From e4cc73ac1205488a7cbf6a4f0fb6db9f844494ad Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 31 2017 16:00:08 +0000 Subject: * Thu Aug 31 2017 Lukas Vrabec - 3.13.1-260.8 - Allow ddclient use nsswitch BZ(1456241) - Allow thumb_t domain getattr fixed_disk device. BZ(1379137) - Add interface dbus_manage_session_tmp_dirs() - Allow targetd_t to create own tmp files. Dontaudit targetd_t to exec rpm binary file. - Dontaudit useradd_t sys_ptrace BZ(1480121) - Allow ipsec_t can exec ipsec_exec_t - Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 9ddea9c..81f0bba 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f26-base.patch b/policy-f26-base.patch index dd78d08..efb6180 100644 --- a/policy-f26-base.patch +++ b/policy-f26-base.patch @@ -3098,7 +3098,7 @@ index 99e3903ea..fa68362ea 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..121ace88e 100644 +index 1d732f1e7..d698fdd02 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3418,7 +3418,7 @@ index 1d732f1e7..121ace88e 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,8 +492,9 @@ optional_policy(` +@@ -446,8 +492,10 @@ optional_policy(` # Useradd local policy # 
@@ -3427,10 +3427,11 @@ index 1d732f1e7..121ace88e 100644 +allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + +dontaudit useradd_t self:capability { net_admin sys_tty_config }; ++dontaudit useradd_t self:cap_userns { sys_ptrace }; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; allow useradd_t self:fd use; -@@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3441,7 +3442,7 @@ index 1d732f1e7..121ace88e 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +519,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3481,7 +3482,7 @@ index 1d732f1e7..121ace88e 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +548,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3489,7 +3490,7 @@ index 1d732f1e7..121ace88e 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,35 +559,38 @@ init_rw_utmp(useradd_t) +@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3539,7 +3540,7 @@ index 1d732f1e7..121ace88e 100644 ') optional_policy(` -@@ -545,14 +599,27 @@ optional_policy(` +@@ -545,14 +600,27 @@ optional_policy(` ') optional_policy(` 
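Review bot: The new `++dontaudit useradd_t self:cap_userns { sys_ptrace };` has no comment, while the capability line two rules above already grants `sys_ptrace` in the init namespace, so a reader cannot tell from the policy why the user-namespace variant is silenced instead of granted or left audited. Since the changelog ties this to BZ 1480121, put that next to the rule: `# BZ 1480121: useradd checks cap_userns sys_ptrace; silenced as noise, not granted`. A dontaudit hides the denial rather than surfacing it, so if some useradd code path does turn out to need the access, the bug reference is what lets the next maintainer re-check before widening. The useradd_t local policy block continues outside this hunk.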
@@ -3567,7 +3568,7 @@ index 1d732f1e7..121ace88e 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +629,12 @@ optional_policy(` +@@ -562,3 +630,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -38059,7 +38060,7 @@ index 0d4c8d35e..537aa4274 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd0417..102b975de 100644 +index 312cd0417..56961b493 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -38121,7 +38122,15 @@ index 312cd0417..102b975de 100644 manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -@@ -110,10 +127,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) +@@ -101,6 +118,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) + files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) + + can_exec(ipsec_t, ipsec_mgmt_exec_t) ++can_exec(ipsec_t, ipsec_exec_t) + + # pluto runs an updown script (by calling popen()!) as this is by default + # a shell script, we need to find a way to make things work without +@@ -110,10 +128,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; @@ -38134,7 +38143,7 @@ index 312cd0417..102b975de 100644 kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; -@@ -128,20 +145,24 @@ corecmd_exec_shell(ipsec_t) +@@ -128,20 +146,24 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access 
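Review bot: `++can_exec(ipsec_t, ipsec_exec_t)` lets the domain execute its own entrypoint type in place, and unlike the `can_exec(ipsec_t, ipsec_mgmt_exec_t)` line above it, which the popen()/updown-script comment that follows explains, the added line says nothing about which binary needs it. By itself the rule makes no new domain reachable, but rules of this shape are the ones that later get turned into a `domtrans` by copy-paste, so state the reason: `# ipsec_t runs other ipsec_exec_t binaries in place; no domain transition wanted`, and cite the bug if a specific denial drove it, as the other entries in this changelog do. The ipsec_t section continues beyond this hunk.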
@@ -38166,7 +38175,7 @@ index 312cd0417..102b975de 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,22 +179,32 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -38201,7 +38210,7 @@ index 312cd0417..102b975de 100644 optional_policy(` seutil_sigchld_newrole(ipsec_t) -@@ -182,19 +213,30 @@ optional_policy(` +@@ -182,19 +214,30 @@ optional_policy(` udev_read_db(ipsec_t) ') @@ -38236,7 +38245,7 @@ index 312cd0417..102b975de 100644 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) -@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +251,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -38252,7 +38261,7 @@ index 312cd0417..102b975de 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +291,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -38269,7 +38278,7 @@ index 312cd0417..102b975de 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +310,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) 
@@ -38278,7 +38287,7 @@ index 312cd0417..102b975de 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) +@@ -269,6 +326,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) @@ -38286,7 +38295,7 @@ index 312cd0417..102b975de 100644 files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +336,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -38298,7 +38307,7 @@ index 312cd0417..102b975de 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +347,28 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -38332,7 +38341,7 @@ index 312cd0417..102b975de 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +391,10 @@ optional_policy(` +@@ -322,6 +392,10 @@ optional_policy(` ') optional_policy(` @@ -38343,7 +38352,7 @@ index 312cd0417..102b975de 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +408,7 @@ optional_policy(` +@@ -335,7 +409,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -38352,7 +38361,7 @@ index 312cd0417..102b975de 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) 
@@ -38372,7 +38381,7 @@ index 312cd0417..102b975de 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -38385,7 +38394,7 @@ index 312cd0417..102b975de 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -48192,10 +48201,10 @@ index 000000000..d1356af89 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..35fc2b865 +index 000000000..e7c2cc70b --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1020 @@ +@@ -0,0 +1,1021 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48486,6 +48495,7 @@ index 000000000..35fc2b865 +optional_policy(` + dbus_connect_system_bus(systemd_logind_t) + dbus_system_bus_client(systemd_logind_t) ++ dbus_manage_session_tmp_dirs(systemd_logind_t) +') + +optional_policy(` diff --git a/policy-f26-contrib.patch b/policy-f26-contrib.patch index 356e8c3..d2f7f58 100644 --- a/policy-f26-contrib.patch +++ b/policy-f26-contrib.patch @@ -22515,7 +22515,7 @@ index dda905b9c..558729530 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb46..77afd180d 100644 +index 62d22cb46..c0c2ed47d 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ 
@@ -22664,9 +22664,9 @@ index 62d22cb46..77afd180d 100644 - files_search_var_lib($1) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) - -+ dev_read_urand($1) + ++ dev_read_urand($1) + + # For connecting to the bus files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) @@ -23376,7 +23376,7 @@ index 62d22cb46..77afd180d 100644 ## ## ## -@@ -597,28 +661,50 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -23434,6 +23434,24 @@ index 62d22cb46..77afd180d 100644 - typeattribute $1 dbusd_unconfined; + allow $1 system_dbusd_t:dbus acquire_svc; + ++') ++ ++######################################## ++## ++## Manage session_dbusd tmp dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_manage_session_tmp_dirs',` ++ gen_require(` ++ type session_dbusd_tmp_t; ++ ') ++ ++ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) ') diff --git a/dbus.te b/dbus.te index c9998c80d..d8ef03416 100644 @@ -24039,7 +24057,7 @@ index 5606b4069..cd18cf2a7 100644 domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/ddclient.te b/ddclient.te -index a4caa1b5b..42f30662d 100644 +index a4caa1b5b..f244f9a63 100644 --- a/ddclient.te +++ b/ddclient.te @@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) @@ -24084,7 +24102,7 @@ index a4caa1b5b..42f30662d 100644 fs_getattr_all_fs(ddclient_t) fs_search_auto_mountpoints(ddclient_t) -+auth_read_passwd(ddclient_t) ++auth_use_nsswitch(ddclient_t) + logging_send_syslog_msg(ddclient_t) @@ -93305,7 +93323,7 @@ index ebe91fc70..6ba4338cb 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b22507..b15d901a4 100644 +index ef3b22507..a33cae9d6 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ 
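Review bot: The new `dbus_manage_session_tmp_dirs()` interface grants only `manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)` and does not give the caller search on the parent tmp directory, which the tmp interfaces elsewhere in this same series do (`rpm_manage_script_tmp_files` and `rpm_manage_tmp_files` both begin with `files_search_tmp($1)`); a caller lacking search on the tmp directory is denied before it reaches the labeled subdirectory. Add `files_search_tmp($1)` before the pattern call so the interface is self-contained, as the rpm ones are. The summary line could also follow the verb style of the neighbouring interfaces, e.g. `## Create, read, write, and delete session dbusd temporary directories.`.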
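Review bot: `auth_use_nsswitch(ddclient_t)` grants more than the `auth_read_passwd(ddclient_t)` it replaces in this hunk: beyond passwd lookups it brings in name-service client access and, through the nsswitch tunables, the network access those backends use, which is more than a daemon that only needed to read user accounts should hold. That is presumably what BZ 1456241 is about (ddclient resolving hostnames for its updates), but nothing in the rule records it, so a later cleanup could narrow it back; add `# hostname resolution goes through nsswitch, BZ 1456241` above the call. The ddclient_t rule block continues outside this hunk.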
@@ -93406,16 +93424,34 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -109,7 +116,7 @@ interface(`rpm_exec',` +@@ -109,7 +116,25 @@ interface(`rpm_exec',` ######################################## ## -## Send null signals to rpm. ++## Do not audit to execute a rpm. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`rpm_dontaudit_exec',` ++ gen_require(` ++ type rpm_exec_t; ++ ') ++ ++ dontaudit $1 rpm_exec_t:file exec_file_perms; ++') ++ ++######################################## ++## +## Send a null signal to rpm. ## ## ## -@@ -127,7 +134,7 @@ interface(`rpm_signull',` +@@ -127,7 +152,7 @@ interface(`rpm_signull',` ######################################## ## @@ -93424,7 +93460,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -145,7 +152,7 @@ interface(`rpm_use_fds',` +@@ -145,7 +170,7 @@ interface(`rpm_use_fds',` ######################################## ## @@ -93433,7 +93469,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -163,7 +170,7 @@ interface(`rpm_read_pipes',` +@@ -163,7 +188,7 @@ interface(`rpm_read_pipes',` ######################################## ## @@ -93442,7 +93478,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -181,6 +188,60 @@ interface(`rpm_rw_pipes',` +@@ -181,6 +206,60 @@ interface(`rpm_rw_pipes',` ######################################## ## @@ -93503,7 +93539,7 @@ index ef3b22507..b15d901a4 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -224,7 +285,7 @@ interface(`rpm_dontaudit_dbus_chat',` +@@ -224,7 +303,7 @@ interface(`rpm_dontaudit_dbus_chat',` ######################################## ## ## Send and receive messages from @@ -93512,7 +93548,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -244,7 +305,7 @@ interface(`rpm_script_dbus_chat',` +@@ -244,7 +323,7 @@ interface(`rpm_script_dbus_chat',` ######################################## ## 
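Review bot: The summary of the new `rpm_dontaudit_exec` interface, `## Do not audit to execute a rpm.`, is ungrammatical and does not say what is being silenced, while the neighbouring summaries this hunk also touches are plain statements such as `## Send a null signal to rpm.`. Suggest `## Do not audit attempts to execute the rpm binary.`, and since the rule uses `exec_file_perms` rather than bare `execute`, the description could note that in-place execution attempts on rpm_exec_t are silenced for the domain, not just transition attempts.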
@@ -93521,7 +93557,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -263,7 +324,8 @@ interface(`rpm_search_log',` +@@ -263,7 +342,8 @@ interface(`rpm_search_log',` ##################################### ## @@ -93531,19 +93567,17 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -276,14 +338,30 @@ interface(`rpm_append_log',` +@@ -276,14 +356,30 @@ interface(`rpm_append_log',` type rpm_log_t; ') - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm log files. ++') ++ ++######################################## ++## +## Create, read, write, and delete the RPM log. +## +## @@ -93558,15 +93592,17 @@ index ef3b22507..b15d901a4 100644 + ') + + read_files_pattern($1, rpm_log_t, rpm_log_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm log files. +## Create, read, write, and delete the RPM log. ## ## ## -@@ -302,7 +380,32 @@ interface(`rpm_manage_log',` +@@ -302,7 +398,32 @@ interface(`rpm_manage_log',` ######################################## ## @@ -93600,7 +93636,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -320,8 +423,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +441,8 @@ interface(`rpm_use_script_fds',` ######################################## ## @@ -93611,7 +93647,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -335,12 +438,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +456,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -93628,7 +93664,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -353,14 +459,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +477,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') 
@@ -93646,7 +93682,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -374,12 +479,34 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +497,34 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -93682,7 +93718,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -399,7 +526,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +544,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -93691,7 +93727,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -420,8 +547,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +565,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -93701,7 +93737,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -442,7 +568,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +586,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -93710,7 +93746,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -459,11 +585,12 @@ interface(`rpm_read_db',` +@@ -459,11 +603,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -93724,7 +93760,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -482,8 +609,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +627,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -93734,7 +93770,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -503,8 +629,28 @@ interface(`rpm_manage_db',` +@@ -503,8 +647,28 @@ interface(`rpm_manage_db',` ######################################## ## @@ -93764,7 +93800,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -517,7 +663,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +681,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') 
@@ -93773,7 +93809,7 @@ index ef3b22507..b15d901a4 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +689,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +707,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -93783,7 +93819,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -563,8 +708,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +726,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -93793,7 +93829,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -573,43 +717,54 @@ interface(`rpm_manage_pid_files',` +@@ -573,43 +735,54 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -93865,7 +93901,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -617,22 +772,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` +@@ -617,22 +790,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` ## ## ## @@ -93934,7 +93970,7 @@ index ef3b22507..b15d901a4 100644 init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) -@@ -641,9 +831,6 @@ interface(`rpm_admin',` +@@ -641,9 +849,6 @@ interface(`rpm_admin',` admin_pattern($1, rpm_file_t) @@ -108361,10 +108397,10 @@ index 000000000..a6e216c73 + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 000000000..681ec9f67 +index 000000000..acdccbb18 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,101 @@ +@@ -0,0 +1,109 @@ +policy_module(targetd, 1.0.0) + +######################################## @@ -108382,6 +108418,9 @@ index 000000000..681ec9f67 +type targetd_unit_file_t; +systemd_unit_file(targetd_unit_file_t) + ++type targetd_tmp_t; ++files_tmp_file(targetd_tmp_t) ++ +######################################## +# +# targetd local policy 
@@ -108399,6 +108438,10 @@ index 000000000..681ec9f67 +manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file }) + ++manage_dirs_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t) ++manage_files_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t) ++files_tmp_filetrans(targetd_t, targetd_tmp_t, { file dir }) ++ +files_rw_isid_type_dirs(targetd_t) + +fs_getattr_xattr_fs(targetd_t) @@ -108460,6 +108503,7 @@ index 000000000..681ec9f67 + +optional_policy(` + rpm_dontaudit_read_db(targetd_t) ++ rpm_dontaudit_exec(targetd_t) +') + +optional_policy(` @@ -110582,10 +110626,10 @@ index 000000000..9524b50aa +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 000000000..d366c8b37 +index 000000000..2b15dca23 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,168 @@ +@@ -0,0 +1,172 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -110754,6 +110798,10 @@ index 000000000..d366c8b37 + corenet_dontaudit_udp_bind_all_ports(thumb_t) + corenet_dontaudit_udp_bind_generic_node(thumb_t) +') ++ ++optional_policy(` ++ storage_getattr_fixed_disk_dev(thumb_t) ++') diff --git a/thunderbird.te b/thunderbird.te index 5e867da56..b25ea6e08 100644 --- a/thunderbird.te diff --git a/selinux-policy.spec b/selinux-policy.spec index a6aa4f4..e85178d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 260.7%{?dist} +Release: 260.8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
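Review bot: `++ rpm_dontaudit_exec(targetd_t)` silences attempts by targetd to execute rpm_exec_t, but nothing in the hunk records what targetd does with rpm; if it genuinely shells out to rpm (for example to query an installed version) the dontaudit makes that code path fail silently, which is harder to diagnose than the AVC it replaces. Add a comment stating the observed cause, e.g. `# targetd probes the rpm binary but does not need to run it; silence the exec attempt`, with the bug reference if one exists. The targetd_t optional_policy blocks continue outside this hunk.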
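Review bot: `storage_getattr_fixed_disk_dev(thumb_t)` is wrapped in `optional_policy()` although the storage module is in the kernel layer and always present, so the wrapper excludes nothing and the rule can be a plain top-level call. More importantly, thumb_t parses untrusted files, and this hands it read metadata on raw disk device nodes; if BZ 1379137 is only an AVC from a probe (a stat on a block device) rather than a functional need, the dontaudit counterpart of this interface, if available, would keep the device out of the allow set while still quieting the log. Either way, cite the bug next to the rule, `# BZ 1379137: getattr on fixed disk devices`, as the changelog does.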
@@ -681,6 +681,15 @@ exit 0 %endif %changelog +* Thu Aug 31 2017 Lukas Vrabec - 3.13.1-260.8 +- Allow ddclient use nsswitch BZ(1456241) +- Allow thumb_t domain getattr fixed_disk device. BZ(1379137) +- Add interface dbus_manage_session_tmp_dirs() +- Allow targetd_t to create own tmp files. Dontaudit targetd_t to exec rpm binary file. +- Dontaudit useradd_t sys_ptrace BZ(1480121) +- Allow ipsec_t can exec ipsec_exec_t +- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs + * Mon Aug 28 2017 Lukas Vrabec - 3.13.1-260.7 - Allow cupsd_t to execute ld_so_cache - Add few rules to make working targetd daemon with SELinux