* Fri Jan 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-309

- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy - Allow git_script_t to mmap git_user_content_t files BZ(1530937) - Allow certmonger domain to create temp files BZ(1530795) - Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563) - Allow fsdaemon_t to read nvme devices BZ(1530018) - Dontaudit fsdaemon_t to write to admin homedir. BZ(153030) - Update munin plugin policy BZ(1528471) - Allow sendmail_t domain to be system dbusd client BZ(1478735) - Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645) - Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313) - Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672) - Allow thumb_t to mmap non security files BZ(1517393) - Allow smbd_t to mmap files with label samba_share_t BZ(1530453) - Fix broken sysnet_filetrans_named_content() interface - Allow init_t to create tcp sockets for unconfined services BZ(1366968) - Allow xdm_t to getattr on xserver_t process files BZ(1506116) - Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297) - Allow X userdomains to send dgram msgs to xserver_t BZ(1515967) - Add interface files_map_non_security_files()
2018-01-05 15:16:17 +01:00 · 2018-01-05 15:16:17 +01:00 · af863d8251
parent 46f9f9c36a
commit af863d8251
4 changed files with 3997 additions and 1753 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -2331,7 +2331,7 @@ index 7f4dfbca3..e5c9f45b8 100644
 /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
 
 diff --git a/amanda.te b/amanda.te
-index 519051c7d..96bbc0825 100644
+index 519051c7d..48d816150 100644
 --- a/amanda.te
 +++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@ -2425,7 +2425,12 @@ index 519051c7d..96bbc0825 100644
 
 files_read_etc_runtime_files(amanda_t)
 files_list_all(amanda_t)
-@@ -130,6 +145,7 @@ fs_list_all(amanda_t)
+@@ -126,10 +141,12 @@ files_getattr_all_sockets(amanda_t)
+ 
+ fs_getattr_xattr_fs(amanda_t)
+ fs_list_all(amanda_t)
+fs_getattr_tmpfs(amanda_t)
+ 
 storage_raw_read_fixed_disk(amanda_t)
 storage_read_tape(amanda_t)
 storage_write_tape(amanda_t)
@ -2433,7 +2438,7 @@ index 519051c7d..96bbc0825 100644
 
 auth_use_nsswitch(amanda_t)
 auth_read_shadow(amanda_t)
-@@ -141,7 +157,7 @@ logging_send_syslog_msg(amanda_t)
+@@ -141,7 +158,7 @@ logging_send_syslog_msg(amanda_t)
 # Recover local policy
 #
 
@ -2442,7 +2447,7 @@ index 519051c7d..96bbc0825 100644
 allow amanda_recover_t self:process { sigkill sigstop signal };
 allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
 allow amanda_recover_t self:unix_stream_socket create_socket_perms;
-@@ -170,7 +186,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +187,6 @@ kernel_read_system_state(amanda_recover_t)
 corecmd_exec_shell(amanda_recover_t)
 corecmd_exec_bin(amanda_recover_t)
 
@ -2450,7 +2455,7 @@ index 519051c7d..96bbc0825 100644
 corenet_all_recvfrom_netlabel(amanda_recover_t)
 corenet_tcp_sendrecv_generic_if(amanda_recover_t)
 corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +210,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +211,16 @@ files_search_tmp(amanda_recover_t)
 
 auth_use_nsswitch(amanda_recover_t)
 
@ -5635,7 +5640,7 @@ index f6eb4851f..3628a384f 100644
 +    allow $1 httpd_t:process { noatsecure };
 ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..1df48fb13 100644
+index 6649962b6..c45ca1fb1 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -7895,39 +7900,47 @@ index 6649962b6..1df48fb13 100644
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1682,110 @@ dev_read_urand(httpd_passwd_t)
+@@ -1384,36 +1684,109 @@ domain_use_interactive_fds(httpd_passwd_t)
 
- domain_use_interactive_fds(httpd_passwd_t)
- 
-+
 auth_use_nsswitch(httpd_passwd_t)
 
 -miscfiles_read_generic_certs(httpd_passwd_t)
 -miscfiles_read_localization(httpd_passwd_t)
-+miscfiles_read_certs(httpd_passwd_t)
+init_dontaudit_read_state(httpd_passwd_t)
 
 -########################################
 -#
 -# GPG local policy
 -#
+miscfiles_read_certs(httpd_passwd_t)
+ 
+-allow httpd_gpg_t self:process setrlimit;
 +systemd_manage_passwd_run(httpd_passwd_t)
 +systemd_manage_passwd_run(httpd_t)
 +#systemd_passwd_agent_dev_template(httpd)
 
-allow httpd_gpg_t self:process setrlimit;
+-allow httpd_gpg_t httpd_t:fd use;
+-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+-allow httpd_gpg_t httpd_t:process sigchld;
 +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
 +dontaudit httpd_passwd_t httpd_config_t:file read;
-+
+ 
+-dev_read_rand(httpd_gpg_t)
+-dev_read_urand(httpd_gpg_t)
 +search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
 +corecmd_shell_entry_type(httpd_script_type)
-+
+ 
+-files_read_usr_files(httpd_gpg_t)
 +allow httpd_script_type self:fifo_file rw_file_perms;
 +allow httpd_script_type self:unix_stream_socket connectto;
-+
+ 
+-miscfiles_read_localization(httpd_gpg_t)
 +allow httpd_script_type httpd_t:fifo_file write;
 +# apache should set close-on-exec
 +apache_dontaudit_leaks(httpd_script_type)
-+
+ 
+-tunable_policy(`httpd_gpg_anon_write',`
+-	miscfiles_manage_public_files(httpd_gpg_t)
 +append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
 +logging_search_logs(httpd_script_type)
 +
@ -7955,29 +7968,20 @@ index 6649962b6..1df48fb13 100644
 +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 +allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
 +allow httpd_t httpd_script_exec_type:dir list_dir_perms;
- 
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+
 +allow httpd_script_type self:process { setsched signal_perms };
 +allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
 +allow httpd_script_type self:unix_dgram_socket create_socket_perms;
 +allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
- 
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+
 +allow httpd_script_type httpd_t:fd use;
 +allow httpd_script_type httpd_t:process sigchld;
- 
-files_read_usr_files(httpd_gpg_t)
+
 +dontaudit httpd_script_type httpd_t:tcp_socket { read write };
 +dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
- 
-miscfiles_read_localization(httpd_gpg_t)
+
 +fs_getattr_xattr_fs(httpd_script_type)
- 
-tunable_policy(`httpd_gpg_anon_write',`
-	miscfiles_manage_public_files(httpd_gpg_t)
+
 +files_read_etc_runtime_files(httpd_script_type)
 +
 +libs_read_lib_files(httpd_script_type)
@ -12617,10 +12621,10 @@ index 008f8ef26..144c0740a 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287ce..73104ec93 100644
+index 550b287ce..36c9f99b1 100644
 --- a/certmonger.te
 +++ b/certmonger.te
-@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
+@@ -18,18 +18,29 @@ files_type(certmonger_var_lib_t)
 type certmonger_var_run_t;
 files_pid_file(certmonger_var_run_t)
 
@ -12629,6 +12633,9 @@ index 550b287ce..73104ec93 100644
 +
 +type certmonger_unit_file_t;
 +systemd_unit_file(certmonger_unit_file_t)
+
+type certmonger_tmp_t;
+files_tmp_file(certmonger_tmp_t)
 +
 ########################################
 #
@ -12651,15 +12658,21 @@ index 550b287ce..73104ec93 100644
 
 manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
 manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-@@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
+@@ -39,8 +50,13 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
 
+manage_dirs_pattern(certmonger_t, certmonger_tmp_t, certmonger_tmp_t)
+manage_files_pattern(certmonger_t, certmonger_tmp_t, certmonger_tmp_t)
+files_tmp_filetrans(certmonger_t, certmonger_tmp_t, { file dir })
+
 kernel_read_kernel_sysctls(certmonger_t)
 kernel_read_system_state(certmonger_t)
 +kernel_read_network_state(certmonger_t)
 
 corenet_all_recvfrom_unlabeled(certmonger_t)
 corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,17 +58,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +65,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
 
 corenet_sendrecv_certmaster_client_packets(certmonger_t)
 corenet_tcp_connect_certmaster_port(certmonger_t)
@ -12687,7 +12700,7 @@ index 550b287ce..73104ec93 100644
 
 fs_search_cgroup_dirs(certmonger_t)
 
-@@ -68,18 +86,24 @@ auth_rw_cache(certmonger_t)
+@@ -68,18 +93,24 @@ auth_rw_cache(certmonger_t)
 
 init_getattr_all_script_files(certmonger_t)
 
@ -12716,7 +12729,7 @@ index 550b287ce..73104ec93 100644
 ')
 
 optional_policy(`
-@@ -92,11 +116,74 @@ optional_policy(`
+@@ -92,11 +123,74 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -32849,7 +32862,7 @@ index 1e29af196..6c64f55c3 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index dc49c715e..e25890c3d 100644
+index dc49c715e..43f79d6de 100644
 --- a/git.te
 +++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@ -32934,7 +32947,7 @@ index dc49c715e..e25890c3d 100644
 ')
 
 tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -215,48 +218,53 @@ tunable_policy(`git_system_use_nfs',`
+@@ -215,48 +218,54 @@ tunable_policy(`git_system_use_nfs',`
 # CGI policy
 #
 
@ -32951,6 +32964,7 @@ index dc49c715e..e25890c3d 100644
 +read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
 +files_search_var_lib(git_script_t)
 +allow git_script_t git_sys_content_t:file map;
+allow git_script_t git_user_content_t:file map;
 
 -auth_use_nsswitch(httpd_git_script_t)
 +auth_use_nsswitch(git_script_t)
@ -33010,7 +33024,7 @@ index dc49c715e..e25890c3d 100644
 ')
 
 ########################################
-@@ -266,12 +274,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -266,12 +275,9 @@ tunable_policy(`git_cgi_use_nfs',`
 
 allow git_daemon self:fifo_file rw_fifo_file_perms;
 
@ -51743,10 +51757,10 @@ index 000000000..394bc4658
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/mock.if b/mock.if
 new file mode 100644
-index 000000000..f5b98e6de
+index 000000000..4807174c8
 --- /dev/null
 +++ b/mock.if
-@@ -0,0 +1,311 @@
+@@ -0,0 +1,312 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@ -51804,6 +51818,7 @@ index 000000000..f5b98e6de
 +	files_search_var_lib($1)
 +    list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
 +	read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+	read_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
 +')
 +
 +########################################
@ -57636,7 +57651,7 @@ index b744fe35e..cb0e2af61 100644
 +	admin_pattern($1, munin_content_t)
 ')
 diff --git a/munin.te b/munin.te
-index b70870816..e2a5280c3 100644
+index b70870816..19e70e27c 100644
 --- a/munin.te
 +++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@ -57697,16 +57712,18 @@ index b70870816..e2a5280c3 100644
 dontaudit munin_t self:capability sys_tty_config;
 allow munin_t self:process { getsched setsched signal_perms };
 allow munin_t self:unix_stream_socket { accept connectto listen };
-@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -117,8 +116,9 @@ files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
+ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+allow munin_t munin_var_lib_t:file map;
 
 -read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
 +rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
 
 manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
 manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -134,7 +134,6 @@ kernel_read_all_sysctls(munin_t)
 corecmd_exec_bin(munin_t)
 corecmd_exec_shell(munin_t)
 
@ -57714,7 +57731,7 @@ index b70870816..e2a5280c3 100644
 corenet_all_recvfrom_netlabel(munin_t)
 corenet_tcp_sendrecv_generic_if(munin_t)
 corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t)
+@@ -157,7 +156,6 @@ domain_use_interactive_fds(munin_t)
 domain_read_all_domains_state(munin_t)
 
 files_read_etc_runtime_files(munin_t)
@ -57722,7 +57739,7 @@ index b70870816..e2a5280c3 100644
 files_list_spool(munin_t)
 
 fs_getattr_all_fs(munin_t)
-@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t)
+@@ -169,7 +167,6 @@ logging_send_syslog_msg(munin_t)
 logging_read_all_logs(munin_t)
 
 miscfiles_read_fonts(munin_t)
@ -57730,7 +57747,7 @@ index b70870816..e2a5280c3 100644
 miscfiles_setattr_fonts_cache_dirs(munin_t)
 
 sysnet_exec_ifconfig(munin_t)
-@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -177,13 +174,6 @@ sysnet_exec_ifconfig(munin_t)
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
 userdom_dontaudit_search_user_home_dirs(munin_t)
 
@ -57744,7 +57761,7 @@ index b70870816..e2a5280c3 100644
 
 optional_policy(`
 	cron_system_entry(munin_t, munin_exec_t)
-@@ -217,7 +206,6 @@ optional_policy(`
+@@ -217,7 +207,6 @@ optional_policy(`
 
 optional_policy(`
 	postfix_list_spool(munin_t)
@ -57752,10 +57769,12 @@ index b70870816..e2a5280c3 100644
 ')
 
 optional_policy(`
-@@ -246,21 +234,25 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -246,21 +235,27 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
 
 rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 
+auth_use_nsswitch(disk_munin_plugin_t)
+
 +kernel_read_fs_sysctls(disk_munin_plugin_t)
 +
 corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
@ -57782,7 +57801,7 @@ index b70870816..e2a5280c3 100644
 
 sysnet_read_config(disk_munin_plugin_t)
 
-@@ -272,34 +264,50 @@ optional_policy(`
+@@ -272,34 +267,53 @@ optional_policy(`
 	fstools_exec(disk_munin_plugin_t)
 ')
 
@ -57804,7 +57823,10 @@ index b70870816..e2a5280c3 100644
 
 rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 
+auth_use_nsswitch(mail_munin_plugin_t)
+
 +kernel_read_net_sysctls(mail_munin_plugin_t)
+kernel_read_network_state(mail_munin_plugin_t)
 +
 dev_read_urand(mail_munin_plugin_t)
 
@ -57838,7 +57860,16 @@ index b70870816..e2a5280c3 100644
 ')
 
 optional_policy(`
-@@ -339,7 +347,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -311,6 +325,8 @@ optional_policy(`
+ # Selinux local policy
+ #
+ 
+auth_use_nsswitch(selinux_munin_plugin_t)
+
+ selinux_get_enforce_mode(selinux_munin_plugin_t)
+ 
+ ###################################
+@@ -339,7 +355,7 @@ dev_read_rand(services_munin_plugin_t)
 sysnet_read_config(services_munin_plugin_t)
 
 optional_policy(`
@ -57847,7 +57878,7 @@ index b70870816..e2a5280c3 100644
 ')
 
 optional_policy(`
-@@ -348,6 +356,10 @@ optional_policy(`
+@@ -348,6 +364,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -57858,7 +57889,7 @@ index b70870816..e2a5280c3 100644
 	lpd_exec_lpr(services_munin_plugin_t)
 ')
 
-@@ -361,7 +373,11 @@ optional_policy(`
+@@ -361,7 +381,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -57871,7 +57902,7 @@ index b70870816..e2a5280c3 100644
 ')
 
 optional_policy(`
-@@ -393,6 +409,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +417,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
 
 kernel_read_network_state(system_munin_plugin_t)
 kernel_read_all_sysctls(system_munin_plugin_t)
@ -57879,7 +57910,7 @@ index b70870816..e2a5280c3 100644
 
 dev_read_sysfs(system_munin_plugin_t)
 dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +438,33 @@ optional_policy(`
+@@ -421,3 +446,33 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(unconfined_munin_plugin_t)
 ')
@ -57908,7 +57939,7 @@ index b70870816..e2a5280c3 100644
 +
 +files_search_var_lib(munin_script_t)
 +
-+auth_read_passwd(munin_script_t)
+auth_use_nsswitch(munin_script_t)
 +
 +optional_policy(`
 +	apache_search_sys_content(munin_t)
@ -94607,7 +94638,7 @@ index ebe91fc70..6ba4338cb 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 diff --git a/rpm.if b/rpm.if
-index ef3b22507..79518530e 100644
+index ef3b22507..b7bd65539 100644
 --- a/rpm.if
 +++ b/rpm.if
@@ -1,8 +1,8 @@
@ -94886,7 +94917,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -302,7 +398,32 @@ interface(`rpm_manage_log',`
+@@ -302,7 +398,33 @@ interface(`rpm_manage_log',`
 
 ########################################
 ## <summary>
@ -94912,6 +94943,7 @@ index ef3b22507..79518530e 100644
 +	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
 +	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
 +	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
+	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpmrebuilddb")
 +')
 +
 +########################################
@ -94920,7 +94952,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -320,8 +441,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +442,8 @@ interface(`rpm_use_script_fds',`
 
 ########################################
 ## <summary>
@ -94931,7 +94963,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -335,12 +456,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +457,15 @@ interface(`rpm_manage_script_tmp_files',`
 	')
 
 	files_search_tmp($1)
@ -94948,7 +94980,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -353,14 +477,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +478,13 @@ interface(`rpm_append_tmp_files',`
 		type rpm_tmp_t;
 	')
 
@ -94966,7 +94998,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -374,12 +497,34 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +498,34 @@ interface(`rpm_manage_tmp_files',`
 	')
 
 	files_search_tmp($1)
@ -95002,7 +95034,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -399,7 +544,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +545,7 @@ interface(`rpm_read_script_tmp_files',`
 
 ########################################
 ## <summary>
@ -95011,7 +95043,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -420,8 +565,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +566,7 @@ interface(`rpm_read_cache',`
 
 ########################################
 ## <summary>
@ -95021,7 +95053,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -442,7 +586,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +587,7 @@ interface(`rpm_manage_cache',`
 
 ########################################
 ## <summary>
@ -95030,7 +95062,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -459,11 +603,13 @@ interface(`rpm_read_db',`
+@@ -459,11 +604,13 @@ interface(`rpm_read_db',`
 	allow $1 rpm_var_lib_t:dir list_dir_perms;
 	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
 	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@ -95045,7 +95077,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -482,8 +628,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +629,7 @@ interface(`rpm_delete_db',`
 
 ########################################
 ## <summary>
@ -95055,7 +95087,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -499,12 +644,33 @@ interface(`rpm_manage_db',`
+@@ -499,12 +645,33 @@ interface(`rpm_manage_db',`
 	files_search_var_lib($1)
 	manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
 	manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@ -95090,7 +95122,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -517,9 +683,10 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,9 +684,10 @@ interface(`rpm_dontaudit_manage_db',`
 		type rpm_var_lib_t;
 	')
 
@ -95102,7 +95134,7 @@ index ef3b22507..79518530e 100644
 ')
 
 #####################################
-@@ -543,8 +710,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +711,7 @@ interface(`rpm_read_pid_files',`
 
 #####################################
 ## <summary>
@ -95112,7 +95144,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -563,8 +729,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +730,7 @@ interface(`rpm_manage_pid_files',`
 
 ######################################
 ## <summary>
@ -95122,7 +95154,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -573,43 +738,54 @@ interface(`rpm_manage_pid_files',`
+@@ -573,43 +739,54 @@ interface(`rpm_manage_pid_files',`
 ## </param>
 #
 interface(`rpm_pid_filetrans',`
@ -95194,7 +95226,7 @@ index ef3b22507..79518530e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -617,22 +793,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
+@@ -617,22 +794,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -95263,7 +95295,7 @@ index ef3b22507..79518530e 100644
 
 	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -641,9 +852,6 @@ interface(`rpm_admin',`
+@@ -641,9 +853,6 @@ interface(`rpm_admin',`
 
 	admin_pattern($1, rpm_file_t)
 
@ -97896,7 +97928,7 @@ index 50d07fb2e..a15cd5b6b 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441e7..0f95635dd 100644
+index 2b7c441e7..1bfd11b61 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@ -98194,7 +98226,7 @@ index 2b7c441e7..0f95635dd 100644
 ')
 
 optional_policy(`
-@@ -249,46 +261,59 @@ optional_policy(`
+@@ -249,47 +261,61 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -98265,9 +98297,11 @@ index 2b7c441e7..0f95635dd 100644
 +manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t)
 +manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+allow smbd_t samba_share_t:file { map };
 allow smbd_t samba_share_t:filesystem { getattr quotaget };
 
-@@ -297,66 +322,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -297,66 +323,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@ -98366,7 +98400,7 @@ index 2b7c441e7..0f95635dd 100644
 
 fs_getattr_all_fs(smbd_t)
 fs_getattr_all_dirs(smbd_t)
-@@ -366,44 +399,53 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +400,53 @@ fs_getattr_rpc_dirs(smbd_t)
 fs_list_inotifyfs(smbd_t)
 fs_get_all_fs_quotas(smbd_t)
 
@ -98432,7 +98466,7 @@ index 2b7c441e7..0f95635dd 100644
 ')
 
 tunable_policy(`samba_domain_controller',`
-@@ -419,20 +461,16 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +462,16 @@ tunable_policy(`samba_domain_controller',`
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
@ -98459,7 +98493,7 @@ index 2b7c441e7..0f95635dd 100644
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
-@@ -441,6 +479,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +480,7 @@ tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_named_sockets(smbd_t)
 ')
 
@ -98467,7 +98501,7 @@ index 2b7c441e7..0f95635dd 100644
 tunable_policy(`samba_share_fusefs',`
 	fs_manage_fusefs_dirs(smbd_t)
 	fs_manage_fusefs_files(smbd_t)
-@@ -448,15 +487,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,15 +488,10 @@ tunable_policy(`samba_share_fusefs',`
 	fs_search_fusefs(smbd_t)
 ')
 
@ -98487,7 +98521,7 @@ index 2b7c441e7..0f95635dd 100644
 ')
 
 optional_policy(`
-@@ -466,6 +500,7 @@ optional_policy(`
+@@ -466,6 +501,7 @@ optional_policy(`
 optional_policy(`
 	ctdbd_stream_connect(smbd_t)
 	ctdbd_manage_lib_files(smbd_t)
@ -98495,7 +98529,7 @@ index 2b7c441e7..0f95635dd 100644
 ')
 
 optional_policy(`
-@@ -474,11 +509,31 @@ optional_policy(`
+@@ -474,11 +510,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -98527,7 +98561,7 @@ index 2b7c441e7..0f95635dd 100644
 	lpd_exec_lpr(smbd_t)
 ')
 
-@@ -488,6 +543,10 @@ optional_policy(`
+@@ -488,6 +544,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -98538,7 +98572,7 @@ index 2b7c441e7..0f95635dd 100644
 	rpc_search_nfs_state_data(smbd_t)
 ')
 
-@@ -499,12 +558,53 @@ optional_policy(`
+@@ -499,12 +559,53 @@ optional_policy(`
 	udev_read_db(smbd_t)
 ')
 
@ -98593,7 +98627,7 @@ index 2b7c441e7..0f95635dd 100644
 allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow nmbd_t self:fd use;
 allow nmbd_t self:fifo_file rw_fifo_file_perms;
-@@ -512,9 +612,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +613,11 @@ allow nmbd_t self:msg { send receive };
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
@ -98608,7 +98642,7 @@ index 2b7c441e7..0f95635dd 100644
 
 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
 manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +628,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +629,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 
 manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -98634,7 +98668,7 @@ index 2b7c441e7..0f95635dd 100644
 
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +646,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +647,44 @@ kernel_read_kernel_sysctls(nmbd_t)
 kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
@ -98703,7 +98737,7 @@ index 2b7c441e7..0f95635dd 100644
 ')
 
 optional_policy(`
-@@ -606,18 +696,29 @@ optional_policy(`
+@@ -606,18 +697,29 @@ optional_policy(`
 
 ########################################
 #
@ -98739,7 +98773,7 @@ index 2b7c441e7..0f95635dd 100644
 
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
-@@ -627,39 +728,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +729,38 @@ domain_use_interactive_fds(smbcontrol_t)
 
 dev_read_urand(smbcontrol_t)
 
@ -98791,7 +98825,7 @@ index 2b7c441e7..0f95635dd 100644
 
 allow smbmount_t samba_secrets_t:file manage_file_perms;
 
-@@ -668,26 +768,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +769,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
 
@ -98827,7 +98861,7 @@ index 2b7c441e7..0f95635dd 100644
 
 fs_getattr_cifs(smbmount_t)
 fs_mount_cifs(smbmount_t)
-@@ -699,58 +795,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +796,77 @@ fs_read_cifs_files(smbmount_t)
 storage_raw_read_fixed_disk(smbmount_t)
 storage_raw_write_fixed_disk(smbmount_t)
 
@ -98920,7 +98954,7 @@ index 2b7c441e7..0f95635dd 100644
 
 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +874,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +875,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 
@ -98944,7 +98978,7 @@ index 2b7c441e7..0f95635dd 100644
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -777,36 +888,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +889,25 @@ kernel_read_network_state(swat_t)
 
 corecmd_search_bin(swat_t)
 
@ -98987,7 +99021,7 @@ index 2b7c441e7..0f95635dd 100644
 
 auth_domtrans_chk_passwd(swat_t)
 auth_use_nsswitch(swat_t)
-@@ -818,10 +918,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +919,11 @@ logging_send_syslog_msg(swat_t)
 logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
 
@ -99001,7 +99035,7 @@ index 2b7c441e7..0f95635dd 100644
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
-@@ -840,17 +941,20 @@ optional_policy(`
+@@ -840,17 +942,20 @@ optional_policy(`
 # Winbind local policy
 #
 
@ -99028,7 +99062,7 @@ index 2b7c441e7..0f95635dd 100644
 
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +964,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +965,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
 
 manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@ -99039,7 +99073,7 @@ index 2b7c441e7..0f95635dd 100644
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -870,41 +972,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+@@ -870,41 +973,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
 files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
@ -99098,7 +99132,7 @@ index 2b7c441e7..0f95635dd 100644
 corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1019,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1020,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
 dev_read_sysfs(winbind_t)
 dev_read_urand(winbind_t)
 
@ -99157,7 +99191,7 @@ index 2b7c441e7..0f95635dd 100644
 ')
 
 optional_policy(`
-@@ -959,31 +1080,36 @@ optional_policy(`
+@@ -959,31 +1081,36 @@ optional_policy(`
 # Winbind helper local policy
 #
 
@ -99201,7 +99235,7 @@ index 2b7c441e7..0f95635dd 100644
 
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -997,25 +1123,38 @@ optional_policy(`
+@@ -997,25 +1124,38 @@ optional_policy(`
 
 ########################################
 #
@ -102451,7 +102485,7 @@ index 35ad2a733..afdc7da29 100644
 +	admin_pattern($1, mail_spool_t)
 ')
 diff --git a/sendmail.te b/sendmail.te
-index 12700b413..debacc88b 100644
+index 12700b413..e28f69e3e 100644
 --- a/sendmail.te
 +++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@ -102594,7 +102628,18 @@ index 12700b413..debacc88b 100644
 ')
 
 optional_policy(`
-@@ -164,6 +171,10 @@ optional_policy(`
+@@ -143,6 +150,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+    dbus_system_bus_client(sendmail_t)
+')
+
+optional_policy(`
+ 	dovecot_write_inherited_tmp_files(sendmail_t)
+ ')
+ 
+@@ -164,6 +175,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -102605,7 +102650,7 @@ index 12700b413..debacc88b 100644
 	milter_stream_connect_all(sendmail_t)
 ')
 
-@@ -172,6 +183,11 @@ optional_policy(`
+@@ -172,6 +187,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -102617,7 +102662,7 @@ index 12700b413..debacc88b 100644
 	postfix_domtrans_postdrop(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
 	postfix_domtrans_postqueue(sendmail_t)
-@@ -193,6 +209,10 @@ optional_policy(`
+@@ -193,6 +213,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -102628,7 +102673,7 @@ index 12700b413..debacc88b 100644
 	udev_read_db(sendmail_t)
 ')
 
-@@ -206,8 +226,6 @@ optional_policy(`
+@@ -206,8 +230,6 @@ optional_policy(`
 #
 
 optional_policy(`
@ -104096,7 +104141,7 @@ index e0644b5cf..ea347ccd5 100644
 	domain_system_change_exemption($1)
 	role_transition $2 fsdaemon_initrc_exec_t system_r;
 diff --git a/smartmon.te b/smartmon.te
-index 9cf6582d2..d0be162c8 100644
+index 9cf6582d2..97d1e6d7c 100644
 --- a/smartmon.te
 +++ b/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
@ -104108,7 +104153,7 @@ index 9cf6582d2..d0be162c8 100644
 dontaudit fsdaemon_t self:capability sys_tty_config;
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
-@@ -58,23 +58,31 @@ kernel_read_network_state(fsdaemon_t)
+@@ -58,23 +58,32 @@ kernel_read_network_state(fsdaemon_t)
 kernel_read_software_raid_state(fsdaemon_t)
 kernel_read_system_state(fsdaemon_t)
 
@ -104123,6 +104168,7 @@ index 9cf6582d2..d0be162c8 100644
 +
 dev_read_sysfs(fsdaemon_t)
 dev_read_urand(fsdaemon_t)
+dev_read_nvme(fsdaemon_t)
 
 domain_use_interactive_fds(fsdaemon_t)
 
@ -104142,7 +104188,7 @@ index 9cf6582d2..d0be162c8 100644
 storage_raw_read_fixed_disk(fsdaemon_t)
 storage_raw_write_fixed_disk(fsdaemon_t)
 storage_raw_read_removable_device(fsdaemon_t)
-@@ -83,7 +91,9 @@ storage_write_scsi_generic(fsdaemon_t)
+@@ -83,7 +92,9 @@ storage_write_scsi_generic(fsdaemon_t)
 
 term_dontaudit_search_ptys(fsdaemon_t)
 
@ -104153,7 +104199,7 @@ index 9cf6582d2..d0be162c8 100644
 
 init_read_utmp(fsdaemon_t)
 
-@@ -92,12 +102,13 @@ libs_exec_lib_files(fsdaemon_t)
+@@ -92,12 +103,14 @@ libs_exec_lib_files(fsdaemon_t)
 
 logging_send_syslog_msg(fsdaemon_t)
 
@ -104164,11 +104210,12 @@ index 9cf6582d2..d0be162c8 100644
 
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
 userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
+userdom_dontaudit_manage_admin_dir(fsdaemon_t)
 +userdom_use_user_terminals(fsdaemon_t)
 
 tunable_policy(`smartmon_3ware',`
 	allow fsdaemon_t self:process setfscreate;
-@@ -116,9 +127,9 @@ optional_policy(`
+@@ -116,9 +129,9 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -112077,10 +112124,10 @@ index 000000000..d371f62f6
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 000000000..6c04973ea
+index 000000000..a82cab79b
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,176 @@
+@@ -0,0 +1,177 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@ -112169,6 +112216,7 @@ index 000000000..6c04973ea
 +domain_dontaudit_read_all_domains_state(thumb_t)
 +
 +files_read_non_security_files(thumb_t)
+files_map_non_security_files(thumb_t)
 +
 +fs_getattr_all_fs(thumb_t)
 +fs_read_dos_files(thumb_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 308%{?dist}
+Release: 309%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -717,6 +717,27 @@ exit 0
 %endif

 %changelog
+* Fri Jan 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-309
+- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy
+- Allow git_script_t to mmap git_user_content_t files BZ(1530937)
+- Allow certmonger domain to create temp files BZ(1530795)
+- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)
+- Allow fsdaemon_t to read nvme devices BZ(1530018)
+- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)
+- Update munin plugin policy BZ(1528471)
+- Allow sendmail_t domain to be system dbusd client BZ(1478735)
+- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
+- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)
+- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)
+- Allow thumb_t to mmap non security files BZ(1517393)
+- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)
+- Fix broken sysnet_filetrans_named_content() interface
+- Allow init_t to create tcp sockets for unconfined services BZ(1366968)
+- Allow xdm_t to getattr on xserver_t process files BZ(1506116)
+- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)
+- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)
+- Add interface files_map_non_security_files()
+
 * Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308
 - Make working SELinux sandbox with Wayland. BZ(1474082)
 - Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)