* Mon Jun 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-196

- Allow svirt_sandbox_domains to r/w onload sockets - Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc. - Add interface sysnet_filetrans_named_net_conf() - Rawhide fails to boot, systemd-logind needs to config transient config files - User Namespace is requires create on process domains
2016-06-13 16:38:21 +02:00 · 2016-06-13 16:38:21 +02:00 · be9b0d1f26
commit be9b0d1f26
parent 04ed479779
4 changed files with 164 additions and 68 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -10226,7 +10226,7 @@ index 6a1e4d1..26e5558 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..7b76b77 100644
+index cf04cb5..b5fe8e5 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -10379,7 +10379,14 @@ index cf04cb5..7b76b77 100644
 
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +242,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -160,11 +236,379 @@ allow unconfined_domain_type domain:msg { send receive };
+ 
+ # For /proc/pid
+ allow unconfined_domain_type domain:dir list_dir_perms;
+-allow unconfined_domain_type domain:file rw_file_perms;
+allow unconfined_domain_type domain:file manage_file_perms;
+ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+ 
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
 
@ -35025,7 +35032,7 @@ index bc0ffc8..37b8ea5 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..e69fa39 100644
+index 79a45f6..cf6add7 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -35740,7 +35747,7 @@ index 79a45f6..e69fa39 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1133,7 +1382,83 @@ interface(`init_getattr_all_script_files',`
+@@ -1133,7 +1382,102 @@ interface(`init_getattr_all_script_files',`
 ##	</summary>
 ## </param>
 #
@ -35813,6 +35820,25 @@ index 79a45f6..e69fa39 100644
 +
 +########################################
 +## <summary>
+##	Allow the specified domain to modify the systemd configuration of 
+##	transient scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_config_transient_files',`
+	gen_require(`
+		attribute init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:service all_service_perms;
+')
+
+########################################
+## <summary>
 +##	Read all init script files.
 +## </summary>
 +## <param name="domain">
@ -35825,7 +35851,7 @@ index 79a45f6..e69fa39 100644
 	gen_require(`
 		attribute init_script_file_type;
 	')
-@@ -1144,6 +1469,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1488,24 @@ interface(`init_read_all_script_files',`
 
 #######################################
 ## <summary>
@ -35850,7 +35876,7 @@ index 79a45f6..e69fa39 100644
 ##	Dontaudit read all init script files.
 ## </summary>
 ## <param name="domain">
-@@ -1195,12 +1538,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1557,7 @@ interface(`init_read_script_state',`
 	')
 
 	kernel_search_proc($1)
@ -35864,7 +35890,7 @@ index 79a45f6..e69fa39 100644
 ')
 
 ########################################
-@@ -1314,6 +1652,24 @@ interface(`init_signal_script',`
+@@ -1314,6 +1671,24 @@ interface(`init_signal_script',`
 
 ########################################
 ## <summary>
@ -35889,7 +35915,7 @@ index 79a45f6..e69fa39 100644
 ##	Send null signals to init scripts.
 ## </summary>
 ## <param name="domain">
-@@ -1440,6 +1796,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1815,27 @@ interface(`init_dbus_send_script',`
 ########################################
 ## <summary>
 ##	Send and receive messages from
@ -35917,7 +35943,7 @@ index 79a45f6..e69fa39 100644
 ##	init scripts over dbus.
 ## </summary>
 ## <param name="domain">
-@@ -1547,6 +1924,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1547,6 +1943,25 @@ interface(`init_getattr_script_status_files',`
 
 ########################################
 ## <summary>
@ -35943,7 +35969,7 @@ index 79a45f6..e69fa39 100644
 ##	Do not audit attempts to read init script
 ##	status files.
 ## </summary>
-@@ -1605,6 +2001,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +2020,24 @@ interface(`init_rw_script_tmp_files',`
 
 ########################################
 ## <summary>
@ -35968,7 +35994,7 @@ index 79a45f6..e69fa39 100644
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
-@@ -1677,6 +2091,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2110,43 @@ interface(`init_read_utmp',`
 
 ########################################
 ## <summary>
@ -36012,7 +36038,7 @@ index 79a45f6..e69fa39 100644
 ##	Do not audit attempts to write utmp.
 ## </summary>
 ## <param name="domain">
-@@ -1765,7 +2216,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2235,7 @@ interface(`init_dontaudit_rw_utmp',`
 		type initrc_var_run_t;
 	')
 
@ -36021,12 +36047,14 @@ index 79a45f6..e69fa39 100644
 ')
 
 ########################################
-@@ -1806,6 +2257,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,37 +2276,672 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Allow the specified domain to connect to daemon with a tcp socket
 +##  Allow search  directory in the /run/systemd directory.
 +## </summary>
 +## <param name="domain">
@ -36085,8 +36113,8 @@ index 79a45f6..e69fa39 100644
 +##  Create objects in /run/systemd directory
 +##  with an automatic type transition to
 +##  a specified private type.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
@ -36102,31 +36130,39 @@ index 79a45f6..e69fa39 100644
 +##  </summary>
 +## </param>
 +## <param name="name" optional="true">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	The name of the object being created.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_tcp_recvfrom_all_daemons',`
+-	gen_require(`
+-		attribute daemon;
+-	')
 +interface(`init_pid_filetrans',`
 +    gen_require(`
 +        type init_var_run_t;
 +    ')
-+
+ 
+-	corenet_tcp_recvfrom_labeled($1, daemon)
 +	files_search_pids($1)
 +	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
-+')
-+
+ ')
+ 
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Allow the specified domain to connect to daemon with a udp socket
 +##	Create objects in /run/systemd directory
 +##	with an automatic type transition to
 +##	a specified private type.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <param name="private_type">
 +##	<summary>
 +##	The type of the object to create.
@ -36142,23 +36178,53 @@ index 79a45f6..e69fa39 100644
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
-+#
+ #
+-interface(`init_udp_recvfrom_all_daemons',`
 +interface(`init_named_pid_filetrans',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute daemon;
 +		type init_var_run_t;
-+	')
+ 	')
+-	corenet_udp_recvfrom_labeled($1, daemon)
 +
 +	files_search_pids($1)
 +	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
 +')
 +
- ########################################
- ## <summary>
- ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2418,511 @@ interface(`init_udp_recvfrom_all_daemons',`
- 	')
- 	corenet_udp_recvfrom_labeled($1, daemon)
- ')
+########################################
+## <summary>
+##	Allow the specified domain to connect to daemon with a tcp socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_tcp_recvfrom_all_daemons',`
+	gen_require(`
+		attribute daemon;
+	')
+
+	corenet_tcp_recvfrom_labeled($1, daemon)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to daemon with a udp socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_udp_recvfrom_all_daemons',`
+	gen_require(`
+		attribute daemon;
+	')
+	corenet_udp_recvfrom_labeled($1, daemon)
+')
 +
 +########################################
 +## <summary>
@ -36666,7 +36732,7 @@ index 79a45f6..e69fa39 100644
 +
 +	files_search_var_lib($1)
 +    allow $1 init_var_lib_t:dir search_dir_perms;
-+')
+ ')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 index 17eda24..f09c5ae 100644
 --- a/policy/modules/system/init.te
@ -45402,7 +45468,7 @@ index 40edc18..95f4458 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..bf86a31 100644
+index 2cea692..8edb742 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -45819,7 +45885,7 @@ index 2cea692..bf86a31 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1053,125 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1053,143 @@ interface(`sysnet_use_portmap',`
 
 	sysnet_read_config($1)
 ')
@ -45945,6 +46011,24 @@ index 2cea692..bf86a31 100644
 +
 +	files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
 +')
+
+########################################
+## <summary>
+##	Transition to sysnet ifconfig named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_filetrans_net_conf',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_etc_filetrans($1, net_conf_t, file)
+')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
 index a392fc4..155d5ce 100644
 --- a/policy/modules/system/sysnetwork.te
@ -48142,10 +48226,10 @@ index 0000000..ebd6cc8
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..0be65c0
+index 0000000..8c07053
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,930 @@
+@@ -0,0 +1,931 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -48375,6 +48459,7 @@ index 0000000..0be65c0
 +init_signal_script(systemd_logind_t)
 +init_getattr_script_status_files(systemd_logind_t)
 +init_read_utmp(systemd_logind_t)
+init_config_transient_files(systemd_logind_t)
 +
 +getty_systemctl(systemd_logind_t)
 +
@ -49674,7 +49759,7 @@ index 0abaf84..8b34dbc 100644
 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a9..99a38b0 100644
+index 5ca20a9..5454d16 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@
@ -49701,7 +49786,8 @@ index 5ca20a9..99a38b0 100644
 +	allow $1 self:process { dyntransition transition };
 
 	# Write access is for setting attributes under /proc/self/attr.
- 	allow $1 self:file rw_file_perms;
+-	allow $1 self:file rw_file_perms;
+	allow $1 self:file manage_file_perms;
 +	allow $1 self:dir rw_dir_perms;
 
 	# Userland object managers
@ -55573,7 +55659,7 @@ index 9dc60c6..595ad40 100644
 +	')
 ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..d7cbcec 100644
+index f4ac38d..1589d60 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@ -55662,7 +55748,7 @@ index f4ac38d..d7cbcec 100644
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
-@@ -70,26 +83,395 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,396 @@ ubac_constrained(user_home_dir_t)
 
 type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
 typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@ -55729,6 +55815,7 @@ index f4ac38d..d7cbcec 100644
 +# Nautilus causes this avc
 +domain_dontaudit_access_check(unpriv_userdomain)
 +dontaudit unpriv_userdomain self:dir setattr;
+allow unpriv_userdomain self:file manage_file_perms;
 +allow unpriv_userdomain self:key manage_key_perms;
 +
 +mount_dontaudit_write_mount_pid(unpriv_userdomain)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -58759,7 +58759,7 @@ index 86dc29d..7380935 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
 ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..ab2d757 100644
+index 55f2009..debb78b 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@ -58965,7 +58965,7 @@ index 55f2009..ab2d757 100644
 
 seutil_read_config(NetworkManager_t)
 
-@@ -166,21 +205,36 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +205,37 @@ sysnet_kill_dhcpc(NetworkManager_t)
 sysnet_read_dhcpc_state(NetworkManager_t)
 sysnet_delete_dhcpc_state(NetworkManager_t)
 sysnet_search_dhcp_state(NetworkManager_t)
@ -58973,6 +58973,7 @@ index 55f2009..ab2d757 100644
 sysnet_manage_config(NetworkManager_t)
 -sysnet_etc_filetrans_config(NetworkManager_t)
 +sysnet_filetrans_named_content(NetworkManager_t)
+sysnet_filetrans_net_conf(NetworkManager_t)
 
 -# certificates in user home directories (cert_home_t in ~/\.pki)
 -userdom_read_user_home_content_files(NetworkManager_t)
@ -59006,7 +59007,7 @@ index 55f2009..ab2d757 100644
 ')
 
 optional_policy(`
-@@ -196,10 +250,6 @@ optional_policy(`
+@@ -196,10 +251,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -59017,7 +59018,7 @@ index 55f2009..ab2d757 100644
 	consoletype_exec(NetworkManager_t)
 ')
 
-@@ -210,31 +260,34 @@ optional_policy(`
+@@ -210,31 +261,34 @@ optional_policy(`
 optional_policy(`
 	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
 
@ -59060,7 +59061,7 @@ index 55f2009..ab2d757 100644
 ')
 
 optional_policy(`
-@@ -246,10 +299,26 @@ optional_policy(`
+@@ -246,10 +300,26 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -59087,7 +59088,7 @@ index 55f2009..ab2d757 100644
 ')
 
 optional_policy(`
-@@ -257,15 +326,19 @@ optional_policy(`
+@@ -257,15 +327,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -59109,7 +59110,7 @@ index 55f2009..ab2d757 100644
 ')
 
 optional_policy(`
-@@ -274,10 +347,17 @@ optional_policy(`
+@@ -274,10 +348,17 @@ optional_policy(`
 	nscd_signull(NetworkManager_t)
 	nscd_kill(NetworkManager_t)
 	nscd_initrc_domtrans(NetworkManager_t)
@ -59127,7 +59128,7 @@ index 55f2009..ab2d757 100644
 ')
 
 optional_policy(`
-@@ -286,9 +366,12 @@ optional_policy(`
+@@ -286,9 +367,12 @@ optional_policy(`
 	openvpn_kill(NetworkManager_t)
 	openvpn_signal(NetworkManager_t)
 	openvpn_signull(NetworkManager_t)
@ -59140,7 +59141,7 @@ index 55f2009..ab2d757 100644
 	policykit_domtrans_auth(NetworkManager_t)
 	policykit_read_lib(NetworkManager_t)
 	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +379,7 @@ optional_policy(`
+@@ -296,7 +380,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -59149,7 +59150,7 @@ index 55f2009..ab2d757 100644
 ')
 
 optional_policy(`
-@@ -307,6 +390,7 @@ optional_policy(`
+@@ -307,6 +391,7 @@ optional_policy(`
 	ppp_signal(NetworkManager_t)
 	ppp_signull(NetworkManager_t)
 	ppp_read_config(NetworkManager_t)
@ -59157,7 +59158,7 @@ index 55f2009..ab2d757 100644
 ')
 
 optional_policy(`
-@@ -320,14 +404,21 @@ optional_policy(`
+@@ -320,14 +405,21 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -59184,7 +59185,7 @@ index 55f2009..ab2d757 100644
 ')
 
 optional_policy(`
-@@ -338,6 +429,13 @@ optional_policy(`
+@@ -338,6 +430,13 @@ optional_policy(`
 	vpn_relabelfrom_tun_socket(NetworkManager_t)
 ')
 
@ -59198,7 +59199,7 @@ index 55f2009..ab2d757 100644
 ########################################
 #
 # wpa_cli local policy
-@@ -357,6 +455,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +456,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
 init_dontaudit_use_fds(wpa_cli_t)
 init_use_script_ptys(wpa_cli_t)
 
@ -112661,7 +112662,7 @@ index facdee8..816d860 100644
 +        ps_process_pattern(virtd_t, $1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..5b78d90 100644
+index f03dcf5..8d090ad 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,451 +1,402 @@
@ -114235,7 +114236,7 @@ index f03dcf5..5b78d90 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1250,354 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1250,355 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
 
@ -114300,6 +114301,7 @@ index f03dcf5..5b78d90 100644
 +dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
 +
 +fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+fs_rw_onload_sockets(svirt_sandbox_domain)
 +
 +tunable_policy(`deny_ptrace',`',`
 +	allow svirt_sandbox_domain self:process ptrace;
@ -114731,7 +114733,7 @@ index f03dcf5..5b78d90 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
 
-@@ -1174,12 +1610,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1611,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
 
@ -114746,7 +114748,7 @@ index f03dcf5..5b78d90 100644
 sysnet_read_config(virt_qmf_t)
 
 optional_policy(`
-@@ -1192,7 +1628,7 @@ optional_policy(`
+@@ -1192,7 +1629,7 @@ optional_policy(`
 
 ########################################
 #
@ -114755,7 +114757,7 @@ index f03dcf5..5b78d90 100644
 #
 
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1637,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1638,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 195%{?dist}
+Release: 196%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -647,6 +647,13 @@ exit 0
 %endif

 %changelog
+* Mon Jun 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-196
+- Allow svirt_sandbox_domains to r/w onload sockets
+- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.
+- Add interface sysnet_filetrans_named_net_conf()
+- Rawhide fails to boot, systemd-logind needs to config transient config files
+- User Namespace is requires create on process domains
+
 * Thu Jun 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-195
 - Add hwloc-dump-hwdata SELinux policy
 - Add labels for mediawiki123