From 8473826036b112a71a2deae06d9737f8c9adf2e0 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 29 2016 13:23:30 +0000 Subject: * Fri Apr 29 2016 Lukas Vrabec 3.13.1-184 - Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732 - Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732) - Label named-pkcs11 binary as named_exec_t. BZ(1331316) - Revert "Add new permissions stop/start to class system. rhbz#1324453" - Fix typo in module compilation message --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 311f744..55276b3 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 2e07578..e2e6f5e 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -46,9 +46,18 @@ index ec7b5cb..a027110 100644 ifndef LOCAL_ROOT rm -f $(fcsort) diff --git a/Rules.modular b/Rules.modular -index 313d837..ef3c532 100644 +index 313d837..4f261a9 100644 --- a/Rules.modular +++ b/Rules.modular +@@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp + # Build module packages + # + $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te +- @echo "Compliling $(NAME) $(@F) module" ++ @echo "Compiling $(NAME) $(@F) module" + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ @@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs) @echo "Validating policy linking." $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ @@ -868,7 +877,7 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..d0a8a5b 100644 +index a94b169..2e137e6 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process 
@@ -879,7 +888,7 @@ index a94b169..d0a8a5b 100644 } -@@ -393,6 +394,15 @@ class system +@@ -393,6 +394,13 @@ class system syslog_mod syslog_console module_request @@ -890,12 +899,10 @@ index a94b169..d0a8a5b 100644 + enable + disable + reload -+ stop -+ start } # -@@ -443,10 +453,13 @@ class capability +@@ -443,10 +451,13 @@ class capability class capability2 { mac_override # unused by SELinux @@ -910,7 +917,7 @@ index a94b169..d0a8a5b 100644 } # -@@ -690,6 +703,8 @@ class nscd +@@ -690,6 +701,8 @@ class nscd shmemhost getserv shmemserv @@ -919,7 +926,7 @@ index a94b169..d0a8a5b 100644 } # Define the access vector interpretation for controlling -@@ -831,6 +846,38 @@ inherits socket +@@ -831,6 +844,38 @@ inherits socket attach_queue } @@ -958,7 +965,7 @@ index a94b169..d0a8a5b 100644 class x_pointer inherits x_device -@@ -865,3 +912,18 @@ inherits database +@@ -865,3 +910,18 @@ inherits database implement execute } diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index 0a17576..67a9ec7 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -9425,10 +9425,10 @@ index c3fd7b1..e189593 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..750788c 100644 +index 2b9a3a1..49accb6 100644 --- a/bind.fc +++ b/bind.fc -@@ -1,54 +1,76 @@ +@@ -1,54 +1,77 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) 
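Review bot: Removing `stop` and `start` from class system after a previous build added them is a compatibility hazard that neither the hunk nor the commit message addresses: any policy module compiled against the earlier access_vectors and still referencing `system { stop start }` will fail to link or load with an undefined-permission error. If 3.13.1-183 or an earlier release shipped those permissions, the changelog entry for the revert should say that locally built modules using them must be rebuilt. The reason for the revert is also not recorded anywhere visible; a one-line comment beside the class, such as `# stop/start removed again, see rhbz#1324453`, would spare the next reader the archaeology. The surrounding `class system` definition starts above the hunk.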
@@ -9463,6 +9463,7 @@ index 2b9a3a1..750788c 100644 -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) +/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/named-pkcs11 -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) @@ -99737,12 +99738,14 @@ index cbfe369..6594af3 100644 files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 -index 0000000..4f4bdb3 +index 0000000..34f7846 --- /dev/null +++ b/snapper.fc -@@ -0,0 +1,14 @@ +@@ -0,0 +1,16 @@ +/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) + ++/usr/lib/snapper/systemd-helper -- gen_context(system_u:object_r:snapperd_exec_t,s0) ++ +/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0) +/etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) + @@ -99843,10 +99846,10 @@ index 0000000..ed76979 + diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..88805d7 +index 0000000..17a28ec --- /dev/null +++ b/snapper.te -@@ -0,0 +1,78 @@ +@@ -0,0 +1,79 @@ +policy_module(snapper, 1.0.0) + +######################################## @@ -99872,7 +99875,8 @@ index 0000000..88805d7 +# snapperd local policy +# + -+allow snapperd_t self:capability dac_override; ++allow snapperd_t self:capability { dac_override sys_admin }; ++allow snapperd_t self:process setsched; + +allow snapperd_t self:fifo_file rw_fifo_file_perms; +allow snapperd_t self:unix_stream_socket create_stream_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index b6182f9..576d484 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
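Review bot: The new named-pkcs11 entry is a third near-identical copy of the named and named-sdb lines; one pattern keeps the three siblings in step, `/usr/sbin/named(-sdb|-pkcs11)? -- gen_context(system_u:object_r:named_exec_t,s0)`, and cannot drift when one of them is edited. Labeling alone only puts the binary into named_t; since the commit touches no bind.te rules, whether named_t can reach whatever token store the PKCS#11 provider uses is not established here and is worth confirming against the bug before closing it.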
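Review bot: `sys_admin` is granted to snapperd_t with no comment naming the operation that needs it, and the only justification in the commit message is setting the scheduler, which on Linux is CAP_SYS_NICE (paired with the `process setsched` permission added on the next line), not CAP_SYS_ADMIN. sys_admin is close to unconfined root in practice (mounts, a large set of filesystem ioctls and more), so it should be tied to a concrete denial: if the AVC behind rhbz#1323732 was for a snapshot or mount ioctl, record that in a comment above the rule, e.g. `# sys_admin: <ioctl/operation from rhbz#1323732>; setsched alone only needs sys_nice`. If it really was only the scheduler call, the line should be `allow snapperd_t self:capability { dac_override sys_nice };` instead. The snapperd local policy block continues past the end of the hunk.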
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 183%{?dist}
+Release: 184%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -651,6 +651,13 @@ exit 0
 %endif
 %changelog
+* Fri Apr 29 2016 Lukas Vrabec 3.13.1-184
+- Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732
+- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
+- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
+- Revert "Add new permissions stop/start to class system. rhbz#1324453"
+- Fix typo in module compilation message
+
 * Wed Apr 27 2016 Lukas Vrabec 3.13.1-183
 - Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
 - Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)