diff --git a/SOURCES/dbus-1.6.12-avoid-hardcoded-selinux-constants.patch b/SOURCES/dbus-1.6.12-avoid-hardcoded-selinux-constants.patch
new file mode 100644
index 0000000..91e3f6d
--- /dev/null
+++ b/SOURCES/dbus-1.6.12-avoid-hardcoded-selinux-constants.patch
@@ -0,0 +1,132 @@
+From 4b4747fe3533a6a34a901ec6cf1a99cef9f1dd2b Mon Sep 17 00:00:00 2001
+From: osmond sun <osmond.sun@gmail.com>
+Date: Wed, 6 Nov 2013 00:53:18 +0800
+Subject: [PATCH 1/2] selinux: Use selinux_set_mapping() to avoid hardcoded
+ constants for policy
+
+Previous to the introduction of selinux_set_mapping(), DBus pulled
+constants generated from the system's policy at build time. But this
+means it's impossible to replace the system policy without rebuilding
+userspace components.
+
+This patch maps from arbitrary class/perm indices used by D-Bus and
+the policy values and handles all the translation at runtime on
+avc_has_perm() calls.
+
+Bug: https://bugs.freedesktop.org/attachment.cgi?id=88719
+Reviewed-By: Colin Walters <walters@verbum.org>
+Tested-By: Colin Walters <walters@verbum.org>
+---
+ bus/bus.c | 2 +-
+ bus/selinux.c | 30 +++++++++++++++++++++++++++---
+ 2 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/bus/bus.c b/bus/bus.c
+index 59274ee..f4fad5b 100644
+--- a/bus/bus.c
++++ b/bus/bus.c
+@@ -902,7 +902,7 @@ bus_context_new (const DBusString *config_file,
+
+ if (!bus_selinux_full_init ())
+ {
+- bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but AVC initialization failed; check system log\n");
++ bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
+ }
+
+ if (!process_config_postinit (context, parser, error))
+diff --git a/bus/selinux.c b/bus/selinux.c
+index 6442b79..9a1d4b4 100644
+--- a/bus/selinux.c
++++ b/bus/selinux.c
+@@ -44,8 +44,6 @@
+ #include <syslog.h>
+ #include <selinux/selinux.h>
+ #include <selinux/avc.h>
+-#include <selinux/av_permissions.h>
+-#include <selinux/flask.h>
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -341,8 +339,27 @@ bus_selinux_pre_init (void)
+ #endif
+ }
+
++/*
++ * Private Flask definitions; the order of these constants must
++ * exactly match that of the structure array below!
++ */
++/* security dbus class constants */
++#define SECCLASS_DBUS 1
++
++/* dbus's per access vector constants */
++#define DBUS__ACQUIRE_SVC 1
++#define DBUS__SEND_MSG 2
++
++#ifdef HAVE_SELINUX
++static struct security_class_mapping dbus_map[] = {
++ { "dbus", { "acquire_svc", "send_msg", NULL } },
++ { NULL }
++};
++#endif /* HAVE_SELINUX */
++
+ /**
+- * Initialize the user space access vector cache (AVC) for D-Bus and set up
++ * Establish dynamic object class and permission mapping and
++ * initialize the user space access vector cache (AVC) for D-Bus and set up
+ * logging callbacks.
+ */
+ dbus_bool_t
+@@ -361,6 +378,13 @@ bus_selinux_full_init (void)
+
+ _dbus_verbose ("SELinux is enabled in this kernel.\n");
+
++ if (selinux_set_mapping (dbus_map) < 0)
++ {
++ _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).\n",
++ strerror (errno));
++ return FALSE;
++ }
++
+ avc_entry_ref_init (&aeref);
+ if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
+ {
+--
+2.7.4
+
+
+From 1859b1e672ca2cbcc05b43cf20aba3df2ca48317 Mon Sep 17 00:00:00 2001
+From: David King <dking@redhat.com>
+Date: Mon, 8 Aug 2016 13:25:14 +0200
+Subject: [PATCH 2/2] Rebase MLS change against new SELinux checks
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1364485
+---
+ bus/selinux.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bus/selinux.c b/bus/selinux.c
+index 9a1d4b4..2fb4a8b 100644
+--- a/bus/selinux.c
++++ b/bus/selinux.c
+@@ -345,14 +345,18 @@ bus_selinux_pre_init (void)
+ */
+ /* security dbus class constants */
+ #define SECCLASS_DBUS 1
++#define SECCLASS_CONTEXT 2
+
+ /* dbus's per access vector constants */
+ #define DBUS__ACQUIRE_SVC 1
+ #define DBUS__SEND_MSG 2
+
++#define CONTEXT__CONTAINS 1
++
+ #ifdef HAVE_SELINUX
+ static struct security_class_mapping dbus_map[] = {
+ { "dbus", { "acquire_svc", "send_msg", NULL } },
++ { "context", { "contains", NULL } },
+ { NULL }
+ };
+ #endif /* HAVE_SELINUX */
+--
+2.7.4
+
diff --git a/SOURCES/dbus-1.6.12-avoid-selinux-context-translation.patch b/SOURCES/dbus-1.6.12-avoid-selinux-context-translation.patch
new file mode 100644
index 0000000..5194954
--- /dev/null
+++ b/SOURCES/dbus-1.6.12-avoid-selinux-context-translation.patch
@@ -0,0 +1,67 @@
+From a82e1be24d0211d4358d8ff3b8cd06dae71a9993 Mon Sep 17 00:00:00 2001
+From: David King <dking@redhat.com>
+Date: Mon, 22 Aug 2016 09:43:29 +0100
+Subject: [PATCH] Use _raw() calls to avoid SELinux context translation
+
+When the credentials obtained from the client socket are used in future
+security checks, no context translation should be performed, so
+getpeercon() should be replaced with getpeercon_raw(), and similar
+changes should me be made for other calls such as avc_sid_to_context()
+and getcon().
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1356141
+---
+ bus/selinux.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/bus/selinux.c b/bus/selinux.c
+index 2fb4a8b..13361aa 100644
+--- a/bus/selinux.c
++++ b/bus/selinux.c
+@@ -412,14 +412,14 @@ bus_selinux_full_init (void)
+ bus_context = NULL;
+ bus_sid = SECSID_WILD;
+
+- if (getcon (&bus_context) < 0)
++ if (getcon_raw (&bus_context) < 0)
+ {
+ _dbus_verbose ("Error getting context of bus: %s\n",
+ _dbus_strerror (errno));
+ return FALSE;
+ }
+
+- if (avc_context_to_sid (bus_context, &bus_sid) < 0)
++ if (avc_context_to_sid_raw (bus_context, &bus_sid) < 0)
+ {
+ _dbus_verbose ("Error getting SID from bus context: %s\n",
+ _dbus_strerror (errno));
+@@ -713,7 +713,7 @@ bus_selinux_append_context (DBusMessage *message,
+ #ifdef HAVE_SELINUX
+ char *context;
+
+- if (avc_sid_to_context (SELINUX_SID_FROM_BUS (sid), &context) < 0)
++ if (avc_sid_to_context_raw (SELINUX_SID_FROM_BUS (sid), &context) < 0)
+ {
+ if (errno == ENOMEM)
+ BUS_SET_OOM (error);
+@@ -766,7 +766,7 @@ bus_connection_read_selinux_context (DBusConnection *connection,
+ return FALSE;
+ }
+
+- if (getpeercon (fd, con) < 0)
++ if (getpeercon_raw (fd, con) < 0)
+ {
+ _dbus_verbose ("Error getting context of socket peer: %s\n",
+ _dbus_strerror (errno));
+@@ -901,7 +901,7 @@ bus_selinux_init_connection_id (DBusConnection *connection,
+
+ _dbus_verbose ("Converting context to SID to store on connection\n");
+
+- if (avc_context_to_sid (con, &sid) < 0)
++ if (avc_context_to_sid_raw (con, &sid) < 0)
+ {
+ if (errno == ENOMEM)
+ BUS_SET_OOM (error);
+--
+2.7.4
+
diff --git a/SPECS/dbus.spec b/SPECS/dbus.spec
index d51b616..ba92e0a 100644
--- a/SPECS/dbus.spec
+++ b/SPECS/dbus.spec
@@ -13,7 +13,7 @@ Summary: D-BUS message bus
Name: dbus
Epoch: 1
Version: 1.6.12
-Release: 14%{?dist}
+Release: 17%{?dist}
URL: http://www.freedesktop.org/software/dbus/
#VCS: git:git://git.freedesktop.org/git/dbus/dbus
Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
@@ -65,6 +65,12 @@ Patch9: dbus-1.6.12-refresh-man-pages-and-dbus-launch-help.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1325870
Patch10: dbus-1.6.12-avoid-corrupting-multiple-fds.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1364485
+Patch11: dbus-1.6.12-avoid-hardcoded-selinux-constants.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1356141
+Patch12: dbus-1.6.12-avoid-selinux-context-translation.patch
+
%description
D-BUS is a system for sending messages between applications. It is
used both for the system-wide message bus service, and as a
@@ -123,6 +129,8 @@ in this separate package so server systems need not install X.
%patch8 -p1
%patch9 -p1
%patch10 -p1
+%patch11 -p1
+%patch12 -p1
%build
if test -f autogen.sh; then env NOCONFIGURE=1 ./autogen.sh; else autoreconf -v -f -i; fi
@@ -268,6 +276,15 @@ fi
%{_includedir}/*
%changelog
+* Mon Sep 12 2016 David King <dking@redhat.com> - 1:1.6.12-17
+- Improve SELinux context translation patch (#1356141)
+
+* Mon Aug 22 2016 David King <dking@redhat.com> - 1:1.6.12-16
+- Fix SELinux MLS context translation (#1356141)
+
+* Mon Aug 08 2016 David King <dking@redhat.com> - 1:1.6.12-15
+- Avoid hardcoded SELinux constants (#1364485)
+
* Tue Apr 26 2016 David King <dking@redhat.com> - 1:1.6.12-14
- Close multiple fds correctly (#1325870)