* Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-106

- Allow docker to attach to the sandbox and user domains tun devices - Allow pingd to read /dev/urandom. BZ(1181831) - Allow virtd to list all mountpoints - Allow sblim-sfcb to search images - pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t. - Call correct macro in virt_read_content(). - Dontaudit couchdb search in gconf_home_t. BZ(1177717) - Allow docker_t to changes it rlimit - Allow neutron to read rpm DB. - Allow radius to connect/bind radsec ports - Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log. - Add devicekit_read_log_files(). - Allow virt_qemu_ga to dbus chat with rpm. - Allow netutils chown capability to make tcpdump working with -w. - Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t. - journald now reads the netlink audit socket - Add auditing support for ipsec. * Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-105 - Bump release
2015-01-29 17:35:42 +01:00 · 2015-01-29 17:35:42 +01:00 · a849531c0e
parent 72c96b37c5
commit a849531c0e
3 changed files with 532 additions and 399 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -1802,7 +1802,7 @@ index c6ca761..0c86bfd 100644
 ')
 
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c359..c7fe2c6 100644
+index c44c359..ec441aa 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@ -1818,6 +1818,15 @@ index c44c359..c7fe2c6 100644
 
 type netutils_t;
 type netutils_exec_t;
+@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
+ #
+ 
+ # Perform network administration operations and have raw access to the network.
+-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
+allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot };
+ dontaudit netutils_t self:capability { dac_override sys_tty_config };
+ allow netutils_t self:process { setcap signal_perms };
+ allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
@@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms;
 allow netutils_t self:udp_socket create_socket_perms;
 allow netutils_t self:tcp_socket create_stream_socket_perms;
@ -9565,7 +9574,7 @@ index cf04cb5..005fd45 100644
 +	unconfined_server_stream_connect(domain)
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..ad25566 100644
+index b876c48..6bfb954 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -9585,7 +9594,7 @@ index b876c48..ad25566 100644
 /boot/.*			gen_context(system_u:object_r:boot_t,s0)
 /boot/\.journal			<<none>>
 /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
-@@ -38,27 +39,35 @@ ifdef(`distro_suse',`
+@@ -38,27 +39,36 @@ ifdef(`distro_suse',`
 #
 # /emul
 #
@ -9625,10 +9634,11 @@ index b876c48..ad25566 100644
 +/etc/ostree/remotes.d(/.*)?                      gen_context(system_u:object_r:system_conf_t,s0)
 +
 +/ostree/repo(/.*)?                      gen_context(system_u:object_r:system_conf_t,s0)
+/ostree/deploy/rhel-atomic-host/deploy(/.*)?                      gen_context(system_u:object_r:system_conf_t,s0)
 
 /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
 
-@@ -70,7 +79,10 @@ ifdef(`distro_suse',`
+@@ -70,7 +80,10 @@ ifdef(`distro_suse',`
 
 /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@ -9640,7 +9650,7 @@ index b876c48..ad25566 100644
 
 ifdef(`distro_gentoo', `
 /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -78,10 +90,6 @@ ifdef(`distro_gentoo', `
+@@ -78,10 +91,6 @@ ifdef(`distro_gentoo', `
 /etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 
@ -9651,7 +9661,7 @@ index b876c48..ad25566 100644
 ifdef(`distro_suse',`
 /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +112,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
+@@ -104,7 +113,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
 /initrd			-d	gen_context(system_u:object_r:root_t,s0)
 
 #
@ -9660,7 +9670,7 @@ index b876c48..ad25566 100644
 #
 /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
 
-@@ -125,10 +133,13 @@ ifdef(`distro_debian',`
+@@ -125,10 +134,13 @@ ifdef(`distro_debian',`
 #
 # Mount points; do not relabel subdirectories, since
 # we don't want to change any removable media by default.
@ -9675,7 +9685,7 @@ index b876c48..ad25566 100644
 
 #
 # /misc
-@@ -138,7 +149,7 @@ ifdef(`distro_debian',`
+@@ -138,7 +150,7 @@ ifdef(`distro_debian',`
 #
 # /mnt
 #
@ -9684,7 +9694,7 @@ index b876c48..ad25566 100644
 /mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
 /mnt/[^/]*/.*			<<none>>
 
-@@ -150,10 +161,10 @@ ifdef(`distro_debian',`
+@@ -150,10 +162,10 @@ ifdef(`distro_debian',`
 #
 # /opt
 #
@ -9697,7 +9707,7 @@ index b876c48..ad25566 100644
 
 #
 # /proc
-@@ -161,6 +172,12 @@ ifdef(`distro_debian',`
+@@ -161,6 +173,12 @@ ifdef(`distro_debian',`
 /proc			-d	<<none>>
 /proc/.*			<<none>>
 
@ -9710,7 +9720,7 @@ index b876c48..ad25566 100644
 #
 # /run
 #
-@@ -169,6 +186,7 @@ ifdef(`distro_debian',`
+@@ -169,6 +187,7 @@ ifdef(`distro_debian',`
 /run/.*\.*pid			<<none>>
 /run/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
 
@ -9718,7 +9728,7 @@ index b876c48..ad25566 100644
 #
 # /selinux
 #
-@@ -178,13 +196,14 @@ ifdef(`distro_debian',`
+@@ -178,13 +197,14 @@ ifdef(`distro_debian',`
 #
 # /srv
 #
@ -9735,7 +9745,7 @@ index b876c48..ad25566 100644
 /tmp/.*				<<none>>
 /tmp/\.journal			<<none>>
 
-@@ -194,9 +213,11 @@ ifdef(`distro_debian',`
+@@ -194,9 +214,11 @@ ifdef(`distro_debian',`
 #
 # /usr
 #
@ -9748,7 +9758,7 @@ index b876c48..ad25566 100644
 
 /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 
-@@ -204,15 +225,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +226,9 @@ ifdef(`distro_debian',`
 
 /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
 
@ -9765,7 +9775,7 @@ index b876c48..ad25566 100644
 
 /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
 
-@@ -220,8 +235,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +236,6 @@ ifdef(`distro_debian',`
 /usr/tmp/.*			<<none>>
 
 ifndef(`distro_redhat',`
@ -9774,7 +9784,7 @@ index b876c48..ad25566 100644
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 ')
-@@ -229,7 +242,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +243,7 @@ ifndef(`distro_redhat',`
 #
 # /var
 #
@ -9783,7 +9793,7 @@ index b876c48..ad25566 100644
 /var/.*				gen_context(system_u:object_r:var_t,s0)
 /var/\.journal			<<none>>
 
-@@ -237,11 +250,25 @@ ifndef(`distro_redhat',`
+@@ -237,11 +251,25 @@ ifndef(`distro_redhat',`
 
 /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
 
@ -9810,7 +9820,7 @@ index b876c48..ad25566 100644
 
 /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/log/lost\+found/.*		<<none>>
-@@ -256,12 +283,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +284,14 @@ ifndef(`distro_redhat',`
 /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*\.*pid		<<none>>
@ -9825,7 +9835,7 @@ index b876c48..ad25566 100644
 /var/tmp/.*			<<none>>
 /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.*		<<none>>
-@@ -271,3 +300,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +301,5 @@ ifdef(`distro_debian',`
 /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
@ -32669,7 +32679,7 @@ index 0d4c8d3..9395313 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..1cce3ba 100644
+index 312cd04..dd6638a 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -32763,7 +32773,7 @@ index 312cd04..1cce3ba 100644
 
 dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)
-@@ -157,24 +170,33 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,24 +170,32 @@ files_dontaudit_search_home(ipsec_t)
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
 
@ -32778,11 +32788,11 @@ index 312cd04..1cce3ba 100644
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
 
-+logging_read_all_logs(ipsec_mgmt_t)
+logging_send_audit_msgs(ipsec_t)
 logging_send_syslog_msg(ipsec_t)
 
 -miscfiles_read_localization(ipsec_t)
- 
+-
 sysnet_domtrans_ifconfig(ipsec_t)
 +sysnet_manage_config(ipsec_t)
 +sysnet_etc_filetrans_config(ipsec_t)
@ -32798,7 +32808,7 @@ index 312cd04..1cce3ba 100644
 	seutil_sigchld_newrole(ipsec_t)
 ')
 
-@@ -187,10 +209,10 @@ optional_policy(`
+@@ -187,10 +208,10 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
 
@ -32813,7 +32823,7 @@ index 312cd04..1cce3ba 100644
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -208,12 +230,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
 
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -32829,7 +32839,7 @@ index 312cd04..1cce3ba 100644
 
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
-@@ -246,6 +270,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
 
@ -32846,7 +32856,7 @@ index 312cd04..1cce3ba 100644
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
 
-@@ -255,6 +289,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 
@ -32855,7 +32865,7 @@ index 312cd04..1cce3ba 100644
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
 
-@@ -269,6 +305,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +304,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
@ -32863,7 +32873,7 @@ index 312cd04..1cce3ba 100644
 files_read_usr_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +315,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
 
 term_use_console(ipsec_mgmt_t)
@ -32875,16 +32885,17 @@ index 312cd04..1cce3ba 100644
 
 init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +326,23 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +325,25 @@ init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 
 -logging_send_syslog_msg(ipsec_mgmt_t)
+-
+-miscfiles_read_localization(ipsec_mgmt_t)
 +ipsec_mgmt_systemctl(ipsec_mgmt_t)
 
-miscfiles_read_localization(ipsec_mgmt_t)
-
 -seutil_dontaudit_search_config(ipsec_mgmt_t)
+logging_read_all_logs(ipsec_mgmt_t)
 +logging_send_syslog_msg(ipsec_mgmt_t)
 
 sysnet_manage_config(ipsec_mgmt_t)
@ -32897,6 +32908,7 @@ index 312cd04..1cce3ba 100644
 +userdom_use_inherited_user_terminals(ipsec_mgmt_t)
 +
 +optional_policy(`
+    bind_domtrans(ipsec_mgmt_t)
 +	bind_read_dnssec_keys(ipsec_mgmt_t)
 +	bind_read_config(ipsec_mgmt_t)
 +	bind_read_state(ipsec_mgmt_t)
@ -32904,7 +32916,7 @@ index 312cd04..1cce3ba 100644
 
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +366,10 @@ optional_policy(`
+@@ -322,6 +367,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -32915,7 +32927,7 @@ index 312cd04..1cce3ba 100644
 	modutils_domtrans_insmod(ipsec_mgmt_t)
 ')
 
-@@ -335,7 +383,7 @@ optional_policy(`
+@@ -335,7 +384,7 @@ optional_policy(`
 #
 
 allow racoon_t self:capability { net_admin net_bind_service };
@ -32924,7 +32936,7 @@ index 312cd04..1cce3ba 100644
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +418,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +419,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
 
@ -32944,7 +32956,7 @@ index 312cd04..1cce3ba 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 
-@@ -401,10 +448,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +449,10 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
 
@ -32957,7 +32969,7 @@ index 312cd04..1cce3ba 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +485,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +486,8 @@ corenet_setcontext_all_spds(setkey_t)
 
 locallogin_use_fds(setkey_t)
 
@ -34744,7 +34756,7 @@ index 4e94884..8de26ad 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..077c808 100644
+index 59b04c1..89471ff 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -34967,18 +34979,19 @@ index 59b04c1..077c808 100644
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,8 +412,11 @@ allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
 +allow syslogd_t self:rawip_socket create_socket_perms;
+allow syslogd_t self:netlink_audit_socket r_netlink_socket_perms;
 
 allow syslogd_t syslog_conf_t:file read_file_perms;
 +allow syslogd_t syslog_conf_t:dir list_dir_perms;
 
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +434,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +435,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 
@ -35028,7 +35041,7 @@ index 59b04c1..077c808 100644
 # syslog-ng can listen and connect on tcp port 514 (rsh)
 corenet_tcp_sendrecv_generic_if(syslogd_t)
 corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +483,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +484,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
 corenet_tcp_connect_rsh_port(syslogd_t)
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
@ -35037,7 +35050,7 @@ index 59b04c1..077c808 100644
 corenet_tcp_connect_syslogd_port(syslogd_t)
 corenet_tcp_connect_postgresql_port(syslogd_t)
 corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +495,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +496,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
 corenet_sendrecv_postgresql_client_packets(syslogd_t)
 corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
@ -35065,7 +35078,7 @@ index 59b04c1..077c808 100644
 domain_use_interactive_fds(syslogd_t)
 
 files_read_etc_files(syslogd_t)
-@@ -448,13 +528,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +529,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
@ -35083,7 +35096,7 @@ index 59b04c1..077c808 100644
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +550,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +551,11 @@ init_use_fds(syslogd_t)
 
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)
@ -35098,7 +35111,7 @@ index 59b04c1..077c808 100644
 
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +581,7 @@ optional_policy(`
+@@ -497,6 +582,7 @@ optional_policy(`
 optional_policy(`
 	cron_manage_log_files(syslogd_t)
 	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -35106,7 +35119,7 @@ index 59b04c1..077c808 100644
 ')
 
 optional_policy(`
-@@ -507,15 +592,40 @@ optional_policy(`
+@@ -507,15 +593,40 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -35147,7 +35160,7 @@ index 59b04c1..077c808 100644
 ')
 
 optional_policy(`
-@@ -526,3 +636,26 @@ optional_policy(`
+@@ -526,3 +637,26 @@ optional_policy(`
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 104%{?dist}
+Release: 106%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -605,6 +605,28 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-106
+- Allow docker to attach to the sandbox and user domains tun devices
+- Allow pingd to read /dev/urandom. BZ(1181831)
+- Allow virtd to list all mountpoints
+- Allow sblim-sfcb to search images
+- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
+- Call correct macro in virt_read_content().
+- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
+- Allow docker_t to changes it rlimit
+- Allow neutron to read rpm DB.
+- Allow radius to connect/bind radsec ports
+- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log.
+- Add devicekit_read_log_files().
+- Allow  virt_qemu_ga to dbus chat with rpm.
+- Allow netutils chown capability to make tcpdump working with -w.
+- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t.
+- journald now reads the netlink audit socket
+- Add auditing support for ipsec.
+
+* Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-105
+- Bump release
+
 * Thu Jan 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-104
 - remove duplicate filename transition rules.
 - Call proper interface in sosreport.te.