From 7f9914e3be07a7df53f00ec300ab9582236e9048 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Oct 27 2015 14:57:44 +0000 Subject: * Tue Oct 27 2015 Lukas Vrabec 3.13.1-153 - Label /var/run/chrony directory as chronyd_var_run_t. BZ(1259636) - Fixes for chrony version 2.2 BZ(#1259636) * Allow chrony chown capability * Allow sendto dgram_sockets to itself and to unconfined_t domains. - Allow fail2ban-client to execute ldconfig. #1268715 --- diff --git a/policy-f23-contrib.patch b/policy-f23-contrib.patch index 82db54f..34aff8b 100644 --- a/policy-f23-contrib.patch +++ b/policy-f23-contrib.patch @@ -13059,10 +13059,10 @@ index 0000000..5955ff0 + gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) +') diff --git a/chronyd.fc b/chronyd.fc -index 4e4143e..36ee9e1 100644 +index 4e4143e..f03dba0 100644 --- a/chronyd.fc +++ b/chronyd.fc -@@ -1,13 +1,17 @@ +@@ -1,13 +1,18 @@ -/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) +/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0) @@ -13078,6 +13078,7 @@ index 4e4143e..36ee9e1 100644 /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) -/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) ++/var/run/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0) +/var/run/chronyd(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0) +/var/run/chrony-helper(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0) /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) @@ -13278,7 +13279,7 @@ index 32e8265..c5a2913 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..337110c 100644 +index e5b621c..135100a 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) 
@@ -13297,11 +13298,11 @@ index e5b621c..337110c 100644 -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -allow chronyd_t self:process { getcap setcap setrlimit signal }; -+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time }; ++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown }; +allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; +allow chronyd_t self:udp_socket create_socket_perms; -+allow chronyd_t self:unix_dgram_socket create_socket_perms; ++allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto }; allow chronyd_t self:fifo_file rw_fifo_file_perms; +allow chronyd_t chronyd_keys_t:file append_file_perms; @@ -13309,7 +13310,7 @@ index e5b621c..337110c 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,36 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +83,38 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -13333,6 +13334,8 @@ index e5b621c..337110c 100644 +sysnet_read_dhcpc_state(chronyd_t) + +systemd_exec_systemctl(chronyd_t) ++ ++userdom_dgram_send(chronyd_t) optional_policy(` gpsd_rw_shm(chronyd_t) @@ -27929,7 +27932,7 @@ index 50d0084..94e1936 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e567..6c3ce35 100644 +index cf0e567..7945ad9 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; 
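Review bot: The `chown` capability added to `+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown };` in the @@ -13297 hunk of chronyd.te is granted unconditionally and the .te line says nothing about which operation in chrony 2.2 needs it; the only trace is the spec changelog, and capability grants are exactly what a later cleanup will try to prune. Suggest a comment above the line, e.g. `# chrony 2.2 needs chown, see BZ 1259636`. The `sendto` added to `+allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto };` in the same hunk looks necessary, since as far as I recall `create_socket_perms` does not include `sendto`.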
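Review bot: `++userdom_dgram_send(chronyd_t)` in the @@ -13333 hunk of chronyd.te looks broader than the changelog's "sendto ... to unconfined_t domains": in refpolicy that interface grants `unix_dgram_socket sendto` toward the whole `userdomain` attribute, i.e. every user domain, not only unconfined_t. If the reply path chrony 2.2 needs (presumably chronyd answering a chronyc socket owned by the caller's domain, which is worth confirming) only involves unconfined users, `unconfined_dgram_send(chronyd_t)` would be the narrower grant; if confined users must also run chronyc, keep `userdom_dgram_send` but record that in a comment, e.g. `# chronyd replies to chronyc over unix dgram sockets (chrony 2.2)`.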
@@ -28010,7 +28013,7 @@ index cf0e567..6c3ce35 100644 shorewall_domtrans(fail2ban_t) ') -@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -131,22 +146,32 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -28033,6 +28036,8 @@ index cf0e567..6c3ce35 100644 +auth_use_nsswitch(fail2ban_client_t) + ++libs_exec_ldconfig(fail2ban_client_t) ++ logging_getattr_all_logs(fail2ban_client_t) logging_search_all_logs(fail2ban_client_t) - diff --git a/selinux-policy.spec b/selinux-policy.spec index 8c748c3..c077b29 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 152%{?dist} +Release: 153%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -656,6 +656,13 @@ exit 0 %endif %changelog +* Tue Oct 27 2015 Lukas Vrabec 3.13.1-153 +- Label /var/run/chrony directory as chronyd_var_run_t. BZ(1259636) +- Fixes for chrony version 2.2 BZ(#1259636) + * Allow chrony chown capability + * Allow sendto dgram_sockets to itself and to unconfined_t domains. +- Allow fail2ban-client to execute ldconfig. #1268715 + * Wed Oct 21 2015 Miroslav Grepl 3.13.1-152 - Allow setroubleshootd to create/execute a shared memory and temporary files. It is caused by libffi which is used for signal handlers. BZ(#1271061) - Allow winbindd to send signull to kernel. BZ(#1269193)
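Review bot: `++libs_exec_ldconfig(fail2ban_client_t)` in the @@ -28033 hunk of fail2ban.te executes ldconfig inside fail2ban_client_t without a domain transition, and nothing in the policy says why the client runs ldconfig at all; a reader only finds the reason through #1268715 in the spec changelog. Suggest a comment on the line, e.g. `# fail2ban-client executes ldconfig (#1268715)`, and confirm that `exec` rather than `libs_domtrans_ldconfig` is intended: exec keeps ldconfig limited to what fail2ban_client_t may already do, which is the usual choice when the client only queries ldconfig rather than rewriting the cache, but that assumption should be stated next to the rule.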