From 0c6eef95d36a608144653622bb38f842a5560de2 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 28 Aug 2017 18:08:50 +0200 Subject: [PATCH] * Mon Aug 28 2017 Lukas Vrabec - 3.13.1-277 - Allow cupsd_t to execute ld_so_cache - Add cgroup_seclabel policycap. - Allow xdm_t to read systemd hwdb - Add new interface systemd_hwdb_mmap_config() - Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050) --- container-selinux.tgz | Bin 6904 -> 6903 bytes policy-rawhide-base.patch | 104 +++++++++++++++++++++++------------ policy-rawhide-contrib.patch | 49 +++++++++-------- selinux-policy.spec | 9 ++- 4 files changed, 101 insertions(+), 61 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index cbeb3df143cd5da26e2fb224f92c1963f97e5e55..a7e7037193b3f861a287abab3a3465926ea60e7a 100644 GIT binary patch delta 6285 zcmV;87;@+MHTN}tABzY8$3LW500Zq^>u=;XlFwK7Um?r{7(1BpYw`fb**z?h1MWT? z5bQ2+A1-$twWRJ=tXCwpA7{+|?N?QNh@wb}Qp+>m!x%_Bma2Xvi)67_ES93OXv4Hf z>hpB_)ieEE!q4~Le~Z7be)#TE{S80wzkh#q_0`q;tM9IVF5my~!{rZOU0%JvzPkJ> zxO}b(sXvFN4eKEID!Z%0O%hq@#@_#v{;XcV4t{J7c^=k}fBySE3Cb!d-ZkZ+j*=j( zsw|DdHZ6-F5(6bjiXHqu|M5bwtpLRDr&k*Maq_PZNpxrv1wAc-cCS8&%N+i3POKLS zZ}4Lk)?prh6k(qH=@p}T_2)qeKhujK%(C)6iG#Kb+Bz(n6dPp%y&zQh_bM&gq~3;6 za{8OB&AL7mZJH-*D35U7y!~x;vP+6}o&0e~YoJ}7oV1UX(gMlTzBN2dKmzOb#=(_W z+lDCKoUK+TQCTNZ9i&vt*S?^=P(C>A+!7ljv+Khn^&oNg)NH2Dx;((tbYB?XBvn>h>qIAx( zBPY~flaulRD}PZpD)P(HO%OvhqqeNmq?s^ypGS~UYe+Bj($o(TXcrxTS8s*#Z6uN*#%9?0b5Ab znI&%P7(F3y_S&pEB-SU8d9x4eu;D=`yvc2+> zj597ATz_Kbca39#`gBr#X=bmYvwWpHU1d2W|E!wkC$J81i@fBpO6hgS zBeLA5?LG*B@X&&U+cXNO^_}klmUg5Il{LSr(>p8&DL-L{YRJ46YpjIlyXZ} z2NMb!DiKL(N>Pk=9c5wDSc;-|!?HFBFD{-^9)JG-RZvza|1kU0tF}Januw%Yv700< zc3#Drr-)e3y&b&93F7j`DwE*rYxwUy{P*p$dy!xM{pT05&XUDmrSUWysXi1Ig#%E{ zgv}oT86Ph0;%JikZjmF5h5XzWAJb#gCVA9mQ+;*%yF-z-B>t|W7*xE-@k2n|lLVp!AL=$bC+*K{vz4#IZg})8*6@(w6Ju`Gs z#!!o8gp5DTHPSgl*y^hY8~>FQ?G#bt&#)wi$cbT+*t>-q%a7N*me>pa-JmT077FPv z!FT!u$;zFBRapxy6#Fty^fAB}MZV~YgF?&Fh$L@=SMuFC@Vz>ljT4vA?R=01xDD5X z8sXD9XkhBAIPap9Bn3Qw@h$^(*Qg`Q)BZO&t-H~`O?T%>aknJuzHHiNX+YYqEr?ks zO_|-DqXZU#Wj)n^A+RYQl4Y9DFwv-85Uzy%Ll!oCsK zf~`e(=xLiiY_SqZ=kf)h9qIZhi$eG}q|t$m55fQp{fD4w!6eClX?;oB&u%}n+MvCG zwVoYCX58RfBF8M7=zdLRZKN&xAU|lWwo_l3H-sAJ2jOK8ddG(|tY7EA``a%+b#-W7 z^60A~?-7W!XqUk+U%w1{Ok1us)Rhbr*78Q%!V~xhl#r+oqYHSo+VaTWfqjYa4%P># zRlwUvZWPj4DHIGqYd86L`(dtkX>zt|a{ zGjqn%4Io0^o?w$+gEWFB-4$WRCT#HWlb!}y5u2r*z3cGM?s=f+z~f6VUs#g}2OSnO z>2)Cm@9sD%I$1$D_MFvVY%@8(T$4Ko;sMW-9tbf33zJX?UVrY3)c>SEvPaL`)_`EaB4~{0Bg>QR9T!f5f8DccyLXEAu3Rv;C`Qg9<0@Hl90?};U^|YD(hCp;D1zHPcn3DOnWH8joMbZH3M_~ZLkfqCOOlp#B0Q?dVY+kditUCoCkjI 
z>he$pr`#=d#YKyn_ca)9(H>QLr}Ry5k_pwhCx>)sn5t*5oqua>Td9VGx`=VR!L-rS%zS*cNx43aM!@3zfX62Sb1p!-Y+?0`~JlW#%+vR=44B#vuHqngjvAs zF?hv%WTu6`NwV#SD6GOwnx*Yy@DxP*^1cXeQ!s$G@Grb!*(7Zm2l;JL#sPK>9pKTw zHh*a$ezu6Q)5<|3JG}H}R<4bD^5)Hsj!WUUCkF=6 zvjA*0kbaD5-!bidnV?R82rm4$Cz~nYgMSyTKJ-LuqiO+^Lp(s4!ro2D>tI8+KyzrS zq=;Rdx~^24f-WMOtX|`oDWL$SNg1V3d5;-IjXR>nN3ep*Ntfs|P+wVE+^%o=1;s;h zhv5N7)Jz~kN5pBk)1buLS&*(;$t4sA0BLC0BqntltwDhs&8#!Yf&+IV3&?*e3xADF z7|wMP-Lar9+-8s0Yz_}q&68dVYy!R9@Vi-7+7?Um%A0w(e&1yJwf+&yf|-TGCuagt zUW`}((nlllfE`R`^u!nUZC&QwLQe@#@-hZ9VP#B)Fj74c3OwBAnQoCE3pUKNFdK0+ zmu=htlO-BeH#1v*( z4q)AC0n@DbKC&%zKfrCIn#S;3UU&Vv+q>VJvN(sAuUrjyGP>-BK7fzIXn%^=!C&H- z#T4e@ZPE+)*(cF$a9`H9=Ro#vWtD6XS@wtycaT6{-jO%H2=0?$AHpADut`t=K~rW2 z^xy*5e{urkiAy@d+?Lo5=-js~!sWg^WHB!s|IT4~26GAag9!jQ!*jU%l>Gw28&8JL z-yu98ok++OFgipu69U8SG=Dah_Y3_CHalX*^zFIptS{zG=ZV;pr?)SD-&g51*)?d( zq(4&NBiB%l7P>F~F@pDR19wb3XCdO&`E!;r+2Ed1hR-UZF_Gb{EFU-SLo8S6Th--0 zb(*lYsbKJy?WizbS3q2bu4FdjisiWGx0q!Co4Tq z+{ud16L-2Z$`g39797L%(S*I!-4i!~ri>B(RbJ459m{n#cl3H;PBkJuf#(e~58zqD z%!S*JEASo$9MUulWPjUfK==&fVU{Ot?A}W~!!Odp_{JD1{qaX0ZNQHz`auWAwsesQ z#E8-KxHWDuqTZ~ZZ$aou#-qJim=y(mo5@w`B5Bb*;Y&_8O&^=6%`8+$bQkTj9+#7T zYUO5BX~&1*XqEJ6)GokJg!R2~&J{*A`zT+q^YDVsA%qU5jX8SctWVYKlPvR~^K&d6 zacbB*&l7Cvb_UbTvb12Kg^%|3ZCiO3Ay}d^&#NqXSksss=k1+t`byBq@1!FpiI~~{44tQN{GS_Hf{3O$lnBVXXZSz=Z?4iL+ zX*nMM`#`d64_?hX6y%4|{MNSaLKhN~K1G*1+sG-I-)E%q9>Qq)J>e+zeq9zUIV?{V zV{S{+mNlAi7{fs7`vHUa(&pAePe=E-h!st9pSIE7On=AIBk02iHl}fTZ-M3+ZN+^x zGZhix`-7!LoS>}S{5Ew&@5MHfpO{jf2#kbrbo8oA6@n9d5a)5@*Iw_KTJ#EUqCEI!7_Zqw#IC~P?JfUM<$pX;gfX)f zJmQPhpi1D)!)T4}(>je4`h!I^d*M(lP0`G$!nML{uYzyb^HY;q5jua9DYi1e6^ps+ zrUxZIIf7GzNTjG6=^Trnu{%hc#yUKR^F5MLFKBVAy|-kJ`!sgUL2{Q?pq7hmIpP5M z8j*vG#^pSSZuel8Cakh0)GT><}599?Sm+M96u z?X~qc=Na3_tDXthc0chT^OZo;zdi37Qab5~D+E+_!y|88ZIK(T^#j{@`Vo_pWf4CN zEm`{mOvh~Ffb{gm5L#N4ZMuDQyKK^8pP)vLl@O(o7Rg#J?}i$Y=e=LqtL_j>I;*Wa zNl99@`GbQ*NFINXtdb`};RhHc6!YRxpaB_$)Cu+jH?+WDr`~N8q3;@aXy2~WJ!a;) zq5&hXFWX!J9ZTJ=7P;C<~aAh*t2i=5)q9)y-kbzi|n?3G+>;i9AZZ 
zMMO7b{feYwK3AWTPj#+_%IG9 zp%`f%q$Gd9@k*QBe2Aft>$xqPo{-rg_nF2tNMmVdV(tvndqeOkyPCp|-)^)r`$1JE zKqdDNo#401_oMU{NQbaba}7xt?QGko7m>mGl$j!SCfs6mTw*O}n>;g@#f2MIbi6?w z!FF`=49+kJgtKYgP$&Bkz*<<$YqFz|58@bagef>px^K49&i!Xn5 zb;{eO*F-&aCFzJ;pOsEqO>oA(4>FSFjHl9^k#I}poS0rpn&B2WC4fPuQoB*J!&vPK z@p+Ds`yAun7;(KDz1p!5yz?@~LS?w_WgJ_C`-+AS`uH^s%g0_u)c&zwe<64Ml)FOH z1m|}XK#q0ou7<(!B}rYenUY8exD$WrV~k*aL5GrjJRVJw&Qy4Ef~BgeZgRfIL&K}ndLg@=MR4jZu(Oy zt^Y7gDd8mQdHl)GuN_@U!Vz1e_lzcrzR_>>7-C~sFh4pjN_H@+<&0)tJ01ZmlNa){ z*`7;OP#Om@4|`?Tf231GkC<=-HaOxsT=5*5da_=HXbrcLScCc@yTdGwhOECr5~Hqi z^zn6{4%N#a8aI;u#zifHAr*gW)1@m@)FU^s$=}<+M*o(1ev{l3oi{8oR$?!2_yCqc z%Ay&mE_lP#HhH32HTJ4T_wQhiwd0XoZ9g*15X#p2U1sFd#&v0fPO5!xfVKYjf?EGP zk?n;1knM!qOs3k7&^a%Qwf^}ZO;dGdhS=lM(+*QCPbt(G3_K~^c7A`J*ctg@kIf6a zTt3*P!k>rgOXTTR)tJcFO}V?lRNw*N2llJN_;7p9Zal)-V@hnE=UWMolnK3+GQDypJ zy)i0HJ4m-G`DZv5_dS0OpKuI5di?Ei?Cp2l?JE*KPhG~3Pip2d-YJ=)$FL^otv7Fj z-@4Czt8vw~+kC!qBW9A?_zgjCOjv0_9W|bo=-`shIM2uhArFIgN}+yNg1kgSy4zDO zMC;WUPWfh-Gl6zY^41vJGbuK5{~Meg-Ip)y{lEN?J%7G^wr?BTxxfE+b@}b}cZ2W$ zU4Hrg-zWLGK>P9H*K?B~85@5D{c>?=>WeJh;F^8Ga4ycjIeGWa8%=D?`B!xi)db3Z zEdvb}b%(bUVD=EbL%1c|4wx4URuSGs%Ty52B-MZY&&7X#!%hyC?VWe%^KRP3YRpmj zcZZgSEy}wxJLJi`>7r0R;@3epB;-0Rml{>ifmcRpycAxe0xmO)`r3bE@h(zISZ)$@ z(0pskf6r4{%4g>|deRD|dJ4+r>|aj2u_EzJ1`gY7qVWn_uw@0{%i|-y#?X7P(*jk^L)8 zXk_o4LielBxY=?*5~cuv1fU%x6$o0@2B1%8sX)7VI6{+rZl}zbpD#aOe!l#Cf}j5b0?Ga=0LTCU DZvIOx delta 6285 zcmV;87;@+LHTX4uABzY8saK&{00Zq^>yO+vlF!%aze2DBcqZ^XJdS;UC%cD5vcTPk z1A^TJ_QU0_qn6a&%IFnIJ&!ZIfBRMyAEGFdqSP9D_TT}M@kmual0~vuEEY>qS+rqV zB=tqQ{pN{&uHfhW`|t7hn}2(ErT&JWx9{J+dGpPiw{PBmU0uI>`~KaVZ?4|Fy}o+) zO>p&86;gi=O&iuh@J)7Chnpm_(v7|U7yVhid>Q=E9P&J@AOHBbeG-&aQk*yCp^lOu ztg0-H!Zt07AQA&5NQxc&zWCu%u&n^Z@26K9{BiQi&vt*S?^=P(C>A+!7ljr+Khn^Pcc_PNY8en;((tbYB?XBvn>h>qIAx( zBPY~fl9TZPD}PcqD)P(HO%OvhqqeNmq?s^ypGJ^;oI$mG1bG+MNZJXK$`8JMW1{&0 z?F=|R{BvC;b>0BuHqDYo6wIkK3z7>ofWsU z5&S!R(A|HcS&vI{QzcQlO`(HWN20ls3{)PK8M6U_{72eLPpAiv8z>gdHbdkFq5oG{ zggbp9c^-2tr>Z@fZsYLBXg7f|HesGrOAdPQS@oWG&oTMQe)H%Z&S7}u-!m?ZWqaj0 
z8E0HLxPQdV?;6Jf_4%aw+{|7@XZcEZy2^4${z)~>k6<0(7J2g<$h$%RM5uHHl+x>t zM`XEA+kFrM;h_Zyw`mkm>pR~AEbT}aDrsPzK00%$Ddm=| z4ki>dR3ehnl%g2#I?BSPu@pt`hGlIMUR*q-Jb(QEi=eDf{$ciq7j1p8H4#a*VmC=z z?7WIKPZ6=6dpmfI6U60>RVKl=*YMw4`0x8=_aZ<4=TFaMoh6ICO5))HvTIq+9{&OpJ7Q3krTrtv3CnKmLIQqEwLB;yFpq0EfmsU zg75SRl9f9LtFjhaDE4KZ=wpB{ihR)(2ZffU5lLPLFXX!m;Cpd48z(NK+xZ|3a1E~q zHNvNJ(7@DJan7TYBLzHvah`#?Yt)hDY5yCX*4^mern`%zxLXo+Up8&CG$8HQ7R0QR zrp)dxPy&mS6ml{^>br|Pq z!PX)?^t4SMwpaPiL*Yk8w>;R*Z$N=Vd)(FMF(ZFywxz`jIy2kQgW zD&XxSHwx*j6bgnwwVQmr{V>1`r`{A7PVTgEWFB-4$WRCT#HOlbr@x5v!%0z3cGM?s=f+z~f6VpIMU!2OSm@ z>2)Cm@9sD%I$1$D_MFvVY%@7OUz0iq;sGy{9SAW2Gm}pUUVrI})c>MCvPUo4RRKECX?XXkg)vSMd2yKJpq`o1J~fo& zy5P)JeRJ6Swg$s3+M`PEl)ed0GNC&6PUj5>9%bh9hQXCZhIFZxd+u<0K?(BXQl`toMR|3Ul_JSKjl=^TY zY)Kp-les_-kq`EMr#k--SGex`$lXZ;t0(`Pnr?La8;>^nnBusDA!Z^-=~U-3p$#g? zk4W^$n}1V{$uax$YM=q|k?a}xLqqJbI+5|fbb!qck|jF)X~*9-woyd`ZaAvUqttvp zqM_=}u|D|FRc9?jCmj~09AorL=^d1b^9cFy)QB*I7crWB>@LKUg=@Btr$d$@7?0TK zW63B)CWO3%E+hBK>44E7XjoMT;-zOdEA&GbNqQ+ z(~k4>4bBnjZH!?_<7DV$q*+j+K`=_q&lWLuS~+NBhnL>W%C%8X-n`k-aVh-vMKi&+x0EKpm<2` zFg)Ohnh8Ych&T;*8kBfD3({39xrE{XAPo(h#H3E6H7IbSnRO;vaNtg40r^j5p?{GH z!?{kPI~LT1+wAe0&EcV{dD2UPO`w+>emBcX+hS>6c{2~!@0(1&)<0rdFtc#@8rXz$8VhXb? z2e59nfN55IpV$_X3s(a^8eMinAHb(!G=Ig*;7@VP zVhZ!{Ht7ZY?33s=xG(G53n2TCvP!mxEPF(UJ4hfe@5mcp1oug>58;n6*d!=`peeHh zdT@d3@0x+5Qc_Q}Y>FtZ(_f>jLb`9Dx z>5mln$TgIsh3<=gjNtv-z#S7$S%|oG{*+}*Hn^vh;j@ZpOk_AK%g2rT5X)8iR&}{g zohGbps#!6wIWluV=P;Ww%Up>W=MEMR%*lhp19NG-$+O*s>C?lUcz>ed<2#CFRhF@o z%-3$81iQO~`;_q4%j28wjXzBh%AN10D*&%)uU>XET}i!M9n0BVW2x!pOngtw$x6=? 
zce3L1#GUSp@&ul&1;=oGG+{4w_ry)0DPx3xl@~N%$8w#`9lc(dQ;kSZ;CaK$19;Xj zbK&;m3cQB_hcpcX*?)E#5I)0rnB_?uyZ2Jh@QbuCzA;8hfBcC@8}Orwe$aujEnOr6 zF=8}5ZjD=vs5k59TM&AZ@n~-rW<^2YW^$FfNLqAH_>$92)5j)iGfPzj@jW7Yk%HKo zXrIJ>h2wd*MF?G_^qS(~!>CQ~U_Ql`@;QBs?+!7g)8mD(H-C*wC?Zxb-9`JX$K|A- zTDcij+VNpHS|vRiwF~eQVSTThbA?gOKFSyDJiMTD2%&>%V~!p<>r*xRB+ESL{2WV1 zoErAd^8{PEoxwD-EG<}Q;iJ8M+g6@M2$rbK^D0Xo)-)!^d3&duz7jMt`JM63K1rQ% zlstAa%9cBt>VI6_u?TVty+R&!!I)0sPRI4M1725~%r#mVKgskX<~Mvp+dNhpduZ@d zT8_v6K9DTigIDto1^Hn#zqPHq(1paLPtoPhHgZbl_Zg|YhcKFcPdG}wUzY_-4$D); znA_5{WsN2r#xRije!w8Uw7Ip=)6qRHVnx&3r){)1(|_^w2>S4WjcHuoTcCMHTXA2_ zOhrWa{$OblCnzg7zfB#{d$En=C#IAq0wZA@9lh#Oh2VszR_D#mLfs<<8wpRYfZDeC zPMb)X1{B(u{$FSh@b4J9E?~C^*K{DYjuKn@O{~JM-NF+<2m!;PI<(pnlNaUwJ`UT^ zF^|ah7Jrk@UV)dvklN96j=ccml}V5l@AHc33;EeV%j8N9ZOU!eIN64WtYvKX&rfB9=;acIfSHU;z`D2q<5juZIQ*32`D;9It zO%F=`=m<^?B9WqQq;o8O#_k|(8td>N&i6=0y`aUd_TG{??$g*Y2gzMpfm$xM<%k31 z_e0XOYqII|3#JBo-kx<1vjmJ8w+luPyB#bBVjuqwecsLs`KdfiK+1-r2d&zNWQ+?h z74dqq_KdC3W)CebWO0AlEN(`-X*A$tStU^+!;nh$Nd}YAWqz+#adM~bK`fpqg$M+P zhwU~u7f@2S!(wZhEt2HmL6hCln%mZ;qiXm`1gw>lA}h^_t`Jb!4UfEWwMA~U)(>ps=|@aXmPPz9 zv}ElMFdegv1JctMLuhGHw(0iK?XpRWeS#V}Rzj3US|n?^yc=pnp7(xbuew7l>8!Ty zBqeFp<_``MA$fm5vPzx^g&$y)P|S-%fd*t0QYY9C+|UApoqD%XguZLwp?$kf_n4XI ziUy3lzHD;^bS!ndmVb#)Jvn*e%>k{C5Y5G1YFjkr{Rp4Es-$IO!}BhM;F6XdK5!ml zbsVhYx`G_CGBSx!*r_~rb*Cg(P^Kzlq}(c@&A43g3?+ZkS#Xy^r;;Ca%PvuOsuZ3$ z>Yx!i8mLjSFdwHkSmSW(i4(bm6}E|WqAXxeB3i-6n$sEcR5yny|H>usCd@aXCh{ot z7A28-bq`TalRB}Ci=D(ZR%fdac*Y$P#uom!m7mG#D#D&S+G!+r)W%5fZmD3Q;lntb zgkq$5kdl7@$181i^C5;puIILFdO~K0+-DloAdRJ+iMcaO?+wAH>}m=-e!J1i><3ku z0F~T7bb{Y1-;dH;ARWR!%{3%pw6krSUPK1#Q)Y_TnQ)8Maf!8@ZSu@q78h<<(eVa# zkn<2$P>PTn_c~}PZC7=s4E)>bV6d>$GS9<(XvKf0?{Qh`%hDhT!@xzvEROEj3oRAP zvgS-O?`MUW=yMQlTG-rYERmwAm?-*%^o5S(0w{!-P0~+pRve$CUZ59XmiObW21O8g<4apZ5t}Y0D2|FqbN>~ z`DIc{5^K?Dc8|WH!iID;>}>R;N8DZSbB~b2W)1Q^byfpOVn)O>vZ&N!DJY9 zrA1x(LSYuoNOqvI^&^c!hb5>N<{P6lIZuBQ<|#I2NTQs4$J~W=CHfnD#lkpS2F1wa z!&CW{$Z(F}7~%Bkr0!JFdTwaQk8GawekJm8Y6y^r(W-_UD0>FY1jn`dLHTzr42 
zt5e=Ky(a3ZD@jM(`mA)?YJxNNeUOnXXFQeWjD%Y%=fw0<(hRr2DFF;JmD-J(9mZ-` zh|hD3+~*ko#)#|P=+%ye;GLH-7AnJaFXPxE+*dSw(8sT7SU&bLqV|vd`U|=1r`#2q zCOE&F0CKErcQp)-FG=c(&6Gq+z@2|cA7cdb3p$kKtv1%pO_R ziX?<9RPwN=~&{_Jl1CXnT@%cB5aO&=P#IH2MT+ zNSoZdXTsMdDttv{v(|ldc=eyu)z`6;fm+b)RXlpL~FQ}#2VBO*&SwaG-Ul1k{ETB zqmQrqbf{kb(72KGH!f-s45@!mn=W0Mq8_=4P5#~nHu|^B^PA+R=)7Txu@ZZE!w0Yo zQWnifb-^2^w#gIKsbW-hm1FZGG7u5Ra ziEJn2hioU@W-`@wgwAVdVZpz&arUDNDKd@gF#)sQ;cH+hHOA@CnD@qsQMK$KHO&-M%8>^VDVh_@rhYo%{QLZ?3+-ey4x` z58i+M{@>^LxkUT%@|O#f9vK^d0{wD%XzI%>-Qb#i$#5<&zB@TT_eK*NbN*EwL^Xl3 zU&}y)Mcv^o1(-cV=LolC+X3@(!79SLXqgHknxy*g|GoU5@7T$~vb}STKJTVoti~Lb ze|KnU*rL2EvqPSoPZx#q5x)+)AtBdkxzwn73cNB(ynZ)Yl$=i+7Py!g7_sf2#037rx=g?> zuF^E%<24(YMlsb6?71Jrsy#MR&2Hj8h}2Xr2_5d;RsFgrJXWgf4=^F{rURy8Gil=%KoU^0LTCU D=0R$g diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 9a64a865..5fc67302 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -31132,7 +31132,7 @@ index 6bf0ecc2d..29db5fd25 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b403774f..fc04c66d5 100644 +index 8b403774f..a03fa4661 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -31733,7 +31733,7 @@ index 8b403774f..fc04c66d5 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +650,48 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +650,50 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -31773,20 +31773,23 @@ index 8b403774f..fc04c66d5 100644 -miscfiles_read_localization(xdm_t) +miscfiles_search_man_pages(xdm_t) miscfiles_read_fonts(xdm_t) +- +-sysnet_read_config(xdm_t) +miscfiles_manage_fonts_cache(xdm_t) +miscfiles_manage_localization(xdm_t) +miscfiles_read_hwdata(xdm_t) - --sysnet_read_config(xdm_t) ++ +systemd_write_inhibit_pipes(xdm_t) +systemd_dbus_chat_localed(xdm_t) +systemd_dbus_chat_hostnamed(xdm_t) +systemd_start_power_services(xdm_t) +systemd_status_power_services(xdm_t) ++systemd_hwdb_mmap_config(xdm_t) ++systemd_hwdb_read_config(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +700,167 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +702,167 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -31960,7 +31963,7 @@ index 8b403774f..fc04c66d5 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +873,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +875,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -31992,7 +31995,7 @@ index 8b403774f..fc04c66d5 100644 ') optional_policy(` -@@ -518,8 +908,36 @@ optional_policy(` +@@ -518,8 +910,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -32016,12 +32019,12 @@ index 8b403774f..fc04c66d5 100644 + devicekit_dbus_chat_power(xdm_t) + ') + - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ optional_policy(` + hal_dbus_chat(xdm_t) + ') + -+ optional_policy(` + optional_policy(` +- accountsd_dbus_chat(xdm_t) + gnomeclock_dbus_chat(xdm_t) + ') + @@ -32030,7 +32033,7 @@ index 8b403774f..fc04c66d5 100644 ') ') -@@ -530,6 +948,20 @@ optional_policy(` +@@ -530,6 +950,20 @@ optional_policy(` ') optional_policy(` 
@@ -32051,7 +32054,7 @@ index 8b403774f..fc04c66d5 100644 hostname_exec(xdm_t) ') -@@ -547,28 +979,78 @@ optional_policy(` +@@ -547,28 +981,78 @@ optional_policy(` ') optional_policy(` @@ -32139,7 +32142,7 @@ index 8b403774f..fc04c66d5 100644 ') optional_policy(` -@@ -580,6 +1062,14 @@ optional_policy(` +@@ -580,6 +1064,14 @@ optional_policy(` ') optional_policy(` @@ -32154,7 +32157,7 @@ index 8b403774f..fc04c66d5 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1084,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1086,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -32163,7 +32166,7 @@ index 8b403774f..fc04c66d5 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1094,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1096,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -32176,7 +32179,7 @@ index 8b403774f..fc04c66d5 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1111,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1113,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -32192,7 +32195,7 @@ index 8b403774f..fc04c66d5 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1127,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1129,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -32203,7 +32206,7 @@ index 8b403774f..fc04c66d5 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1142,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1144,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -32245,7 +32248,7 @@ index 8b403774f..fc04c66d5 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1193,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1195,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -32277,7 +32280,7 @@ index 8b403774f..fc04c66d5 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1226,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1228,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -32292,7 +32295,7 @@ index 8b403774f..fc04c66d5 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1247,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1249,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -32316,7 +32319,7 @@ index 8b403774f..fc04c66d5 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1266,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1268,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -32325,7 +32328,7 @@ index 8b403774f..fc04c66d5 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1310,54 @@ optional_policy(` +@@ -785,17 +1312,54 @@ optional_policy(` ') optional_policy(` @@ -32382,7 +32385,7 @@ index 8b403774f..fc04c66d5 100644 ') optional_policy(` -@@ -803,6 +1365,10 @@ optional_policy(` +@@ -803,6 +1367,10 @@ optional_policy(` ') optional_policy(` @@ -32393,7 +32396,7 @@ index 8b403774f..fc04c66d5 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1384,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1386,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -32418,7 +32421,7 @@ index 8b403774f..fc04c66d5 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1407,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1409,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -32453,7 +32456,7 @@ index 8b403774f..fc04c66d5 100644 ') optional_policy(` -@@ -912,7 +1472,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1474,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -32462,7 +32465,7 @@ index 8b403774f..fc04c66d5 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1526,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1528,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -32494,7 +32497,7 @@ index 8b403774f..fc04c66d5 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1572,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1574,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -41166,7 +41169,7 @@ index 4e9488463..e7d5f42a5 100644 +') + diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1a2..483fb780e 100644 +index 59b04c1a2..370f8a825 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) 
@@ -41269,9 +41272,12 @@ index 59b04c1a2..483fb780e 100644 init_dontaudit_use_fds(auditctl_t) -@@ -136,9 +175,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms; +@@ -134,11 +173,12 @@ allow auditd_t self:fifo_file rw_fifo_file_perms; + allow auditd_t self:tcp_socket create_stream_socket_perms; + allow auditd_t auditd_etc_t:dir list_dir_perms; - allow auditd_t auditd_etc_t:file read_file_perms; +-allow auditd_t auditd_etc_t:file read_file_perms; ++allow auditd_t auditd_etc_t:file { read_file_perms map }; +manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t) manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) @@ -47157,10 +47163,10 @@ index 000000000..121b42208 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 000000000..278a1f69b +index 000000000..634d9596a --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1843 @@ +@@ -0,0 +1,1862 @@ +## SELinux policy for systemd components + +###################################### @@ -48944,6 +48950,25 @@ index 000000000..278a1f69b + +######################################## +## ++## Allow process to mmap hwdb config file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`systemd_hwdb_mmap_config',` ++ gen_require(` ++ type systemd_hwdb_etc_t; ++ ') ++ ++ allow $1 systemd_hwdb_etc_t:file map; ++') ++ ++######################################## ++## +## Allow process to manage hwdb config file. +## +## @@ -57067,15 +57092,22 @@ index f4ac38dc7..1589d6065 100644 + ssh_signal(confined_admindomain) +') diff --git a/policy/policy_capabilities b/policy/policy_capabilities -index db3cbca45..710bd7cd2 100644 +index db3cbca45..0728639e8 100644 --- a/policy/policy_capabilities 
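Review bot: The rewritten rule `+allow auditd_t auditd_etc_t:file { read_file_perms map };` in the logging.te hunk carries no comment tying the new `map` permission to the report that motivated it, so the next reader cannot tell why a config file needs to be mmap'd rather than just read. Add `# BZ 1485050: auditd mmaps its configuration, so map is required in addition to read_file_perms` directly above the line. If this tree already defines an mmap-read permission set (upstream refpolicy has one), using it instead of the hand-written `{ read_file_perms map }` would keep this rule consistent with the other map rules added in 3.13.1-276. The auditd_t rule block continues outside the hunk.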
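Review bot: The new `systemd_hwdb_mmap_config` interface grants only `allow $1 systemd_hwdb_etc_t:file map;`, so a caller that uses it alone still cannot open or read the file; the xserver.te hunk has to pair it with `systemd_hwdb_read_config(xdm_t)`, and the interface summary should say so. Change the summary to `## Allow process to mmap the hwdb config file (map only; pair with systemd_hwdb_read_config for open/read access).` Alternatively, have the interface call `systemd_hwdb_read_config($1)` before the map rule so the pairing cannot be forgotten; either way the commit should state which contract is intended.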
+++ b/policy/policy_capabilities -@@ -31,3 +31,14 @@ policycap network_peer_controls; +@@ -31,3 +31,21 @@ policycap network_peer_controls; # blk_file: open # policycap open_perms; + + ++# Enable fine-grained labeling of cgroup and cgroup2 filesystems. ++# Requires Linux v4.11 and later. ++# ++# Added checks: ++# (none) ++#policycap cgroup_seclabel; ++ +# Enable NoNewPrivileges support. Requires libsepol 2.7+ +# and kernel 4.14 (estimated). +# diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b27035ab..0a5c4e16 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -21269,7 +21269,7 @@ index 3023be7f6..5afde8039 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813ccb..8c014f781 100644 +index c91813ccb..e0ba2f7d9 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -21546,7 +21546,7 @@ index c91813ccb..8c014f781 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,22 +289,28 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,22 +289,29 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -21554,6 +21554,7 @@ index c91813ccb..8c014f781 100644 libs_exec_lib_files(cupsd_t) +libs_exec_ldconfig(cupsd_t) +libs_exec_ld_so(cupsd_t) ++libs_use_ld_so(cupsd_t) logging_send_audit_msgs(cupsd_t) logging_send_syslog_msg(cupsd_t) @@ -21580,7 +21581,7 @@ index c91813ccb..8c014f781 100644 optional_policy(` apm_domtrans_client(cupsd_t) -@@ -272,6 +323,8 @@ optional_policy(` +@@ -272,6 +324,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -21589,7 +21590,7 @@ index c91813ccb..8c014f781 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -279,11 +332,17 @@ optional_policy(` +@@ -279,11 +333,17 @@ optional_policy(` ') optional_policy(` 
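Review bot: The changelog entry says "Add cgroup_seclabel policycap." but the line added to policy_capabilities is `+#policycap cgroup_seclabel;`, i.e. the capability is only documented, not enabled, so the built policy's behaviour does not change. If leaving it off is deliberate, say so in the stanza, e.g. `# Not enabled yet: <reason placeholder — kernel floor or cgroup file contexts still under review>`; otherwise drop the leading `#` so the policy matches the changelog. The `# Added checks:` / `# (none)` text also deserves a second look: as I understand it, turning this policycap on changes how cgroup and cgroup2 filesystem objects are labeled, so domains that rely on the current single cgroupfs label may need new rules when it is eventually enabled.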
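Review bot: The added `+libs_use_ld_so(cupsd_t)` in the cups.te hunk sits directly under `libs_exec_ld_so(cupsd_t)`; as I recall upstream refpolicy's `libs_exec_ld_so` already expands to `libs_use_ld_so`, in which case the new call is redundant, and if this tree's version does not, the reason cupsd needs the loader cache deserves a comment because the changelog wording ("execute ld_so_cache") does not match the interface name. Add `# <bug id placeholder>: cupsd_t needs the dynamic loader cache; granted via libs_use_ld_so` above the line, or drop the line if the expansion already covers it. The cupsd_t rule block continues outside the hunk.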
@@ -21607,7 +21608,7 @@ index c91813ccb..8c014f781 100644 ') ') -@@ -296,8 +355,8 @@ optional_policy(` +@@ -296,8 +356,8 @@ optional_policy(` ') optional_policy(` @@ -21617,7 +21618,7 @@ index c91813ccb..8c014f781 100644 ') optional_policy(` -@@ -306,7 +365,6 @@ optional_policy(` +@@ -306,7 +366,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -21625,7 +21626,7 @@ index c91813ccb..8c014f781 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -316,6 +374,10 @@ optional_policy(` +@@ -316,6 +375,10 @@ optional_policy(` ') optional_policy(` @@ -21636,7 +21637,7 @@ index c91813ccb..8c014f781 100644 samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) samba_stream_connect_nmbd(cupsd_t) -@@ -326,7 +388,7 @@ optional_policy(` +@@ -326,7 +389,7 @@ optional_policy(` ') optional_policy(` @@ -21645,7 +21646,7 @@ index c91813ccb..8c014f781 100644 ') optional_policy(` -@@ -334,7 +396,11 @@ optional_policy(` +@@ -334,7 +397,11 @@ optional_policy(` ') optional_policy(` @@ -21658,7 +21659,7 @@ index c91813ccb..8c014f781 100644 ') ######################################## -@@ -342,12 +408,11 @@ optional_policy(` +@@ -342,12 +409,11 @@ optional_policy(` # Configuration daemon local policy # @@ -21674,7 +21675,7 @@ index c91813ccb..8c014f781 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -367,23 +432,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +@@ -367,23 +433,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; 
@@ -21702,7 +21703,7 @@ index c91813ccb..8c014f781 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +457,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +458,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -21723,7 +21724,7 @@ index c91813ccb..8c014f781 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +474,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +475,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -21735,7 +21736,7 @@ index c91813ccb..8c014f781 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +501,12 @@ optional_policy(` +@@ -449,9 +502,12 @@ optional_policy(` ') optional_policy(` @@ -21749,7 +21750,7 @@ index c91813ccb..8c014f781 100644 ') optional_policy(` -@@ -467,6 +522,10 @@ optional_policy(` +@@ -467,6 +523,10 @@ optional_policy(` ') optional_policy(` @@ -21760,7 +21761,7 @@ index c91813ccb..8c014f781 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +546,6 @@ optional_policy(` +@@ -487,10 +547,6 @@ optional_policy(` # Lpd local policy # @@ -21771,7 +21772,7 @@ index c91813ccb..8c014f781 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +563,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +564,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) 
@@ -21789,7 +21790,7 @@ index c91813ccb..8c014f781 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +592,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +593,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -21799,7 +21800,7 @@ index c91813ccb..8c014f781 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -549,9 +601,9 @@ optional_policy(` +@@ -549,9 +602,9 @@ optional_policy(` # Pdf local policy # @@ -21811,7 +21812,7 @@ index c91813ccb..8c014f781 100644 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +618,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +619,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -21963,7 +21964,7 @@ index c91813ccb..8c014f781 100644 ######################################## # -@@ -735,7 +662,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +663,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -21971,7 +21972,7 @@ index c91813ccb..8c014f781 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +671,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +672,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -21985,7 +21986,7 @@ index c91813ccb..8c014f781 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +683,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +684,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) 
@@ -21994,7 +21995,7 @@ index c91813ccb..8c014f781 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +695,4 @@ optional_policy(` +@@ -773,3 +696,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 56debaba..dfdb9a19 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 276%{?dist} +Release: 277%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,13 @@ exit 0 %endif %changelog +* Mon Aug 28 2017 Lukas Vrabec - 3.13.1-277 +- Allow cupsd_t to execute ld_so_cache +- Add cgroup_seclabel policycap. +- Allow xdm_t to read systemd hwdb +- Add new interface systemd_hwdb_mmap_config() +- Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050) + * Sat Aug 26 2017 Lukas Vrabec - 3.13.1-276 - Allow couple map rules