From 959229d1e324ee1fd184bb520cb80d198e17dd07 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 23 Jun 2017 17:16:37 +0200 Subject: [PATCH] * Fri Jun 23 2017 Lukas Vrabec - 3.13.1-261 - Allow boinc_t nsswitch - Dontaudit firewalld to write to lib_t dirs - Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t - Allow thumb_t domain to allow create dgram sockets - Disable mysqld_safe_t secure mode environment cleansing - Allow couple rules needed to start targetd daemon with SELinux in enforcing mode - Allow dirsrv domain setrlimit - Dontaudit staff_t user read admin_home_t files. - Add interface lvm_manage_metadata - Add permission open to files_read_inherited_tmp_files() interface --- container-selinux.tgz | Bin 6832 -> 6831 bytes policy-rawhide-base.patch | 67 +++++++++++++++++++++++------------ policy-rawhide-contrib.patch | 55 +++++++++++++++++----------- selinux-policy.spec | 14 +++++++- 4 files changed, 92 insertions(+), 44 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 47b8aa5cb574ac3ebe26614f65228c9ed10d847f..30bcc9dfc4b55308fd9e8cc73451c2869189ce75 100644 GIT binary patch delta 4978 zcmV-&6OHV!HLo=xABzY8elJZ~00Zq^ZI9eGlFrxZUm@55JQLV6_Bc*(o{=Fcf54uZ zR@FnYNEVC5Vks(%HcX48zD&1Yo#^uxKHq)!E&hD>{fD>ePx!q5_WSoAzIylm-SzwH z>+e5&|KY2*@8GxhUj=VZRU!3rXxgw2g0Hf>I@~0Ym2T|$|I^Rv<;&oQ=8)%M{rKm9 z?319ZlHyHM9_lCw!m7&BC~VWRe+VKmP=ch`!OzPdt_0f(K>R+v(%_G?zdj_!)c~FFT@~0P!>cyW2CHzDWf-uX<`y>w9GHC0tXi{vH z3G|9k;rCTqv`M`UqvZToS(|lzDB3hn)=(bdyn6lX>TH)3>pJ=Ukk&xEe>yvBA1kE= zlBa!b_%ZW$yp zi!(iGFIHH2H|u>Ye;E3`PB+*EUtgOs5aJYb6@>J~PE;K5Q$#K2qjR=JVL_D6 zS$5=v`dbplB;TqoaqtDOQi1r(?Qn`MG=n?_xkcDe)iqUb)~K#PYq2(tXs=^M`giI^ zMSfYj31X;b)RuLcG!q8zX#~l~8C1(hkauB?q@5tC{NU?%CYq1Xf6jp8!>{Wqsq+RH zw`rC%qF_!u;D=j1`r4#DG;|7XFv&|5>LFoSx7U51`NWP3YmQ&SE zrrS9DG1^UFj7^x6YDr@ceo3Z)(vPUrPScGJb$L?h{|Firw+)-$K;8}R*+Qi&pp;&B zJR-||+U|o82oEhtxJ{#gTHo!*K;0o-sOZ6}PVcZBr2LE>f2tw#TCA}a27GjIQBzbphUx(oUKEc@=qrcLsw&8GS<^k;`6ZAtuHM=|V}8(N|u)>|o( z*GX2Qu?~_-VLZ{3fPVxt@78U}z$;KJ_c7Ll;TZO#N=-iEkCPPyYagEm`3l01(Y{`@ z339)NS}Y@E{IKm}w?Sm9uOe*xEt8)FRspw@_5_LndXs?#WdVhg=LH>qe)#%j*w?h> zT0>pQKw&L!v@JY=e?$q1`Y^hHSF0_L>>b#b2=8EhfLaB-edI2YCUnlUN8N0X36+2pWI= z?!$NQ-wy8ozJI>|`&mBBtFX??7$)(#91X97>&tila{2aRrOgc%(#SjsL0y(@c{|lC zT)hl_N&u&(i^ZT{S2S(oq=|SqNyP(65)8+H>IC=u1m=9LhE9ZJ3JRYnc`mao_{Wbw z2US_OGTx-(I)R~MW7S&2MWkQldSouTH_4;3N~OE>8}*c{f$hUOSf_U#W|xs<8PQX;Q45S{Hvc+i>

*v`g8H_hTZ?dryaBOuBCSRa8QH7#@ks?C~{*kcc zrKOR+L_XN(oa_8UT;ZnfBX?ePR!{ynHQngqHoEcqn8LNs5Hk^wbFOol&;}Lc#{qhj z$+^blnEiP*&;a>2n&L+pRCI+5{kaDdGYO(i<~X~#!e^QfW$Hyl;wQEEO5&`@

+ilMahgT=xA^dWS;7_b$IYHzEw-MLc33y9;Mzp^5F|`H*D@#-kJZSTf>{ z2_Y|`%gB{*K43Hm8dlYTcm;(WXH3QN#R(zhg)16VCz>~G$7=NyhChVo|owx}!Wk>L@@`48JSYEHWqt^>_ zsuAf4Ja3qJ0M8m`F5G@xf%h=rkfvcE+fD<*XBZDN8fjzqUg{ZsX%xmc#z^U3f8x;w z{HUTIbYN^t7l}ZO7&(qx;})aG&HDKkgq~zPvYCZhQGm0VT%|6O7TpuRUpq#(8?+9$DJ;dtI{5keOgyr$UiFly5~m`|~#d`=(ZvqMa&<9H$LN#hcV zh}BDX(LU>OIq9cXZbp@Md>D>aNsmVD0{lc+-z(=_VN|n^@&!8&FX$XX=wRBIqem|K zRLwrgG7maG$I=m}hQ0GV!Io}kFn`S~OA8iS_-Jq6wv}fQf+Z^RyvmY?HI2z}-rnh^ zuLO-uerLS1Pf}+bC6AqqvgMAZI#+irg4{x{kVjoGrjxkSaXsyTSFkCnzA8oYp&^rA&jQq z6OK~v*JZ&Hq4KmS=C(9#S)&PuF$|=>A25h7ZEh{}baao4SkW~1X&dd$bUYP+K73$f z8khGLXr8@Q+|4pm5fMH=SX#sh%F4}eQ%Ce%Y$N%JDdj}KNEk;)ue!7tIN_<)d9$-n z_lUtp!jmhYwr#%CCQ_yWg?~1t{~Ou^{5yuO3)qdhH62K;qr}#J6RWUmx9|-hgn;2t z9a?RP$%}G-ABSz|m`7xLi%Dm%z{_Ar?dUnjUV!n+gujaSdByaFd~KLzawUg0<+f{_ zY{Ns=GC#|MO(ZG@8-6zE#|D>}nEP+mET5fa(r{ujh0?7P*N`BkX@BGwV zIE%swfC0Hai7MH zIY{o(3emfw2;MRv$z@UrqO_pWl%(g3_~i}CmBpem-)R~ z#mSwz2eEjf6e18D9=6-uTtG?P4vVd2wn&nL2TgWIYi?VYj;dk$f2@_0A}hbrVm2Z!2F3)m4Oj?`Wry+)*1Ny}PA?g@zB~ za1x4<=0QpV9Iv$5&4(BYxt_Prt_d;eVZC7=F zwg~)g^$=LtX`SZrI<#cd%cCsyWqFLm%I+d!CPQ~_g{FpOU2m_Bn%pM{R(B-*b z_q2=I=_?YK$;84Yjbw5;%it#7Orh44YTJeiF@RnP@hpkcV}h8JGMZX6n%yODsIVd5 z3_ILB>k)VN^V}okuvvqA&z;pk(iq9iuVi_m7jupt4wx*PuC%DjKPc>)8QBVdRJMMo zQ0Oq_^um0Dj3y^K!lb&!6i1X)@0iQ1u1tM{S1uT5%b*yUDR(Nr657oX93!0G^V1y* zS`YpV$$ZU|-mgSHP7M+6Fk01kVH~;I63&Y-9=h9?RL*5zrIozIHk*UUJHta_Di1+G zs2-K4zN_E5D9McLP}$e)MLWHJxKuZCr&;>?i}dEjm?{^qmFkqYO|OZ1>PpfPcs?ul zvznodz06`HO&QOHIU{41$~iGVlr+OFa7qM%%!PKNrgyR072;hIBNsBpUx?v)HhMQ> zA$aF)iiOH>U932^2=^TeAN28i7M3@YjHvx%UsXc>_9>TrrU}k3lwXd2b?vf+!E+@^ zUBQ)-NQsye`Cp7+eo=#xd_15`lFn3kt*-4}20yZdh1nxZTamK2!N8&o<}@nfOMGiy zV6a_f#`&&(7d&wV%c-dr%f4ZY1KOTso!#iSAG8deEay7`8uA|ZE(-C>5?+^z=3JR@ z?JpJs8cp&zY=pSDVOlVMcv1R-!7^!@*BCR)bfBQ7c1>Mcq?f+J^aTazC|d#8izw z-@(Lc$K$Wsems{U0Il`Ag2?BJ>#7BvFZHhWgm+Sq?ELJmGqSoKo6U8(EUrrhEf3X~$gZubF_C4P zGH!!?z{9o=>_>%B-S$k|cy6=DMAkezw-VMU({L*(HC>q@dS<^kKO3$y9=RYqk%r>Z zY1CEliG?T!{6vjfWxTD?#P%Jy-PhuA=3_Zj?g)CZVEPe%yD^qbJN~vR`4b#w`yOIX 
zIJ_P`wDvfx_B*8Z6$ziGE{n$}q4F5-l>E+PSQGTttJlG=-3zJJXlUCVJYTsHGf8dy zUY|E6thAtx8c*|caJ6QfXXILshZQ@eP``^jUZNr0?I{~~5=E~KfsjsqhgWCU!;apvQbN1$qH=5Yu@wciVstJ_+SOywwvkq@5!0aJ z9WbvJtRg&%mZ>13Nvi+)pR51=hB=;>?VUI1GHu#_#cIq^`Fm%UhAqmwGCSnSo9UuZ zUgFk4HzedbEteWqr@$+tG+qj?Q302kMSbnDco!)pEH?={XuiqeKj*0|<+WoRJ!yqf zJqP7-@vmpzSdqxdPXg$0_&hxx4oBxvD66ZxkjV~%dl-^0P#3;I^$|clQ7wW6P*<$h zzhI(&PH#{VpJIZPR1KnEe)9`vkoOlN%SAs9EOLMPBl}mH(ta)jjDagt$B_$5eVCs0@d*{rvYR$FHHMYWf`h-H*{n806HmkHR#RhkBTyk-N_Xr`UgMaIZ_ zBA6tYGnEZ^ta86xR%txRBpZQ4ry<}q%iz7?mo%0UAz!_io!d+W9Rw~ZdJKRSn{9#y wpjRiUK)ZQ3LX-T_PMPP=^XK{V{CWO7f1W?jpXbl>=R}|X13nXLUI54d0J&zt0ssI2 delta 4995 zcmV-}6MXEiHLx`yABzY8h~r0D00Zq^ZI9eGlFrxZUm@55JQLV6<8k8P?2#cVe;{d3 ztLh8>U54U#8oyPV~8k&-?e^;`iI{zq?ky;q&g>@85m*)!TP(Z{B|Y z{_Xqg@4vc!`|jrE`m5mjR25P`ho%kdAowb~tHVtaS?R`}|3Ce#UcL-|XbyQE){lSw z$36+lDky^SA{7{8;mW@4@H~i$r{QdoL8@ZU7hWcVqGV{AJQ6Ve^+N`?PI01 zK=QP&4L>Fzfpz=Q!If9rhA3WLtX5}HStn5*ubU*Sqy2i57Uy5Ty;z-z3azWKg?i(! z_To%W+KUwyuwYkmWTi`Y+7s4m{#|=EscX+{U8@yPmsw(f{~P=)!NVv@nq~|Yk)p7= z8XZ3HJ!#~0y)Pb#{${<8e+5Io*Xahk;OiSR211--u7Z%h*ole*eu}8&e00vXC@hH5 zIm?cmP=8CpnB-g4B@Vs-Rw@vGxgAcig=Ub)Ah!q`s=B7?%^KAeXf4*p5$$!XNdHdV zsK_r%H$e>5jM}nJlV-x;J&hpwID=~W2=Xqhk+c&el^=Zl)^{f3fiJGB;OM1qAzah+CN;-q#Uq?RGnGkwvN#=0%woS zszYLZ2AMbeuui@tsZ)jg<<7`Gq@JZsi(}g+bPiqsu^ghja17m_byj^$Lf zlj$}Ne~fk$7-JLWq*~J0gI|&ee}`(wycTP$g#jNOT+|fU zM4={TLP6ynk(8zs#dz0I7B-EgD0((5Ym@Ne;wk0f|6c@Uh4K%xKfP${gRO~3sujCQ z(qiXTta*wE9p~-zGENYehf0|QU*Eug@8G|0m$lD+{`a50kd=e1m@18@tsAfnwkRBc zY9<)O1Z4biQSohGlhk*MxOEru{aNB8QJYQmU+B*cMcR`1yN+VmF*meCL9Dk@ zB(IaKL}MK!mBM(UCjtKmX5Oval7UyCSngx23Bxh$N0pj0vD+ZB)mITV{wtH71XcmBll26O0cMkc1!aGPPdMlusm!o`odfUh zKmXX(q4|4RWT3E?H`*4Sz(1gbM12@tz^m1kNA?cv zON4i@K0vJk-ac}pkj_e>U|74!$J-D6yG!e`$R}-DPSagf&tttcR>!;OQMY?%xN8AB z-TYu@{GFLIo^BNY5eD=GoAer_5j5$p2s1WegHIo)lX(Vw0r`{m2Acx>ER&N5NdeE3 z-3NIApOaSzBLOp$dk7kTegED2ch`gazwe&!|9+Ma^D3MTA*jo;EpMlqg{zmrPYK}Ebg>xp>x!mroHP*+C#iTKNrK@RP@Uj@pTL~2 z)zFEMOhMrjCC_D+1^@W*=b$RqrDTqiJeY)pG7!j0NixeWn-)AV()4YMY>(5l31 
z#4K2TWTtwxq4b;wIq&N7PzC4Q1#`hQl1DAL0m1;fdf2RXXl@#!Ql%9X=DX9#>{AQF zlcLY!Fv&p`F$HyQD9Lrfk*l@lu=#BbMoP3t_0=gj6P#p1)#b?{H}9tE*=y(0<12O1 zR24Q~BTb5xQ|qFCW*g4Fh}mz0UQr!nLwc`%ak`)`ly)hb@qSFidGG0Pj7isRzluso z55psInLWP7aGXAz2+K1{wf=l05@|Xox+3RwptZ4i2!{p{YcNKkfKP zYaUfJ;D)2hJW9=H0UE0A2u6jtFT&C>QUcnYF@d0zy#DHuRo_!od}o1{(S zAipijIKZx};6{z444A~!jF?>4Pbwd?n5kB>08z1K6RR~wy9>tyynPT@}0wM#w>FsW}7=$ zJTNB@4iC(w@g~o97p6}SbK;4HkMAg!RawSTGG8%033hki^px;7%j28wNS~$%<$m+& z3cxGLtCt;3S5hx8#d0>+SQ@rD6Wn9$wHngwVmXF-MPF^r@PCl4TxrevYLhP7QnKd4et7&R~C0bI7%Kn8D+~IO?9sBSOmF+ULlXVU`!`* zr{j9s0k39F<{B-GpJe(G^V_VUZ5}I)Jv4X$E63x1A4rzjz^i$Og8VR=-`dt)=t5%B zr|5EL8#yKO`;327-a{Bozb71}-mlAoB|_zCQOs>=+OkFy4r3TdeLr9jU)tPS=;`Pl z7qOyg?$b8fo9TEe0Dbtt#xySPEzmrBtGJtGrXnJIez3HN6O@&k-=>b}x!6YX6I05G zfRQkcj$Uu0DtMg`Oq3#ibjf5vxKyBN6r%j|x0}6j_O#e5u2l#gkT^Fz$b89+~ zT1Sbk{U%mn*KXk#KnMZDp*pnM5|bC@{yq-d&@qq5_7;=QUV)dvklN96j=ccml?i_p z@AHc33;EhG%j8N9ZOU!eIN64WtYv zQ#5m`aHH_rtKb{<{1m|2Lb2BJ3r7roSGzP0#O8l;klx8R&Ja|9j4uq>u67u-=pD8A zu&wnN-J_x)xq?0(kYb4AUEPHcKbc}H16;9~yKZ_=@{=PtHHbtywvo=U_!+x{v}vrv zgE-$K8TEn|x7vG4=D1H|#~dVgX$5Mz*p?#>klznU)2_*;(=V7B=y`kAIm{9;X520q zLF|8auo#Ga{5$k|D=*|zd6WZP-Gf*>Q3??V4iDRHZZ4ptZimIzGFv3c!Gk8dqcyj! zOGni({Xf>qNs*Oh40qtkEqx->MwJFuFq@aQN)O2Tbxz zZW5O~aU1hDFrM)Oxb8w~AG!kmlW7v10i%-!6E_0>;FCWSGXnhLlXMeLf8SQV5~`~R z``yt_Be|nCMtXNk1q%%y#^EFsBh7=91UO!4vzrew6mmU}W788dJLJC5m&0c@G`Ix5~?obTsMF^(oqrG0@JoZF(UUtW%gRVQ0cUQpY70W422(b6I?_VMXT? 
zBw^<%s-P4xGwy}VQrfQSe{2!>x79;nVW)MP$Lr9NO)rnK)R*Nk5-Yolh?xxCxfPlk zmUYRQ5#7&>Fwy5A+O)9wzgX5kQ_0)3PVT`@h({ax$|_XckI!=7ALK^eb|PV8EFwHp zDe&mjn)u{m^-?A5?pRGKil)No@em_(oV~Can>3QitwnD#QSKCB(BN zPLBy!Ktxu0v%%vls33f8tWz$em{C>o3xq7h|ei zyjH4H-Zs4^>ZvP9N8tIa+|O!;GWIfyku+sI7v_wNSt{qm{7}*ix4V~R z)vgflk{G#=G5$gf*R#>P84JNXZ&NH(hU;R*u|>G=Sooli-?Om1nPf!mAN#5j^0!a9 z>@!Vpexdwwf2?blEexJ3N$Lu<fCzoXG!T1oMj;l;q<9Ws-EJ!fSPH_cHjAB`nMy zS=x$}y$uEyZ7`=%8DHXC^8$nIDl^V^^}FDSD_BlVwOIBGTO82#Be)~bo(8+SX z6QCjQaqprKzbxT(sc6oX3D^E&F`&^TkHbcYiyNi|e}fmLFBmM7rg@Dqv)lyz1c1TE z{*+4V-wjhrIEi{LdverkXHSxF#MbEjMiWKf=(lPuwTR@IouvP~Jc!9L(&+XwblVN|z0(>9*l>@krw&(5ucHOe&HN=i*v zW{95IFV4?~>x@S(2v4M;xO5tI6?|eL$^k!7qgEMjYc#Qa2X6PZc%1oI4wXBCUM!e? zf5dK#CDV?-txEm`huOY|*b@$~M-Qz%4y*kRseMJl=c&u$@kyvW#ycgy^BC3yz4hvK z@N4%%YBd_#b_dT_Zp2Jd8^71*jR`9)sH4Wy{2W}Z8Rr?f*5hHtPASyyB9E77NOyb6 zg=oDR!zuk<-L}X_*5-11vUi)g-~aaZfBM^-?*{LGyMBKE+h_S)p(S$l%O!iG3%v;u zheYzw@>iIx4RMe=b&I zj>_LVvovf`-j&%QPu@%yh4K=&4!R*B*J-)bs5%8+8Kv=3c#R6U%q;3_kHx!4DPg%u z&_VM}4*#B~vXs}3arC4WO7$F+%f-K*d1FN)CqD_G!{PJvcsLxLN1?2)?m{Lz4DMk_ zzCd002GvIZ^+dG@7C>FGTK|HHe>%NEMSO}0Qc^XDe)-KWm_goOh%6WVIIzh5>5uGR zX-fOK3@`?+OdUrqJf607;vn!qyg350!|dd^%rI5@C2Y$)ojQ|@4Oc*U7M~@>YDYgt z#1bA?rDbG`NLPF_nN003bN3&mgq@m-W1c`^31qY0I$CX+;TP3j_9B*1d13;8VO=I* z7guQ-@bQ`rOrx20N*5U;>xp2JV9r!F;IYd6a#^MEB$I3e4xNU8*DQnghF{WHMudFz zVs>sb6?71|r06jKR&2Hj8h~D%qyp{c;RsFgM>}PnKhK}%&-3T`^Za@KJb#`)&z}>0 N{tqI8=zRdl008*^!Q}t| diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 53806d8d..7d99ec3a 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -11114,7 +11114,7 @@ index b876c48..2e591a5 100644 + +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..b64717f 100644 +index f962f76..4785fe8 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
@@ -13574,7 +13574,7 @@ index f962f76..b64717f 100644 + attribute tmpfile; + ') + -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 tmpfile:file { append open read_inherited_file_perms }; +') + +######################################## @@ -23945,7 +23945,7 @@ index 234a940..a92415a 100644 ######################################## ##
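Review bot: Adding `open` to `allow $1 tmpfile:file { append open read_inherited_file_perms };` changes what the interface means, not just how much it grants: `read_inherited_file_perms` deliberately leaves out `open` so a caller can only use descriptors it was handed, and with `open` on the `tmpfile` attribute every caller of files_read_inherited_tmp_files() may now open any tmp file type it can search its way to. All existing callers are widened at once, and the interface name and its summary (the interface header sits above this hunk) no longer describe the access. If one caller genuinely needs to open tmp files, a separately named interface that grants `open` keeps the inherited-only one honest; failing that, the rule should at least carry `# open is granted here: callers can read any tmpfile type, not only inherited descriptors`.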

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..c3c0f6d 100644 +index 0fef1fc..25e60c8 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) @@ -24152,7 +24152,7 @@ index 0fef1fc..c3c0f6d 100644 ') optional_policy(` -@@ -35,15 +213,31 @@ optional_policy(` +@@ -35,20 +213,74 @@ optional_policy(` ') optional_policy(` @@ -24186,10 +24186,12 @@ index 0fef1fc..c3c0f6d 100644 ') optional_policy(` -@@ -52,11 +246,61 @@ optional_policy(` - ') - - optional_policy(` + sysadm_role_change(staff_r) + userdom_dontaudit_use_user_terminals(staff_t) ++ userdom_dontaudit_read_admin_home_files(staff_t) ++') ++ ++optional_policy(` + systemd_read_unit_files(staff_t) + systemd_exec_systemctl(staff_t) +') @@ -24224,10 +24226,10 @@ index 0fef1fc..c3c0f6d 100644 + virt_getattr_exec(staff_t) + virt_search_images(staff_t) + virt_stream_connect(staff_t) -+') -+ -+optional_policy(` - vlock_run(staff_t, staff_r) + ') + + optional_policy(` +@@ -56,7 +288,20 @@ optional_policy(` ') optional_policy(` @@ -24249,7 +24251,7 @@ index 0fef1fc..c3c0f6d 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +309,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +310,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24260,7 +24262,7 @@ index 0fef1fc..c3c0f6d 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +318,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +319,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -24271,7 +24273,7 @@ index 0fef1fc..c3c0f6d 100644 ') optional_policy(` -@@ -101,10 +337,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +338,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24282,7 +24284,7 @@ index 0fef1fc..c3c0f6d 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +357,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +358,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
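Review bot: `userdom_dontaudit_read_admin_home_files(staff_t)` silences the AVC records that would show a staff_t user reading `admin_home_t` files (typically /root), which is precisely the event an auditor wants to see from a non-root role; a dontaudit is justified only when the reads are known benign noise, and the hunk does not say what produces them. The rule is also placed inside the `optional_policy` block that holds `sysadm_role_change(staff_r)`, so it only takes effect when that module is loaded, which may or may not be intended. A one-line comment naming the triggering program, e.g. `# silence noise from <program> probing /root — TODO confirm`, would let a later reviewer decide whether the suppression is still warranted.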
@@ -24293,7 +24295,7 @@ index 0fef1fc..c3c0f6d 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +369,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +370,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24304,7 +24306,7 @@ index 0fef1fc..c3c0f6d 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +400,24 @@ ifndef(`distro_redhat',` +@@ -176,3 +401,24 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -40906,7 +40908,7 @@ index 6b91740..7724116 100644 + +/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..9e86fce 100644 +index 58bc27f..842ce28 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -1,5 +1,41 @@ @@ -40951,7 +40953,7 @@ index 58bc27f..9e86fce 100644 ######################################## ## ## Execute lvm programs in the lvm domain. -@@ -86,6 +122,50 @@ interface(`lvm_read_config',` +@@ -86,6 +122,71 @@ interface(`lvm_read_config',` ######################################## ## @@ -40998,11 +41000,32 @@ index 58bc27f..9e86fce 100644 +') + +######################################## ++## ++## Manage LVM metadata files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`lvm_manage_metadata',` ++ gen_require(` ++ type lvm_metadata_t; ++ ') ++ ++ allow $1 lvm_metadata_t:dir list_dir_perms; ++ manage_dirs_pattern($1, lvm_metadata_t, lvm_metadata_t) ++ manage_files_pattern($1, lvm_metadata_t, lvm_metadata_t) ++') ++ ++######################################## +## ## Manage LVM configuration files. ## ## -@@ -105,6 +185,25 @@ interface(`lvm_manage_config',` +@@ -105,6 +206,25 @@ interface(`lvm_manage_config',` manage_files_pattern($1, lvm_etc_t, lvm_etc_t) ') 
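Review bot: In the new `lvm_manage_metadata` interface the line `allow $1 lvm_metadata_t:dir list_dir_perms;` is redundant: `manage_dirs_pattern($1, lvm_metadata_t, lvm_metadata_t)` on the next line already grants `manage_dir_perms` on `lvm_metadata_t` directories, a superset of `list_dir_perms`. Dropping the extra allow leaves the body as the two `manage_*_pattern` calls and spares a reader from wondering whether the listing rule covers some case the pattern does not. Since the interface hands any caller create/delete on LVM metadata, its summary line should make that scope explicit rather than reading like a variant of the narrower `lvm_write_metadata`.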
@@ -41028,7 +41051,7 @@ index 58bc27f..9e86fce 100644 ###################################### ## ## Execute a domain transition to run clvmd. -@@ -123,3 +222,175 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +243,175 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b2f3b0fc..832df906 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10917,7 +10917,7 @@ index 02fefaa..308616e 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c4..bce6267 100644 +index 687d4c4..ff57137 100644 --- a/boinc.te +++ b/boinc.te @@ -1,4 +1,4 @@ @@ -11112,7 +11112,7 @@ index 687d4c4..bce6267 100644 -files_read_usr_files(boinc_t) -fs_getattr_all_fs(boinc_t) -+auth_read_passwd(boinc_t) ++auth_use_nsswitch(boinc_t) term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) @@ -25555,7 +25555,7 @@ index 0000000..b3784d8 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..fa74f85 +index 0000000..6cca2dd --- /dev/null +++ b/dirsrv.te @@ -0,0 +1,204 @@ @@ -25611,7 +25611,7 @@ index 0000000..fa74f85 +# +# dirsrv local policy +# -+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; ++allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms}; +allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner }; +allow dirsrv_t self:fifo_file manage_fifo_file_perms; +allow dirsrv_t self:sem create_sem_perms; @@ -29362,7 +29362,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..0235724 100644 +index 98072a3..e6904e2 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) 
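Review bot: Replacing `auth_read_passwd(boinc_t)` with `auth_use_nsswitch(boinc_t)` grants considerably more than the changelog's "Allow boinc_t nsswitch" suggests: in the reference policy that interface bundles DNS resolution, LDAP client access and connects to the nscd/sssd/winbind sockets, so a client that previously only read `/etc/passwd` can now reach the host's directory backends. If the real need is user/group lookup through sssd, `auth_use_nsswitch` is the conventional answer, but the reason belongs on the line, e.g. `# needs sssd/nscd lookups, not only /etc/passwd — TODO confirm`, so the widening stays traceable.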
@@ -29413,7 +29413,7 @@ index 98072a3..0235724 100644 corecmd_exec_bin(firewalld_t) corecmd_exec_shell(firewalld_t) -@@ -63,20 +79,26 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +79,27 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -29430,6 +29430,7 @@ index 98072a3..0235724 100644 -miscfiles_read_localization(firewalld_t) +libs_exec_ldconfig(firewalld_t) ++libs_dontaudit_write_lib_dirs(firewalld_t) -seutil_exec_setfiles(firewalld_t) -seutil_read_file_contexts(firewalld_t) @@ -29447,7 +29448,7 @@ index 98072a3..0235724 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -91,10 +113,15 @@ optional_policy(` +@@ -91,10 +114,15 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(firewalld_t) @@ -51463,7 +51464,7 @@ index b1ac8b5..24782b3 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..2055876 100644 +index d15eb5b..ad481ce 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -51486,16 +51487,17 @@ index d15eb5b..2055876 100644 kernel_read_system_state(modemmanager_t) +-dev_read_sysfs(modemmanager_t) +-dev_rw_modem(modemmanager_t) +auth_read_passwd(modemmanager_t) -+ -+corecmd_exec_bin(modemmanager_t) -+ - dev_read_sysfs(modemmanager_t) -+dev_read_urand(modemmanager_t) - dev_rw_modem(modemmanager_t) -files_read_etc_files(modemmanager_t) -- ++corecmd_exec_bin(modemmanager_t) ++ ++dev_rw_sysfs(modemmanager_t) ++dev_read_urand(modemmanager_t) ++dev_rw_modem(modemmanager_t) + term_use_generic_ptys(modemmanager_t) term_use_unallocated_ttys(modemmanager_t) +term_use_usb_ttys(modemmanager_t) @@ -57508,7 +57510,7 @@ index 687af38..5381f1b 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..1443a3a 100644 +index 7584bbe..318ee4d 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) 
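Review bot: `libs_dontaudit_write_lib_dirs(firewalld_t)` hides denials for a root-level daemon trying to create entries in `lib_t` directories, and nothing in the hunk says what triggers the attempt (presumably a Python bytecode cache written next to the firewalld modules, but that is not stated). A write into the library tree is one of the few denials that would reveal a misbehaving or compromised firewalld, so the suppression deserves a comment naming the cause, e.g. `# python tries to write __pycache__ under lib_t; harmless, so do not audit — TODO confirm`. If the cause is the bytecode cache, compiling it at package build time would remove the attempt rather than silence it.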
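Review bot: Switching `dev_read_sysfs(modemmanager_t)` to `dev_rw_sysfs(modemmanager_t)` gives ModemManager write access to every `sysfs_t` file, while the changelog says the need is one `raw_ip` attribute. sysfs attributes are the kernel's configuration surface for devices and drivers, so a daemon that parses data arriving from the cellular network now holds a far wider write capability than the feature requires. If the `raw_ip` attribute has a stable path, labeling it with its own type through a `genfscon` entry and allowing writes only to that type keeps the rest of sysfs read-only; if that is impractical, the rule should carry `# rw needed only for the raw_ip sysfs attribute; no narrower sysfs type available` so the scope is recorded.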
@@ -57707,7 +57709,7 @@ index 7584bbe..1443a3a 100644 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; -allow mysqld_safe_t mysqld_t:process signull; -+allow mysqld_safe_t mysqld_t:process { rlimitinh }; ++allow mysqld_safe_t mysqld_t:process { rlimitinh noatsecure }; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) @@ -107947,10 +107949,10 @@ index 0000000..a6e216c + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 0000000..0315421 +index 0000000..4cc8557 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,81 @@ +@@ -0,0 +1,91 @@ +policy_module(targetd, 1.0.0) + +######################################## @@ -107995,6 +107997,7 @@ index 0000000..0315421 +kernel_get_sysvipc_info(targetd_t) +kernel_read_system_state(targetd_t) +kernel_read_network_state(targetd_t) ++kernel_load_module(targetd_t) + +rpc_read_exports(targetd_t) + @@ -108023,12 +108026,21 @@ index 0000000..0315421 +optional_policy(` + lvm_read_config(targetd_t) + lvm_write_metadata(targetd_t) ++ lvm_manage_metadata(targetd_t) + lvm_manage_lock(targetd_t) + lvm_rw_pipes(targetd_t) + lvm_stream_connect(targetd_t) +') + +optional_policy(` ++ modutils_read_module_config(targetd_t) ++') ++ ++optional_policy(` ++ rpc_manage_nfs_state_data(targetd_t) ++') ++ ++optional_policy(` + udev_read_pid_files(targetd_t) +') + @@ -110135,10 +110147,10 @@ index 0000000..9524b50 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..ab916b7 +index 0000000..d366c8b --- /dev/null +++ b/thumb.te -@@ -0,0 +1,167 @@ +@@ -0,0 +1,168 @@ +policy_module(thumb, 1.0.0) + +######################################## 
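Review bot: `noatsecure` in `allow mysqld_safe_t mysqld_t:process { rlimitinh noatsecure };` tells the kernel not to set AT_SECURE on the mysqld_safe_t to mysqld_t transition, so the dynamic loader keeps `LD_PRELOAD`, `LD_LIBRARY_PATH` and similar variables instead of dropping them; that is the "environment cleansing" the changelog disables. This is a deliberate weakening that holds only if the wrapper is launched by init and not from a user shell, something this hunk does not show, and the rationale is not recorded in the policy. A comment on the rule, e.g. `# noatsecure: mysqld_safe passes LD_PRELOAD/malloc settings to mysqld; env must come from init, not a user`, would keep the next maintainer from removing or copying it blindly.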
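Review bot: `kernel_load_module(targetd_t)` hands the targetd daemon the `sys_module` capability, i.e. the ability to load arbitrary kernel modules, which is effectively kernel-level control for a service daemon. If the need is only that the kernel auto-load the storage target modules when targetd touches configfs or a block device, `kernel_request_load_module(targetd_t)` (module_request through the kernel's own modprobe) covers it without granting `sys_module`; the nearby `modutils_read_module_config(targetd_t)` hints that targetd may run modprobe itself, in which case a domain transition into the modutils domain is the usual way to keep the capability out of targetd_t. Either way the rule should say why: `# kernel_load_module: targetd loads <module> — TODO confirm; prefer kernel_request_load_module`.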
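Review bot: `lvm_manage_metadata(targetd_t)` is added directly under `lvm_write_metadata(targetd_t)`, and since the manage interface grants `manage_files_pattern` on the same type it is presumably a superset of the write one (the body of `lvm_write_metadata` is not on this page), leaving the older call as dead weight; drop `lvm_write_metadata(targetd_t)` or note why both are kept. The same hunk also adds `rpc_manage_nfs_state_data(targetd_t)`, which by its name is create/delete on NFS state data rather than the read-only `rpc_read_exports` already present above; a comment naming the export-management operation that needs it would make that widening reviewable.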
@@ -110177,6 +110189,7 @@ index 0000000..ab916b7 + +allow thumb_t self:fifo_file manage_fifo_file_perms; +allow thumb_t self:unix_stream_socket create_stream_socket_perms; ++allow thumb_t self:unix_dgram_socket create_socket_perms; +allow thumb_t self:netlink_route_socket r_netlink_socket_perms; +allow thumb_t self:netlink_kobject_uevent_socket create_socket_perms; +allow thumb_t self:udp_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index a05d64dd..2d9d0d17 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 260%{?dist} +Release: 261%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -690,6 +690,18 @@ exit 0 %endif %changelog +* Fri Jun 23 2017 Lukas Vrabec - 3.13.1-261 +- Allow boinc_t nsswitch +- Dontaudit firewalld to write to lib_t dirs +- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t +- Allow thumb_t domain to allow create dgram sockets +- Disable mysqld_safe_t secure mode environment cleansing +- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode +- Allow dirsrv domain setrlimit +- Dontaudit staff_t user read admin_home_t files. +- Add interface lvm_manage_metadata +- Add permission open to files_read_inherited_tmp_files() interface + * Mon Jun 19 2017 Lukas Vrabec - 3.13.1-260 - Allow sssd_t to read realmd lib files. - Fix init interface file. init_var_run_t is type not attribute