* Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181

- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
- Label all run tgtd files, not just socket files.
- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)
- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)
- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.
- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)
- New cgroup2 file system in Rawhide

policy-rawhide-base.patch

@@ -20639,7 +20639,7 @@ index 8416beb..99002ca 100644
 +        read_files_pattern($1, efivarfs_t, efivarfs_t)
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..b00be59 100644
+index e7d1738..7e37941 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -20670,7 +20670,7 @@ index e7d1738..b00be59 100644
  
  type bdev_t;
  fs_type(bdev_t)
-@@ -63,12 +69,18 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,16 +69,23 @@ fs_type(binfmt_misc_fs_t)
  files_mountpoint(binfmt_misc_fs_t)
  genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
  
@@ -20690,7 +20690,12 @@ index e7d1738..b00be59 100644
  fs_type(cgroup_t)
  files_mountpoint(cgroup_t)
  dev_associate_sysfs(cgroup_t)
-@@ -88,6 +100,11 @@ fs_noxattr_type(ecryptfs_t)
+ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
++genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
+ 
+ type configfs_t;
+ fs_type(configfs_t)
+@@ -88,6 +101,11 @@ fs_noxattr_type(ecryptfs_t)
  files_mountpoint(ecryptfs_t)
  genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
  
@@ -20702,7 +20707,7 @@ index e7d1738..b00be59 100644
  type futexfs_t;
  fs_type(futexfs_t)
  genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -96,6 +113,7 @@ type hugetlbfs_t;
+@@ -96,6 +114,7 @@ type hugetlbfs_t;
  fs_type(hugetlbfs_t)
  files_mountpoint(hugetlbfs_t)
  fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -20710,7 +20715,7 @@ index e7d1738..b00be59 100644
  
  type ibmasmfs_t;
  fs_type(ibmasmfs_t)
-@@ -111,6 +129,12 @@ type inotifyfs_t;
+@@ -111,6 +130,12 @@ type inotifyfs_t;
  fs_type(inotifyfs_t)
  genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
  
@@ -20723,7 +20728,7 @@ index e7d1738..b00be59 100644
  type mvfs_t;
  fs_noxattr_type(mvfs_t)
  allow mvfs_t self:filesystem associate;
-@@ -118,13 +142,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,13 +143,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
  
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
@@ -20743,7 +20748,7 @@ index e7d1738..b00be59 100644
  fs_type(pstore_t)
  files_mountpoint(pstore_t)
  dev_associate_sysfs(pstore_t)
-@@ -150,17 +179,16 @@ fs_type(spufs_t)
+@@ -150,17 +180,16 @@ fs_type(spufs_t)
  genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
  files_mountpoint(spufs_t)
  
@@ -20765,7 +20770,7 @@ index e7d1738..b00be59 100644
  type vmblock_t;
  fs_noxattr_type(vmblock_t)
  files_mountpoint(vmblock_t)
-@@ -172,6 +200,8 @@ type vxfs_t;
+@@ -172,6 +201,8 @@ type vxfs_t;
  fs_noxattr_type(vxfs_t)
  files_mountpoint(vxfs_t)
  genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -20774,7 +20779,7 @@ index e7d1738..b00be59 100644
  
  #
  # tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +212,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +213,8 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -20783,7 +20788,7 @@ index e7d1738..b00be59 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +293,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +294,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -20792,7 +20797,7 @@ index e7d1738..b00be59 100644
  files_mountpoint(removable_t)
  
  #
-@@ -280,6 +314,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +315,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -20800,7 +20805,7 @@ index e7d1738..b00be59 100644
  
  ########################################
  #
-@@ -301,9 +336,10 @@ fs_associate_noxattr(noxattrfs)
+@@ -301,9 +337,10 @@ fs_associate_noxattr(noxattrfs)
  # Unconfined access to this module
  #
  
@@ -43490,10 +43495,10 @@ index cbbda4a..d7c67bc 100644
 +userdom_use_inherited_user_terminals(netlabel_mgmt_t)
 +
 diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index d43f3b1..04743dc 100644
+index d43f3b1..c5053db 100644
 --- a/policy/modules/system/selinuxutil.fc
 +++ b/policy/modules/system/selinuxutil.fc
-@@ -6,13 +6,14 @@
+@@ -6,13 +6,15 @@
  /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
  /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
@@ -43504,6 +43509,7 @@ index d43f3b1..04743dc 100644
 -/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 +/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
++/etc/selinux/(minimum|mls|targeted)/active(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
  /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
  /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
 -/etc/selinux/([^/]*/)?users(/.*)? --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
@@ -43511,7 +43517,7 @@ index d43f3b1..04743dc 100644
  
  #
  # /root
-@@ -35,19 +36,30 @@
+@@ -35,19 +37,30 @@
  /usr/lib/selinux(/.*)?			gen_context(system_u:object_r:policy_src_t,s0)
  
  /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
@@ -48017,10 +48023,10 @@ index 0000000..3380372
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..45fcf4c
+index 0000000..d8fdd7b
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,919 @@
+@@ -0,0 +1,920 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -48889,6 +48895,7 @@ index 0000000..45fcf4c
 +init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
 +
 +list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
++read_files_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 +
 +kernel_dgram_send(systemd_resolved_t)
 +

policy-rawhide-contrib.patch

@@ -2540,10 +2540,10 @@ index 16d0d66..60abfd0 100644
  optional_policy(`
  	nscd_dontaudit_search_pid(amtu_t)
 diff --git a/anaconda.fc b/anaconda.fc
-index b098089..37d428c 100644
+index b098089..fe35beb 100644
 --- a/anaconda.fc
 +++ b/anaconda.fc
-@@ -1 +1,12 @@
+@@ -1 +1,13 @@
  # No file context specifications.
 +
 +/usr/libexec/anaconda/anaconda-yum  --  gen_context(system_u:object_r:install_exec_t,s0)
@@ -2552,6 +2552,7 @@ index b098089..37d428c 100644
 +/usr/bin/initial-setup  --  gen_context(system_u:object_r:install_exec_t,s0)
 +/usr/bin/ostree         --  gen_context(system_u:object_r:install_exec_t,s0)
 +/usr/bin/rpm-ostree     --  gen_context(system_u:object_r:install_exec_t,s0)
++/usr/libexec/rpm-ostreed --  gen_context(system_u:object_r:install_exec_t,s0)
 +
 +/usr/bin/preupg.*   --  gen_context(system_u:object_r:preupgrade_exec_t,s0)
 +/var/lib/preupgrade(/.*)?   gen_context(system_u:object_r:preupgrade_data_t,s0)
@@ -52603,10 +52604,10 @@ index 65a246a..fa86320 100644
  netutils_domtrans_ping(mrtg_t)
  
 diff --git a/mta.fc b/mta.fc
-index f42896c..bd1eb52 100644
+index f42896c..2cf0c23 100644
 --- a/mta.fc
 +++ b/mta.fc
-@@ -1,34 +1,44 @@
+@@ -1,34 +1,41 @@
 -HOME_DIR/\.esmtp_queue	--	gen_context(system_u:object_r:mail_home_t,s0)
  HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
  HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
@@ -52618,10 +52619,8 @@ index f42896c..bd1eb52 100644
 +HOME_DIR/.maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
  
 -/bin/mail(x)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
+-
 -/etc/aliases	--	gen_context(system_u:object_r:etc_aliases_t,s0)
-+/bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-+
 +/etc/aliases		--	gen_context(system_u:object_r:etc_aliases_t,s0)
  /etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
 -/etc/mail(/.*)?	gen_context(system_u:object_r:etc_mail_t,s0)
@@ -76605,10 +76604,10 @@ index 0000000..8231f4f
 +')
 diff --git a/prosody.te b/prosody.te
 new file mode 100644
-index 0000000..d531fa5
+index 0000000..3ef4a99
 --- /dev/null
 +++ b/prosody.te
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,97 @@
 +policy_module(prosody, 1.0.0)
 +
 +########################################
@@ -76684,6 +76683,7 @@ index 0000000..d531fa5
 +corenet_tcp_bind_jabber_client_port(prosody_t)
 +corenet_tcp_bind_jabber_interserver_port(prosody_t)
 +corenet_tcp_bind_jabber_router_port(prosody_t)
++corenet_tcp_bind_commplex_main_port(prosody_t)
 +
 +tunable_policy(`prosody_bind_http_port',`
 +    corenet_tcp_bind_http_port(prosody_t)
@@ -76701,6 +76701,10 @@ index 0000000..d531fa5
 +logging_send_syslog_msg(prosody_t)
 +
 +miscfiles_read_localization(prosody_t)
++
++optional_policy(`
++	sasl_connect(prosody_t)
++')
 diff --git a/psad.if b/psad.if
 index d4dcf78..3cce82e 100644
 --- a/psad.if
@@ -104430,10 +104434,10 @@ index 0000000..a6e216c
 +
 diff --git a/targetd.te b/targetd.te
 new file mode 100644
-index 0000000..6768bda
+index 0000000..e372bd7
 --- /dev/null
 +++ b/targetd.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,63 @@
 +policy_module(targetd, 1.0.0)
 +
 +########################################
@@ -104477,6 +104481,7 @@ index 0000000..6768bda
 +
 +dev_read_sysfs(targetd_t)
 +dev_read_urand(targetd_t)
++dev_rw_lvm_control(targetd_t)
 +
 +libs_exec_ldconfig(targetd_t)
 +
@@ -106127,7 +106132,7 @@ index cfaa2a1..a9bc6f1 100644
  
  optional_policy(`
 diff --git a/tgtd.fc b/tgtd.fc
-index 38389e6..4847b43 100644
+index 38389e6..ae0f9ab 100644
 --- a/tgtd.fc
 +++ b/tgtd.fc
 @@ -1,7 +1,4 @@
@@ -106141,7 +106146,7 @@ index 38389e6..4847b43 100644
 +/etc/rc\.d/init\.d/tgtd		--	gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
 +/usr/sbin/tgtd			--	gen_context(system_u:object_r:tgtd_exec_t,s0)
 +/var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
-+/var/run/tgtd.*			-s	gen_context(system_u:object_r:tgtd_var_run_t,s0)
++/var/run/tgtd.*			gen_context(system_u:object_r:tgtd_var_run_t,s0)
 diff --git a/tgtd.if b/tgtd.if
 index 5406b6e..dc5b46e 100644
 --- a/tgtd.if

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 180%{?dist}
+Release: 181%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -653,6 +653,17 @@ exit 0
 %endif
 
 %changelog
+* Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
+- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
+- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
+- Label all run tgtd files, not just socket files.
+- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
+- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)
+- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)
+- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.
+- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)
+- New cgroup2 file system in Rawhide
+
 * Wed Mar 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-180
 - Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
 - Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514