relabelto_fifo_file_passwd_run(init_t)
 +systemd_relabel_unit_dirs(init_t)
@ -37147,9 +37161,9 @@ index 17eda24..5559333 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
- ')
- 
- optional_policy(`
+')
+
+optional_policy(`
 +	consolekit_manage_log(init_t)
 +')
 +
@ -37161,18 +37175,18 @@ index 17eda24..5559333 100644
 +	optional_policy(`
 +		devicekit_dbus_chat_power(init_t)
 +	')
- ')
- 
- optional_policy(`
-	nscd_use(init_t)
+')
+
+optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_use(init_t)
 +	networkmanager_stream_connect(init_t)
 +	networkmanager_stream_connect(initrc_t)
 +')
@ -37188,7 +37202,7 @@ index 17eda24..5559333 100644
 ')
 
 optional_policy(`
-@@ -216,7 +571,30 @@ optional_policy(`
+@@ -216,7 +576,30 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37220,7 +37234,7 @@ index 17eda24..5559333 100644
 ')
 
 ########################################
-@@ -225,9 +603,9 @@ optional_policy(`
+@@ -225,9 +608,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -37232,7 +37246,7 @@ index 17eda24..5559333 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -258,12 +636,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +641,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -37249,7 +37263,7 @@ index 17eda24..5559333 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +661,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +666,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -37292,7 +37306,7 @@ index 17eda24..5559333 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +698,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +703,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -37304,7 +37318,7 @@ index 17eda24..5559333 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +710,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +715,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -37315,7 +37329,7 @@ index 17eda24..5559333 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +721,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +726,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -37325,7 +37339,7 @@ index 17eda24..5559333 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +730,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +735,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -37333,7 +37347,7 @@ index 17eda24..5559333 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +737,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +742,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -37341,7 +37355,7 @@ index 17eda24..5559333 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +745,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +750,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -37359,7 +37373,7 @@ index 17eda24..5559333 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +763,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +768,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -37373,7 +37387,7 @@ index 17eda24..5559333 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +778,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +783,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -37387,7 +37401,7 @@ index 17eda24..5559333 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +791,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +796,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -37398,7 +37412,7 @@ index 17eda24..5559333 100644
 
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +804,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +809,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -37406,7 +37420,7 @@ index 17eda24..5559333 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +823,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +828,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -37430,7 +37444,7 @@ index 17eda24..5559333 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +856,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +861,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -37438,7 +37452,7 @@ index 17eda24..5559333 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +890,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +895,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -37449,7 +37463,7 @@ index 17eda24..5559333 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -506,7 +914,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +919,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -37458,7 +37472,7 @@ index 17eda24..5559333 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -521,6 +929,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +934,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -37466,7 +37480,7 @@ index 17eda24..5559333 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +950,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +955,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -37474,7 +37488,7 @@ index 17eda24..5559333 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +960,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +965,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -37519,7 +37533,7 @@ index 17eda24..5559333 100644
 	')
 
 	optional_policy(`
-@@ -559,14 +1005,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1010,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -37551,7 +37565,7 @@ index 17eda24..5559333 100644
 	')
 ')
 
-@@ -577,6 +1040,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1045,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -37591,7 +37605,7 @@ index 17eda24..5559333 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1085,8 @@ optional_policy(`
+@@ -589,6 +1090,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -37600,7 +37614,7 @@ index 17eda24..5559333 100644
 ')
 
 optional_policy(`
-@@ -610,6 +1108,7 @@ optional_policy(`
+@@ -610,6 +1113,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -37608,7 +37622,7 @@ index 17eda24..5559333 100644
 ')
 
 optional_policy(`
-@@ -626,6 +1125,17 @@ optional_policy(`
+@@ -626,6 +1130,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37626,7 +37640,7 @@ index 17eda24..5559333 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -642,9 +1152,13 @@ optional_policy(`
+@@ -642,9 +1157,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -37640,7 +37654,7 @@ index 17eda24..5559333 100644
 	')
 
 	optional_policy(`
-@@ -657,15 +1171,11 @@ optional_policy(`
+@@ -657,15 +1176,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37658,7 +37672,7 @@ index 17eda24..5559333 100644
 ')
 
 optional_policy(`
-@@ -686,6 +1196,15 @@ optional_policy(`
+@@ -686,6 +1201,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37674,7 +37688,7 @@ index 17eda24..5559333 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -726,6 +1245,7 @@ optional_policy(`
+@@ -726,6 +1250,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -37682,7 +37696,7 @@ index 17eda24..5559333 100644
 ')
 
 optional_policy(`
-@@ -743,7 +1263,13 @@ optional_policy(`
+@@ -743,7 +1268,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37697,7 +37711,7 @@ index 17eda24..5559333 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -766,6 +1292,10 @@ optional_policy(`
+@@ -766,6 +1297,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37708,7 +37722,7 @@ index 17eda24..5559333 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1305,20 @@ optional_policy(`
+@@ -775,10 +1310,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37729,7 +37743,7 @@ index 17eda24..5559333 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -787,6 +1327,10 @@ optional_policy(`
+@@ -787,6 +1332,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37740,7 +37754,7 @@ index 17eda24..5559333 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -808,8 +1352,6 @@ optional_policy(`
+@@ -808,8 +1357,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -37749,7 +37763,7 @@ index 17eda24..5559333 100644
 ')
 
 optional_policy(`
-@@ -818,6 +1360,10 @@ optional_policy(`
+@@ -818,6 +1365,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37760,7 +37774,7 @@ index 17eda24..5559333 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1373,12 @@ optional_policy(`
+@@ -827,10 +1378,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -37773,7 +37787,7 @@ index 17eda24..5559333 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1405,62 @@ optional_policy(`
+@@ -857,21 +1410,62 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37837,7 +37851,7 @@ index 17eda24..5559333 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1476,10 @@ optional_policy(`
+@@ -887,6 +1481,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37848,7 +37862,7 @@ index 17eda24..5559333 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1490,218 @@ optional_policy(`
+@@ -897,3 +1495,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -31640,10 +31640,10 @@ index 5cd0909..bd3c3d2 100644
 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
 diff --git a/glusterd.fc b/glusterd.fc
 new file mode 100644
-index 0000000..8c8c6c9
+index 0000000..cbd6aa4
 --- /dev/null
 +++ b/glusterd.fc
-@@ -0,0 +1,18 @@
+@@ -0,0 +1,20 @@
 +/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 +
 +/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
@ -31652,6 +31652,8 @@ index 0000000..8c8c6c9
 +/usr/sbin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 +/usr/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +
+/usr/bin/ganesha.nfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+
 +/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +
 +/var/lib/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_var_lib_t,s0)
@ -31913,10 +31915,10 @@ index 0000000..fc9bf19
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..74ec2fd
+index 0000000..8e0f5a7
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,295 @@
+@@ -0,0 +1,296 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@ -32200,6 +32202,7 @@ index 0000000..74ec2fd
 +    rpc_domtrans_nfsd(glusterd_t)
 +    rpc_domtrans_rpcd(glusterd_t)
 +    rpc_manage_nfs_state_data(glusterd_t)
+	rpcbind_stream_connect(glusterd_t)
 +')
 +
 +optional_policy(`
@ -86143,7 +86146,7 @@ index c8bdea2..1574225 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..1fafe47 100644
+index 6cf79c4..1a605f9 100644
 --- a/rhcs.te
 +++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@ -86182,7 +86185,7 @@ index 6cf79c4..1fafe47 100644
 attribute cluster_domain;
 attribute cluster_log;
 attribute cluster_pid;
-@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,284 @@ type foghorn_initrc_exec_t;
 init_script_file(foghorn_initrc_exec_t)
 
 rhcs_domain_template(gfs_controld)
@ -86436,6 +86439,7 @@ index 6cf79c4..1fafe47 100644
 +    rpc_domtrans_nfsd(cluster_t)
 +    rpc_domtrans_rpcd(cluster_t)
 +    rpc_manage_nfs_state_data(cluster_t)
+	rpc_filetrans_var_lib_nfs_content(cluster_t)
 +')
 +
 +optional_policy(`
@ -86470,7 +86474,7 @@ index 6cf79c4..1fafe47 100644
 ')
 
 #####################################
-@@ -79,13 +357,14 @@ optional_policy(`
+@@ -79,13 +358,14 @@ optional_policy(`
 # dlm_controld local policy
 #
 
@ -86487,7 +86491,7 @@ index 6cf79c4..1fafe47 100644
 kernel_rw_net_sysctls(dlm_controld_t)
 
 corecmd_exec_bin(dlm_controld_t)
-@@ -98,16 +377,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
 
 init_rw_script_tmp_files(dlm_controld_t)
 
@ -86521,7 +86525,7 @@ index 6cf79c4..1fafe47 100644
 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
 files_lock_filetrans(fenced_t, fenced_lock_t, file)
 
-@@ -118,9 +411,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
 
 stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 
@ -86533,7 +86537,7 @@ index 6cf79c4..1fafe47 100644
 
 corecmd_exec_bin(fenced_t)
 corecmd_exec_shell(fenced_t)
-@@ -140,6 +432,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
 
 corenet_sendrecv_zented_server_packets(fenced_t)
 corenet_tcp_bind_zented_port(fenced_t)
@ -86542,7 +86546,7 @@ index 6cf79c4..1fafe47 100644
 corenet_tcp_sendrecv_zented_port(fenced_t)
 
 corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +442,8 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +443,8 @@ corenet_tcp_sendrecv_http_port(fenced_t)
 
 dev_read_sysfs(fenced_t)
 dev_read_urand(fenced_t)
@ -86554,7 +86558,7 @@ index 6cf79c4..1fafe47 100644
 
 storage_raw_read_fixed_disk(fenced_t)
 storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +454,7 @@ term_getattr_pty_fs(fenced_t)
 term_use_generic_ptys(fenced_t)
 term_use_ptmx(fenced_t)
 
@ -86563,7 +86567,7 @@ index 6cf79c4..1fafe47 100644
 
 tunable_policy(`fenced_can_network_connect',`
 	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +475,8 @@ optional_policy(`
+@@ -182,7 +476,8 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -86573,7 +86577,7 @@ index 6cf79c4..1fafe47 100644
 ')
 
 optional_policy(`
-@@ -190,12 +484,17 @@ optional_policy(`
+@@ -190,12 +485,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -86592,7 +86596,7 @@ index 6cf79c4..1fafe47 100644
 ')
 
 optional_policy(`
-@@ -203,6 +502,21 @@ optional_policy(`
+@@ -203,6 +503,21 @@ optional_policy(`
 	snmp_manage_var_lib_dirs(fenced_t)
 ')
 
@ -86614,7 +86618,7 @@ index 6cf79c4..1fafe47 100644
 #######################################
 #
 # foghorn local policy
-@@ -221,16 +535,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +536,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
 corenet_tcp_connect_agentx_port(foghorn_t)
 corenet_tcp_sendrecv_agentx_port(foghorn_t)
 
@ -86639,7 +86643,7 @@ index 6cf79c4..1fafe47 100644
 	snmp_stream_connect(foghorn_t)
 ')
 
-@@ -247,16 +567,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
+@@ -247,16 +568,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
 stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
 stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 
@ -86661,7 +86665,7 @@ index 6cf79c4..1fafe47 100644
 optional_policy(`
 	lvm_exec(gfs_controld_t)
 	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +599,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +600,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
 
 dev_list_sysfs(groupd_t)
 
@ -86721,7 +86725,7 @@ index 6cf79c4..1fafe47 100644
 ######################################
 #
 # qdiskd local policy
-@@ -292,7 +663,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +664,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
 manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
 files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
 
@ -86729,7 +86733,7 @@ index 6cf79c4..1fafe47 100644
 kernel_read_software_raid_state(qdiskd_t)
 kernel_getattr_core_if(qdiskd_t)
 
-@@ -321,6 +691,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +692,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
 
 auth_use_nsswitch(qdiskd_t)
 
@ -88903,7 +88907,7 @@ index a6fb30c..38a2f09 100644
 +/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +
 diff --git a/rpc.if b/rpc.if
-index 0bf13c2..50f25de 100644
+index 0bf13c2..4f3c2b9 100644
 --- a/rpc.if
 +++ b/rpc.if
@@ -1,4 +1,4 @@
@ -89221,10 +89225,11 @@ index 0bf13c2..50f25de 100644
 	files_search_var_lib($1)
 -	allow $1 var_lib_nfs_t:dir search;
 +	allow $1 var_lib_nfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read nfs lib files.
 +##	List NFS state data in /var/lib/nfs.
 +## </summary>
 +## <param name="domain">
@ -89240,11 +89245,10 @@ index 0bf13c2..50f25de 100644
 +
 +	files_search_var_lib($1)
 +	allow $1 var_lib_nfs_t:dir list_dir_perms;
- ')
- 
- ########################################
- ## <summary>
-##	Read nfs lib files.
+')
+
+########################################
+## <summary>
 +##	Read NFS state data in /var/lib/nfs.
 ## </summary>
 ## <param name="domain">
@ -89259,7 +89263,7 @@ index 0bf13c2..50f25de 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -366,31 +403,50 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -366,31 +403,68 @@ interface(`rpc_manage_nfs_state_data',`
 
 	files_search_var_lib($1)
 	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
@ -89277,6 +89281,7 @@ index 0bf13c2..50f25de 100644
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+-## <param name="role">
 +#
 +interface(`rpc_rw_gssd_keys',`
 +	gen_require(`
@ -89286,6 +89291,25 @@ index 0bf13c2..50f25de 100644
 +	allow $1 gssd_t:key { read search setattr view write };
 +')
 +
+########################################
+## <summary>
+##	Transition to alsa named content
+## </summary>
+## <param name="domain">
+ ##	<summary>
+-##	Role allowed access.
+##      Domain allowed access.
+ ##	</summary>
+ ## </param>
+#
+interface(`rpc_filetrans_var_lib_nfs_content',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs")
+')
+
 +#######################################
 +## <summary>
 +##  All of the rules required to
@ -89296,14 +89320,11 @@ index 0bf13c2..50f25de 100644
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
- ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+## <param name="role">
 +##  <summary>
 +##  Role allowed access.
 +##  </summary>
- ## </param>
+## </param>
 ## <rolecap/>
 #
 interface(`rpc_admin',`
@ -89317,7 +89338,7 @@ index 0bf13c2..50f25de 100644
 	')
 
 	allow $1 rpc_domain:process { ptrace signal_perms };
-@@ -411,7 +467,7 @@ interface(`rpc_admin',`
+@@ -411,7 +485,7 @@ interface(`rpc_admin',`
 	admin_pattern($1, rpcd_var_run_t)
 
 	files_list_all($1)
@ -89327,10 +89348,10 @@ index 0bf13c2..50f25de 100644
 	files_list_tmp($1)
 	admin_pattern($1, gssd_tmp_t)
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..876a4e7 100644
+index 2da9fca..7f491b0 100644
 --- a/rpc.te
 +++ b/rpc.te
-@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
+@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
 #
 
 ## <desc>
@ -89360,10 +89381,17 @@ index 2da9fca..876a4e7 100644
 ## </desc>
 -gen_tunable(allow_nfsd_anon_write, false)
 +gen_tunable(nfsd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow rpcd_t  to manage fuse files
+## </p>
+## </desc>
+gen_tunable(rpcd_use_fusefs, false)
 
 attribute rpc_domain;
 
-@@ -39,21 +37,23 @@ files_tmp_file(gssd_tmp_t)
+@@ -39,21 +44,23 @@ files_tmp_file(gssd_tmp_t)
 type rpcd_var_run_t;
 files_pid_file(rpcd_var_run_t)
 
@ -89392,7 +89420,7 @@ index 2da9fca..876a4e7 100644
 
 type var_lib_nfs_t;
 files_mountpoint(var_lib_nfs_t)
-@@ -71,7 +71,6 @@ allow rpc_domain self:tcp_socket { accept listen };
+@@ -71,7 +78,6 @@ allow rpc_domain self:tcp_socket { accept listen };
 manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
 manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
 
@ -89400,7 +89428,7 @@ index 2da9fca..876a4e7 100644
 kernel_read_kernel_sysctls(rpc_domain)
 kernel_rw_rpc_sysctls(rpc_domain)
 
-@@ -79,8 +78,6 @@ dev_read_sysfs(rpc_domain)
+@@ -79,8 +85,6 @@ dev_read_sysfs(rpc_domain)
 dev_read_urand(rpc_domain)
 dev_read_rand(rpc_domain)
 
@ -89409,7 +89437,7 @@ index 2da9fca..876a4e7 100644
 corenet_tcp_sendrecv_generic_if(rpc_domain)
 corenet_udp_sendrecv_generic_if(rpc_domain)
 corenet_tcp_sendrecv_generic_node(rpc_domain)
-@@ -108,41 +105,43 @@ files_read_etc_runtime_files(rpc_domain)
+@@ -108,41 +112,45 @@ files_read_etc_runtime_files(rpc_domain)
 files_read_usr_files(rpc_domain)
 files_list_home(rpc_domain)
 
@ -89451,6 +89479,8 @@ index 2da9fca..876a4e7 100644
 manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
 
+read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t)
+
 +# rpc.statd executes sm-notify
 can_exec(rpcd_t, rpcd_exec_t)
 
@ -89461,7 +89491,7 @@ index 2da9fca..876a4e7 100644
 kernel_read_sysctl(rpcd_t)
 kernel_rw_fs_sysctls(rpcd_t)
 kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -163,13 +162,14 @@ fs_getattr_all_fs(rpcd_t)
+@@ -163,13 +171,21 @@ fs_getattr_all_fs(rpcd_t)
 
 storage_getattr_fixed_disk_dev(rpcd_t)
 
@ -89472,14 +89502,20 @@ index 2da9fca..876a4e7 100644
 miscfiles_read_generic_certs(rpcd_t)
 
 -seutil_dontaudit_search_config(rpcd_t)
-
-userdom_signal_all_users(rpcd_t)
 +userdom_signal_unpriv_users(rpcd_t)
 +userdom_read_user_home_content_files(rpcd_t)
 
+-userdom_signal_all_users(rpcd_t)
+tunable_policy(`rpcd_use_fusefs',`
+	fs_manage_fusefs_dirs(rpcd_t)
+	fs_manage_fusefs_files(rpcd_t)
+	fs_read_fusefs_symlinks(rpcd_t)
+	fs_getattr_fusefs(rpcd_t)
+')
+ 
 ifdef(`distro_debian',`
 	term_dontaudit_use_unallocated_ttys(rpcd_t)
-@@ -181,19 +181,27 @@ optional_policy(`
+@@ -181,19 +197,27 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -89510,7 +89546,7 @@ index 2da9fca..876a4e7 100644
 ')
 
 ########################################
-@@ -202,41 +210,56 @@ optional_policy(`
+@@ -202,41 +226,56 @@ optional_policy(`
 #
 
 allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@ -89528,10 +89564,10 @@ index 2da9fca..876a4e7 100644
 kernel_request_load_module(nfsd_t)
 -# kernel_mounton_proc(nfsd_t)
 +kernel_mounton_proc(nfsd_t)
-+
-+corecmd_exec_shell(nfsd_t)
 
 -corenet_sendrecv_nfs_server_packets(nfsd_t)
+corecmd_exec_shell(nfsd_t)
+
 +corenet_tcp_bind_all_rpc_ports(nfsd_t)
 +corenet_udp_bind_all_rpc_ports(nfsd_t)
 corenet_tcp_bind_nfs_port(nfsd_t)
@ -89576,7 +89612,7 @@ index 2da9fca..876a4e7 100644
 	miscfiles_manage_public_files(nfsd_t)
 ')
 
-@@ -245,7 +268,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +284,6 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 
 	fs_read_noxattr_fs_files(nfsd_t)
@ -89584,7 +89620,7 @@ index 2da9fca..876a4e7 100644
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +279,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +295,12 @@ tunable_policy(`nfs_export_all_ro',`
 
 	fs_read_noxattr_fs_files(nfsd_t)
 
@ -89599,7 +89635,7 @@ index 2da9fca..876a4e7 100644
 ')
 
 ########################################
-@@ -270,7 +292,7 @@ optional_policy(`
+@@ -270,7 +308,7 @@ optional_policy(`
 # GSSD local policy
 #
 
@ -89608,7 +89644,7 @@ index 2da9fca..876a4e7 100644
 allow gssd_t self:process { getsched setsched };
 allow gssd_t self:fifo_file rw_fifo_file_perms;
 
-@@ -280,6 +302,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +318,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
@ -89616,7 +89652,7 @@ index 2da9fca..876a4e7 100644
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_request_load_module(gssd_t)
-@@ -288,25 +311,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +327,31 @@ kernel_signal(gssd_t)
 
 corecmd_exec_bin(gssd_t)
 
@ -89651,7 +89687,7 @@ index 2da9fca..876a4e7 100644
 ')
 
 optional_policy(`
-@@ -314,9 +343,12 @@ optional_policy(`
+@@ -314,9 +359,12 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -102159,19 +102195,21 @@ index b38b8b1..eb36653 100644
 userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
 
 diff --git a/squid.fc b/squid.fc
-index 0a8b0f7..20a2ecc 100644
+index 0a8b0f7..0630506 100644
 --- a/squid.fc
 +++ b/squid.fc
-@@ -1,20 +1,24 @@
+@@ -1,20 +1,26 @@
 -/etc/squid(/.*)?	gen_context(system_u:object_r:squid_conf_t,s0)
+/dev/shm/squid-*	--	gen_context(system_u:object_r:squid_tmpfs_t,s0)
+ 
+-/etc/rc\.d/init\.d/squid	--	gen_context(system_u:object_r:squid_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/squid --	gen_context(system_u:object_r:squid_initrc_exec_t,s0)
 +/etc/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
 +/etc/lightsquid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
 
-/etc/rc\.d/init\.d/squid	--	gen_context(system_u:object_r:squid_initrc_exec_t,s0)
-+/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:squid_script_exec_t,s0)
- 
 -/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:squid_script_exec_t,s0)
+
 +/usr/sbin/lightparser.pl --	gen_context(system_u:object_r:squid_cron_exec_t,s0)
 
 /usr/sbin/squid	--	gen_context(system_u:object_r:squid_exec_t,s0)
@ -103573,11 +103611,50 @@ index 0000000..e847ea3
 +	rpm_exec(stapserver_t)
 +')
 +
+diff --git a/stunnel.fc b/stunnel.fc
+index 49dd63c..ae2e798 100644
+--- a/stunnel.fc
+++ b/stunnel.fc
+@@ -5,3 +5,5 @@
+ /usr/sbin/stunnel	--	gen_context(system_u:object_r:stunnel_exec_t,s0)
+ 
+ /var/run/stunnel(/.*)?	gen_context(system_u:object_r:stunnel_var_run_t,s0)
+
+/var/log/stunnel.* 		--	gen_context(system_u:object_r:stunnel_log_t,s0)
 diff --git a/stunnel.te b/stunnel.te
-index 27a8480..88f7dc8 100644
+index 27a8480..5482c75 100644
 --- a/stunnel.te
 +++ b/stunnel.te
-@@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t)
+ type stunnel_etc_t;
+ files_config_file(stunnel_etc_t)
+ 
+type stunnel_log_t;
+logging_log_file(stunnel_log_t)
+
+ type stunnel_tmp_t;
+ files_tmp_file(stunnel_tmp_t)
+ 
+@@ -23,7 +26,7 @@ files_pid_file(stunnel_var_run_t)
+ # Local policy
+ #
+ 
+-allow stunnel_t self:capability { setgid setuid sys_chroot };
+allow stunnel_t self:capability { setgid setuid sys_chroot sys_nice };
+ dontaudit stunnel_t self:capability sys_tty_config;
+ allow stunnel_t self:process signal_perms;
+ allow stunnel_t self:fifo_file rw_fifo_file_perms;
+@@ -34,6 +37,9 @@ allow stunnel_t stunnel_etc_t:dir list_dir_perms;
+ allow stunnel_t stunnel_etc_t:file read_file_perms;
+ allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
+ 
+allow stunnel_t stunnel_log_t:file manage_file_perms;
+logging_log_filetrans(stunnel_t, stunnel_log_t, file)
+
+ manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+ manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+ files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
+@@ -48,7 +54,6 @@ kernel_read_network_state(stunnel_t)
 
 corecmd_exec_bin(stunnel_t)
 
@ -103585,7 +103662,7 @@ index 27a8480..88f7dc8 100644
 corenet_all_recvfrom_netlabel(stunnel_t)
 corenet_tcp_sendrecv_generic_if(stunnel_t)
 corenet_tcp_sendrecv_generic_node(stunnel_t)
-@@ -75,7 +74,6 @@ auth_use_nsswitch(stunnel_t)
+@@ -75,7 +80,6 @@ auth_use_nsswitch(stunnel_t)
 logging_send_syslog_msg(stunnel_t)
 
 miscfiles_read_generic_certs(stunnel_t)
@ -103593,7 +103670,7 @@ index 27a8480..88f7dc8 100644
 
 userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
 userdom_dontaudit_search_user_home_dirs(stunnel_t)
-@@ -105,4 +103,5 @@ optional_policy(`
+@@ -105,4 +109,5 @@ optional_policy(`
 gen_require(`
 	type stunnel_port_t;
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 186%{?dist}
+Release: 187%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -653,6 +653,16 @@ exit 0
 %endif

 %changelog
+* Thu May 05 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-187
+- Allow stunnel create log files. BZ(1333033)
+- Label dev/shm/squid-cf__metadata.shm as squid_tmpfs_t. BZ(1331574)
+- Allow stunnel sys_nice capability. Stunnel sched_* syscalls in some cases. BZ(1332287)
+- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs.
+- Allow systemd-user-sessions daemon to mamange systemd_logind_var_run_t pid files. BZ(1331980)
+- Modify kernel_steam_connect() interface by adding getattr permission. BZ(1331927)
+- Label /usr/sbin/xrdp* files as bin_t BZ(1258453)
+- Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318
+
 * Fri Apr 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-186
 - Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
 - Label named-pkcs11 binary as named_exec_t. BZ(1331316)