* Thu Aug 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-269

- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
- refpolicy: Define and allow map permission
- init: Add NoNewPerms support for systemd.
- Add nnp_nosuid_transition policycap and related class/perm definitions.

policy-rawhide-contrib.patch

@@ -69486,7 +69486,7 @@ index 0000000..05648bd
 +')
 diff --git a/osad.te b/osad.te
 new file mode 100644
-index 0000000..6c2f264
+index 0000000..b372f68
 --- /dev/null
 +++ b/osad.te
 @@ -0,0 +1,56 @@
@@ -69515,7 +69515,7 @@ index 0000000..6c2f264
 +# osad local policy
 +#
 +
-+allow osad_t self:process setpgid;
++allow osad_t self:process { execmem setpgid };
 +
 +manage_files_pattern(osad_t, osad_log_t, osad_log_t)
 +logging_log_filetrans(osad_t, osad_log_t, file)

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 268%{?dist}
+Release: 269%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -683,6 +683,13 @@ exit 0
 %endif
 
 %changelog
+* Thu Aug 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-269
+- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
+- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
+- refpolicy: Define and allow map permission
+- init: Add NoNewPerms support for systemd.
+- Add nnp_nosuid_transition policycap and related class/perm definitions.
+
 * Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-268
 - Update for SELinux userspace release 20170804 / 2.7
 - Omit precompiled regular expressions from file_contexts.bin files