From c4065f7c948f2dc6788059887903b53f3d836b13 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Apr 03 2019 12:33:40 +0000
Subject: * Wed Apr 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-7

- Allow fontconfig file transition for xguest_u user
- Add gnome_filetrans_fontconfig_home_content interface
- Add permissions needed by systemd's machinectl shell/login
- Update SELinux policy for xen services
- Add dac_override capability for kdumpctl_t process domain
- Allow chronyd_t domain to exec shell
- Fix varnisncsa typo
- Allow init start freenx-server BZ(1678025)
- Create logrotate_use_fusefs boolean
- Add tcpd_wrapped_domain for telnetd BZ(1676940)
- Allow tcpd bind to services ports BZ(1676940)
- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t
- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t
- Allow esmtp access .esmtprc BZ(1691149)
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow tlp_t domain to read nvme block devices BZ(1692154)
- Add support for smart card authentication in cockpit BZ(1690444)
- Add permissions needed by systemd's machinectl shell/login
- Allow kmod_t domain to mmap modules_dep_t files.
- Allow systemd_machined_t dac_override capability BZ(1670787)
- Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Revert "Allow unconfined_domain_type to use bpf tools BZ(1694115)"
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Allow init_t read mnt_t symlinks BZ(1637070)
- Update dev_filetrans_all_named_dev() interface
- Allow xdm_t domain to execmod temp files BZ(1686675)
- Revert "Allow xdm_t domain to create own tmp files BZ(1686675)"
- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)
- Allow confined users labeled as staff_t to run iptables.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow xdm_t domain to create own tmp files BZ(1686675)
- Add miscfiles_dontaudit_map_generic_certs interface.

---

diff --git a/.gitignore b/.gitignore
index 1c74153..cc1d3cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -351,3 +351,6 @@ serefpolicy*
 /selinux-policy-contrib-dc92f2d.tar.gz
 /selinux-policy-b78306b.tar.gz
 /selinux-policy-contrib-ef0c1e0.tar.gz
+/macro-expander
+/selinux-policy-549ed43.tar.gz
+/selinux-policy-contrib-e753aa8.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 185eac1..efbe68e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 b78306bdff7cf7960c539477d5886e3e91c75a18
+%global commit0 549ed432e0e7c6348687e3737aa29fd6e91f6e74
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 ef0c1e086e735f3a3864091e610914bc85a067dc
+%global commit1 e753aa82ec360bb2715ef2cc8b00eeb1719e1c26
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.4
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -714,6 +714,44 @@ exit 0
 %endif
 
 %changelog
+* Wed Apr 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-7
+- Allow fontconfig file transition for xguest_u user
+- Add gnome_filetrans_fontconfig_home_content interface
+- Add permissions needed by systemd's machinectl shell/login
+- Update SELinux policy for xen services
+- Add dac_override capability for kdumpctl_t process domain
+- Allow chronyd_t domain to exec shell
+- Fix varnisncsa typo
+- Allow init start freenx-server BZ(1678025)
+- Create logrotate_use_fusefs boolean
+- Add tcpd_wrapped_domain for telnetd BZ(1676940)
+- Allow tcpd bind to services ports BZ(1676940)
+- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t
+- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
+- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
+- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t
+- Allow esmtp access .esmtprc BZ(1691149)
+- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
+- Allow tlp_t domain to read nvme block devices BZ(1692154)
+- Add support for smart card authentication in cockpit BZ(1690444)
+- Add permissions needed by systemd's machinectl shell/login
+- Allow kmod_t domain to mmap modules_dep_t files.
+- Allow systemd_machined_t dac_override capability BZ(1670787)
+- Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files
+- Allow unconfined_domain_type to use bpf tools BZ(1694115)
+- Revert "Allow unconfined_domain_type to use bpf tools BZ(1694115)"
+- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
+- Allow unconfined_domain_type to use bpf tools BZ(1694115)
+- Allow init_t read mnt_t symlinks BZ(1637070)
+- Update dev_filetrans_all_named_dev() interface
+- Allow xdm_t domain to execmod temp files BZ(1686675)
+- Revert "Allow xdm_t domain to create own tmp files BZ(1686675)"
+- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)
+- Allow confined users labeled as staff_t to run iptables.
+- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
+- Allow xdm_t domain to create own tmp files BZ(1686675)
+- Add miscfiles_dontaudit_map_generic_certs interface.
+
 * Sat Mar 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-6
 - Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
 - Allow fail2ban execute journalctl BZ(1689034)
diff --git a/sources b/sources
index a2ec60c..71efdd6 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
-SHA512 (selinux-policy-b78306b.tar.gz) = 475dcb354faa956eac97e611cf1b821aaf9d21b3772a7d8ea81ccd784e64514ac65ec221dade5300c08ce0b60f3104403dbb77ff1fbb92bc53f72e676b1e3917
-SHA512 (selinux-policy-contrib-ef0c1e0.tar.gz) = 7a34e4cf5d078a5443181efe6043f6a612ad0bf97c0aa80eee69e78f7c62f5a2f226619ed68e7d59eca4c2a91ccb7eea5f1b0df74aae2c884e559d1609e02250
-SHA512 (container-selinux.tgz) = 578fb3091094079c4464cc90402173809b69db2b291919b76279eacadd7a9ddd6023da5fe868e55a0268004b34237d830613ca597fbeb268f91837d2a65e702d
+SHA512 (macro-expander) = b4f26e7ed6c32b3d7b3f1244e549a0e68cb387ab5276c4f4e832a9a6b74b08bea2234e8064549d47d1b272dbd22ef0f7c6b94cd307cc31ab872f9b68206021b2
+SHA512 (selinux-policy-549ed43.tar.gz) = 79d87904709dd9ffda8b230e0c9921b7928550ab8d1ac23088035d5765eac2bda189b3f1905c005ce92a97c539d78e78f3d5c6b1f2b43481744044439c50ae22
+SHA512 (selinux-policy-contrib-e753aa8.tar.gz) = 29eb4d653d3bcb1d0210bec9bc3aec360b2ca6f84049d6fa12fdaf30bff0fe55cb337e7018988db4feb42c0b1dedad9de7e39eb3372a75e4dbdeccb1f9d3feb1
+SHA512 (container-selinux.tgz) = b4677836f52d49ad2d2f24e201005ffdce6eebc3d967c357acc147cb5b2eeb493b649b01912c92b5ba8046c05cbeba7c7dbefc2b018fac9435bced5fbf04b5ba