From b148e1b7510983eace1928d241aa3f9525d5a934 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 06 2018 18:39:46 +0000
Subject: import selinux-policy-3.13.1-166.el7_4.9
---
diff --git a/SOURCES/policy-rhel-7.4.z-contrib.patch b/SOURCES/policy-rhel-7.4.z-contrib.patch
index 0ccfd7f..3fcd9dd 100644
--- a/SOURCES/policy-rhel-7.4.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.4.z-contrib.patch
@@ -1,5 +1,5 @@
 diff --git a/certmonger.te b/certmonger.te
-index 0803529e4..0585431e1 100644
+index 0803529e4a..0585431e14 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -144,6 +144,7 @@ optional_policy(`
@@ -11,7 +11,7 @@ index 0803529e4..0585431e1 100644
  optional_policy(`
 diff --git a/keepalived.te b/keepalived.te
-index c4f0c3237..4b5c0e4ec 100644
+index c4f0c3237b..4b5c0e4ecf 100644
 --- a/keepalived.te
 +++ b/keepalived.te
 @@ -24,7 +24,7 @@ application_executable_file(keepalived_unconfined_script_exec_t)
@@ -24,7 +24,7 @@ index c4f0c3237..4b5c0e4ec 100644
  allow keepalived_t self:netlink_generic_socket create_socket_perms;
  allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
 diff --git a/lldpad.te b/lldpad.te
-index 42e5578f2..3399d597a 100644
+index 42e5578f22..3399d597a8 100644
 --- a/lldpad.te
 +++ b/lldpad.te
 @@ -64,3 +64,7 @@ optional_policy(`
@@ -35,8 +35,57 @@ index 42e5578f2..3399d597a 100644
 +optional_policy(`
 +	virt_dgram_send(lldpad_t)
 +')
+diff --git a/openvswitch.te b/openvswitch.te
+index d37f970208..1dc8a63a6b 100644
+--- a/openvswitch.te
++++ b/openvswitch.te
+@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t)
+ # openvswitch local policy
+ #
+ 
+-allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
++allow openvswitch_t self:capability { dac_override net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
+ allow openvswitch_t self:capability2 block_suspend;
+ allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
+ allow openvswitch_t self:fifo_file rw_fifo_file_perms;
+@@ -41,6 +41,7 @@ allow openvswitch_t self:tcp_socket create_stream_socket_perms;
+ allow openvswitch_t self:netlink_socket create_socket_perms;
+ allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow openvswitch_t self:netlink_generic_socket create_socket_perms;
++allow openvswitch_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+ 
+ can_exec(openvswitch_t, openvswitch_exec_t)
+ 
+@@ -69,6 +70,7 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file })
+ 
++kernel_load_module(openvswitch_t)
+ kernel_read_network_state(openvswitch_t)
+ kernel_read_system_state(openvswitch_t)
+ kernel_request_load_module(openvswitch_t)
+@@ -87,6 +89,8 @@ corecmd_exec_shell(openvswitch_t)
+ dev_read_rand(openvswitch_t)
+ dev_read_urand(openvswitch_t)
+ dev_read_sysfs(openvswitch_t)
++dev_rw_vfio_dev(openvswitch_t)
++corenet_rw_tun_tap_dev(openvswitch_t)
+ 
+ domain_use_interactive_fds(openvswitch_t)
+ 
+@@ -111,6 +115,10 @@ modutils_read_module_deps(openvswitch_t)
+ 
+ sysnet_dns_name_resolve(openvswitch_t)
+ 
++logging_send_audit_msgs(openvswitch_t)
++
++write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t)
++
+ optional_policy(`
+ 	hostname_exec(openvswitch_t)
+ ')
 diff --git a/pki.if b/pki.if
-index f18fcc68f..f69ae0298 100644
+index f18fcc68fc..f69ae02984 100644
 --- a/pki.if
 +++ b/pki.if
 @@ -477,3 +477,27 @@ interface(`pki_stream_connect',`
@@ -68,7 +117,7 @@ index f18fcc68f..f69ae0298 100644
 +	ps_process_pattern($1, pki_tomcat_t)
 +')
 diff --git a/rhcs.if b/rhcs.if
-index 59e5d7e3b..145d67f2a 100644
+index 59e5d7e3b7..145d67f2a0 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -957,3 +957,22 @@ interface(`rhcs_start_haproxy_services',`
@@ -95,22 +144,22 @@ index 59e5d7e3b..145d67f2a 100644
 +	logging_log_named_filetrans($1, var_log_t, dir, "bundles")
 +')
 diff --git a/rhcs.te b/rhcs.te
-index a95c73dc7..a5aec03a8 100644
+index a95c73dc7e..a5aec03a82 100644
 --- a/rhcs.te
 +++ b/rhcs.te
-@@ -320,6 +320,10 @@ optional_policy(`
+@@ -319,6 +319,10 @@ optional_policy(`
+ 	ricci_dontaudit_rw_modcluster_pipes(cluster_t)
  ')
- optional_policy(`
++optional_policy(`
 +	rhcs_named_filetrans_log_dir(cluster_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
  	rpc_systemctl_nfsd(cluster_t)
  	rpc_systemctl_rpcd(cluster_t)
- 
 diff --git a/tomcat.te b/tomcat.te
-index 97bdd60c9..e35ae6b3d 100644
+index 97bdd60c90..e35ae6b3d9 100644
 --- a/tomcat.te
 +++ b/tomcat.te
 @@ -51,6 +51,9 @@ optional_policy(`
@@ -132,7 +181,7 @@ index 97bdd60c9..e35ae6b3d 100644
  dev_read_rand(tomcat_domain)
  dev_read_urand(tomcat_domain)
 diff --git a/virt.if b/virt.if
-index 1d17889f3..c6792a5a3 100644
+index 1d17889f38..c6792a5a37 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1618,4 +1618,23 @@ interface(`virt_dontaudit_read_state',`
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 7c535d8..8ff5ccd 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
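Review bot: The new `dac_override` and `kill` capabilities, `kernel_load_module(openvswitch_t)` and `dev_rw_vfio_dev(openvswitch_t)` are all granted unconditionally in the openvswitch.te hunks with no comment saying which ovs component needs them, and that is what I would push back on: `dac_override` is most often a symptom of a file or directory owned by the wrong user, and direct module loading on top of the existing `sys_module`/`sys_rawio` plus raw VFIO access leaves a compromised ovs-vswitchd with almost unrestricted reach into the kernel and PCI devices. The VFIO and `tun_socket` relabelfrom/relabelto permissions appear to serve DPDK deployments only, so I would wrap them in a `tunable_policy` block controlled by a new boolean (declared with `gen_tunable` in the declarations section, which lies outside this hunk) rather than enabling them on every openvswitch host, and would try to fix the ownership problem instead of keeping `dac_override`. Separately, `write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t)` names init_t directly from a contrib module; refpolicy style is to add an interface to init.if and call it here. The openvswitch.te rules continue outside this hunk.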
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 166%{?dist}.7
+Release: 166%{?dist}.9
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -655,6 +655,14 @@ fi
 %endif
 %changelog
+* Wed Feb 21 2018 Lukas Vrabec - 3.13.1-166.9
+- Update openvswitch policy from Fedora
+Resolves: rhbz#1538936
+
+* Fri Jan 26 2018 Lukas Vrabec - 3.13.1-166.8
+- Update openvswitch SELinux module
+Resolves: rhbz#1538936
+
 * Thu Nov 16 2017 Lukas Vrabec - 3.13.1-166.7
 - Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t
 Resolves: rhbz:#1513075