From 9a45579f0449b2abee7df43196a4a99f889cdd05 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 17 2017 15:26:15 +0000
Subject: import selinux-policy-3.13.1-102.el7_3.13
---
diff --git a/SOURCES/policy-rhel-7.3.z-base.patch b/SOURCES/policy-rhel-7.3.z-base.patch
new file mode 100644
index 0000000..6d94846
--- /dev/null
+++ b/SOURCES/policy-rhel-7.3.z-base.patch
@@ -0,0 +1,13 @@
+diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
+index 9d2c142..1c0ed36 100644
+--- a/policy/modules/kernel/corenetwork.te.in
++++ b/policy/modules/kernel/corenetwork.te.in
+@@ -172,7 +172,7 @@ network_port(giftd, tcp,1213,s0)
+ network_port(git, tcp,9418,s0, udp,9418,s0)
+ network_port(glance, tcp,9292,s0, udp,9292,s0)
+ network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
+-network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
++network_port(gluster, tcp,24007-24027,s0, udp,24007-24027,s0, tcp, 38465-38469,s0)
+ network_port(gopher, tcp,70,s0, udp,70,s0)
+ network_port(gpsd, tcp,2947,s0)
+ network_port(hadoop_datanode, tcp,50010,s0)
diff --git a/SOURCES/policy-rhel-7.3.z-contrib.patch b/SOURCES/policy-rhel-7.3.z-contrib.patch
index 5559f0f..786a62c 100644
--- a/SOURCES/policy-rhel-7.3.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.3.z-contrib.patch
@@ -1,5 +1,53 @@
+diff --git a/ctdb.te b/ctdb.te
+index 47199aa..ac0508e 100644
+--- a/ctdb.te
++++ b/ctdb.te
+@@ -97,9 +97,12 @@ corenet_udp_bind_ctdb_port(ctdbd_t)
+ corenet_tcp_bind_smbd_port(ctdbd_t)
+ corenet_tcp_connect_ctdb_port(ctdbd_t)
+ corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
++corenet_tcp_connect_gluster_port(ctdbd_t)
++corenet_tcp_connect_nfs_port(ctdbd_t)
+ 
+ corecmd_exec_bin(ctdbd_t)
+ corecmd_exec_shell(ctdbd_t)
++corecmd_getattr_all_executables(ctdbd_t)
+ 
+ dev_read_sysfs(ctdbd_t)
+ dev_read_urand(ctdbd_t)
+@@ -131,6 +134,12 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ rpc_domtrans_rpcd(ctdbd_t)
++ rpc_manage_nfs_state_data_dir(ctdbd_t)
++ rpc_read_nfs_state_data(ctdbd_t)
++')
++
++optional_policy(`
+ samba_signull_smbd(ctdbd_t)
+ samba_initrc_domtrans(ctdbd_t)
+ samba_domtrans_net(ctdbd_t)
+diff --git a/glusterd.fc b/glusterd.fc
+index 52b4110..a3633cd 100644
+--- a/glusterd.fc
++++ b/glusterd.fc
+@@ -6,6 +6,13 @@
+ /usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+ /usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+ 
++/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
++/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++
++/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
++/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
++
+ /usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+ 
+ /opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
 diff --git a/glusterd.te b/glusterd.te
-index 48811e2..d2a1ba9 100644
+index 48811e2..a8877f7 100644
 --- a/glusterd.te
 +++ b/glusterd.te
 @@ -59,7 +59,7 @@ files_type(glusterd_brick_t)
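Review bot: The two new glusterd.fc entries for `/usr/libexec/glusterfs/peer_eventsapi.py` and `/usr/libexec/glusterfs/events/glustereventsd.py` make these Python helpers entrypoints into the full glusterd_t domain, which the glusterd.te context elsewhere in this patch shows carrying `fs_mount_all_fs`, `userdom_kill_all_users` and `corenet_tcp_connect_all_ports`; if the events daemon only needs its socket and its own state, a narrower domain would bound what a defect in that code can reach — worth confirming against what glustereventsd actually does, which this patch does not show. The same glusterd.fc hunk also adds two consecutive empty lines between the gluster-eventsapi and peer_eventsapi.py entries where the rest of the file uses one. In the ctdb.te hunk, a one-line comment above `corecmd_getattr_all_executables(ctdbd_t)` naming the helper that triggered the getattr denial would make the broad rule easier to audit later.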
@@ -11,7 +59,15 @@ index 48811e2..d2a1ba9 100644
  allow glusterd_t self:capability2 block_suspend;
  allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
-@@ -155,6 +155,7 @@ corenet_tcp_connect_all_ports(glusterd_t)
+@@ -132,6 +132,7 @@ corenet_raw_bind_generic_node(glusterd_t)
+ 
+ corenet_tcp_connect_gluster_port(glusterd_t)
+ corenet_tcp_bind_gluster_port(glusterd_t)
++corenet_udp_bind_gluster_port(glusterd_t)
+ 
+ # replacement for rpc.mountd
+ corenet_sendrecv_all_server_packets(glusterd_t)
+@@ -155,6 +156,7 @@ corenet_tcp_connect_all_ports(glusterd_t)
  dev_read_sysfs(glusterd_t)
  dev_read_urand(glusterd_t)
  dev_read_rand(glusterd_t)
@@ -19,7 +75,7 @@ index 48811e2..d2a1ba9 100644
  domain_read_all_domains_state(glusterd_t)
  domain_getattr_all_sockets(glusterd_t)
-@@ -164,6 +165,7 @@ domain_use_interactive_fds(glusterd_t)
+@@ -164,6 +166,7 @@ domain_use_interactive_fds(glusterd_t)
  fs_mount_all_fs(glusterd_t)
  fs_unmount_all_fs(glusterd_t)
  fs_getattr_all_fs(glusterd_t)
@@ -27,6 +83,34 @@ index 48811e2..d2a1ba9 100644
  files_mounton_non_security(glusterd_t)
+@@ -185,6 +188,7 @@ init_read_script_state(glusterd_t)
+ init_rw_script_tmp_files(glusterd_t)
+ init_manage_script_status_files(glusterd_t)
+ init_status(glusterd_t)
++init_stop_transient_unit(glusterd_t)
+ 
+ systemd_config_systemd_services(glusterd_t)
+ systemd_signal_passwd_agent(glusterd_t)
+@@ -203,6 +207,7 @@ userdom_read_user_tmp_files(glusterd_t)
+ userdom_delete_user_tmp_files(glusterd_t)
+ userdom_rw_user_tmp_files(glusterd_t)
+ userdom_kill_all_users(glusterd_t)
++userdom_signal_unpriv_users(glusterd_t)
+ 
+ mount_domtrans(glusterd_t)
+ 
+diff --git a/puppet.te b/puppet.te
+index b80cb1e..46a4b5d 100644
+--- a/puppet.te
++++ b/puppet.te
+@@ -354,6 +354,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ systemd_dbus_chat_timedated(puppetagent_t)
+ systemd_dbus_chat_timedated(puppetmaster_t)
+ ')
+ 
 diff --git a/rhcs.te b/rhcs.te
 index ce1ca24..4c9f2b6 100644
 --- a/rhcs.te
@@ -42,3 +126,36 @@ index ce1ca24..4c9f2b6 100644
  ldap_systemctl(cluster_t)
  ')
+diff --git a/virt.if b/virt.if
+index 2397aeb..17156a6 100644
+--- a/virt.if
++++ b/virt.if
+@@ -1408,6 +1408,8 @@ interface(`virt_transition_svirt_sandbox',`
+ role $2 types svirt_sandbox_domain;
+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
+ 
++ allow svirt_sandbox_domain $1:fd use;
++
+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
+ allow svirt_sandbox_domain $1:process sigchld;
+ ps_process_pattern($1, svirt_sandbox_domain)
+diff --git a/virt.te b/virt.te
+index 69333cf..6dd64f3 100644
+--- a/virt.te
++++ b/virt.te
+@@ -1316,6 +1316,7 @@ kernel_list_all_proc(svirt_sandbox_domain)
+ kernel_read_all_proc(svirt_sandbox_domain)
+ kernel_read_all_sysctls(svirt_sandbox_domain)
+ kernel_read_net_sysctls(svirt_sandbox_domain)
++kernel_rw_unix_sysctls(svirt_sandbox_domain)
+ kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+ kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+ kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
+@@ -1470,6 +1471,7 @@ allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+ 
+ kernel_read_irq_sysctls(svirt_lxc_net_t)
+ kernel_read_messages(svirt_lxc_net_t)
++kernel_rw_usermodehelper_state(svirt_lxc_net_t)
+ 
+ dev_read_sysfs(svirt_lxc_net_t)
+ dev_read_mtrr(svirt_lxc_net_t)
diff --git a/SOURCES/selinux-policy-migrate-local-changes.sh b/SOURCES/selinux-policy-migrate-local-changes.sh
index 628e006..7d4f1f8 100755
--- a/SOURCES/selinux-policy-migrate-local-changes.sh
+++ b/SOURCES/selinux-policy-migrate-local-changes.sh
@@ -59,7 +59,7 @@ WARNING: Do not remove this file or remove /etc/selinux/$MIGRATE_SELINUXTYPE/mod
 completely if you are confident that you don't need old files anymore.
 EOF
-if [ $REBUILD = 1 ]; then
+if [ ${DONT_REBUILD:-0} = 0 -a $REBUILD = 1 ]; then
 semodule -B -n -s $MIGRATE_SELINUXTYPE
 if [ "$MIGRATE_SELINUXTYPE" = "$SELINUXTYPE" ] && selinuxenabled; then
 load_policy
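Review bot: `init_stop_transient_unit(glusterd_t)` in the glusterd.te hunk grants glusterd_t the stop permission on transient units — the first argument of an `init_*` interface is the subject — whereas the 102.12 changelog entry for the same change describes it as allowing systemd to stop glusterd_t domains, which is the opposite direction; one of the two should be reconciled so the next reader does not audit the wrong subject. If the denied subject really was glusterd tearing down a unit it had started, the rule is right and the changelog line should say so; if it was systemd, this rule does not address that denial. Next to it, `userdom_signal_unpriv_users(glusterd_t)` sits beside the pre-existing `userdom_kill_all_users(glusterd_t)`; a short comment naming which signal and which consumer needs the extra permission would help, since the two grant different process permissions. The enclosing glusterd.te and puppet.te blocks extend beyond this hunk.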
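Review bot: `kernel_rw_usermodehelper_state(svirt_lxc_net_t)` in the virt.te hunk gives a networked container domain write access to the usermodehelper sysctl type, which in the kernel module labels entries such as /proc/sys/kernel/modprobe that name host-side binaries the kernel itself executes; whether a container write can actually reach them depends on the runtime mounting /proc/sys read-only, which this policy cannot see. If the goal (changelog: let a systemd container read/write usermodehelper state) is only to stop systemd-in-a-container from failing on the denied write, the read rule plus a dontaudit for the write is the lower-risk form; if the write is genuinely required, a comment above the line recording the reason would help the next reviewer. The weaker version of the same question applies to `kernel_rw_unix_sysctls(svirt_sandbox_domain)` in the earlier hunk, which goes to every sandbox domain rather than only the networked one. The virt.if addition `allow svirt_sandbox_domain $1:fd use;` sits inside `virt_transition_svirt_sandbox`, whose body continues outside the hunk.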
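Review bot: The new condition `if [ ${DONT_REBUILD:-0} = 0 -a $REBUILD = 1 ]; then` joins two tests with `-a`, which POSIX marks obsolescent, and leaves `$REBUILD` unquoted, so if REBUILD is ever empty the whole `[` expression becomes a syntax error instead of evaluating false. Prefer two separate tests with quoted operands: `if [ "${DONT_REBUILD:-0}" = 0 ] && [ "$REBUILD" = 1 ]; then`. The place where REBUILD is assigned, and the rest of the script, are outside this hunk.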
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index cd17f81..a55bfcf 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 102%{?dist}.7
+Release: 102%{?dist}.13
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -29,6 +29,7 @@ patch1: policy-rhel-7.1-contrib.patch
 patch2: policy-rhel-7.3-base.patch
 patch3: policy-rhel-7.3-contrib.patch
 patch4: policy-rhel-7.3.z-contrib.patch
+patch5: policy-rhel-7.3.z-base.patch
 Source1: modules-targeted-base.conf
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@@ -337,6 +338,7 @@ Based off of reference policy: Checked out revision 2.20091117
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch2 -p1
+%patch5 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
@@ -499,7 +501,8 @@ SELinux Reference policy targeted base module.
 %post targeted
 if [ -e /etc/selinux/targeted/modules/active/base.pp ]; then
- %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh targeted
+ DONT_REBUILD=1 %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh targeted
+ touch /etc/selinux/targeted/.rebuild
 systemctl daemon-reexec
 fi
 %postInstall $1 targeted
@@ -547,7 +550,8 @@ fi
 %post minimum
 if [ -e /etc/selinux/minimum/modules/active/base.pp ]; then
- %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh minimum
+ DONT_REBUILD=1 %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh minimum
+ touch /etc/selinux/minimum/.rebuild
 systemctl daemon-reexec
 fi
 contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
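Review bot: In the `%post targeted` and `%post minimum` hunks (and `%post mls` in the next hunk), the migration script is now invoked with `DONT_REBUILD=1` and a `.rebuild` marker file is touched, but nothing in this commit consumes that marker; presumably the `%postInstall` macro called just below does, but its definition is outside these hunks. If no consumer exists, the migrated local modules would be copied into the new store yet never compiled into the loaded policy until something else runs `semodule -B`, silently leaving local customizations inactive after the upgrade. A comment beside the `touch`, along the lines of `# .rebuild is consumed by %postInstall, which rebuilds once for all module changes`, would record the contract — but only once that is confirmed to be what happens.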
@@ -621,7 +625,8 @@ SELinux Reference policy mls base module.
 %post mls
 if [ -e /etc/selinux/mls/modules/active/base.pp ]; then
- %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh mls
+ DONT_REBUILD=1 %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh mls
+ touch /etc/selinux/mls/.rebuild
 systemctl daemon-reexec
 fi
 %postInstall $1 mls
@@ -638,6 +643,40 @@ fi
 %endif
 %changelog
+* Mon Jan 09 2017 Lukas Vrabec - 3.13.1-102.13
+- Allow systemd container to read/write usermodehelperstate
+Resolves: rhbz#1408126
+- Allow glusterd_t to bind on glusterd_port_t udp ports.
+Resolves: rhbz#1408128
+
+* Wed Jan 04 2017 Lukas Vrabec - 3.13.1-102.12
+- Allow glusterd_t to bind on glusterd_port_t udp ports.
+Resolves: rhbz#1408128
+- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
+Resolves: rhbz#1408128
+- Fixes for containers
+- Allow containers to attempt to write to unix_sysctls.
+- Allow cotainers to use the FD's leaked to them from parent processes.
+Resolves: rhbz#1408126
+- Allow systemd to stop glusterd_t domains.
+Resolves: rhbz#1408125
+
+* Mon Dec 19 2016 Lukas Vrabec - 3.13.1-102.11
+- Update ctdbd_t policy to reflect all changes.
+Resolves: rhbz#1403266
+
+* Thu Dec 15 2016 Lukas Vrabec - 3.13.1-102.10
+- Allow ctdbd_t domain transition to rpcd_t
+Resolves:rhbz#1403266
+
+* Tue Dec 13 2016 Lukas Vrabec - 3.13.1-102.9
+- Make working CTDB:NFS: CTDB failover from selinux-policy POV
+Resolves: rhbz#1403266
+
+* Mon Dec 05 2016 Lukas Vrabec - 3.13.1-102.8
+- Allow puppetagent_t to access timedated dbus. Use the systemd_dbus_chat_timedated interface to allow puppetagent_t the access.
+Resolves: rhbz#1400505
+
 * Mon Nov 14 2016 Lukas Vrabec - 3.13.1-102.7
 - Update systemd on RHEL-7.2 box to version from RHEL-7.3 and then as a separate yum command update the selinux policy systemd will start generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients.
 Resolves: rhbz#1394715