* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17

- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for  /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow swnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session

.gitignore

@@ -279,3 +279,5 @@ serefpolicy*
 /selinux-policy-17160ee.tar.gz
 /selinux-policy-contrib-4f6a859.tar.gz
 /selinux-policy-718d75d.tar.gz
+/selinux-policy-cab8dc9.tar.gz
+/selinux-policy-contrib-19624b4.tar.gz

selinux-policy.spec

@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 718d75d6ef457c74ce1defac3b2d671b3d1f71eb
+%global commit0 cab8dc9056f382289b0559b3bdf336aa09ef8105
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 4f6a859548cce112341679e720b88f7d1cb674d7
+%global commit1 19624b4009a0a252a57e7192dea7d3d322fcd0da
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -718,6 +718,41 @@ exit 0
 %endif
 
 %changelog
+* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17
+- Add dac_override capability to remote_login_t domain
+- Allow chrome_sandbox_t to mmap tmp files
+- Update ulogd SELinux security policy
+- Allow rhsmcertd_t domain send signull to apache processes
+- Allow systemd socket activation for modemmanager
+- Allow geoclue to dbus chat with systemd
+- Fix file contexts on conntrackd policy
+- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
+- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
+- Add label for  /usr/sbin/pacemaker-remoted to have cluster_exec_t
+- Allow nscd_t domain to be system dbusd client
+- Allow abrt_t domain to read sysctl
+- Add dac_read_search capability for tangd
+- Allow systemd socket activation for rshd domain
+- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
+- Allow kdump_t domain to map /boot files
+- Allow conntrackd_t domain to send msgs to syslog
+- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
+- Allow swnserve_t domain to stream connect to sasl domain
+- Allow smbcontrol_t to create dirs with samba_var_t label
+- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
+- Allow tangd to read public sssd files BZ(1509054)
+- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
+- Allow ctdb_t domain modify ctdb_exec_t files
+- Allow firewalld_t domain to create netlink_netfilter sockets
+- Allow radiusd_t domain to read network sysctls
+- Allow pegasus_t domain to mount tracefs_t filesystem
+- Allow create systemd to mount pid files
+- Add files_map_boot_files() interface
+- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
+- Fix typo xserver SELinux module
+- Allow systemd to mmap files with var_log_t label
+- Allow x_userdomains read/write to xserver session
+
 * Mon Apr 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-16
 - Allow systemd to mmap files with var_log_t label
 - Allow x_userdomains read/write to xserver session

sources

@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-718d75d.tar.gz) = 176da6f3835a17e21e8e0c7377130a90bd2bcd1807cb60ee5eb9070ba843793660ca059d63296236aca98d810b68e1b72cd98e1d351ebe3a46274be1de418137
-SHA512 (selinux-policy-contrib-4f6a859.tar.gz) = 3f2ac4cf26466a324adcc952286c20254cbd0e40149b9948eb623b03804ec056355deefa231dd9e4910097f5b0874f358f1731b68b47c746859a2f02adab23a6
-SHA512 (container-selinux.tgz) = 847b4649718df078e824e344adb95868ed272a4133ac39147b2afac54289ffbd62584b540f6744fbd1b945573ce23e6dbcc425d780d37b5894a1ca5b4cca177e
+SHA512 (selinux-policy-cab8dc9.tar.gz) = d922ec08de3f8a47b312b00d9a64a73466e230b3e8344768f95d762b5e1f52f3d99b77ee5d5901ff76d3ecfa315daecbec428ef6f1a4b9322588ff8fc721f4ae
+SHA512 (selinux-policy-contrib-19624b4.tar.gz) = 25a8fb5a856dc8cb5f2ab42bb9a16371488172393ba8fbcb4aa35f021b00dd9ccd5e40f3fd249799e38bdb6a3461da6ef7b8794ce0250209cad789258959d8fe
+SHA512 (container-selinux.tgz) = 04f324dcf9ecc426157686679201eac943cc535a6d33dec9d7da221585170bc2af89a076a00fc35a10fa0d8be6acce877f19e427bcea5598d72b47f698534ff8