From 6860522227b96f700eb883d71c73281ba894213a Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 01 2016 16:20:07 +0000 Subject: * Fri Apr 01 2016 Lukas Vrabec 3.13.1-158.13 - Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075) - Label all run tgtd files, not just socket files - Revert "Label all run tgtd files, not just socket files." - Label all run tgtd files, not just socket files. - Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody. - Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815) - Label all nvidia binaries as xserver_exec_t --- diff --git a/policy-f23-base.patch b/policy-f23-base.patch index 89a0210..e77eb65 100644 --- a/policy-f23-base.patch +++ b/policy-f23-base.patch @@ -26491,7 +26491,7 @@ index cc877c7..b8e6e98 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..12a5645 100644 +index 8274418..53f66a4 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,38 @@ @@ -26556,7 +26556,7 @@ index 8274418..12a5645 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +79,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +79,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # 
@@ -26591,13 +26591,14 @@ index 8274418..12a5645 100644 /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0) ++/usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0) + +/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -91,19 +132,34 @@ ifndef(`distro_debian',` +@@ -91,19 +133,34 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -26636,7 +26637,7 @@ index 8274418..12a5645 100644 /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -111,7 +167,18 @@ ifndef(`distro_debian',` +@@ -111,7 +168,18 @@ ifndef(`distro_debian',` /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) diff --git a/policy-f23-contrib.patch b/policy-f23-contrib.patch index 9924952..f359329 100644 --- a/policy-f23-contrib.patch +++ b/policy-f23-contrib.patch @@ -2536,10 +2536,10 @@ index 16d0d66..60abfd0 100644 optional_policy(` nscd_dontaudit_search_pid(amtu_t) diff --git a/anaconda.fc b/anaconda.fc -index b098089..37d428c 100644 +index b098089..fe35beb 100644 --- a/anaconda.fc +++ b/anaconda.fc -@@ -1 +1,12 @@ +@@ -1 +1,13 @@ # No file context specifications. + +/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0) 
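Review bot: The new `/usr/bin/nvidia.*` entry in xserver.fc labels every binary whose name begins with nvidia as xserver_exec_t, so any such utility is executed in the X server's domain wherever a transition on xserver_exec_t exists, not only the driver's X-server helper; the changelog says this is deliberate, but nothing in the hunk records why a prefix match rather than the specific binaries was chosen. The regex also matches a bare `/usr/bin/nvidia` and any future nvidia-prefixed tool installed there, which presumably widens the set of programs running as xserver_t over time. A one-line comment above the entry, such as `# every nvidia-* binary is run as xserver_t, see changelog 3.13.1-158.13`, would make the intent reviewable. The enclosing xserver.fc section continues outside this hunk.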
@@ -2548,6 +2548,7 @@ index b098089..37d428c 100644 +/usr/bin/initial-setup -- gen_context(system_u:object_r:install_exec_t,s0) +/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0) +/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0) ++/usr/libexec/rpm-ostreed -- gen_context(system_u:object_r:install_exec_t,s0) + +/usr/bin/preupg.* -- gen_context(system_u:object_r:preupgrade_exec_t,s0) +/var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0) @@ -75912,10 +75913,10 @@ index 0000000..8231f4f +') diff --git a/prosody.te b/prosody.te new file mode 100644 -index 0000000..d531fa5 +index 0000000..3ef4a99 --- /dev/null +++ b/prosody.te -@@ -0,0 +1,92 @@ +@@ -0,0 +1,97 @@ +policy_module(prosody, 1.0.0) + +######################################## @@ -75991,6 +75992,7 @@ index 0000000..d531fa5 +corenet_tcp_bind_jabber_client_port(prosody_t) +corenet_tcp_bind_jabber_interserver_port(prosody_t) +corenet_tcp_bind_jabber_router_port(prosody_t) ++corenet_tcp_bind_commplex_main_port(prosody_t) + +tunable_policy(`prosody_bind_http_port',` + corenet_tcp_bind_http_port(prosody_t) @@ -76008,6 +76010,10 @@ index 0000000..d531fa5 +logging_send_syslog_msg(prosody_t) + +miscfiles_read_localization(prosody_t) ++ ++optional_policy(` ++ sasl_connect(prosody_t) ++') diff --git a/psad.if b/psad.if index d4dcf78..3cce82e 100644 --- a/psad.if @@ -105162,7 +105168,7 @@ index cfaa2a1..a9bc6f1 100644 optional_policy(` diff --git a/tgtd.fc b/tgtd.fc -index 38389e6..4847b43 100644 +index 38389e6..ae0f9ab 100644 --- a/tgtd.fc +++ b/tgtd.fc @@ -1,7 +1,4 @@ 
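Review bot: The anaconda.fc hunk labels /usr/libexec/rpm-ostreed as install_exec_t, while the commit message and the spec changelog entry both say rpm_exec_t; one of the two is wrong and the changelog should describe what actually ships. install_exec_t is the entry type used by the installer domain on the neighbouring lines, so a long-running system daemon launched under it presumably inherits the installer's permissions, which look considerably broader than what a package-update daemon needs — worth confirming this is intended rather than a copy of the adjacent rpm-ostree line. If the rpm domain was meant, the entry would be `/usr/libexec/rpm-ostreed -- gen_context(system_u:object_r:rpm_exec_t,s0)` in the rpm module's file contexts rather than here. The surrounding anaconda.fc content continues outside this hunk.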
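Review bot: The new `corenet_tcp_bind_commplex_main_port(prosody_t)` line is unconditional, whereas the http-port bind a few lines below in the same file is gated by the prosody_bind_http_port tunable; per the changelog port 5000 is only needed when mod_proxy65 is enabled, and commplex_main is a shared port label, so every prosody install is granted a bind it may never use. Following the existing pattern, wrap the call in a tunable_policy block keyed on a new boolean such as prosody_bind_commplex_main_port, with the matching gen_tunable declaration next to the existing one at the top of prosody.te (outside this hunk). The later hunk adding `sasl_connect(prosody_t)` inside optional_policy is fine as written.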
@@ -105176,7 +105182,7 @@ index 38389e6..4847b43 100644 +/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) +/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) +/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) -+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) ++/var/run/tgtd.* gen_context(system_u:object_r:tgtd_var_run_t,s0) diff --git a/tgtd.if b/tgtd.if index 5406b6e..dc5b46e 100644 --- a/tgtd.if diff --git a/selinux-policy.spec b/selinux-policy.spec index f00ef13..683a752 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 158.12%{?dist} +Release: 158.13%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -659,6 +659,15 @@ exit 0 %endif %changelog +* Fri Apr 01 2016 Lukas Vrabec 3.13.1-158.13 +- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075) +- Label all run tgtd files, not just socket files +- Revert "Label all run tgtd files, not just socket files." +- Label all run tgtd files, not just socket files. +- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody. +- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815) +- Label all nvidia binaries as xserver_exec_t + * Wed Mar 30 2016 Lukas Vrabec 3.13.1-158.12 - Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415) - Allow colord to read /etc/udev/hwdb.bin. rhzb#1320745
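Review bot: Dropping the `-s` qualifier from `/var/run/tgtd.*` makes the entry apply to every object class, including the /var/run/tgtd directory itself and any regular or pid files, not just socket files; that matches the changelog, but the label only takes effect for objects the daemon creates at runtime if tgtd.te (not in this hunk) also has a files_pid_filetrans for those classes and manage rules on tgtd_var_run_t for dir and file, otherwise they stay var_run_t until a restorecon. If only the socket and the directory are meant, two explicit entries would be tighter than the unanchored `tgtd.*`, which also matches unrelated names sharing the prefix. The spec changelog hunk lists label, revert and re-label as three entries for what is a single net change; one entry would be clearer.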