From d1509872f058104a0a9af4c6f4373f3741d55f38 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Jun 24 2015 09:08:57 +0000
Subject: * Wed Jun 24 2015 Lukas Vrabec 3.13.1-105.18
- Add unconfined_dontaudit_write_state() interface.
- Make docker_t as unconfined. BZ(1215842)
---
diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index 8afa46e..24c40f3 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -20595,10 +20595,10 @@ index 0000000..b680867
 +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
 diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
 new file mode 100644
-index 0000000..60a9dbd
+index 0000000..f908e0a
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,671 @@
+@@ -0,0 +1,689 @@
 +## Unconfined user role
 +
 +########################################
@@ -21060,6 +21060,24 @@ index 0000000..60a9dbd
 +
 +########################################
 +##
++## Dontaudit write process information for unconfined process.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dontaudit_write_state',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:file write;
++')
++
++########################################
++##
 +## Write keys for the unconfined domain.
 +##
 +##
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index e4812db..043fd1b 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -25334,10 +25334,10 @@ index 0000000..1542da8
 +
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..f85020e
+index 0000000..b1c5390
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,328 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
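Review bot: The header of `unconfined_dontaudit_write_state` should spell out what the rule silences and what it does not: the single `dontaudit $1 unconfined_t:file write;` only suppresses audit records for the `write` permission on files labelled `unconfined_t`, i.e. the process-state entries of unconfined processes under /proc/<pid>, and grants the caller nothing. Suggested summary text: `Do not audit attempts by the domain to write the process state (/proc/<pid>) of unconfined processes; only the write permission is covered, no access is granted.` If the denials this is meant to hide come from opening such an entry for writing, `open` is checked together with `write` and would still be logged, so the rule would need `dontaudit $1 unconfined_t:file { write open };` — worth checking against the AVC behind the 105.17 chrome-sandbox changelog entry, which looks like the intended caller. This rendering also appears to have dropped the `<summary>`/`<param name="domain">` XML tags from the interface header; if the committed file lacks them too, the interface will not appear in the generated policy documentation.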
@@ -25639,6 +25639,10 @@ index 0000000..f85020e
 + corenet_tcp_sendrecv_all_ports(docker_t)
 +')
 +
++optional_policy(`
++ unconfined_domain(docker_t)
++')
++
 +########################################
 +#
 +# spc local policy
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 62c7234..c78b727 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 105.17%{?dist}
+Release: 105.18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,10 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Jun 24 2015 Lukas Vrabec 3.13.1-105.18
+- Add unconfined_dontaudit_write_state() interface.
+- Make docker_t as unconfined. BZ(1215842)
+
 * Tue Jun 23 2015 Lukas Vrabec 3.13.1-105.17
 - Dontaudit use console for chrome-sandbox. BZ(1216087)
 - Dontaudit chrome-sandbox write access its parent process information. BZ(1220958)
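Review bot: `unconfined_domain(docker_t)` removes SELinux confinement from the Docker daemon, a root process that brokers every container's lifecycle, so a compromise of the daemon or an escape into its context is no longer bounded by the docker_t rules that precede this block; the only record of the reason is the BZ number in the changelog. Because `unconfined_domain()` works by attribute assignment it cannot be gated by a boolean (conditional blocks take only access-vector and type rules), so the trade-off deserves a comment in the policy itself, e.g. `# docker_t is unconfined (BZ 1215842); the docker_t rules above no longer bound the daemon`. It would also help to state whether the preceding allow rules are kept deliberately for the day this block is dropped, and to confirm that containers stay confined through their own domain transition, which this hunk does not show. The rest of docker.te, including the rules this makes redundant, is outside the hunk.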