* Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136

- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non exits nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
- Fix *_admin intefaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Create nova sublabels.
- Merge all nova_* labels under one nova_t.
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Fix label openstack-nova-metadata-api binary file
- Allow nova_t to bind on geneve tcp port, and all udp ports
- Label swift-container-reconciler binary as swift_t.
- Allow glusterd to execute showmount in the showmount domain.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Add support for openstack-nova-* packages.
- Allow audisp-remote searching devpts.
- Label 6080 tcp port as geneve

policy-rawhide-base.patch

@@ -5565,7 +5565,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..3812e33 100644
+index b191055..bb7bad0 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5639,7 +5639,7 @@ index b191055..3812e33 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -83,56 +106,71 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
+@@ -83,56 +106,72 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
  network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
@@ -5710,6 +5710,7 @@ index b191055..3812e33 100644
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
 +network_port(gear, tcp,43273,s0, udp,43273,s0)
++network_port(geneve, tcp,6080,s0)
  network_port(gdomap, tcp,538,s0, udp,538,s0)
  network_port(gds_db, tcp,3050,s0, udp,3050,s0)
  network_port(giftd, tcp,1213,s0)
@@ -5720,7 +5721,7 @@ index b191055..3812e33 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +178,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +179,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5791,7 +5792,7 @@ index b191055..3812e33 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +234,124 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +235,124 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5934,7 +5935,7 @@ index b191055..3812e33 100644
  network_port(xserver, tcp,6000-6020,s0)
  network_port(zarafa, tcp,236,s0, tcp,237,s0)
  network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +359,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +360,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5961,7 +5962,7 @@ index b191055..3812e33 100644
  
  ########################################
  #
-@@ -333,6 +408,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +409,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5970,7 +5971,7 @@ index b191055..3812e33 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +422,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +423,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -14445,7 +14446,7 @@ index d7c11a0..6b3331d 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..d7111b8 100644
+index 8416beb..a250b32 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -15453,7 +15454,32 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2485,6 +3021,7 @@ interface(`fs_read_nfs_files',`
+@@ -2398,6 +2934,24 @@ interface(`fs_getattr_nfs',`
+ 
+ ########################################
+ ## <summary>
++##	Set the attributes of nfs directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_setattr_nfs_dirs',`
++	gen_require(`
++		type nfs_t;
++	')
++
++	allow $1 nfs_t:dir setattr;
++')
++
++########################################
++## <summary>
+ ##	Search directories on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -2485,6 +3039,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -15461,7 +15487,7 @@ index 8416beb..d7111b8 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2523,6 +3060,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +3078,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -15469,7 +15495,7 @@ index 8416beb..d7111b8 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2549,6 +3087,44 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +3105,44 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -15514,7 +15540,7 @@ index 8416beb..d7111b8 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2569,7 +3145,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3163,7 @@ interface(`fs_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -15523,7 +15549,7 @@ index 8416beb..d7111b8 100644
  ##	on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2589,6 +3165,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3183,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -15566,7 +15592,7 @@ index 8416beb..d7111b8 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2603,7 +3215,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3233,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -15575,7 +15601,7 @@ index 8416beb..d7111b8 100644
  ')
  
  ########################################
-@@ -2627,7 +3239,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3257,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -15584,7 +15610,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2719,6 +3331,47 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3349,47 @@ interface(`fs_search_rpc',`
  
  ########################################
  ## <summary>
@@ -15632,7 +15658,7 @@ index 8416beb..d7111b8 100644
  ##	Search removable storage directories.
  ## </summary>
  ## <param name="domain">
-@@ -2741,7 +3394,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3412,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15641,7 +15667,7 @@ index 8416beb..d7111b8 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +3430,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3448,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15650,7 +15676,7 @@ index 8416beb..d7111b8 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +3623,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3641,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -15658,7 +15684,7 @@ index 8416beb..d7111b8 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +3664,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3682,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -15666,7 +15692,7 @@ index 8416beb..d7111b8 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +3705,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3723,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -15674,7 +15700,7 @@ index 8416beb..d7111b8 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3137,6 +3793,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +3811,24 @@ interface(`fs_nfs_domtrans',`
  
  ########################################
  ## <summary>
@@ -15699,7 +15725,7 @@ index 8416beb..d7111b8 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3263,6 +3937,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3955,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -15724,7 +15750,7 @@ index 8416beb..d7111b8 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3283,6 +3975,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3993,24 @@ interface(`fs_rw_nfsd_fs',`
  
  ########################################
  ## <summary>
@@ -15749,7 +15775,7 @@ index 8416beb..d7111b8 100644
  ##	Allow the type to associate to ramfs filesystems.
  ## </summary>
  ## <param name="type">
-@@ -3392,7 +4102,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4120,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -15758,7 +15784,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4139,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4157,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -15767,7 +15793,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4157,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4175,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -15776,7 +15802,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3743,25 +4453,61 @@ interface(`fs_getattr_rpc_pipefs',`
+@@ -3743,25 +4471,61 @@ interface(`fs_getattr_rpc_pipefs',`
  
  #########################################
  ## <summary>
@@ -15844,7 +15870,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3769,17 +4515,17 @@ interface(`fs_rw_rpc_named_pipes',`
+@@ -3769,17 +4533,17 @@ interface(`fs_rw_rpc_named_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -15865,7 +15891,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3787,17 +4533,17 @@ interface(`fs_mount_tmpfs',`
+@@ -3787,17 +4551,17 @@ interface(`fs_mount_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -15886,7 +15912,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3805,12 +4551,12 @@ interface(`fs_remount_tmpfs',`
+@@ -3805,12 +4569,12 @@ interface(`fs_remount_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -15901,7 +15927,7 @@ index 8416beb..d7111b8 100644
  ')
  
  ########################################
-@@ -3908,7 +4654,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +4672,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  
  ########################################
  ## <summary>
@@ -15910,7 +15936,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,17 +4662,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +4680,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -15931,7 +15957,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3934,17 +4680,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +4698,17 @@ interface(`fs_mounton_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -15952,7 +15978,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +4698,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +4716,36 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -15992,7 +16018,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +4735,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +4753,48 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -16048,7 +16074,7 @@ index 8416beb..d7111b8 100644
  ')
  
  ########################################
-@@ -4105,7 +4887,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +4905,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -16057,7 +16083,7 @@ index 8416beb..d7111b8 100644
  ')
  
  ########################################
-@@ -4165,6 +4947,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +4965,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -16082,7 +16108,7 @@ index 8416beb..d7111b8 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +5002,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +5020,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -16091,7 +16117,7 @@ index 8416beb..d7111b8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4221,6 +5021,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +5039,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -16152,7 +16178,7 @@ index 8416beb..d7111b8 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4278,6 +5132,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5150,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -16197,7 +16223,7 @@ index 8416beb..d7111b8 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4297,6 +5189,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5207,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -16223,7 +16249,7 @@ index 8416beb..d7111b8 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4503,6 +5414,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5432,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -16232,7 +16258,7 @@ index 8416beb..d7111b8 100644
  ')
  
  ########################################
-@@ -4549,7 +5462,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5480,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -16241,7 +16267,7 @@ index 8416beb..d7111b8 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +5509,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5527,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -16268,7 +16294,7 @@ index 8416beb..d7111b8 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +5604,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +5622,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -16294,7 +16320,7 @@ index 8416beb..d7111b8 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +5864,43 @@ interface(`fs_unconfined',`
+@@ -4912,3 +5882,43 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -35708,7 +35734,7 @@ index 4e94884..7ab6191 100644
 +	filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..0bdf67e 100644
+index 59b04c1..75844b4 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@@ -35895,7 +35921,7 @@ index 59b04c1..0bdf67e 100644
  corenet_all_recvfrom_netlabel(audisp_remote_t)
  corenet_tcp_sendrecv_generic_if(audisp_remote_t)
  corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +325,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,13 +325,23 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
  
  files_read_etc_files(audisp_remote_t)
  
@@ -35915,7 +35941,12 @@ index 59b04c1..0bdf67e 100644
  
  sysnet_dns_name_resolve(audisp_remote_t)
  
-@@ -326,7 +379,6 @@ files_read_etc_files(klogd_t)
++term_search_ptys(audisp_remote_t)
++
+ ########################################
+ #
+ # klogd local policy
+@@ -326,7 +381,6 @@ files_read_etc_files(klogd_t)
  
  logging_send_syslog_msg(klogd_t)
  
@@ -35923,7 +35954,7 @@ index 59b04c1..0bdf67e 100644
  
  mls_file_read_all_levels(klogd_t)
  
-@@ -355,13 +407,12 @@ optional_policy(`
+@@ -355,13 +409,12 @@ optional_policy(`
  # sys_admin for the integrated klog of syslog-ng and metalog
  # sys_nice for rsyslog
  # cjp: why net_admin!
@@ -35940,7 +35971,7 @@ index 59b04c1..0bdf67e 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,11 +420,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,11 +422,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
  allow syslogd_t self:fifo_file rw_fifo_file_perms;
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -35957,7 +35988,7 @@ index 59b04c1..0bdf67e 100644
  files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  
  # create/append log files.
-@@ -389,30 +444,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +446,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -36008,7 +36039,7 @@ index 59b04c1..0bdf67e 100644
  # syslog-ng can listen and connect on tcp port 514 (rsh)
  corenet_tcp_sendrecv_generic_if(syslogd_t)
  corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +494,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +496,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
  corenet_tcp_connect_rsh_port(syslogd_t)
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -36017,7 +36048,7 @@ index 59b04c1..0bdf67e 100644
  corenet_tcp_connect_syslogd_port(syslogd_t)
  corenet_tcp_connect_postgresql_port(syslogd_t)
  corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +506,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +508,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -36051,7 +36082,7 @@ index 59b04c1..0bdf67e 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -448,13 +545,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +547,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
  fs_search_auto_mountpoints(syslogd_t)
@@ -36069,7 +36100,7 @@ index 59b04c1..0bdf67e 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +567,12 @@ init_use_fds(syslogd_t)
+@@ -466,11 +569,12 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -36085,7 +36116,7 @@ index 59b04c1..0bdf67e 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +599,7 @@ optional_policy(`
+@@ -497,6 +601,7 @@ optional_policy(`
  optional_policy(`
  	cron_manage_log_files(syslogd_t)
  	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -36093,7 +36124,7 @@ index 59b04c1..0bdf67e 100644
  ')
  
  optional_policy(`
-@@ -507,15 +610,40 @@ optional_policy(`
+@@ -507,15 +612,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36134,7 +36165,7 @@ index 59b04c1..0bdf67e 100644
  ')
  
  optional_policy(`
-@@ -526,3 +654,26 @@ optional_policy(`
+@@ -526,3 +656,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 135%{?dist}
+Release: 136%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,29 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136
+- Add samba_unconfined_script_exec_t to samba_admin header.
+- Add jabberd_lock_t label to jabberd_admin header.
+- Add rpm_var_run_t label to rpm_admin header.
+- Make all interfaces related to openshift_cache_t as deprecated.
+- Remove non exits nfsd_ro_t label.
+- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
+- Fix *_admin intefaces where body is not consistent with header.
+- Allow networkmanager read rfcomm port.
+- Fix nova_domain_template interface, Fix typo bugs in nova policy
+- Create nova sublabels.
+- Merge all nova_* labels under one nova_t.
+- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
+- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
+- Fix label openstack-nova-metadata-api binary file
+- Allow nova_t to bind on geneve tcp port, and all udp ports
+- Label swift-container-reconciler binary as swift_t.
+- Allow glusterd to execute showmount in the showmount domain.
+- Allow NetworkManager_t send signull to dnssec_trigger_t.
+- Add support for openstack-nova-* packages.
+- Allow audisp-remote searching devpts.
+- Label 6080 tcp port as geneve
+
 * Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135
 - Update mta_filetrans_named_content() interface to cover more db files.
 - Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."