From b2b05fb557007e76775e69067e048a7e22c93738 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Dec 08 2016 15:35:14 +0000 Subject: * Thu Dec 08 2016 Lukas Vrabec - 3.13.1-225.3 - Label /usr/bin/rpcbind as rpcbind_exec_t - Dontaudit mozilla plugin rawip socket creation. BZ(1275961) - Add missing netlink access for containers --- diff --git a/container-selinux.tgz b/container-selinux.tgz index e29f167..489f535 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 15d2d0b..6b39114 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -38661,10 +38661,10 @@ index 0000000..419d280 + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..1a30961 +index 0000000..ddbc007 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,235 @@ +@@ -0,0 +1,252 @@ +## Policy for IPA services. + +######################################## @@ -38705,6 +38705,23 @@ index 0000000..1a30961 + +######################################## +## ++## Connect to ipa-ods-exporter over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_stream_connect_ods_exporter',` ++ gen_require(` ++ type ipa_ods_exporter_t; ++ ') ++ allow $1 ipa_ods_exporter_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## +## Execute ipa-helper in the ipa_helper domain. +## +## @@ -52349,7 +52366,7 @@ index 6194b80..e27c53d 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..9336364 100644 +index 11ac8e4..7d5d385 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -52802,7 +52819,7 @@ index 11ac8e4..9336364 100644 ') optional_policy(` -@@ -300,259 +339,257 @@ optional_policy(` +@@ -300,259 +339,258 @@ optional_policy(` ######################################## # 
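Review bot: The new interface `ipa_stream_connect_ods_exporter` grants only `allow $1 ipa_ods_exporter_t:unix_stream_socket connectto;`, which is half of what a unix-stream connect needs: the caller must also be able to search the socket's directory and write the socket file, which refpolicy interfaces normally supply with `stream_connect_pattern($1, <sock_file_type>, <sock_file_type>, ipa_ods_exporter_t)`. The only consumer in this commit, opendnssec_t, presumably gets the file side from its existing `ipa_manage_lib` call, but any other caller of this interface will still be denied at the sock_file, and the interface's own doc text says nothing about that precondition. If ipa-ods-exporter's socket is created under a type declared in ipa.te (not visible here), use that type with `stream_connect_pattern`; otherwise document in the interface header that the caller must separately obtain write access to the socket file.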
@@ -52816,6 +52833,7 @@ index 11ac8e4..9336364 100644 +dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config }; +dontaudit mozilla_plugin_t self:capability2 block_suspend; +dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace }; ++dontaudit mozilla_plugin_t self:rawip_socket create_socket_perms; + + +allow mozilla_plugin_t self:cap_userns {sys_admin sys_chroot}; @@ -53206,7 +53224,7 @@ index 11ac8e4..9336364 100644 ') optional_policy(` -@@ -560,7 +597,11 @@ optional_policy(` +@@ -560,7 +598,11 @@ optional_policy(` ') optional_policy(` @@ -53219,7 +53237,7 @@ index 11ac8e4..9336364 100644 ') optional_policy(` -@@ -568,108 +609,144 @@ optional_policy(` +@@ -568,108 +610,144 @@ optional_policy(` ') optional_policy(` @@ -64674,10 +64692,10 @@ index 0000000..7c08157 +') diff --git a/opendnssec.te b/opendnssec.te new file mode 100644 -index 0000000..e246d45 +index 0000000..3a760d7 --- /dev/null +++ b/opendnssec.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,69 @@ +policy_module(opendnssec, 1.0.0) + +######################################## @@ -64744,6 +64762,7 @@ index 0000000..e246d45 + +optional_policy(` + ipa_manage_lib(opendnssec_t) ++ ipa_stream_connect_ods_exporter(opendnssec_t) +') + diff --git a/openfortivpn.fc b/openfortivpn.fc @@ -91369,10 +91388,10 @@ index 2da9fca..6935f5c 100644 ') diff --git a/rpcbind.fc b/rpcbind.fc -index d31220e..c84a461 100644 +index d31220e..0b6894a 100644 --- a/rpcbind.fc +++ b/rpcbind.fc -@@ -1,6 +1,9 @@ +@@ -1,8 +1,12 @@ /etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) +/usr/lib/systemd/system/rpcbind\.service -- gen_context(system_u:object_r:rpcbind_unit_file_t,s0) 
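Review bot: The added `dontaudit mozilla_plugin_t self:rawip_socket create_socket_perms;` silences more than the changelog entry describes: create_socket_perms expands to create plus read, write, bind, connect, ioctl, getopt/setopt and shutdown, so if a later module ever grants the plugin domain raw-socket creation, use of that socket would also go unlogged. BZ(1275961) is about the creation attempt, so `dontaudit mozilla_plugin_t self:rawip_socket create;` matches the stated intent and keeps the remaining operations auditable. A raw IP socket from a browser plugin is an event an incident responder normally wants to see, so the rule deserves a one-line comment on why the noise is tolerated, e.g. `# BZ(1275961): plugin raw socket creation is denied and expected; keep the log quiet`.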
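Review bot: The new call `ipa_stream_connect_ods_exporter(opendnssec_t)` is not mentioned in the commit's changelog, which names only the rpcbind, mozilla and container changes, so the denial or bug that requires opendnssec_t to reach ipa-ods-exporter should be recorded (e.g. `# BZ(nnnn): ods-enforcer signals ipa-ods-exporter over its unix socket`, with the real reference). The interface supplies only connectto on the daemon's stream socket; the write on the socket file presumably comes from the neighbouring `ipa_manage_lib(opendnssec_t)` if the socket lives under the IPA lib directory, which should be confirmed against the socket path, since otherwise the connect still fails. The optional_policy block starts and ends inside the hunk.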
@@ -91381,6 +91400,9 @@ index d31220e..c84a461 100644 +/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) /usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) ++/usr/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) + + /var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) diff --git a/rpcbind.if b/rpcbind.if index 3b5e9ee..ff1163f 100644 @@ -103093,7 +103115,7 @@ index 1499b0b..e695a62 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..963d86c 100644 +index cc58e35..1e34535 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -103557,7 +103579,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -267,36 +384,40 @@ optional_policy(` +@@ -267,48 +384,54 @@ optional_policy(` ######################################## # @@ -103615,7 +103637,13 @@ index cc58e35..963d86c 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +429,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) + manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) + manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +-files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) ++manage_lnk_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) ++files_spool_filetrans(spamd_t, spamd_spool_t, { file dir lnk_file }) + + manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) 
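Review bot: The new `++/usr/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)` sits next to a `/bin/rpcbind` entry that the previous build added; on a UsrMove system /bin is a symlink to /usr/bin, so only the /usr/bin entry can match the installed file, and the /bin one is presumably already covered by the path equivalence in file_contexts.subs_dist. If that equivalence is in place the /bin line is redundant and could be dropped so the two entries cannot diverge; if it is not, leaving both is harmless. The changelog line "Label /usr/bin/rpcbind as rpcbind_exec_t" appears under both 225.2 and 225.3, so the 225.2 entry should say what it actually labelled.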
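Review bot: The two added lines `++manage_lnk_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)` and `++files_spool_filetrans(spamd_t, spamd_spool_t, { file dir lnk_file })` let spamd create, relabel and remove symlinks in its spool, but neither the commit message nor the changelog records which spamd operation needed this. Symlink creation in a spool that a mail pipeline reads is worth a one-line justification, because any domain allowed to read spamd_spool_t lnk_file will be steered to wherever the link points (subject to its own access to the target's label); e.g. `# BZ(nnnn): spamd creates symlinks under its spool directory`, with the real reference. The spamd_t rule block continues outside this hunk.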
@@ -103625,7 +103653,7 @@ index cc58e35..963d86c 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +439,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +440,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -103642,7 +103670,7 @@ index cc58e35..963d86c 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +455,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +456,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -103747,7 +103775,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -421,21 +527,13 @@ optional_policy(` +@@ -421,21 +528,13 @@ optional_policy(` ') optional_policy(` @@ -103771,7 +103799,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -443,8 +541,8 @@ optional_policy(` +@@ -443,8 +542,8 @@ optional_policy(` ') optional_policy(` @@ -103781,7 +103809,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -455,7 +553,17 @@ optional_policy(` +@@ -455,7 +554,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -103800,7 +103828,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -463,9 +571,10 @@ optional_policy(` +@@ -463,9 +572,10 @@ optional_policy(` ') optional_policy(` @@ -103812,7 +103840,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -474,32 +583,32 @@ optional_policy(` +@@ -474,32 +584,32 @@ optional_policy(` ######################################## # 
@@ -103855,7 +103883,7 @@ index cc58e35..963d86c 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -114575,7 +114603,7 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..af39887 100644 +index f03dcf5..9bde200 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,403 @@ @@ -116159,7 +116187,7 @@ index f03dcf5..af39887 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1260,364 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1260,372 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116530,6 +116558,14 @@ index f03dcf5..af39887 100644 + allow container_t self:netlink_socket create_socket_perms; + allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow container_t self:netlink_kobject_uevent_socket create_socket_perms; ++ allow container_t self:netlink_connector_socket create_socket_perms; ++ allow container_t self:netlink_crypto_socket create_socket_perms; ++ allow container_t self:netlink_fib_lookup_socket create_socket_perms; ++ allow container_t self:netlink_generic_socket create_socket_perms; ++ allow container_t self:netlink_iscsi_socket create_socket_perms; ++ allow container_t self:netlink_netfilter_socket create_socket_perms; ++ allow container_t self:netlink_rdma_socket create_socket_perms; ++ allow container_t self:netlink_scsitransport_socket create_socket_perms; +', ` + logging_dontaudit_send_audit_msgs(container_t) +') 
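Review bot: The eight new `allow container_t self:netlink_*_socket create_socket_perms;` rules give every container domain sockets to kernel subsystems that are largely host-scoped rather than per-network-namespace (crypto, rdma, iscsi, scsitransport), and the commit records no denial that motivated each class; "Add missing netlink access for containers" does not say which. A comment naming the workload or bug per class would let a later reviewer trim the list, e.g. `# netlink_generic/netfilter: container networking tools, BZ(nnnn)` with the real reference, and classes with no observed denial should be left out until one appears. The rules are nested in a conditional whose opening lies outside this hunk, so whether they are gated by a tunable or apply to all containers cannot be seen here; confirm the gate before merging, since these are self-allow rules with no tunable of their own.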
@@ -116668,7 +116704,7 @@ index f03dcf5..af39887 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1630,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1638,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116683,7 +116719,7 @@ index f03dcf5..af39887 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1648,7 @@ optional_policy(` +@@ -1192,7 +1656,7 @@ optional_policy(` ######################################## # @@ -116692,7 +116728,7 @@ index f03dcf5..af39887 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1657,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1665,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 36d104b..9d97759 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.2%{?dist} +Release: 225.3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,11 @@ exit 0 %endif %changelog +* Thu Dec 08 2016 Lukas Vrabec - 3.13.1-225.3 +- Label /usr/bin/rpcbind as rpcbind_exec_t +- Dontaudit mozilla plugin rawip socket creation. BZ(1275961) +- Add missing netlink access for containers + * Wed Dec 07 2016 Lukas Vrabec - 3.13.1-225.2 - Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service - Allot tlp domain to create unix_dgram sockets BZ(1401233)