diff --git a/SOURCES/policy-rhel-7.1.z-base.patch b/SOURCES/policy-rhel-7.1.z-base.patch
new file mode 100644
index 0000000..6e5d0e2
--- /dev/null
+++ b/SOURCES/policy-rhel-7.1.z-base.patch
@@ -0,0 +1,125 @@
+diff --git a/policy/mls b/policy/mls
+index 9e0c245..53c2f8c 100644
+--- a/policy/mls
++++ b/policy/mls
+@@ -177,7 +177,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
+
+
+ # the socket "read" ops (note the check is dominance of the low level)
+-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
++mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen getopt recv_msg }
+ (( l1 dom l2 ) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
+index 947af6c..59fe535 100644
+--- a/policy/modules/services/postgresql.fc
++++ b/policy/modules/services/postgresql.fc
+@@ -12,6 +12,8 @@
+ /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ /usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
++/usr/libexec/postgresql-ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++
+ /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ /usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index 2ef9dc6..cc76bdc 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -56,6 +56,7 @@ ssh_server_template(sshd)
+ init_daemon_domain(sshd_t, sshd_exec_t)
+ mls_trusted_object(sshd_t)
+ mls_process_write_all_levels(sshd_t)
++mls_dbus_send_all_levels(sshd_t)
+
+ type sshd_initrc_exec_t;
+ init_script_file(sshd_initrc_exec_t)
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index b88e8a2..b13579d 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -2602,7 +2602,7 @@ interface(`init_rw_tcp_sockets',`
+ type init_t;
+ ')
+
+- allow $1 init_t:tcp_socket { read write };
++ allow $1 init_t:tcp_socket { read write getattr getopt setopt };
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
+index 12c7fa6..0cd667e 100644
+--- a/policy/modules/system/ipsec.if
++++ b/policy/modules/system/ipsec.if
+@@ -541,3 +541,22 @@ interface(`ipsec_mgmt_systemctl',`
+
+ ps_process_pattern($1, ipsec_mgmt_t)
+ ')
++
++########################################
++##
++## Do not audit attempts to write the ipsec
++## log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ipsec_dontaudit_write_log',`
++ gen_require(`
++ type ipsec_log_t;
++ ')
++
++ dontaudit $1 ipsec_log_t:file rw_inherited_file_perms;
++')
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index ca1b2bc..b3417f5 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -447,6 +447,7 @@ optional_policy(`
+ optional_policy(`
+ ipsec_write_pid(ifconfig_t)
+ ipsec_setcontext_default_spd(ifconfig_t)
++ ipsec_dontaudit_write_log(ifconfig_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index db531dc..7c2a68e 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -96,6 +96,7 @@ allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+
+ mls_file_read_all_levels(systemd_logind_t)
+ mls_file_write_all_levels(systemd_logind_t)
++mls_dbus_send_all_levels(systemd_logind_t)
+
+ files_delete_tmpfs_files(systemd_logind_t)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 05274ae..29b37bc 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -169,6 +169,7 @@ template(`userdom_base_user_template',`
+
+ optional_policy(`
+ ssh_rw_stream_sockets($1_usertype)
++ ssh_rw_dgram_sockets($1_usertype)
+ ssh_delete_tmp($1_t)
+ ssh_signal($1_t)
+ ')
+@@ -718,8 +719,8 @@ template(`userdom_common_user_template',`
+ application_getattr_socket($1_usertype)
+
+
+- ifdef(`enabled_mls',`
+- init_rw_tcp_sockets($1_usertype)
++ ifdef(`enable_mls',`
++ init_rw_tcp_sockets($1_t)
+ ')
+
+ logging_send_syslog_msg($1_t)
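Review bot: The `init_rw_tcp_sockets` change widens the grant on init_t's tcp_socket from `{ read write }` to `{ read write getattr getopt setopt }`, and the `enabled_mls` → `enable_mls` spelling fix at the end of the same patch makes the call to it live for every `$1_t` user domain in an MLS build where it previously never expanded; the combined effect, that a login session can now set options on a socket init owns, is stated in neither place. The interface's description block precedes the init.if hunk and presumably still documents only read/write, so I would update its summary to something like `## Read and write init_t TCP sockets, including getting and setting socket options.` and give the userdomain.if call site a one-line comment on why a user domain needs `setopt` on an inherited init socket (the changelog attributes it to ssh logins at differing MLS levels; the policy itself says nothing). Separately, the `ipsec_dontaudit_write_log` doc block as shown here consists of bare `##` lines with no `<summary>` or `<param name="domain">` markup; if that is the patch rather than this rendering, the interface will be missing from generated policy documentation. Both `init_rw_tcp_sockets` and `userdom_common_user_template` begin outside their respective hunks.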
diff --git a/SOURCES/policy-rhel-7.1.z-contrib.patch b/SOURCES/policy-rhel-7.1.z-contrib.patch
new file mode 100644
index 0000000..3674c49
--- /dev/null
+++ b/SOURCES/policy-rhel-7.1.z-contrib.patch
@@ -0,0 +1,111 @@
+diff --git a/mongodb.fc b/mongodb.fc
+index 91adcaf..e9e6bc5 100644
+--- a/mongodb.fc
++++ b/mongodb.fc
+@@ -1,9 +1,15 @@
+ /etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mongos -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/mongod.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
++/usr/lib/systemd/system/mongos.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
+
+ /usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+ /usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+ /usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
++/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
++
+ /var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
+
+ /var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
+diff --git a/mongodb.te b/mongodb.te
+index dec8a95..d3fdae4 100644
+--- a/mongodb.te
++++ b/mongodb.te
+@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
+ type mongod_initrc_exec_t;
+ init_script_file(mongod_initrc_exec_t)
+
++type mongod_unit_file_t;
++systemd_unit_file(mongod_unit_file_t)
++
+ type mongod_log_t;
+ logging_log_file(mongod_log_t)
+
+@@ -30,7 +33,7 @@ files_tmp_file(mongod_tmp_t)
+ #
+
+
+-allow mongod_t self:process { setsched signal };
++allow mongod_t self:process { setsched signal execmem };
+ allow mongod_t self:fifo_file rw_fifo_file_perms;
+
+ allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -69,6 +72,8 @@ corenet_tcp_connect_mongod_port(mongod_t)
+ corenet_tcp_bind_mongod_port(mongod_t)
+ corenet_tcp_bind_generic_node(mongod_t)
+
++auth_use_nsswitch(mongod_t)
++
+ dev_read_sysfs(mongod_t)
+ dev_read_urand(mongod_t)
+
+diff --git a/mysql.fc b/mysql.fc
+index 4a315d5..c2c13aa 100644
+--- a/mysql.fc
++++ b/mysql.fc
+@@ -14,6 +14,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+ #
+ /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+ /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
++/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+ /etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+
+@@ -24,6 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+ /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+ /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
++/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
++
+
+ /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+ /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+diff --git a/mysql.te b/mysql.te
+index e14423d..976d57e 100644
+--- a/mysql.te
++++ b/mysql.te
+@@ -132,7 +132,7 @@ files_search_var_lib(mysqld_t)
+ files_search_pids(mysqld_t)
+ files_getattr_all_sockets(mysqld_t)
+
+-auth_use_nsswitch(mysqld_t)
++auth_use_pam(mysqld_t)
+
+ logging_send_syslog_msg(mysqld_t)
+
+diff --git a/rhcs.te b/rhcs.te
+index 25c0f70..0706417 100644
+--- a/rhcs.te
++++ b/rhcs.te
+@@ -218,6 +218,8 @@ init_read_script_state(cluster_t)
+ init_rw_script_tmp_files(cluster_t)
+ init_manage_script_status_files(cluster_t)
+
++systemd_dbus_chat_logind(cluster_t)
++
+ userdom_delete_user_tmp_files(cluster_t)
+ userdom_rw_user_tmp_files(cluster_t)
+ userdom_kill_all_users(cluster_t)
+diff --git a/virt.if b/virt.if
+index 01641f5..90e8a28 100644
+--- a/virt.if
++++ b/virt.if
+@@ -357,6 +357,7 @@ interface(`virt_read_pid_files',`
+
+ files_search_pids($1)
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ ')
+
+ ########################################
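Review bot: The new `allow mongod_t self:process { setsched signal execmem }` line in mongodb.te grants execmem unconditionally, which gives up the W^X property for the mongod domain and is the kind of permission that normally carries a justification next to the rule; the changelog only records that it is now allowed by default. I would add a comment above the rule naming the component that needs it (presumably a JIT in the embedded JavaScript engine — confirm), e.g. `# execmem: <REASON PLACEHOLDER>, see rhbz#1212970`, and consider putting it behind a tunable rather than in the base allow so deployments that do not exercise that feature can keep it denied. The mysql.te hunk replaces `auth_use_nsswitch(mysqld_t)` with `auth_use_pam(mysqld_t)`; if `auth_use_pam` in this tree does not itself include the nsswitch rules, mysqld loses its name-service access, which is worth confirming against authlogin.if (not part of this patch).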
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 21a7eae..d1cc2da 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -19,13 +19,15 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 23%{?dist}
+Release: 23%{?dist}.7
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
patch: policy-rhel-7.1-base.patch
patch1: policy-rhel-7.1-contrib.patch
patch2: policy-RHEL-7.1-flask.patch
+patch3: policy-rhel-7.1.z-base.patch
+patch4: policy-rhel-7.1.z-contrib.patch
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
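Review bot: `Release: 23%{?dist}.7` and the new changelog entries in the later hunk of this file do not obviously agree: the entries are headed `3.13.1-23.el7_7.N`, while the patches added here are named `policy-rhel-7.1.z-*.patch`, and if `%{?dist}` expands to `.el7_1` on this branch the built NVR will be `3.13.1-23.el7_1.7`, which trips rpmlint's incoherent-version-in-changelog warning and misleads anyone matching the changelog against the build. I would confirm the dist tag for this branch and, if the entries are wrong, correct all seven headers to the real release string; from the spec alone it is not possible to tell which side is right.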
@@ -328,9 +330,11 @@ Based off of reference policy: Checked out revision 2.20091117
%prep
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch1 -p1
+%patch4 -p1
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch -p1
+%patch3 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
@@ -604,6 +608,45 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Apr 29 2015 Miroslav Grepl 3.13.1-23.el7_7.7
+- Label /usr/libexec/postgresql-ctl as postgresql_exec_t
+- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
+- Add labeling for /usr/libexec/mysqld_safe-scl-helper.
+- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
+Resolves:#1209942
+- Allow mysqld_t to use pam.It is needed by MariDB if auth_apm.so auth plugin is used
+Resolves:#1214236
+- Added label mysqld_etc_t for /etc/my.cnf.d/ dir.
+Resolves:#1214235
+- Add support for mongod/mongos systemd unit files.
+Resolves:#1214194
+
+* Tue Apr 21 2015 Miroslav Grepl 3.13.1-23.el7_7.6
+- Make mongodb_t as nsswitch domain
+- ALlow mongod execmem by default
+Resolves:#1212970
+
+* Wed Apr 8 2015 Miroslav Grepl 3.13.1-23.el7_7.5
+- Update policy/mls for sockets related to accept.
+Resolves:#1207549
+
+* Tue Mar 31 2015 Miroslav Grepl 3.13.1-23.el7_7.4
+- Update policy/mls for sockets. Rules were contradictory.
+Resolves:#1207549
+
+* Wed Mar 25 2015 Miroslav Grepl 3.13.1-23.el7_7.3
+- Dontaudit ifconfig writing inhertited /var/log/pluto.log.
+Resolves:#1205580
+- Update init_rw_tcp_sockets() interface to use getopt and setopt.
+
+* Mon Mar 23 2015 Miroslav Grepl 3.13.1-23.el7_7.2
+- Use enable_mls instead of enabled_mls in userdomain.if
+Resolves:#1204778
+
+* Mon Mar 23 2015 Miroslav Grepl 3.13.1-23.el7_7.1
+- Allow a user to login with different security level via ssh.
+Resolves:#1204778
+
* Wed Jan 30 2015 Miroslav Grepl 3.13.1-23
- Update seutil_manage_config() interface.
Resolves:#1185962