From 11eddd67ccb5203c848b6fe2e5a0031839a41470 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Mar 12 2018 16:24:11 +0000
Subject: * Mon Mar 12 2018 Lukas Vrabec - 3.14.1-13

- allow bluetooth_t domain to create alg_socket bz(1554410)
- allow tor_t domain to execute bin_t files bz(1496274)
- allow iscsid_t domain to mmap kernel modules bz(1553759)
- update minidlna selinux policy bz(1554087)
- allow motion_t domain to read sysfs_t files bz(1554142)
- allow snapperd_t domain to getattr on all files,dirs,sockets,pipes bz(1551738)
- allow l2tp_t domain to read ipsec config files bz(1545348)
- allow colord_t to mmap home user files bz(1551033)
- dontaudit httpd_t creating kobject uevent sockets bz(1552536)
- allow ipmievd_t to mmap kernel modules bz(1552535)
- allow boinc_t domain to read cgroup files bz(1468381)
- backport allow rules from refpolicy upstream repo
- allow gpg_t domain to bind on all unreserved udp ports
- allow systemd to create systemd_rfkill_var_lib_t dirs bz(1502164)
- allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t bz(1483655)
- allow xdm_t domain to sys_ptrace bz(1554150)
- allow application_domain_type also mmap inherited user temp files bz(1552765)
- update ipsec_read_config() interface
- fix broken sysadm selinux module
- allow ipsec_t to search for bind cache bz(1542746)
- allow staff_t to send sigkill to mount_t domain bz(1544272)
- label /run/systemd/resolve/stub-resolv.conf as net_conf_t bz(1471545)
- label ip6tables.init as iptables_exec_t bz(1551463)
- allow hostname_t to use usb ttys bz(1542903)
- add fsetid capability to updpwd_t domain bz(1543375)
- allow systemd machined send signal to all domains bz(1372644)
- dontaudit create netlink selinux sockets for unpriv selinux users bz(1547876)
- allow sysadm_t to create netlink generic sockets bz(1547874)
- allow passwd_t domain chroot
- dontaudit confined unprivileged users setuid capability

---
diff --git a/selinux-policy.spec b/selinux-policy.spec index 9005079..f13990c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 bd7ad92fc722388928f9441892a078018914cb7b +%global commit0 9bd65d321e20805535392f3ea1bad8ac093bf7b5 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 f5640723a5d5982bde2a85b6003c12d2fbf976b6 +%global commit1 fbc029066ded32b6ddafb04023743ec25ebc6197 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.1 -Release: 12%{?dist} +Release: 13%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz 
@@ -714,6 +714,38 @@ exit 0 %endif %changelog +* Mon Mar 12 2018 Lukas Vrabec - 3.14.1-13 +- allow bluetooth_t domain to create alg_socket bz(1554410) +- allow tor_t domain to execute bin_t files bz(1496274) +- allow iscsid_t domain to mmap kernel modules bz(1553759) +- update minidlna selinux policy bz(1554087) +- allow motion_t domain to read sysfs_t files bz(1554142) +- allow snapperd_t domain to getattr on all files,dirs,sockets,pipes bz(1551738) +- allow l2tp_t domain to read ipsec config files bz(1545348) +- allow colord_t to mmap home user files bz(1551033) +- dontaudit httpd_t creating kobject uevent sockets bz(1552536) +- allow ipmievd_t to mmap kernel modules bz(1552535) +- allow boinc_t domain to read cgroup files bz(1468381) +- backport allow rules from refpolicy upstream repo +- allow gpg_t domain to bind on all unereserved udp ports +- allow systemd to create systemd_rfkill_var_lib_t dirs bz(1502164) +- allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t bz(1483655) +- allow xdm_t domain to sys_ptrace bz(1554150) +- allow application_domain_type also mmap inherited user temp files bz(1552765) +- update ipsec_read_config() interface +- fix broken sysadm selinux module +- allow ipsec_t to search for bind cache bz(1542746) +- allow staff_t to send sigkill to mount_t domain bz(1544272) +- label /run/systemd/resolve/stub-resolv.conf as net_conf_t bz(1471545) +- label ip6tables.init as iptables_exec_t bz(1551463) +- allow hostname_t to use usb ttys bz(1542903) +- add fsetid capability to updpwd_t domain bz(1543375) +- allow systemd machined send signal to all domains bz(1372644) +- dontaudit create netlink selinux sockets for unpriv selinux users bz(1547876) +- allow sysadm_t to create netlink generic sockets bz(1547874) +- allow passwd_t domain chroot +- dontaudit confined unpriviliged users setuid capability + * Tue Mar 06 2018 Lukas Vrabec - 3.14.1-12 - Allow l2tpd_t domain to create pppox sockets - Update 
dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)
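
Review bot: In the first hunk (@@ -1,11 +1,11 @@), the commit0 bump (bd7ad92 to 9bd65d3) and the commit1 bump (f564072 to fbc0290) are what actually change the shipped policy, since Source is built from %{commit0}, but nothing visible here ties those two upstream ranges to the 30 changelog entries. Before merging, diff each range in fedora-selinux/selinux-policy and fedora-selinux/selinux-policy-contrib and check that every commit in it maps to a changelog line and that no unlisted rule change rides along. Also confirm that the source tarballs uploaded for this build were generated from exactly these two hashes.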
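
Review bot: Six entries in the new 3.14.1-13 block of the %changelog hunk (@@ -714,6 +714,38 @@) carry no bz() reference, and they include two new grants, "allow gpg_t domain to bind on all unereserved udp ports" and "allow passwd_t domain chroot", plus "dontaudit confined unpriviliged users setuid capability", which silences denials. Add the bug number or a one-line rationale to each so the rule can be audited later; the "backport allow rules from refpolicy upstream repo" entry should also say which rules were taken. The broad grants that do cite a bug (machined signalling all domains, xdm_t sys_ptrace, snapperd_t getattr on all file classes) are worth checking against the referenced reports to see whether a narrower type set would satisfy them. The three dontaudit entries hide denials from the audit log, so anyone triaging those domains afterwards has to rebuild with dontaudit rules disabled (semodule -DB) to see them. The spellings "unereserved" and "unpriviliged" should be corrected while the entry is open.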