* Wed Sep 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-2

- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket
- Dontaudit sandbox web types to setattr lib_t dirs
- Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369)
- Allow haproxy_t domain to read network state of system
- Allow processes labeled as keepalived_t domain to get process group
- Introduce dbusd_unit_file_type
- Allow pesign_t domain to read/write named cache files.
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow httpd_t domain to read/write named_cache_t files
- Add new interface bind_rw_cache()
- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
- Update cpucontrol_t SELinux policy
- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
- Run lldpd service as lldpad_t.
- Allow spamd_update_t domain to create unix dgram sockets.
- Update dbus role template for confined users to allow login into x session
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
- Fix typo in networkmanager_append_log() interface
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
- Allow login user type to use systemd user session
- Allow xdm_t domain to start dbusd services.
- Introduce new type xdm_unit_file_t
- Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute
- Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632)
- Allow ipsec_t domain to read/write named cache files
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
- Label udp 8125 port as statsd_port_t

.gitignore

@@ -397,3 +397,5 @@ serefpolicy*
 /selinux-policy-contrib-4396848.tar.gz
 /selinux-policy-b313a79.tar.gz
 /selinux-policy-contrib-c55a896.tar.gz
+/selinux-policy-6a0cb45.tar.gz
+/selinux-policy-contrib-8ce79b2.tar.gz

selinux-policy.spec

@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 b313a79dbfd2fba545e00f31aa53d29c6f2b2722
+%global commit0 6a0cb453ba0dcbbc7e75fa04a6647936ccdb339a
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 c55a896148db8d2b16ef06149399a6c6b110d8b5
+%global commit1 8ce79b2c82b2d3e62bb4b22404e755bad7131c98
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -787,6 +787,36 @@ exit 0
 %endif
 
 %changelog
+* Wed Sep 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-2
+- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket
+- Dontaudit sandbox web types to setattr lib_t dirs
+- Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369)
+- Allow haproxy_t domain to read network state of system
+- Allow processes labeled as keepalived_t domain to get process group
+- Introduce dbusd_unit_file_type
+- Allow pesign_t domain to read/write named cache files.
+- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
+- Allow httpd_t domain to read/write named_cache_t files
+- Add new interface bind_rw_cache()
+- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
+- Update cpucontrol_t SELinux policy
+- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
+- Run lldpd service as lldpad_t.
+- Allow spamd_update_t domain to create unix dgram sockets.
+- Update dbus role template for confined users to allow login into x session
+- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
+- Fix typo in networkmanager_append_log() interface
+- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
+- Allow login user type to use systemd user session
+- Allow xdm_t domain to start dbusd services.
+- Introduce new type xdm_unit_file_t
+- Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute
+- Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632)
+- Allow ipsec_t domain to read/write named cache files
+- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
+- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
+- Label udp 8125 port as statsd_port_t
+
 * Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-1
 - Bump version
 

sources

@@ -1,4 +1,4 @@
-SHA512 (selinux-policy-contrib-c55a896.tar.gz) = 6a0388a314ccb52b18636c91f8398b3ed930e2a7b42e3f2106bd1bca9df19bdc089367d970b4a1f7be3ea425b047028c38ebb31fded74f4080297b18241f9970
-SHA512 (selinux-policy-b313a79.tar.gz) = eadcceeb207448aa38a3826e3dc444602abfc42c67543ae5a58c2379f78b209fe578bd50101e628d99a02282ba9d473dee3126462f172b68b2c39b889dd8062c
-SHA512 (container-selinux.tgz) = af6b07cd90cad7ddbd42a4c33fa7527177c7ec0b7d4ba330699f9916daba8c8d7edfb5ad358d4ecccb3bf4943ce786faf35a011fb107203b1d73081c4f6c197d
+SHA512 (container-selinux.tgz) = aeb4861d2f79b35ee10c1ad12280ea8d84ee33546eff2321287de98102093e2e004f689557ec884af929cc71bdcb38c9cc2ecf00226433a44a6e52d1d11959b4
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
+SHA512 (selinux-policy-6a0cb45.tar.gz) = b0058489dffe2de2bebcb9f7b9a1bf6d143e5c6fa0ed50bd1fff1b52be052f5f958d0feb4b9bd82d763dd87d6979bd8a37a52f7be52bbf44f76a8bc90439c79e
+SHA512 (selinux-policy-contrib-8ce79b2.tar.gz) = e36bb51c1bcb553a54a95a29cb6440b6f120c805d5fa34e324da181d45abc4c489db51b58296df73c45bc702a86eadbb13001c2e88efa590f18128fff6fe3e9e