From f2106e0099950064e9db6e6e71f559d8a7796e2e Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 07 2018 19:24:08 +0000 Subject: * Sat Apr 07 2018 Lukas Vrabec - 3.14.1-20 - Add new boolean redis_enable_notify() - Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t - Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/ - Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab - Add dac_override and dac_read_search capability to hypervvssd_t domain - Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t - Allow samba to create /tmp/host_0 as krb5_host_rcache_t - Add dac_override capability to fsdaemon_t BZ(1564143) - Allow abrt_t domain to map dos files BZ(1564193) - Add dac_override capability to automount_t domain - Allow keepalived_t domain to connect to system dbus bus - Allow nfsd_t to read nvme block devices BZ(1562554) - Allow lircd_t domain to execute bin_t files BZ(1562835) - Allow l2tpd_t domain to read sssd public files BZ(1563355) - Allow logrotate_t domain to do dac_override BZ(1539327) - Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t - Add capability sys_resource to systemd_sysctl_t domain - Label all /dev/rbd* devices as fixed_disk_device_t - Allow xdm_t domain to mmap xserver_log_t files BZ(1564469) - Allow local_login_t domain to rread udev db - Allow systemd_gpt_generator_t to read /dev/random device - add definition of bpf class and systemd perms
---
diff --git a/.gitignore b/.gitignore
index 92128ac..d3c2153 100644
--- a/.gitignore
+++ b/.gitignore
@@ -268,3 +268,5 @@ serefpolicy*
 /selinux-policy-154a8cf.tar.gz
 /selinux-policy-01924d8.tar.gz
 /selinux-policy-contrib-1255203.tar.gz
+/selinux-policy-b8ba12a.tar.gz
+/selinux-policy-contrib-5ee31e8.tar.gz
diff --git a/make-rhat-patches.sh b/make-rhat-patches.sh
index 0ec792f..990d55e 100755
--- a/make-rhat-patches.sh
+++ b/make-rhat-patches.sh
@@ -2,7 +2,7 @@ DISTGIT_PATH=$(pwd)
-FEDORA_VERSION=rawhide
+FEDORA_VERSION=f28
 DOCKER_FEDORA_VERSION=master
 DISTGIT_BRANCH=f28
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e7d9079..1891469 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 01924d88be61f3e27e247848a94c855fe00569dd
+%global commit0 b8ba12a5d68de91be7f86827a56ad1de08c00ac6
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 1255203e38764839fa90a34f43de98f81278756a
+%global commit1 b8ba12a5d68de91be7f86827a56ad1de08c00ac6
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.1
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
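Review bot: The new `%global commit1` in the first selinux-policy.spec hunk is `b8ba12a5d68de91be7f86827a56ad1de08c00ac6`, the same value as the new `commit0`, while `.gitignore` and `sources` in this commit name the contrib tarball `selinux-policy-contrib-5ee31e8.tar.gz`. With this value `shortcommit1` expands to `b8ba12a`, so a contrib source line built from it (not visible in these hunks) would presumably name `selinux-policy-contrib-b8ba12a.tar.gz`, which has no SHA512 entry in `sources`, and the pin refers to a commit of the base repository instead of the contrib one. The line should carry the full contrib hash, `%global commit1 <full 40-character contrib commit beginning 5ee31e8>`, so that the spec, the tarball name and the recorded checksum all identify the same upstream snapshot.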
@@ -717,6 +717,30 @@ exit 0
 %endif
 %changelog
+* Sat Apr 07 2018 Lukas Vrabec - 3.14.1-20
+- Add new boolean redis_enable_notify()
+- Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
+- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
+- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab
+- Add dac_override and dac_read_search capability to hypervvssd_t domain
+- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t
+- Allow samba to create /tmp/host_0 as krb5_host_rcache_t
+- Add dac_override capability to fsdaemon_t BZ(1564143)
+- Allow abrt_t domain to map dos files BZ(1564193)
+- Add dac_override capability to automount_t domain
+- Allow keepalived_t domain to connect to system dbus bus
+- Allow nfsd_t to read nvme block devices BZ(1562554)
+- Allow lircd_t domain to execute bin_t files BZ(1562835)
+- Allow l2tpd_t domain to read sssd public files BZ(1563355)
+- Allow logrotate_t domain to do dac_override BZ(1539327)
+- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
+- Add capability sys_resource to systemd_sysctl_t domain
+- Label all /dev/rbd* devices as fixed_disk_device_t
+- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)
+- Allow local_login_t domain to rread udev db
+- Allow systemd_gpt_generator_t to read /dev/random device
+- add definition of bpf class and systemd perms
+
 * Thu Mar 29 2018 Lukas Vrabec - 3.14.1-19
 - Allow accountsd_t domain to dac override BZ(1561304)
 - Allow cockpit_ws_t domain to read system state BZ(1561053)
diff --git a/sources b/sources
index 5dcf9a8..5f5a5b4 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-01924d8.tar.gz) = c8ebdee9ac293216059e06100cb4c1c3d4f8db0e9bb27a4eeccf3f760a99e0bc77e159cfb56247b58bbe743f8ebda2fc8c73c4fe2182646d81d3dae4651419f8
-SHA512 (selinux-policy-contrib-1255203.tar.gz) = 5d3db6f6417d5d2197afad616e65baac4d32e01825410d190841e15cef63f3c4e2cd799d0407e86662eddf3ae79b80e1ea41e6408562a7466e662b910798ccd6
-SHA512 (container-selinux.tgz) = df8c701d4e56f30162d252b0370c7a7c4c608a05136240010d0b94765cc2bbd3861abfc4304da14d8a9d704a4f69c914daa7dcecedbbc0e63f056d93b92d254b
+SHA512 (selinux-policy-b8ba12a.tar.gz) = 73ba405607352fb68fcea77c8e8139cc537d19734533df37facb39d95c80f90e46b5da6cd486b9ce1442f7f37e62ebd4d3af48ad1147434be1714b572614a501
+SHA512 (selinux-policy-contrib-5ee31e8.tar.gz) = 54c9638f6c4ef29320d28e3429458dbf1ffde92b65ad51e937f59d0a6e0940fbde87bdaba321eb5f43c85cb3d0ed3229660f0c7742dc4e95648976ea7fdee464
+SHA512 (container-selinux.tgz) = 9d35efc77e6a14dc1f2a434203e72996c12f5eeb8fb48c5ef95813b4fdee1a31018199a0803c1de8b06253d9cf3848cf7195d21defadfd95c1510955987991e8