* Fri Nov 27 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-97

- Allow reading of symlinks in /etc/puppet
- Added TAGS to gitignore
- I guess there can be content under /var/lib/lockdown #1167502
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
- Allow keystone to send a generic signal to own process.
- Allow radius to bind tcp/1812 radius port.
- Dontaudit list user_tmp files for system_mail_t
- label virt-who as virtd_exec_t
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
- Add virt_signull() interface
- Add missing alias for _content_rw_t
- Allow .snapshots to be created in other directories, on all mountpoints
- Allow spamd to access razor-agent.log
- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
- Allow .snapshots to be created in other directories, on all mountpoints
- Label tcp port 5280 as ejabberd port. BZ(1059930)
- Make /usr/bin/vncserver running as unconfined_service_t
- Label /etc/docker/certs.d as cert_t
- Allow all systemd domains to search file systems

policy-rawhide-base.patch

@@ -5481,7 +5481,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..2f2f2b9 100644
+index b191055..87df0ad 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5659,12 +5659,13 @@ index b191055..2f2f2b9 100644
  network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
- network_port(jabber_interserver, tcp,5269,s0)
+-network_port(jabber_interserver, tcp,5269,s0)
 -network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
 -network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 -network_port(kismet, tcp,2501,s0)
++network_port(jabber_interserver, tcp,5269,s0, tcp,5280,s0)
 +network_port(jabber_router, tcp,5347,s0)
 +network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
 +network_port(jboss_debug, tcp,8787,s0, udp,8787,s0)
@@ -8755,7 +8756,7 @@ index 0b1a871..f260e6f 100644
 +allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
 +allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..1b9b0b5 100644
+index 6a1e4d1..7ac2831 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -8830,7 +8831,33 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Send a stop signal to all domains.
  ## </summary>
  ## <param name="domain">
-@@ -631,7 +626,7 @@ interface(`domain_read_all_domains_state',`
+@@ -571,6 +566,25 @@ interface(`domain_kill_all_domains',`
+ 
+ ########################################
+ ## <summary>
++##	Destroy all domains semaphores
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`domain_destroy_all_semaphores',`
++	gen_require(`
++		attribute domain;
++	')
++
++	allow $1 domain:sem destroy;
++')
++
++########################################
++## <summary>
+ ##	Search the process state directory (/proc/pid) of all domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -631,7 +645,7 @@ interface(`domain_read_all_domains_state',`
  
  ########################################
  ## <summary>
@@ -8839,7 +8866,7 @@ index 6a1e4d1..1b9b0b5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -655,7 +650,7 @@ interface(`domain_getattr_all_domains',`
+@@ -655,7 +669,7 @@ interface(`domain_getattr_all_domains',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -8848,7 +8875,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	</summary>
  ## </param>
  #
-@@ -1356,6 +1351,24 @@ interface(`domain_manage_all_entry_files',`
+@@ -1356,6 +1370,24 @@ interface(`domain_manage_all_entry_files',`
  
  ########################################
  ## <summary>
@@ -8873,7 +8900,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Relabel to and from all entry point
  ##	file types.
  ## </summary>
-@@ -1421,7 +1434,7 @@ interface(`domain_entry_file_spec_domtrans',`
+@@ -1421,7 +1453,7 @@ interface(`domain_entry_file_spec_domtrans',`
  ## <summary>
  ##	Ability to mmap a low area of the address
  ##	space conditionally, as configured by
@@ -8882,7 +8909,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Preventing such mappings helps protect against
  ##	exploiting null deref bugs in the kernel.
  ## </summary>
-@@ -1448,7 +1461,7 @@ interface(`domain_mmap_low',`
+@@ -1448,7 +1480,7 @@ interface(`domain_mmap_low',`
  ## <summary>
  ##	Ability to mmap a low area of the address
  ##	space unconditionally, as configured
@@ -8891,7 +8918,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Preventing such mappings helps protect against
  ##	exploiting null deref bugs in the kernel.
  ## </summary>
-@@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',`
+@@ -1508,6 +1540,24 @@ interface(`domain_unconfined_signal',`
  
  ########################################
  ## <summary>
@@ -8916,7 +8943,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Unconfined access to domains.
  ## </summary>
  ## <param name="domain">
-@@ -1530,4 +1561,63 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1580,63 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
@@ -8981,7 +9008,7 @@ index 6a1e4d1..1b9b0b5 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..c2776d0 100644
+index cf04cb5..a0d747a 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9130,7 +9157,7 @@ index cf04cb5..c2776d0 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,352 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,356 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -9159,6 +9186,10 @@ index cf04cb5..c2776d0 100644
 +')
 +
 +optional_policy(`
++	snapper_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
 +	seutil_filetrans_named_content(named_filetrans_domain)
 +')
 +
@@ -20428,7 +20459,7 @@ index 0000000..63bc797
 +logging_stream_connect_syslog(sysadm_t)
 diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
 new file mode 100644
-index 0000000..0e8654b
+index 0000000..b680867
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.fc
 @@ -0,0 +1,8 @@
@@ -20436,7 +20467,7 @@ index 0000000..0e8654b
 +# e.g.:
 +# /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-+/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
++#/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 +
 +/usr/sbin/xrdp   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -27255,7 +27286,7 @@ index 2479587..890e1e2 100644
  /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
  /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..f645c21 100644
+index 3efd5b6..9e85ea0 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -27317,7 +27348,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -95,69 +117,68 @@ interface(`auth_use_pam',`
+@@ -95,69 +117,67 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
@@ -27375,7 +27406,6 @@ index 3efd5b6..f645c21 100644
  	mls_file_downgrade($1)
  	mls_process_set_level($1)
 +    mls_process_write_to_clearance($1)
-+    mls_process_write_all_levels($1)
  	mls_fd_share_all_levels($1)
  
  	auth_use_pam($1)
@@ -27427,7 +27457,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -231,6 +252,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',`
  
  ########################################
  ## <summary>
@@ -27453,7 +27483,7 @@ index 3efd5b6..f645c21 100644
  ##	Execute a login_program in the target domain,
  ##	with a range transition.
  ## </summary>
-@@ -322,6 +362,24 @@ interface(`auth_rw_cache',`
+@@ -322,6 +361,24 @@ interface(`auth_rw_cache',`
  
  ########################################
  ## <summary>
@@ -27478,7 +27508,7 @@ index 3efd5b6..f645c21 100644
  ##	Manage authentication cache
  ## </summary>
  ## <param name="domain">
-@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',`
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -27487,7 +27517,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',`
+@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',`
  
  ########################################
  ## <summary>
@@ -27512,7 +27542,7 @@ index 3efd5b6..f645c21 100644
  ##	Execute chkpwd programs in the chkpwd domain.
  ## </summary>
  ## <param name="domain">
-@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -27538,7 +27568,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -27546,7 +27576,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -664,6 +760,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -27557,7 +27587,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  #######################################
-@@ -763,7 +863,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -27609,7 +27639,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  #######################################
-@@ -824,9 +967,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',`
  	allow $1 lastlog_t:file { rw_file_perms lock setattr };
  ')
  
@@ -27640,7 +27670,7 @@ index 3efd5b6..f645c21 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -834,12 +997,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',`
  ##	</summary>
  ## </param>
  #
@@ -27671,7 +27701,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -854,15 +1032,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',`
  #
  interface(`auth_signal_pam',`
  	gen_require(`
@@ -27690,7 +27720,7 @@ index 3efd5b6..f645c21 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -875,13 +1053,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',`
  ##	</summary>
  ## </param>
  #
@@ -27728,7 +27758,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -959,9 +1157,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -27762,7 +27792,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1040,6 +1259,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -27773,7 +27803,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1176,6 +1399,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -27781,7 +27811,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  #######################################
-@@ -1576,6 +1800,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -27807,7 +27837,7 @@ index 3efd5b6..f645c21 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1726,24 +1969,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -27833,7 +27863,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1767,11 +1993,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -27850,7 +27880,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1805,3 +2033,280 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -35546,15 +35576,16 @@ index 79048c4..ce6f0ce 100644
  	udev_read_pid_files(lvm_t)
  ')
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..83acb32 100644
+index 9fe8e01..3d71062 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
-@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
+@@ -9,11 +9,14 @@ ifdef(`distro_gentoo',`
  # /etc
  #
  /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 -/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 -/etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
++/etc/docker/certs\.d(/.*)?          gen_context(system_u:object_r:cert_t,s0)
 +/etc/httpd/alias(/.*)?	        gen_context(system_u:object_r:cert_t,s0)
 +/etc/localtime			gen_context(system_u:object_r:locale_t,s0)
 +/etc/locale.conf	--	gen_context(system_u:object_r:locale_t,s0)
@@ -35565,7 +35596,7 @@ index 9fe8e01..83acb32 100644
  
  ifdef(`distro_redhat',`
  /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
-@@ -37,24 +39,20 @@ ifdef(`distro_redhat',`
+@@ -37,24 +40,20 @@ ifdef(`distro_redhat',`
  
  /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
  
@@ -35595,7 +35626,7 @@ index 9fe8e01..83acb32 100644
  
  /usr/X11R6/lib/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
  
-@@ -77,7 +75,7 @@ ifdef(`distro_redhat',`
+@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
  
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
@@ -35604,7 +35635,7 @@ index 9fe8e01..83acb32 100644
  
  /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
  
-@@ -90,6 +88,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
  ')
  
  ifdef(`distro_redhat',`
@@ -41338,10 +41369,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a75ffd3
+index 0000000..769e942
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,700 @@
+@@ -0,0 +1,703 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41482,6 +41513,7 @@ index 0000000..a75ffd3
 +domain_signal_all_domains(systemd_logind_t)
 +domain_signull_all_domains(systemd_logind_t)
 +domain_kill_all_domains(systemd_logind_t)
++domain_destroy_all_semaphores(systemd_logind_t)
 +
 +# /etc/udev/udev.conf should probably have a private type if only for confined administration
 +# /etc/nsswitch.conf
@@ -42016,6 +42048,8 @@ index 0000000..a75ffd3
 +
 +dev_read_urand(systemd_domain)
 +
++fs_search_all(systemd_domain)
++
 +files_read_etc_files(systemd_domain)
 +files_read_etc_runtime_files(systemd_domain)
 +files_read_usr_files(systemd_domain)

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 96%{?dist}
+Release: 97%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,27 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Nov 27 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-97
+- Allow reading of symlinks in /etc/puppet
+- Added TAGS to gitignore
+- I guess there can be content under /var/lib/lockdown #1167502
+- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
+- Allow keystone to send a generic signal to own process.
+- Allow radius to bind tcp/1812 radius port.
+- Dontaudit list user_tmp files for system_mail_t
+- label virt-who as virtd_exec_t
+- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
+- Add virt_signull() interface
+- Add missing alias for _content_rw_t
+- Allow .snapshots to be created in other directories, on all mountpoints
+- Allow spamd to access razor-agent.log
+- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
+- Allow .snapshots to be created in other directories, on all mountpoints
+- Label tcp port 5280 as ejabberd port. BZ(1059930)
+- Make /usr/bin/vncserver running as unconfined_service_t
+- Label /etc/docker/certs.d as cert_t
+- Allow all systemd domains to search file systems
+
 * Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96
 - Allow NetworkManager stream connect on openvpn. BZ(1165110)