* Sun Jan 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-233

-Allow thumb domain sendto via dgram sockets. BZ(1398813) - Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077) - Allow cobbler domain to create netlink_audit sockets BZ(1384600) - Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626) - Add dhcpd_t domain fowner capability BZ(1409963) - Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942) - Fix broken interfaces - Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456) - Allow user_t run systemctl --user BZ(1401625)
2017-01-08 22:35:48 +01:00 · 2017-01-08 22:35:48 +01:00 · cb674ac32f
parent 5b738b7ea2
commit cb674ac32f
4 changed files with 97 additions and 59 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -27823,7 +27823,7 @@ index 3835596..fbca2be 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81..656a8c4 100644
+index 6d77e81..20657b8 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@ -27839,7 +27839,7 @@ index 6d77e81..656a8c4 100644
 # this module should be named user, but that is
 # a compile error since user is a keyword.
-@@ -12,12 +19,98 @@ role user_r;
+@@ -12,12 +19,103 @@ role user_r;
 userdom_unpriv_user_template(user)
@ -27927,6 +27927,11 @@ index 6d77e81..656a8c4 100644
 +')
 +
 +optional_policy(`
 +	systemd_read_unit_files(user_t)
 +	systemd_exec_systemctl(user_t)
 +')
 +
 +optional_policy(`
 +	sandbox_transition(user_t, user_r)
 +')
 +
@ -27939,29 +27944,29 @@ index 6d77e81..656a8c4 100644
 ')
 optional_policy(`
-@@ -25,11 +118,19 @@ optional_policy(`
+@@ -25,11 +123,19 @@ optional_policy(`
 ')
 optional_policy(`
 -	vlock_run(user_t, user_r)
 +	setroubleshoot_dontaudit_stream_connect(user_t)
-+')
+ ')
-+
+ 
 +#optional_policy(`
 +#	telepathy_dbus_session_role(user_r, user_t)
 +#')
 +
 +optional_policy(`
 +	usbmuxd_stream_connect(user_t)
 ')
 optional_policy(`
 -	xserver_role(user_r, user_t)
 +	usbmuxd_stream_connect(user_t)
 +')
 +
 +optional_policy(`
 +	vlock_run(user_t, user_r)
 ')
 ifndef(`distro_redhat',`
-@@ -102,10 +203,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +208,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -27972,7 +27977,7 @@ index 6d77e81..656a8c4 100644
 		postgresql_role(user_r, user_t)
 	')
-@@ -128,7 +225,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +230,6 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		ssh_role_template(user, user_r, user_t)
 	')
@ -27980,7 +27985,7 @@ index 6d77e81..656a8c4 100644
 	optional_policy(`
 		su_role_template(user, user_r, user_t)
 	')
-@@ -160,4 +256,24 @@ ifndef(`distro_redhat',`
+@@ -160,4 +261,24 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		wireshark_role(user_r, user_t)
 	')
@ -45583,7 +45588,7 @@ index 3822072..d358162 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..9edcb69 100644
+index dc46420..8d4ed0f 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@ -46001,9 +46006,9 @@ index dc46420..9edcb69 100644
 -corecmd_exec_bin(semanage_t)
 -
 -dev_read_urand(semanage_t)
 -domain_use_interactive_fds(semanage_t)
 -
 -domain_use_interactive_fds(semanage_t)
 -files_read_etc_files(semanage_t)
 -files_read_etc_runtime_files(semanage_t)
 -files_read_usr_files(semanage_t)
@ -46026,11 +46031,11 @@ index dc46420..9edcb69 100644
 -auth_use_nsswitch(semanage_t)
 -
 -locallogin_use_fds(semanage_t)
 -
 -logging_send_syslog_msg(semanage_t)
 +# Admins are creating pp files in random locations
 +files_read_non_security_files(semanage_t)
 -logging_send_syslog_msg(semanage_t)
 -
 -miscfiles_read_localization(semanage_t)
 -
 -seutil_libselinux_linked(semanage_t)
@ -46118,7 +46123,7 @@ index dc46420..9edcb69 100644
 ')
 ########################################
-@@ -522,111 +597,197 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +597,201 @@ ifdef(`distro_ubuntu',`
 # Setfiles local policy
 #
@ -46197,23 +46202,27 @@ index dc46420..9edcb69 100644
 +optional_policy(`
 +    cloudform_dontaudit_write_cloud_log(setfiles_t)
 +')
-+
+ 
 -seutil_libselinux_linked(setfiles_t)
 +optional_policy(`
 +	devicekit_dontaudit_read_pid_files(setfiles_t)
 +	devicekit_dontaudit_rw_log(setfiles_t)
 +')
-seutil_libselinux_linked(setfiles_t)
+-userdom_use_all_users_fds(setfiles_t)
 +optional_policy(`
 +	# pki is leaking
 +	pki_dontaudit_write_log(setfiles_t)
 +')
 +
 +optional_policy(`
 +	kdump_rw_inherited_kdumpctl_tmp_pipes(setfiles_t)
 +')
 +
 +optional_policy(`
 +	xserver_append_xdm_tmp_files(setfiles_t)
 +')
- 
+
 -userdom_use_all_users_fds(setfiles_t)
 +ifdef(`hide_broken_symptoms',`
 +
 +	optional_policy(`
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -14958,10 +14958,18 @@ index c223f81..8b567c1 100644
 -	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
 ')
 diff --git a/cobbler.te b/cobbler.te
-index 5f306dd..578b615 100644
+index 5f306dd..cf347c6 100644
 --- a/cobbler.te
 +++ b/cobbler.te
-@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+@@ -67,6 +67,7 @@ dontaudit cobblerd_t self:capability sys_tty_config;
 allow cobblerd_t self:process { getsched setsched signal };
 allow cobblerd_t self:fifo_file rw_fifo_file_perms;
 allow cobblerd_t self:tcp_socket { accept listen };
 +allow cobblerd_t self:netlink_audit_socket create_socket_perms;
 allow cobblerd_t cobbler_etc_t:dir list_dir_perms;
 allow cobblerd_t cobbler_etc_t:file read_file_perms;
@@ -81,6 +82,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
@ -14969,7 +14977,7 @@ index 5f306dd..578b615 100644
 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+@@ -89,7 +91,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
 kernel_read_system_state(cobblerd_t)
@ -14978,7 +14986,7 @@ index 5f306dd..578b615 100644
 corecmd_exec_bin(cobblerd_t)
 corecmd_exec_shell(cobblerd_t)
-@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
+@@ -112,14 +114,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
 corenet_tcp_connect_http_port(cobblerd_t)
 corenet_sendrecv_http_client_packets(cobblerd_t)
@ -14994,7 +15002,7 @@ index 5f306dd..578b615 100644
 fs_getattr_all_fs(cobblerd_t)
 fs_read_iso9660_files(cobblerd_t)
-@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
+@@ -128,6 +129,8 @@ selinux_get_enforce_mode(cobblerd_t)
 term_use_console(cobblerd_t)
@ -15003,7 +15011,7 @@ index 5f306dd..578b615 100644
 logging_send_syslog_msg(cobblerd_t)
 miscfiles_read_localization(cobblerd_t)
-@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
+@@ -160,6 +163,7 @@ tunable_policy(`cobbler_use_nfs',`
 ')
 optional_policy(`
@ -15011,7 +15019,7 @@ index 5f306dd..578b615 100644
 	apache_search_sys_content(cobblerd_t)
 ')
-@@ -170,6 +173,7 @@ optional_policy(`
+@@ -170,6 +174,7 @@ optional_policy(`
 	bind_domtrans(cobblerd_t)
 	bind_initrc_domtrans(cobblerd_t)
 	bind_manage_zone(cobblerd_t)
@ -15019,7 +15027,7 @@ index 5f306dd..578b615 100644
 ')
 optional_policy(`
-@@ -179,12 +183,22 @@ optional_policy(`
+@@ -179,12 +184,22 @@ optional_policy(`
 optional_policy(`
 	dhcpd_domtrans(cobblerd_t)
 	dhcpd_initrc_domtrans(cobblerd_t)
@ -15042,7 +15050,7 @@ index 5f306dd..578b615 100644
 ')
 optional_policy(`
-@@ -192,13 +206,14 @@ optional_policy(`
+@@ -192,13 +207,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -16417,7 +16425,7 @@ index 881d92f..a2d588a 100644
 +	')
 ')
 diff --git a/condor.te b/condor.te
-index ce9f040..dc29445 100644
+index ce9f040..320d6e8 100644
 --- a/condor.te
 +++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@ -16528,7 +16536,7 @@ index ce9f040..dc29445 100644
 #####################################
 #
 # Negotiator local policy
-@@ -183,6 +200,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -183,12 +200,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
 allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
 allow condor_negotiator_t condor_master_t:udp_socket getattr;
@ -16537,7 +16545,14 @@ index ce9f040..dc29445 100644
 ######################################
 #
 # Procd local policy
-@@ -206,6 +225,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+ #
 allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
 +allow condor_procd_t self:cap_userns { sys_ptrace };
 allow condor_procd_t condor_domain:process sigkill;
@@ -206,6 +226,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
 allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@ -16546,7 +16561,7 @@ index ce9f040..dc29445 100644
 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
 domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -214,6 +235,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,6 +236,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@ -16555,7 +16570,7 @@ index ce9f040..dc29445 100644
 #####################################
 #
 # Startd local policy
-@@ -238,11 +261,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -238,11 +262,10 @@ domain_read_all_domains_state(condor_startd_t)
 mcs_process_set_categories(condor_startd_t)
 init_domtrans_script(condor_startd_t)
@ -16568,7 +16583,7 @@ index ce9f040..dc29445 100644
 optional_policy(`
 	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
 	ssh_domtrans(condor_startd_t)
-@@ -254,3 +276,7 @@ optional_policy(`
+@@ -254,3 +277,7 @@ optional_policy(`
 		kerberos_use(condor_startd_ssh_t)
 	')
 ')
@ -24621,7 +24636,7 @@ index c697edb..954c090 100644
 +	allow $1 dhcpd_unit_file_t:service all_service_perms;
 ')
 diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..cb5795e 100644
+index 98a24b9..02c58ea 100644
 --- a/dhcp.te
 +++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@ -24639,7 +24654,7 @@ index 98a24b9..cb5795e 100644
 #
 -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
-+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw kill setgid setuid setpcap sys_resource };
+allow dhcpd_t self:capability { chown dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process { getcap setcap signal_perms };
 allow dhcpd_t self:fifo_file rw_fifo_file_perms;
@ -59439,7 +59454,7 @@ index 86dc29d..c7d9376 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
 ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..debb78b 100644
+index 55f2009..b073836 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@ -59530,7 +59545,7 @@ index 55f2009..debb78b 100644
 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
 filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,30 +102,29 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,30 +102,30 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
 setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
 logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@ -59542,7 +59557,8 @@ index 55f2009..debb78b 100644
 manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 -files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
-+files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file })
+manage_lnk_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 +files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file lnk_file })
 manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
@ -59565,7 +59581,7 @@ index 55f2009..debb78b 100644
 corenet_all_recvfrom_netlabel(NetworkManager_t)
 corenet_tcp_sendrecv_generic_if(NetworkManager_t)
 corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,36 +135,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,36 +136,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
 corenet_tcp_sendrecv_all_ports(NetworkManager_t)
 corenet_udp_sendrecv_all_ports(NetworkManager_t)
 corenet_udp_bind_generic_node(NetworkManager_t)
@ -59607,7 +59623,7 @@ index 55f2009..debb78b 100644
 fs_getattr_all_fs(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
 fs_list_inotifyfs(NetworkManager_t)
-@@ -140,18 +161,36 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +162,36 @@ mls_file_read_all_levels(NetworkManager_t)
 selinux_dontaudit_search_fs(NetworkManager_t)
@ -59645,7 +59661,7 @@ index 55f2009..debb78b 100644
 seutil_read_config(NetworkManager_t)
-@@ -166,21 +205,37 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +206,37 @@ sysnet_kill_dhcpc(NetworkManager_t)
 sysnet_read_dhcpc_state(NetworkManager_t)
 sysnet_delete_dhcpc_state(NetworkManager_t)
 sysnet_search_dhcp_state(NetworkManager_t)
@ -59687,7 +59703,7 @@ index 55f2009..debb78b 100644
 ')
 optional_policy(`
-@@ -196,10 +251,6 @@ optional_policy(`
+@@ -196,10 +252,6 @@ optional_policy(`
 ')
 optional_policy(`
@ -59698,7 +59714,7 @@ index 55f2009..debb78b 100644
 	consoletype_exec(NetworkManager_t)
 ')
-@@ -210,31 +261,34 @@ optional_policy(`
+@@ -210,31 +262,34 @@ optional_policy(`
 optional_policy(`
 	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@ -59741,7 +59757,7 @@ index 55f2009..debb78b 100644
 ')
 optional_policy(`
-@@ -246,10 +300,26 @@ optional_policy(`
+@@ -246,10 +301,26 @@ optional_policy(`
 ')
 optional_policy(`
@ -59768,7 +59784,7 @@ index 55f2009..debb78b 100644
 ')
 optional_policy(`
-@@ -257,15 +327,19 @@ optional_policy(`
+@@ -257,15 +328,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -59790,7 +59806,7 @@ index 55f2009..debb78b 100644
 ')
 optional_policy(`
-@@ -274,10 +348,17 @@ optional_policy(`
+@@ -274,10 +349,17 @@ optional_policy(`
 	nscd_signull(NetworkManager_t)
 	nscd_kill(NetworkManager_t)
 	nscd_initrc_domtrans(NetworkManager_t)
@ -59808,7 +59824,7 @@ index 55f2009..debb78b 100644
 ')
 optional_policy(`
-@@ -286,9 +367,12 @@ optional_policy(`
+@@ -286,9 +368,12 @@ optional_policy(`
 	openvpn_kill(NetworkManager_t)
 	openvpn_signal(NetworkManager_t)
 	openvpn_signull(NetworkManager_t)
@ -59821,7 +59837,7 @@ index 55f2009..debb78b 100644
 	policykit_domtrans_auth(NetworkManager_t)
 	policykit_read_lib(NetworkManager_t)
 	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +380,7 @@ optional_policy(`
+@@ -296,7 +381,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -59830,7 +59846,7 @@ index 55f2009..debb78b 100644
 ')
 optional_policy(`
-@@ -307,6 +391,7 @@ optional_policy(`
+@@ -307,6 +392,7 @@ optional_policy(`
 	ppp_signal(NetworkManager_t)
 	ppp_signull(NetworkManager_t)
 	ppp_read_config(NetworkManager_t)
@ -59838,7 +59854,7 @@ index 55f2009..debb78b 100644
 ')
 optional_policy(`
-@@ -320,14 +405,21 @@ optional_policy(`
+@@ -320,14 +406,21 @@ optional_policy(`
 ')
 optional_policy(`
@ -59865,7 +59881,7 @@ index 55f2009..debb78b 100644
 ')
 optional_policy(`
-@@ -338,6 +430,13 @@ optional_policy(`
+@@ -338,6 +431,13 @@ optional_policy(`
 	vpn_relabelfrom_tun_socket(NetworkManager_t)
 ')
@ -59879,7 +59895,7 @@ index 55f2009..debb78b 100644
 ########################################
 #
 # wpa_cli local policy
-@@ -357,6 +456,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +457,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
 init_dontaudit_use_fds(wpa_cli_t)
 init_use_script_ptys(wpa_cli_t)
@ -108897,10 +108913,10 @@ index 0000000..9524b50
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..3f3a239
+index 0000000..ab916b7
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,165 @@
+@@ -0,0 +1,167 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@ -108940,6 +108956,7 @@ index 0000000..3f3a239
 +allow thumb_t self:fifo_file manage_fifo_file_perms;
 +allow thumb_t self:unix_stream_socket create_stream_socket_perms;
 +allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
 +allow thumb_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow thumb_t self:udp_socket create_socket_perms;
 +allow thumb_t self:tcp_socket create_socket_perms;
 +allow thumb_t self:shm create_shm_perms;
@ -108967,6 +108984,7 @@ index 0000000..3f3a239
 +can_exec(thumb_t, thumb_exec_t)
 +
 +kernel_read_system_state(thumb_t)
 +kernel_dgram_send(thumb_t)
 +
 +corecmd_exec_bin(thumb_t)
 +corecmd_exec_shell(thumb_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 232%{?dist}
+Release: 233%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -675,6 +675,17 @@ exit 0
 %endif
 %changelog
 * Sun Jan 08 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-233
 -Allow thumb domain sendto via dgram sockets. BZ(1398813)
 - Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)
 - Allow cobbler domain to create netlink_audit sockets BZ(1384600)
 - Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626)
 - Add dhcpd_t domain fowner capability BZ(1409963)
 - Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942)
 - Fix broken interfaces
 - Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456)
 - Allow user_t run systemctl --user BZ(1401625)
 * Fri Jan 06 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-232
 - Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977)
 - Allow tlp_t domain to read proc_net_t BZ(1403487)