From 00f3e49e648a3a91fdbde0bf15287804c59c4385 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 29 2017 13:02:11 +0000 Subject: * Fri Sep 29 2017 Lukas Vrabec - 3.13.1-225.23 - Fix typo bug in apache module - Make working webadm_t userdomain - Allow redis domain to execute shell scripts. - Add couple capabilities to keepalived domain and allow get attributes of all domains - Allow dmidecode read rhsmcertd lock files - Add new interface rhsmcertd_rw_lock_files() - Label all plymouthd archives as plymouthd_var_log_t - Add few rules to make tlp_t domain working in enforcing mode - Allow cloud_init_t to dbus chat with systemd_timedated_t - Allow logrotate_t to write to kmsg - Add capability kill to rhsmcertd_t - Allow winbind to manage smbd_tmp_t files - Allow ipa_dnskey_t to exec ipa_dnskey_exec_t files - Add missing dac_read_search cap for abrt_t domain BZ(1486492) - Allow useradd_t domain dbus chat with systemd - Dontaudit netutils to write to kdumpctl_tmp_t pipes BZ(1481670) --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 8018518..da66bee 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index fc9076a..8e59d9a 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -2108,7 +2108,7 @@ index c6ca761c9..0c86bfd54 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c3592a..5038ed0d5 100644 +index c44c3592a..cba535365 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -2166,7 +2166,7 @@ index c44c3592a..5038ed0d5 100644 fs_getattr_xattr_fs(netutils_t) -@@ -80,12 +86,12 @@ init_use_script_ptys(netutils_t) +@@ -80,15 +86,19 @@ init_use_script_ptys(netutils_t) auth_use_nsswitch(netutils_t) 
@@ -2182,7 +2182,14 @@ index c44c3592a..5038ed0d5 100644 userdom_use_all_users_fds(netutils_t) optional_policy(` -@@ -110,11 +116,10 @@ allow ping_t self:capability { setuid net_raw }; ++ kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t) ++') ++ ++optional_policy(` + nis_use_ypbind(netutils_t) + ') + +@@ -110,11 +120,10 @@ allow ping_t self:capability { setuid net_raw }; allow ping_t self:process { getcap setcap }; dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; @@ -2196,7 +2203,7 @@ index c44c3592a..5038ed0d5 100644 corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_generic_if(ping_t) corenet_raw_sendrecv_generic_if(ping_t) -@@ -124,6 +129,9 @@ corenet_raw_bind_generic_node(ping_t) +@@ -124,6 +133,9 @@ corenet_raw_bind_generic_node(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) @@ -2206,7 +2213,7 @@ index c44c3592a..5038ed0d5 100644 domain_use_interactive_fds(ping_t) -@@ -131,14 +139,14 @@ files_read_etc_files(ping_t) +@@ -131,14 +143,14 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) kernel_read_system_state(ping_t) @@ -2225,7 +2232,7 @@ index c44c3592a..5038ed0d5 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -146,14 +154,29 @@ ifdef(`hide_broken_symptoms',` +@@ -146,14 +158,29 @@ ifdef(`hide_broken_symptoms',` optional_policy(` nagios_dontaudit_rw_log(ping_t) nagios_dontaudit_rw_pipes(ping_t) @@ -2255,7 +2262,7 @@ index c44c3592a..5038ed0d5 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +184,15 @@ optional_policy(` +@@ -161,6 +188,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') 
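Review bot: The added `kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t)` suppresses the AVC without recording what triggers it, so a later reader cannot tell whether netutils only inherits kdumpctl's pipe or genuinely tries to write output to it. If a write is actually needed it will still fail in enforcing mode, now with nothing in the audit log to point at the cause. Add a comment above the call, e.g. `# inherited kdumpctl stdout/stderr pipe; writes are not required, BZ(1481670)`, and confirm the inherited-pipe variant matches the denial in the bug report. This commit does not touch kdump.if, so the interface must already exist in the contrib patch; if it does not, the optional_policy block only surfaces the problem at policy build time.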
@@ -2271,7 +2278,7 @@ index c44c3592a..5038ed0d5 100644 ######################################## # # Traceroute local policy -@@ -174,7 +206,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -174,7 +210,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) @@ -2279,7 +2286,7 @@ index c44c3592a..5038ed0d5 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +229,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -198,6 +233,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -2287,7 +2294,7 @@ index c44c3592a..5038ed0d5 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +238,17 @@ auth_use_nsswitch(traceroute_t) +@@ -206,11 +242,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -3089,7 +3096,7 @@ index 99e3903ea..fa68362ea 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..7a132d600 100644 +index 1d732f1e7..772847460 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3472,7 +3479,7 @@ index 1d732f1e7..7a132d600 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t) +@@ -498,45 +549,50 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. 
@@ -3480,7 +3487,11 @@ index 1d732f1e7..7a132d600 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t) + + init_use_fds(useradd_t) + init_rw_utmp(useradd_t) ++init_dbus_chat(useradd_t) + logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3530,7 +3541,7 @@ index 1d732f1e7..7a132d600 100644 ') optional_policy(` -@@ -545,14 +600,27 @@ optional_policy(` +@@ -545,14 +601,27 @@ optional_policy(` ') optional_policy(` @@ -3558,7 +3569,7 @@ index 1d732f1e7..7a132d600 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +630,12 @@ optional_policy(` +@@ -562,3 +631,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index ba80bfb..c0c3837 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f070f..53512e89f 100644 +index eb50f070f..7fb68fe86 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -718,7 +718,7 @@ index eb50f070f..53512e89f 100644 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; -+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; ++allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; +dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + @@ -5570,7 +5570,7 @@ index f6eb4851f..fe461a3fc 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962b6..4e154808c 100644 +index 6649962b6..1088f0b9b 100644 --- a/apache.te 
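Review bot: `init_dbus_chat(useradd_t)` is added unconditionally, but D-Bus traffic to systemd is only possible if useradd_t is also a system bus client; nothing in this hunk grants that, so either the rule is dead or the bus-client access lives elsewhere in usermanage.te — worth confirming. The interface grants send_msg in both directions between useradd_t and init_t, which is wider than a one-way request; a comment naming the systemd call useradd makes, e.g. `# useradd talks to systemd over D-Bus (which call: TODO fill in)`, would make the grant reviewable later. The useradd_t rule block continues outside the hunk on both sides.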
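Review bot: The new `dac_read_search` is inserted out of alphabetical order in the abrt_t capability set; the rest of the set is sorted, so the line should read `allow abrt_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };`. Since abrt_t already holds `dac_override`, a one-line comment stating why `dac_read_search` is still denied separately (BZ(1486492), per the changelog) would stop a later cleanup from dropping it as redundant.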
+++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6818,7 +6818,7 @@ index 6649962b6..4e154808c 100644 avahi_dbus_chat(httpd_t) ') + -+ tunable_policy(`httpd_dbus_sssd', ++ tunable_policy(`httpd_dbus_sssd',` + sssd_dbus_chat(httpd_t) + ') ') @@ -12486,7 +12486,7 @@ index 008f8ef26..144c0740a 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287ce..e85ac9761 100644 +index 550b287ce..aa89f57ca 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t) @@ -12585,7 +12585,7 @@ index 550b287ce..e85ac9761 100644 ') optional_policy(` -@@ -92,11 +116,72 @@ optional_policy(` +@@ -92,11 +116,73 @@ optional_policy(` ') optional_policy(` @@ -12618,6 +12618,7 @@ index 550b287ce..e85ac9761 100644 +optional_policy(` + pki_rw_tomcat_cert(certmonger_t) + pki_read_tomcat_lib_files(certmonger_t) ++ pki_systemctl_tomcat(certmonger_t) +') + +optional_policy(` @@ -14770,10 +14771,10 @@ index 000000000..55fe0d668 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 000000000..21e6ae757 +index 000000000..73f3eb8a0 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,249 @@ +@@ -0,0 +1,250 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -14881,6 +14882,7 @@ index 000000000..21e6ae757 +selinux_validate_context(cloud_init_t) + +systemd_dbus_chat_hostnamed(cloud_init_t) ++systemd_dbus_chat_timedated(cloud_init_t) +systemd_exec_systemctl(cloud_init_t) +systemd_start_all_services(cloud_init_t) + @@ -26037,7 +26039,7 @@ index 41c3f6770..653a1ecbb 100644 ## ## Execute dmidecode in the dmidecode diff --git a/dmidecode.te b/dmidecode.te -index aa0ef6e94..02bdb681d 100644 +index aa0ef6e94..3c52d892c 100644 --- a/dmidecode.te +++ b/dmidecode.te @@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t) 
@@ -26048,7 +26050,7 @@ index aa0ef6e94..02bdb681d 100644 +userdom_use_inherited_user_terminals(dmidecode_t) + +optional_policy(` -+ rhsmcertd_rw_inherited_lock_files(dmidecode_t) ++ rhsmcertd_rw_lock_files(dmidecode_t) +') diff --git a/dnsmasq.fc b/dnsmasq.fc index 23ab808d8..84735a8cb 100644 @@ -39406,10 +39408,10 @@ index 000000000..a25fe8807 + diff --git a/ipa.te b/ipa.te new file mode 100644 -index 000000000..ffb6e4f8a +index 000000000..b4b8f83c8 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,264 @@ +@@ -0,0 +1,266 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -39597,6 +39599,8 @@ index 000000000..ffb6e4f8a + +dev_read_rand(ipa_dnskey_t) + ++can_exec(ipa_dnskey_t,ipa_dnskey_exec_t) ++ +libs_exec_ldconfig(ipa_dnskey_t) + +logging_send_syslog_msg(ipa_dnskey_t) @@ -42710,10 +42714,10 @@ index 000000000..bd7e7fa17 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 000000000..04c46e714 +index 000000000..2c49ee0a1 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,95 @@ +@@ -0,0 +1,96 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -42739,7 +42743,7 @@ index 000000000..04c46e714 +# keepalived local policy +# + -+allow keepalived_t self:capability { net_admin net_raw kill }; ++allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace }; +allow keepalived_t self:process { signal_perms }; +allow keepalived_t self:netlink_socket create_socket_perms; +allow keepalived_t self:netlink_generic_socket create_socket_perms; @@ -42770,6 +42774,7 @@ index 000000000..04c46e714 +corenet_tcp_connect_squid_port(keepalived_t) + +domain_read_all_domains_state(keepalived_t) ++domain_getattr_all_domains(keepalived_t) + +dev_read_urand(keepalived_t) + @@ -46907,7 +46912,7 @@ index dd8e01af3..9cd6b0b8e 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84b3..6180bdbdc 100644 +index be0ab84b3..6992c73a7 100644 --- a/logrotate.te +++ b/logrotate.te 
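Review bot: Replacing `rhsmcertd_rw_inherited_lock_files(dmidecode_t)` with `rhsmcertd_rw_lock_files(dmidecode_t)` changes the grant from using an already-open inherited descriptor to opening /var/lock/subsys/rhsmcertd itself for read and write (the new interface in the rhsmcertd.if hunk uses `files_search_locks` plus `rw_file_perms`). The changelog entry says dmidecode only needs to read the lock file; if that is accurate a read-only interface is the tighter fit, and if write access really is required the reason belongs in a comment above the call. Either way, recording the motivating AVC next to the rule would help the next reviewer.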
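Review bot: `can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)` omits the space after the comma that the other interface calls in this patch use; write `can_exec(ipa_dnskey_t, ipa_dnskey_exec_t)`. Executing its own entrypoint without a domain transition is normally there for a helper re-exec; a short comment naming the helper that ipa_dnskey_t runs would make the rule reviewable later.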
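Review bot: Adding `sys_ptrace` to keepalived_t's capability set (first keepalived.te hunk), on top of the existing `domain_read_all_domains_state` and the new `domain_getattr_all_domains` (second keepalived.te hunk), lets a daemon that parses VRRP traffic off the network read the /proc state of every process on the host, including the entries the kernel gates on CAP_SYS_PTRACE. If the denials came from a script check that merely probes other processes, a dontaudit of the probed access is the usual choice; if they are genuinely needed, a comment above the allow rule should name the operation so the broadening is deliberate. The new capabilities are also appended to an unsorted set; while touching the line, sort it: `allow keepalived_t self:capability { dac_read_search kill net_admin net_raw sys_ptrace };`.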
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -46982,7 +46987,7 @@ index be0ab84b3..6180bdbdc 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +71,54 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -47005,6 +47010,7 @@ index be0ab84b3..6180bdbdc 100644 +dev_read_urand(logrotate_t) +dev_read_sysfs(logrotate_t) ++dev_write_kmsg(logrotate_t) + +fs_search_auto_mountpoints(logrotate_t) +fs_getattr_all_fs(logrotate_t) @@ -47041,7 +47047,7 @@ index be0ab84b3..6180bdbdc 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +135,56 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +136,56 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -47104,7 +47110,7 @@ index be0ab84b3..6180bdbdc 100644 ') optional_policy(` -@@ -135,16 +199,17 @@ optional_policy(` +@@ -135,16 +200,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -47124,7 +47130,7 @@ index be0ab84b3..6180bdbdc 100644 ') optional_policy(` -@@ -170,6 +235,11 @@ optional_policy(` +@@ -170,6 +236,11 @@ optional_policy(` ') optional_policy(` @@ -47136,7 +47142,7 @@ index be0ab84b3..6180bdbdc 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +248,8 @@ optional_policy(` +@@ -178,7 +249,8 @@ optional_policy(` ') optional_policy(` @@ -47146,7 +47152,7 @@ index be0ab84b3..6180bdbdc 100644 ') optional_policy(` -@@ -198,17 +269,18 @@ optional_policy(` +@@ -198,17 +270,18 @@ optional_policy(` ') optional_policy(` 
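Review bot: `dev_write_kmsg(logrotate_t)` lets logrotate — and every postrotate script that runs in logrotate_t — write lines into the kernel ring buffer, which downstream log collectors commonly attribute to the kernel; that is a larger trust shift than the neighbouring sysfs and urand reads. If a single helper needs /dev/kmsg, consider whether that helper should run in its own domain rather than widening logrotate_t, and in any case add a comment naming the caller, e.g. `# <helper name: TODO fill in> writes its status to /dev/kmsg`. The logrotate_t rule block continues beyond this hunk.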
@@ -47168,7 +47174,7 @@ index be0ab84b3..6180bdbdc 100644 ') optional_policy(` -@@ -216,6 +288,14 @@ optional_policy(` +@@ -216,6 +289,14 @@ optional_policy(` ') optional_policy(` @@ -47183,7 +47189,7 @@ index be0ab84b3..6180bdbdc 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +308,50 @@ optional_policy(` +@@ -228,26 +309,50 @@ optional_policy(` ') optional_policy(` @@ -72373,10 +72379,10 @@ index 000000000..47cd0f8ba +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 000000000..798efb632 +index 000000000..e15518779 --- /dev/null +++ b/pki.if -@@ -0,0 +1,287 @@ +@@ -0,0 +1,312 @@ + +## policy for pki + @@ -72664,6 +72670,31 @@ index 000000000..798efb632 + read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) + read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) +') ++ ++ ++######################################## ++## ++## Allow given domain systemctl access on pki_tomcat unit files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pki_systemctl_tomcat',` ++ gen_require(` ++ type httpd_t; ++ type pki_tomcat_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ init_reload_services($1) ++ allow $1 pki_tomcat_unit_file_t:file read_file_perms; ++ allow $1 pki_tomcat_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, httpd_t) ++') diff --git a/pki.te b/pki.te new file mode 100644 index 000000000..afa1ba1f4 @@ -72954,7 +72985,7 @@ index 000000000..afa1ba1f4 +') + diff --git a/plymouthd.fc b/plymouthd.fc -index 735500fd1..2ba6832cc 100644 +index 735500fd1..7f694728c 100644 --- a/plymouthd.fc +++ b/plymouthd.fc @@ -1,15 +1,14 @@ 
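Review bot: The new `pki_systemctl_tomcat` interface requires `type httpd_t;` and grants `ps_process_pattern($1, httpd_t)`, which has nothing to do with the systemctl access its summary describes and makes the pki module hard-depend on the apache module; the caller added in the certmonger.te hunk (`pki_systemctl_tomcat(certmonger_t)`) therefore also gains read access to httpd_t's /proc state. If pki-tomcat really runs as httpd_t, say so in a comment; otherwise drop the two httpd_t lines or move them to a separately and accurately named interface. The parameter summary `Domain allowed to transition.` is also wrong — no transition occurs here — and should follow the refpolicy convention `Domain allowed access.`. Note too that `manage_service_perms` covers start and stop as well as reload, which is more than a renewal hook needs if reloading pki-tomcat is all certmonger does.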
@@ -72972,7 +73003,7 @@ index 735500fd1..2ba6832cc 100644 -/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) -+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) ++/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) -/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) +/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) @@ -86950,7 +86981,7 @@ index 16c8ecbe3..4e021eca7 100644 + ') ') diff --git a/redis.te b/redis.te -index 25cd4175f..61de8277a 100644 +index 25cd4175f..84c02e325 100644 --- a/redis.te +++ b/redis.te @@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t) @@ -86982,7 +87013,7 @@ index 25cd4175f..61de8277a 100644 manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) manage_files_pattern(redis_t, redis_log_t, redis_log_t) manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) -@@ -42,14 +50,17 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) +@@ -42,24 +50,27 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) @@ -87000,7 +87031,12 @@ index 25cd4175f..61de8277a 100644 corenet_sendrecv_redis_server_packets(redis_t) corenet_tcp_bind_redis_port(redis_t) -@@ -60,6 +71,4 @@ dev_read_urand(redis_t) + corenet_tcp_sendrecv_redis_port(redis_t) + ++corecmd_exec_shell(redis_t) ++ + dev_read_sysfs(redis_t) + dev_read_urand(redis_t) logging_send_syslog_msg(redis_t) @@ -89875,7 +89911,7 @@ index 8c0280418..896c8c67f 100644 /var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) 
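Review bot: The new entry `/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)` drops the `--` regular-file qualifier that the removed line carried, so the label now applies to any object class whose path matches the prefix, not only regular files. If the intent is just to cover rotated copies of boot.log, keep the qualifier: `/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)`. Widening the regex also means anything else named /var/log/boot.log* receives the mls_systemhigh plymouth label, which may be intended but deserves a comment.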
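Review bot: `corecmd_exec_shell(redis_t)` removes one of the main containment benefits of the redis_t domain: a compromised redis, a network service that is frequently attacked, could previously not spawn a shell under SELinux and now can. If the requirement is a specific helper script, label that script with redis_exec_t or a dedicated type and use `can_exec` on it, or put the shell access behind a tunable so it is off by default. Whichever is chosen, a comment above the rule should name the script that needs it, since the changelog only says "execute shell scripts".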
diff --git a/rhsmcertd.if b/rhsmcertd.if -index 6dbc905b3..4b17c933e 100644 +index 6dbc905b3..42e4306c8 100644 --- a/rhsmcertd.if +++ b/rhsmcertd.if @@ -1,8 +1,8 @@ @@ -89971,23 +90007,21 @@ index 6dbc905b3..4b17c933e 100644 ## ## ## -@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',` +@@ -196,10 +192,47 @@ interface(`rhsmcertd_read_pid_files',` allow $1 rhsmcertd_var_run_t:file read_file_perms; ') -#################################### +######################################## - ## --## Connect to rhsmcertd with a --## unix domain stream socket. ++## +## Read rhsmcertd PID files. - ## - ## - ## -@@ -207,6 +202,45 @@ interface(`rhsmcertd_read_pid_files',` - ## - ## - # ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`rhsmcertd_manage_pid_files',` + gen_require(` + type rhsmcertd_var_run_t; @@ -90016,6 +90050,27 @@ index 6dbc905b3..4b17c933e 100644 + allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms; +') + ++######################################## + ## +-## Connect to rhsmcertd with a +-## unix domain stream socket. ++## Read/wirte lock files. + ## + ## + ## +@@ -207,6 +240,26 @@ interface(`rhsmcertd_read_pid_files',` + ## + ## + # ++interface(`rhsmcertd_rw_lock_files',` ++ gen_require(` ++ type rhsmcertd_lock_t; ++ ') ++ ++ files_search_locks($1) ++ allow $1 rhsmcertd_lock_t:file rw_file_perms; ++') ++ +#################################### +## +## Connect to rhsmcertd over a unix domain @@ -90030,7 +90085,7 @@ index 6dbc905b3..4b17c933e 100644 interface(`rhsmcertd_stream_connect',` gen_require(` type rhsmcertd_t, rhsmcertd_var_run_t; -@@ -239,30 +273,29 @@ interface(`rhsmcertd_dbus_chat',` +@@ -239,30 +292,29 @@ interface(`rhsmcertd_dbus_chat',` ###################################### ## @@ -90074,7 +90129,7 @@ index 6dbc905b3..4b17c933e 100644 ## ## ## -@@ -270,35 +303,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` +@@ -270,35 +322,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` ## ## ## 
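Review bot: The summary of the new `rhsmcertd_rw_lock_files` interface reads `## Read/wirte lock files.` — a typo for `## Read/write lock files.`. Because the body (in the following hunk) grants `rw_file_perms` via `files_search_locks`, i.e. the caller opens the lock file itself, the summary should also distinguish it from `rhsmcertd_rw_inherited_lock_files` just above, e.g. `## Read and write rhsmcertd lock files.`. The `rhsmcertd_manage_pid_files` block re-emitted in the same hunk still says `## Read rhsmcertd PID files.` although the interface name says manage; this is pre-existing, but fixing it while the block is being touched would help.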
@@ -90106,24 +90161,24 @@ index 6dbc905b3..4b17c933e 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 rhsmcertd_t:process ptrace; + ') -+ + +- logging_search_logs($1) +- admin_pattern($1, rhsmcertd_log_t) + rhsmcertd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 rhsmcertd_initrc_exec_t system_r; + allow $2 system_r; -- logging_search_logs($1) -- admin_pattern($1, rhsmcertd_log_t) -+ logging_search_logs($1) -+ admin_pattern($1, rhsmcertd_log_t) - - files_search_var_lib($1) - admin_pattern($1, rhsmcertd_var_lib_t) -+ files_search_var_lib($1) -+ admin_pattern($1, rhsmcertd_var_lib_t) ++ logging_search_logs($1) ++ admin_pattern($1, rhsmcertd_log_t) - files_search_pids($1) - admin_pattern($1, rhsmcertd_var_run_t) ++ files_search_var_lib($1) ++ admin_pattern($1, rhsmcertd_var_lib_t) ++ + files_search_pids($1) + admin_pattern($1, rhsmcertd_var_run_t) + @@ -90134,7 +90189,7 @@ index 6dbc905b3..4b17c933e 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a279..75b615f81 100644 +index d32e1a279..b79ae3194 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -90147,11 +90202,13 @@ index d32e1a279..75b615f81 100644 type rhsmcertd_var_lib_t; files_type(rhsmcertd_var_lib_t) -@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t) +@@ -29,19 +32,22 @@ files_pid_file(rhsmcertd_var_run_t) + # Local policy # - allow rhsmcertd_t self:capability sys_nice; +-allow rhsmcertd_t self:capability sys_nice; -allow rhsmcertd_t self:process { signal setsched }; ++allow rhsmcertd_t self:capability { kill sys_nice }; +allow rhsmcertd_t self:process { signal_perms setsched }; + allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; @@ -95970,7 +96027,7 @@ index 50d07fb2e..a34db489c 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441e7..d79c13644 100644 +index 2b7c441e7..a7faeed9f 100644 --- a/samba.te 
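Review bot: `allow rhsmcertd_t self:capability { kill sys_nice };` adds CAP_KILL, which only matters when signalling a process owned by a different UID; the `self:process { signal_perms setsched }` rule on the next line already covers signalling itself. If the denial came from rhsmcertd signalling its own children running as the same UID, the capability is unnecessary and should be dropped; if it really signals another user's process, a comment naming that target would keep the grant reviewable.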
+++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -97104,9 +97161,12 @@ index 2b7c441e7..d79c13644 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +966,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -871,40 +964,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) + manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) + files_var_filetrans(winbind_t, samba_var_t, dir, "samba") - rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +-rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) ++manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) -# This needs a file context specification -allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; @@ -110380,10 +110440,10 @@ index 000000000..368e18842 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 000000000..f31ed95d7 +index 000000000..761cc35b0 --- /dev/null +++ b/tlp.te -@@ -0,0 +1,74 @@ +@@ -0,0 +1,80 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -110428,6 +110488,7 @@ index 000000000..f31ed95d7 +kernel_rw_fs_sysctls(tlp_t) +kernel_rw_kernel_sysctl(tlp_t) +kernel_rw_vm_sysctls(tlp_t) ++kernel_create_rpc_sysctls(tlp_t) + +auth_read_passwd(tlp_t) + @@ -110436,12 +110497,16 @@ index 000000000..f31ed95d7 +dev_list_sysfs(tlp_t) +dev_manage_sysfs(tlp_t) +dev_rw_cpu_microcode(tlp_t) ++dev_rw_wireless(tlp_t) + +files_read_kernel_modules(tlp_t) ++files_load_kernel_modules(tlp_t) + +modutils_exec_insmod(tlp_t) +modutils_read_module_config(tlp_t) + ++logging_send_syslog_msg(tlp_t) ++ +storage_raw_read_fixed_disk(tlp_t) +storage_raw_write_removable_device(tlp_t) + @@ -110449,6 +110514,7 @@ index 000000000..f31ed95d7 + +optional_policy(` + dbus_stream_connect_system_dbusd(tlp_t) ++ dbus_system_bus_client(tlp_t) +') + +optional_policy(` 
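Review bot: `files_load_kernel_modules(tlp_t)`, combined with the pre-existing `modutils_exec_insmod(tlp_t)` (exec without a domain transition), means kernel modules are loaded directly from the tlp_t domain; for a power-management tool that in the same file also gets `dev_rw_wireless` and `dev_manage_sysfs`, that is a wide privilege set and deserves a comment naming which modules tlp loads (the same point applies to the other tlp.te hunks in this file). Separately, `dbus_system_bus_client(tlp_t)` is added right after the existing `dbus_stream_connect_system_dbusd(tlp_t)` in the same optional_policy block; if the bus-client interface already includes the stream connect, as it does in the usual dbus.if, the first call is redundant and can be removed.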
@@ -119292,10 +119358,10 @@ index 4815a93f4..24dcf5174 100644 + rhcs_rw_cluster_tmpfs(wdmd_t) ') diff --git a/webadm.te b/webadm.te -index 2a6cae773..6d0a2a1c5 100644 +index 2a6cae773..d2752d9bb 100644 --- a/webadm.te +++ b/webadm.te -@@ -25,6 +25,9 @@ role webadm_r; +@@ -25,12 +25,21 @@ role webadm_r; userdom_base_user_template(webadm) @@ -119305,26 +119371,43 @@ index 2a6cae773..6d0a2a1c5 100644 ######################################## # # Local policy -@@ -32,6 +35,12 @@ userdom_base_user_template(webadm) - - allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; + # +-allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; ++allow webadm_t self:capability { dac_override dac_read_search kill sys_nice sys_resource }; ++ +manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir }) +can_exec(webadm_t, webadm_tmp_t) -+ + files_dontaudit_search_all_dirs(webadm_t) files_list_var(webadm_t) +@@ -38,12 +47,26 @@ files_list_var(webadm_t) + selinux_get_enforce_mode(webadm_t) + seutil_domtrans_setfiles(webadm_t) -@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t) ++init_rw_pipes(webadm_t) ++init_status(webadm_t) ++ + logging_send_audit_msgs(webadm_t) + logging_send_syslog_msg(webadm_t) userdom_dontaudit_search_user_home_dirs(webadm_t) ++userdom_dontaudit_manage_admin_files(webadm_t) ++ ++optional_policy(` ++ apache_admin(webadm_t, webadm_r) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(webadm_t) ++') -apache_admin(webadm_t, webadm_r) +optional_policy(` -+ apache_admin(webadm_t, webadm_r) ++ policykit_dbus_chat(webadm_t) +') tunable_policy(`webadm_manage_user_files',` diff --git a/selinux-policy.spec b/selinux-policy.spec index 13d2777..17c649a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
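Review bot: `userdom_dontaudit_manage_admin_files(webadm_t)` silences every attempt by the confined web-admin role to create, write or delete files in admin home directories; for a role whose purpose is confinement, those denials are exactly the audit events a security team wants to keep, so the dontaudit should either be justified by the specific noisy operation in a comment or narrowed to that operation. The new `sys_resource` capability on the first changed line of the hunk also lacks a rationale; a comment such as `# sys_resource: <operation that raises limits: TODO fill in>` would make it reviewable. The webadm_t rule block continues outside the hunk.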
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.22%{?dist} +Release: 225.23%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,24 @@ exit 0 %endif %changelog +* Fri Sep 29 2017 Lukas Vrabec - 3.13.1-225.23 +- Fix typo bug in apache module +- Make working webadm_t userdomain +- Allow redis domain to execute shell scripts. +- Add couple capabilities to keepalived domain and allow get attributes of all domains +- Allow dmidecode read rhsmcertd lock files +- Add new interface rhsmcertd_rw_lock_files() +- Label all plymouthd archives as plymouthd_var_log_t +- Add few rules to make tlp_t domain working in enforcing mode +- Allow cloud_init_t to dbus chat with systemd_timedated_t +- Allow logrotate_t to write to kmsg +- Add capability kill to rhsmcertd_t +- Allow winbind to manage smbd_tmp_t files +- Allow ipa_dnskey_t to exec ipa_dnskey_exec_t files +- Add missing dac_read_search cap for abrt_t domain BZ(1486492) +- Allow useradd_t domain dbus chat with systemd +- Dontaudit netutils to write to kdumpctl_tmp_t pipes BZ(1481670) + * Thu Aug 31 2017 Lukas Vrabec - 3.13.1-225.22 - Allow ddclient use nsswitch BZ(1456241) - Allow thumb_t domain getattr fixed_disk device. BZ(1379137)