##
@@ -5206,7 +5227,7 @@ index f6eb485..ce5dba7 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1171,8 +1528,31 @@ interface(`apache_cgi_domain',`
+@@ -1171,8 +1548,31 @@ interface(`apache_cgi_domain',`
########################################
##
@@ -5240,7 +5261,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -1189,18 +1569,19 @@ interface(`apache_cgi_domain',`
+@@ -1189,18 +1589,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@@ -5269,7 +5290,7 @@ index f6eb485..ce5dba7 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1210,10 +1591,10 @@ interface(`apache_admin',`
+@@ -1210,10 +1611,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -5283,7 +5304,7 @@ index f6eb485..ce5dba7 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1605,182 @@ interface(`apache_admin',`
+@@ -1224,9 +1625,182 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -5427,9 +5448,7 @@ index f6eb485..ce5dba7 100644
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
+')
-
-- apache_run_all_scripts($1, $2)
-- apache_run_helper($1, $2)
++
+########################################
+##
+## Read apache pid files.
@@ -5448,7 +5467,9 @@ index f6eb485..ce5dba7 100644
+ files_search_pids($1)
+ read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+')
-+
+
+- apache_run_all_scripts($1, $2)
+- apache_run_helper($1, $2)
+########################################
+##
+## Send and receive messages from
@@ -15252,10 +15273,10 @@ index 0000000..d5920c0
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
-index 0000000..77cdd5e
+index 0000000..23ebc59
--- /dev/null
+++ b/cockpit.te
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,115 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
@@ -15355,10 +15376,14 @@ index 0000000..77cdd5e
+
+# cockpit-session runs a full pam stack, including pam_selinux.so
+auth_login_pgm_domain(cockpit_session_t)
++# cockpit-session resseting expired passwords
++auth_manage_passwd(cockpit_session_t)
++auth_manage_shadow(cockpit_session_t)
+auth_write_login_records(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
++usermanage_read_crack_db(cockpit_session_t)
+
+optional_policy(`
+ userdom_signal_all_users(cockpit_session_t)
@@ -15570,7 +15595,7 @@ index 954309e..6780142 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..b82bae6 100644
+index 6471fa8..cb6a356 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
@@ -15596,8 +15621,9 @@ index 6471fa8..b82bae6 100644
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
+-allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:rawip_socket create_socket_perms;
- allow collectd_t self:unix_stream_socket { accept listen };
++allow collectd_t self:unix_stream_socket { accept listen connectto };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
@@ -29835,7 +29861,7 @@ index 4498143..84a4858 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index 36838c2..21cc5ed 100644
+index 36838c2..34a9ced 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@@ -30009,9 +30035,9 @@ index 36838c2..21cc5ed 100644
+userdom_manage_user_home_content_files(ftpd_t)
+userdom_manage_user_tmp_dirs(ftpd_t)
+userdom_manage_user_tmp_files(ftpd_t)
-+
-tunable_policy(`allow_ftpd_anon_write',`
++
+tunable_policy(`ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
')
@@ -30070,8 +30096,11 @@ index 36838c2..21cc5ed 100644
- corenet_sendrecv_oracledb_client_packets(ftpd_t)
- corenet_tcp_connect_oracledb_port(ftpd_t)
- corenet_tcp_sendrecv_oracledb_port(ftpd_t)
--')
--
++ corenet_sendrecv_oracle_client_packets(ftpd_t)
++ corenet_tcp_connect_oracle_port(ftpd_t)
++ corenet_tcp_sendrecv_oracle_port(ftpd_t)
+ ')
+
-tunable_policy(`ftp_home_dir',`
- allow ftpd_t self:capability { dac_override dac_read_search };
-
@@ -30084,11 +30113,8 @@ index 36838c2..21cc5ed 100644
-',`
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
-+ corenet_sendrecv_oracle_client_packets(ftpd_t)
-+ corenet_tcp_connect_oracle_port(ftpd_t)
-+ corenet_tcp_sendrecv_oracle_port(ftpd_t)
- ')
-
+-')
+-
-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(ftpd_t)
@@ -30124,7 +30150,17 @@ index 36838c2..21cc5ed 100644
kerberos_use(ftpd_t)
')
-@@ -416,86 +387,39 @@ optional_policy(`
+@@ -410,92 +381,49 @@ optional_policy(`
+ udev_read_db(ftpd_t)
+ ')
+
++optional_policy(`
++ apache_manage_user_content(ftpd_t)
++')
++
+ ########################################
+ #
+ # Ctl local policy
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -30184,14 +30220,13 @@ index 36838c2..21cc5ed 100644
- fs_manage_nfs_files(sftpd_t)
- fs_manage_nfs_symlinks(sftpd_t)
-')
-
+-
-tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
- fs_manage_cifs_dirs(sftpd_t)
- fs_manage_cifs_files(sftpd_t)
- fs_manage_cifs_symlinks(sftpd_t)
-')
-+userdom_home_reader(sftpd_t)
-
+-
-tunable_policy(`sftpd_anon_write',`
- miscfiles_manage_public_files(sftpd_t)
-')
@@ -30205,13 +30240,14 @@ index 36838c2..21cc5ed 100644
-tunable_policy(`sftpd_write_ssh_home',`
- ssh_manage_home_files(sftpd_t)
-')
--
+
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(sftpd_t)
- fs_read_cifs_files(sftpd_t)
- fs_read_cifs_symlinks(sftpd_t)
-')
--
++userdom_home_reader(sftpd_t)
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(sftpd_t)
- fs_read_nfs_files(sftpd_t)
@@ -67639,13 +67675,15 @@ index 0000000..3bcd32c
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
-index 0000000..c416596
+index 0000000..5655fac
--- /dev/null
+++ b/oracleasm.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
+
++/etc/sysconfig/oracleasm(/.*)? gen_context(system_u:object_r:oracleasm_conf_t,s0)
++
+/etc/sysconfig/oracleasm-_dev_oracleasm -- gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
+/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
@@ -67732,10 +67770,10 @@ index 0000000..6ae382c
+
diff --git a/oracleasm.te b/oracleasm.te
new file mode 100644
-index 0000000..48fdbd5
+index 0000000..c4b5ddb
--- /dev/null
+++ b/oracleasm.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,66 @@
+policy_module(oracleasm, 1.0.0)
+
+########################################
@@ -67766,6 +67804,7 @@ index 0000000..48fdbd5
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+
+allow oracleasm_t oracleasm_conf_t:file manage_file_perms;
++allow oracleasm_t oracleasm_conf_t:dir manage_dir_perms;
+
+manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
@@ -67792,6 +67831,7 @@ index 0000000..48fdbd5
+
+storage_raw_read_fixed_disk(oracleasm_t)
+storage_raw_read_removable_device(oracleasm_t)
++storage_rw_inherited_fixed_disk_dev(oracleasm_t)
+
+optional_policy(`
+ mount_domtrans(oracleasm_t)
@@ -109465,7 +109505,7 @@ index 61c2e07..3b86095 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index 5ceacde..9353adb 100644
+index 5ceacde..f24416b 100644
--- a/tor.te
+++ b/tor.te
@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
@@ -109482,17 +109522,18 @@ index 5ceacde..9353adb 100644
type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)
-@@ -33,6 +40,9 @@ type tor_var_run_t;
+@@ -32,6 +39,10 @@ logging_log_file(tor_var_log_t)
+ type tor_var_run_t;
files_pid_file(tor_var_run_t)
init_daemon_run_dir(tor_var_run_t, "tor")
-
++files_mountpoint(tor_var_run_t)
++
+type tor_unit_file_t;
+systemd_unit_file(tor_unit_file_t)
-+
+
########################################
#
- # Local policy
-@@ -48,6 +58,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+@@ -48,6 +59,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
allow tor_t tor_etc_t:file read_file_perms;
allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
@@ -109501,7 +109542,7 @@ index 5ceacde..9353adb 100644
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -77,7 +90,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
corenet_udp_sendrecv_generic_node(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
@@ -109509,7 +109550,7 @@ index 5ceacde..9353adb 100644
corenet_sendrecv_dns_server_packets(tor_t)
corenet_udp_bind_dns_port(tor_t)
corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +96,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +97,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_tcp_sendrecv_tor_port(tor_t)
@@ -109517,7 +109558,7 @@ index 5ceacde..9353adb 100644
corenet_sendrecv_all_client_packets(tor_t)
corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +110,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +111,22 @@ dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dd50564..f0a6308 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 191.16%{?dist}
+Release: 191.17%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -672,6 +672,18 @@ exit 0
%endif
%changelog
+* Fri Sep 23 2016 Lukas Vrabec 3.13.1-191.17
+- Make tor_var_run_t as mountpoint. BZ(1368621)
+- Fix typo in ftpd SELinux module.
+- Allow cockpit-session to reset expired passwords BZ(1374262)
+- Allow ftp daemon to manage apache_user_content
+- Label /etc/sysconfig/oracleasm as oracleasm_conf_t
+- Allow oracleasm to rw inherited fixed disk device
+- Allow collectd to connect on unix_stream_socket
+- Add abrt_dump_oops_t kill user namespace capability. BZ(1376868)
+- Dontaudit systemd is mounting unlabeled dirs BZ(1367292)
+- Add interface files_dontaudit_mounton_isid()
+
* Thu Sep 15 2016 Lukas Vrabec 3.13.1-191.16
- Allow attach usb device to virtual machine BZ(1276873)
- Dontaudit mozilla_plugin to sys_ptrace