* Mon Nov 03 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-90

- Add support for /dev/nvme controllerdevice nodes created by nvme driver.
- Add 15672 as amqp_port_t
- Allow wine domains to read user homedir content
- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc
- Allow winbind to read usermodehelper
- Allow telepathy domains to execute shells and bin_t
- Allow gpgdomains to create netlink_kobject_uevent_sockets
- Allow abrt to read software raid state. BZ (1157770)
- Fix rhcs_signull_haproxy() interface.
-  Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
- Allow snapperd to dbus chat with system cron jobs.
- Allow nslcd to read /dev/urandom.
- Allow dovecot to create user's home directory when they log into IMAP.
- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)

policy-rawhide-base.patch

@@ -5930,7 +5930,7 @@ index 3f6e168..51ad69a 100644
  ')
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..50bfabf 100644
+index b31c054..872ff1b 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,15 +15,18 @@
@@ -5981,7 +5981,16 @@ index b31c054..50bfabf 100644
  /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
  /dev/net/vhost		-c	gen_context(system_u:object_r:vhost_device_t,s0)
-@@ -106,6 +113,7 @@
+@@ -80,6 +87,8 @@
+ /dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
+ /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/nvme.*     -c  gen_context(system_u:object_r:nvme_device_t,s0)
++/dev/nvme.*     -b  gen_context(system_u:object_r:nvme_device_t,s0)
+ /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
+ /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+@@ -106,6 +115,7 @@
  /dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
  /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@@ -5989,7 +5998,7 @@ index b31c054..50bfabf 100644
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
  /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +126,11 @@
+@@ -118,6 +128,11 @@
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
  ')
@@ -6001,7 +6010,7 @@ index b31c054..50bfabf 100644
  /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
  /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +142,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +144,14 @@ ifdef(`distro_suse', `
  /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/watchdog.*		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -6016,7 +6025,7 @@ index b31c054..50bfabf 100644
  /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
-@@ -172,6 +187,8 @@ ifdef(`distro_suse', `
+@@ -172,6 +189,8 @@ ifdef(`distro_suse', `
  /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
  
@@ -6025,7 +6034,7 @@ index b31c054..50bfabf 100644
  /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
  /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +215,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +217,27 @@ ifdef(`distro_debian',`
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -8586,7 +8595,7 @@ index 76f285e..d36451a 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..f52e603 100644
+index 0b1a871..f260e6f 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
 @@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -8667,7 +8676,20 @@ index 0b1a871..f52e603 100644
  # A more general type for mouse devices.
  #
  type mouse_device_t;
-@@ -227,6 +244,10 @@ files_mountpoint(sysfs_t)
+@@ -183,6 +200,12 @@ type nvram_device_t;
+ dev_node(nvram_device_t)
+ 
+ #
++# Type for controller device nodes
++#
++type nvme_device_t;
++dev_node(nvme_device_t)
++
++#
+ # Type for /dev/pmu
+ #
+ type power_device_t;
+@@ -227,6 +250,10 @@ files_mountpoint(sysfs_t)
  fs_type(sysfs_t)
  genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
  
@@ -8678,7 +8700,7 @@ index 0b1a871..f52e603 100644
  #
  # Type for /dev/tpm
  #
-@@ -266,6 +287,15 @@ dev_node(usbmon_device_t)
+@@ -266,6 +293,15 @@ dev_node(usbmon_device_t)
  type userio_device_t;
  dev_node(userio_device_t)
  
@@ -8694,7 +8716,7 @@ index 0b1a871..f52e603 100644
  type v4l_device_t;
  dev_node(v4l_device_t)
  
-@@ -274,6 +304,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +310,7 @@ dev_node(v4l_device_t)
  #
  type vhost_device_t;
  dev_node(vhost_device_t)
@@ -8702,7 +8724,7 @@ index 0b1a871..f52e603 100644
  
  # Type for vmware devices.
  type vmware_device_t;
-@@ -319,5 +350,6 @@ files_associate_tmp(device_node)
+@@ -319,5 +356,6 @@ files_associate_tmp(device_node)
  #
  
  allow devices_unconfined_type self:capability sys_rawio;
@@ -29277,7 +29299,7 @@ index bc0ffc8..7198bd9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..f142c45 100644
+index 79a45f6..b88e8a2 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -30744,7 +30766,7 @@ index 79a45f6..f142c45 100644
 +		type init_t;
 +	')
 +
-+	allow $1 init_t:service { start stop reload status };
++	allow $1 init_t:service manage_service_perms;
 +')
 +
 +########################################
@@ -41157,10 +41179,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..5b904b0
+index 0000000..a75ffd3
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,699 @@
+@@ -0,0 +1,700 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41812,6 +41834,7 @@ index 0000000..5b904b0
 +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_dgram_send(systemd_sysctl_t)
++kernel_request_load_module(systemd_sysctl_t)
 +kernel_rw_all_sysctls(systemd_sysctl_t)
 +kernel_write_security_state(systemd_sysctl_t)
 +

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 89%{?dist}
+Release: 90%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,22 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Nov 03 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-90
+- Add support for /dev/nvme controllerdevice nodes created by nvme driver.
+- Add 15672 as amqp_port_t
+- Allow wine domains to read user homedir content
+- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc
+- Allow winbind to read usermodehelper
+- Allow telepathy domains to execute shells and bin_t
+- Allow gpgdomains to create netlink_kobject_uevent_sockets
+- Allow abrt to read software raid state. BZ (1157770)
+- Fix rhcs_signull_haproxy() interface.
+-  Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
+- Allow snapperd to dbus chat with system cron jobs.
+- Allow nslcd to read /dev/urandom.
+- Allow dovecot to create user's home directory when they log into IMAP.
+- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
+
 * Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
 - Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
 - Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld