diff --git a/SOURCES/policy-rhel-7.2.z-base.patch b/SOURCES/policy-rhel-7.2.z-base.patch
new file mode 100644
index 0000000..18c6f0b
--- /dev/null
+++ b/SOURCES/policy-rhel-7.2.z-base.patch
@@ -0,0 +1,29 @@
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index 2afd2f6..2fc80d1 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -2633,6 +2633,24 @@ interface(`fs_rw_hugetlbfs_files',`
+
+ ########################################
+ ##
++## Manage hugetlbfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_hugetlbfs_files',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++##
+ ## Execute hugetlbfs files.
+ ##
+ ##
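Review bot: The summary for the new `fs_manage_hugetlbfs_files` interface says only "Manage hugetlbfs files.", which does not tell a caller how it differs from the existing `fs_rw_hugetlbfs_files` named in the hunk header. `manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t)` grants create, rename, link and unlink on top of read/write, so I would spell that out in the summary as `Create, read, write, and delete hugetlbfs files.` It is also worth adding a line to the interface description saying that domains which only read and write existing files should keep using `fs_rw_hugetlbfs_files`, so the broader interface is not picked up by default.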
diff --git a/SOURCES/policy-rhel-7.2.z-contrib.patch b/SOURCES/policy-rhel-7.2.z-contrib.patch
new file mode 100644
index 0000000..7474c85
--- /dev/null
+++ b/SOURCES/policy-rhel-7.2.z-contrib.patch
@@ -0,0 +1,62 @@
+diff --git a/ctdb.if b/ctdb.if
+index 6b7d687..06895f3 100644
+--- a/ctdb.if
++++ b/ctdb.if
+@@ -55,6 +55,23 @@ interface(`ctdbd_signal',`
+ allow $1 ctdbd_t:process signal;
+ ')
+
++#######################################
++##
++## Allow domain to sigchld ctdbd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_sigchld',`
++ gen_require(`
++ type ctdbd_t;
++ ')
++ allow $1 ctdbd_t:process sigchld;
++')
++
+ ########################################
+ ##
+ ## Read ctdbd's log files.
+diff --git a/openvswitch.te b/openvswitch.te
+index 1b606d8..2d00be4 100644
+--- a/openvswitch.te
++++ b/openvswitch.te
+@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t)
+ # openvswitch local policy
+ #
+
+-allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };
++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource };
+ allow openvswitch_t self:capability2 block_suspend;
+ allow openvswitch_t self:process { fork setsched setrlimit signal };
+ allow openvswitch_t self:fifo_file rw_fifo_file_perms;
+@@ -92,6 +92,8 @@ files_read_kernel_modules(openvswitch_t)
+
+ fs_getattr_all_fs(openvswitch_t)
+ fs_search_cgroup_dirs(openvswitch_t)
++fs_manage_hugetlbfs_files(openvswitch_t)
++fs_manage_hugetlbfs_dirs(openvswitch_t)
+
+ auth_use_nsswitch(openvswitch_t)
+
+diff --git a/samba.te b/samba.te
+index bf7a710..aac4015 100644
+--- a/samba.te
++++ b/samba.te
+@@ -726,6 +726,7 @@ userdom_use_inherited_user_terminals(smbcontrol_t)
+
+ optional_policy(`
+ ctdbd_stream_connect(smbcontrol_t)
++ ctdbd_sigchld(smbcontrol_t)
+ ')
+
+ ########################################
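Review bot: In the openvswitch.te part of this patch, `sys_rawio` is added to the `openvswitch_t` capability set unconditionally and without a comment naming the operation that needs it. CAP_SYS_RAWIO covers raw I/O port and memory-device access among other things, and the domain already holds `sys_module` and `net_admin`, so this noticeably widens what a compromised daemon could do. Please add a justification next to the rule, for example `# sys_rawio: required for <operation>, see rhbz#1299405`. Consider putting `sys_rawio` and the two `fs_manage_hugetlbfs_*` calls behind a tunable, so that installs which do not need the hugepage-backed path keep the narrower policy. Separately, `fs_manage_hugetlbfs_dirs` is called here but the base patch in this commit only adds `fs_manage_hugetlbfs_files`; presumably the dirs interface already exists in the base policy, but that should be confirmed by a build.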
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index a011577..4881a76 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 60%{?dist}
+Release: 60%{?dist}.3
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -28,6 +28,8 @@ patch1: policy-rhel-7.1-contrib.patch
patch2: policy-RHEL-7.1-flask.patch
patch3: policy-rhel-7.2-base.patch
patch4: policy-rhel-7.2-contrib.patch
+patch5: policy-rhel-7.2.z-base.patch
+patch6: policy-rhel-7.2.z-contrib.patch
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
@@ -333,10 +335,12 @@ Based off of reference policy: Checked out revision 2.20091117
%prep
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch4 -p1
+%patch6 -p1
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch3 -p1
%patch2 -p1
+%patch5 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
@@ -611,6 +615,22 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jan 27 2016 Lukas Vrabec 3.13.1-60.3
+- Allow openvswitch domain capability sys_rawio
+Resolves: rhbz#1299405
+
+* Tue Jan 26 2016 Lukas Vrabec 3.13.1-60.2
+- Add fs_manage_hugetlbfs_files() interface.
+Resolves: rhbz#1299405
+- Allow openvswitch to manage hugetlfs files and dirs
+Resolves: rhbz#1299405
+
+* Mon Jan 25 2016 Lukas Vrabec 3.13.1-60.1
+- Allow openvswitch read/write hugetlb filesystem.
+Resolves: rhbz#1299405
+- Allow smbcontrol domain to send sigchld to ctdbd domain.
+Resolves: rhbz#1301522
+
* Wed Oct 14 2015 Miroslav Grepl 3.13.1-60
Allow hypervvssd to list all mountpoints to have VSS live backup working correctly.
Resolves:#1247880