* Thu Sep 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-2

- Allow tomcat services to create link file in /tmp
- Label /etc/shorewall6 as shorewall_etc_t
- Allow winbind_t domain kill in user namespaces
- Allow firewalld_t domain to read random device
- Allow abrt_t domain to do execmem
- Allow geoclue_t domain to execute own var_lib_t files
- Allow openfortivpn_t domain to read system network state
- Allow dnsmasq_t domain to read networkmanager lib files
- sssd: Allow to limit capabilities using libcap
- sssd: Remove unnecessary capability
- sssd: Do not audit usage of lib nss_systemd.so
- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file
- Add correct namespace_init_exec_t context to /etc/security/namespace.d/*
- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files
- Allow exim_t domain to mmap bin files
- Allow mysqld_t domain to be executed with nnp transition
- Allow svirt_t domain to mmap svirt_image_t block files
- Add caps dac_read_search and dac_override to pesign_t domain
- Allow iscsid_t domain to mmap userio chr files
- Add read interfaces for mysqld_log_t that was added in commit df832bf
- Allow boltd_t to dbus chat with xdm_t
- Conntrackd needs to load a kernel module to work
- Allow mysqld sys_nice capability
- Update boltd policy based on SELinux denials from rhbz#1607974
- Allow systemd to create symlinks in /var/lib
- Add comment to show that template call also allows changing shells
- Document userdom_change_password_template() behaviour
- Update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file
- Fix typo in logging SELinux module
- Allow usertype to mmap user_tmp_type files
- In domain_transition_pattern there is no permission allowing caller domain to execute_no_trans on entrypoint; this patch fixes this issue
- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"
- Add boolean: domain_can_mmap_files.
- Allow ipsec_t domain to mmap own tmp files
- Add .gitignore file
- Add execute_no_trans permission to mmap_exec_file_perms pattern
- Allow sudodomain to search caller domain proc info
- Allow audisp_remote_t domain to read auditd_etc_t
- netlabel: Remove unnecessary sssd nsswitch related macros
- Allow using the sss module in auth_use_nsswitch
- Limit communication with init_t over dbus
- Add actual modules.conf to the git repo
- Add a few interfaces to optional block
- Allow sysadm_t and staff_t domain to manage systemd unit files
- Add interface dev_map_userio_dev()
Lukas Vrabec 2018-09-06 22:33:33 +02:00
parent 046756d71a
commit 833e3136e5
No known key found for this signature in database
GPG Key ID: 47201AC42F29CE06
3 changed files with 55 additions and 6 deletions

.gitignore vendored

@ -306,3 +306,5 @@ serefpolicy*
/selinux-policy-contrib-ab97c9d.tar.gz
/selinux-policy-c8dfe84.tar.gz
/selinux-policy-contrib-a342008.tar.gz
/selinux-policy-contrib-5ed2192.tar.gz
/selinux-policy-38c6414.tar.gz
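Review bot: the rendered hunk has lost its +/- markers, but the header (3 context lines becoming 5) shows the two new entries `/selinux-policy-contrib-5ed2192.tar.gz` and `/selinux-policy-38c6414.tar.gz` being appended while the entries for the previous snapshots (c8dfe84, a342008, ab97c9d) stay behind. Every source bump grows this list by two lines; the file already uses a glob (`serefpolicy*`), so a pair of patterns such as `/selinux-policy-*.tar.gz` and `/selinux-policy-contrib-*.tar.gz` would cover all snapshots and keep .gitignore out of future bump commits.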


@ -1,11 +1,11 @@
# github repo with selinux-policy base sources
%global git0 https://github.com/fedora-selinux/selinux-policy
%global commit0 c8dfe84c09d2d197265f1d883f8b11527f5846c9
%global commit0 38c6414d2dac8b3e77914561f34babdf93ef27ff
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
# github repo with selinux-policy contrib sources
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
%global commit1 a3420086d85dcd5b7407c3101587047369c45ea1
%global commit1 5ed2192d563e34d3f1e7c4f7b2673af960de8769
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
%define distro redhat
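Review bot: `%global commit0` and `%global commit1` each appear twice because the hunk replaces the old full SHA-1 with the new one (c8dfe84c... becomes 38c6414d..., a3420086... becomes 5ed2192d...); pinning to a full commit hash rather than a branch or tag name is the right choice. Keep in mind that the `Source:` line builds the archive URL from `%{commit0}` and `%{shortcommit0}`, so the spec only selects which tarball is fetched; what actually guards the content the package is built from is the SHA512 entry for the same short hash in the sources file, and the two must be bumped together, as this commit does. Worth double-checking that the seven-character prefixes used in .gitignore and sources (38c6414, 5ed2192) are the first seven characters of the hashes entered here, since `%shortcommit0`/`%shortcommit1` are derived from them at build time.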
@ -29,7 +29,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.14.3
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@ -709,6 +709,53 @@ exit 0
%endif
%changelog
* Thu Sep 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-2
- Allow tomcat services create link file in /tmp
- Label /etc/shorewall6 as shorewall_etc_t
- Allow winbind_t domain kill in user namespaces
- Allow firewalld_t domain to read random device
- Allow abrt_t domain to do execmem
- Allow geoclue_t domain to execute own var_lib_t files
- Allow openfortivpn_t domain to read system network state
- Allow dnsmasq_t domain to read networkmanager lib files
- sssd: Allow to limit capabilities using libcap
- sssd: Remove unnecessary capability
- sssd: Do not audit usage of lib nss_systemd.so
- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file
- Add correct namespace_init_exec_t context to /etc/security/namespace.d/*
- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files
- Allow exim_t domain to mmap bin files
- Allow mysqld_t domain to executed with nnp transition
- Allow svirt_t domain to mmap svirt_image_t block files
- Add caps dac_read_search and dav_override to pesign_t domain
- Allow iscsid_t domain to mmap userio chr files
- Add read interfaces for mysqld_log_t that was added in commit df832bf
- Allow boltd_t to dbus chat with xdm_t
- Conntrackd need to load kernel module to work
- Allow mysqld sys_nice capability
- Update boltd policy based on SELinux denials from rhbz#1607974
- Allow systemd to create symlinks in for /var/lib
- Add comment to show that template call also allows changing shells
- Document userdom_change_password_template() behaviour
- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file
- Fix typo in logging SELinux module
- Allow usertype to mmap user_tmp_type files
- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue
- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"
- Add boolean: domain_can_mmap_files.
- Allow ipsec_t domian to mmap own tmp files
- Add .gitignore file
- Add execute_no_trans permission to mmap_exec_file_perms pattern
- Allow sudodomain to search caller domain proc info
- Allow audisp_remote_t domain to read auditd_etc_t
- netlabel: Remove unnecessary sssd nsswitch related macros
- Allow to use sss module in auth_use_nsswitch
- Limit communication with init_t over dbus
- Add actual modules.conf to the git repo
- Add few interfaces to optional block
- Allow sysadm_t and staff_t domain to manage systemd unit files
- Add interface dev_map_userio_dev()
* Tue Aug 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-1
- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
- Add interface devicekit_mounton_var_lib()
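Review bot: several entries in the new %changelog block carry typos that will ship in the package metadata: `dav_override` (the capability is `dac_override`), `domian`, `execu_no_trans`, and `to executed`; fix them before merge, since an rpm changelog is effectively immutable once the build is tagged. On substance, a number of entries widen what confined domains may do (`abrt_t` execmem, `pesign_t` gaining `dac_read_search` and `dac_override`, the new `domain_can_mmap_files` boolean, the mmap grants for exim_t, svirt_t, iscsid_t and ipsec_t) but only the boltd entry cites a bug (rhbz#1607974); ask for the denial or bug reference behind each privilege-widening entry, and for `domain_can_mmap_files` record its default value so a reader can tell whether the grant is opt-in. The entries `Add execute_no_trans permission to mmap_exec_file_perms pattern` and `Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"` cancel each other out; listing only the net change (the `domain_transition_pattern` fix) would make the changelog easier to audit.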


@ -1,3 +1,3 @@
SHA512 (selinux-policy-c8dfe84.tar.gz) = 1932e821f40e5f255580c9fd6ac48fdbe78ec86c89de04bba9a297e4971e4c96c3127ef890ab4a864b33f2230aad3b31b1aae08b509e501864763e3a53b11f05
SHA512 (selinux-policy-contrib-a342008.tar.gz) = 3e49ff37fa815ff18ff9e6daa02c385b660ef9f63e7cdd475895f864834d5a8afd7f5355f2c5c936c370861f45606d82cf1c38c0f149ee7d3e7aba4e114adfbc
SHA512 (container-selinux.tgz) = 5ec87fe001d2c6256d7e97963e9ab44fc1068cd0df251a7f40547505f2f6c8e9e20ff0056da9bce7d37afb6649da6dfe605248885293d5d39b48e378d2554570
SHA512 (selinux-policy-contrib-5ed2192.tar.gz) = 6d8c08980a10b498155893d7c9d949c89761622b4b16ca1e4c80d78ebd97791ee9e59112b725aae8402aec382214001cb9952e0e22b11698abacaea74ae7db41
SHA512 (selinux-policy-38c6414.tar.gz) = a0d47bee2311baea12ade3a1f6460a76ba3e479314838957e5225c0e8ec0926ae0e9027b6204f1d5153f7e8b0ef207e4bbb30d9ee16bf1f5396ad87626b78528
SHA512 (container-selinux.tgz) = a563b1da0a6c3b4bd1b171b263e171cd1a99758130c9c0e7d351df7709aa6f0e52e5e6eb211469697db0bdb86adf9de6c0b5f5935c928611854867084327114d
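Review bot: the hunk header (-1,3 +1,3) replaces all three lines, and the `container-selinux.tgz` entry changes hash (5ec87fe0... becomes a563b1da...) while keeping the same unversioned file name, yet neither the commit message nor the %changelog entry mentions an updated container-selinux snapshot. Either add a changelog line recording which container-selinux revision this tarball corresponds to, or, better, version the file name the way the other two sources are (`selinux-policy-38c6414.tar.gz`, `selinux-policy-contrib-5ed2192.tar.gz`) so the pinned content is identifiable from the name and an unintended tarball swap stands out in review. Also confirm the two new SHA512 values were computed from tarballs fetched from the `%{git0}`/`%{git1}` archive URLs for exactly the commits pinned in the spec, since this file is the only integrity check on what gets built.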