* Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298
- Drop *.lst files from file list - Ship file_contexts.homedirs in store - Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522) - Allow haproxy daemon to reexec itself. BZ(1447800) - Allow conmand to use usb ttys. - Allow systemd_machined to read mock lib files. BZ(1504493) - Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
parent
b442d09884
commit
1014cb1eee
Binary file not shown.
@ -50166,10 +50166,10 @@ index 000000000..5871e072d
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 000000000..e944cee17
|
||||
index 000000000..9b84c582d
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,1029 @@
|
||||
@@ -0,0 +1,1037 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -50537,6 +50537,10 @@ index 000000000..e944cee17
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mock_read_lib_files(systemd_machined_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ virt_dbus_chat(systemd_machined_t)
|
||||
+ virt_sandbox_read_state(systemd_machined_t)
|
||||
+ virt_signal_sandbox(systemd_machined_t)
|
||||
@ -51115,6 +51119,10 @@ index 000000000..e944cee17
|
||||
+ dbus_connect_system_bus(systemd_resolved_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ networkmanager_dbus_chat(systemd_resolved_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Common rules for systemd domains
|
||||
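Review bot: The two new optional_policy blocks in systemd.te, `mock_read_lib_files(systemd_machined_t)` and `networkmanager_dbus_chat(systemd_resolved_t)`, carry no comment, so the reason for each grant is recorded only in the spec changelog. A one-line comment above each call would let someone auditing the policy trace the rule to its bug, for example `# Allow systemd_machined to read mock lib files, BZ(1504493)` and `# Allow systemd_resolved_t to dbus chat with NetworkManager_t, BZ(1505081)`. Only fragments of systemd.te are visible in these hunks, so any existing comment convention in the rest of the file should take precedence.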
|
@ -17134,10 +17134,10 @@ index 000000000..1cc5fa464
|
||||
+')
|
||||
diff --git a/conman.te b/conman.te
|
||||
new file mode 100644
|
||||
index 000000000..2357f3ba8
|
||||
index 000000000..25cbb9aff
|
||||
--- /dev/null
|
||||
+++ b/conman.te
|
||||
@@ -0,0 +1,97 @@
|
||||
@@ -0,0 +1,99 @@
|
||||
+policy_module(conman, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -17215,6 +17215,8 @@ index 000000000..2357f3ba8
|
||||
+
|
||||
+userdom_use_user_ptys(conman_t)
|
||||
+
|
||||
+term_use_usb_ttys(conman_t)
|
||||
+
|
||||
+tunable_policy(`conman_can_network',`
|
||||
+ corenet_sendrecv_all_client_packets(conman_t)
|
||||
+ corenet_tcp_connect_all_ports(conman_t)
|
||||
@ -71621,10 +71623,10 @@ index 000000000..02df03ad6
|
||||
+')
|
||||
diff --git a/pdns.te b/pdns.te
|
||||
new file mode 100644
|
||||
index 000000000..509d89837
|
||||
index 000000000..63ddc577c
|
||||
--- /dev/null
|
||||
+++ b/pdns.te
|
||||
@@ -0,0 +1,82 @@
|
||||
@@ -0,0 +1,83 @@
|
||||
+policy_module(pdns, 1.0.2)
|
||||
+
|
||||
+########################################
|
||||
@ -71642,6 +71644,7 @@ index 000000000..509d89837
|
||||
+type pdns_t;
|
||||
+type pdns_exec_t;
|
||||
+init_daemon_domain(pdns_t, pdns_exec_t)
|
||||
+init_nnp_daemon_domain(pdns_t)
|
||||
+
|
||||
+type pdns_unit_file_t;
|
||||
+systemd_unit_file(pdns_unit_file_t)
|
||||
@ -90156,7 +90159,7 @@ index c8bdea28d..beb2872e3 100644
|
||||
+ allow $1 haproxy_unit_file_t:service {status start};
|
||||
')
|
||||
diff --git a/rhcs.te b/rhcs.te
|
||||
index 6cf79c449..14be26dce 100644
|
||||
index 6cf79c449..7b0fd415b 100644
|
||||
--- a/rhcs.te
|
||||
+++ b/rhcs.te
|
||||
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
|
||||
@ -90682,7 +90685,7 @@ index 6cf79c449..14be26dce 100644
|
||||
optional_policy(`
|
||||
lvm_exec(gfs_controld_t)
|
||||
dev_rw_lvm_control(gfs_controld_t)
|
||||
@@ -275,10 +607,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
||||
@@ -275,10 +607,59 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
||||
|
||||
dev_list_sysfs(groupd_t)
|
||||
|
||||
@ -90714,6 +90717,8 @@ index 6cf79c449..14be26dce 100644
|
||||
+manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
|
||||
+files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
|
||||
+
|
||||
+can_exec(haproxy_t, haproxy_exec_t)
|
||||
+
|
||||
+corenet_sendrecv_unlabeled_packets(haproxy_t)
|
||||
+
|
||||
+corenet_tcp_connect_commplex_link_port(haproxy_t)
|
||||
@ -90742,7 +90747,7 @@ index 6cf79c449..14be26dce 100644
|
||||
######################################
|
||||
#
|
||||
# qdiskd local policy
|
||||
@@ -292,7 +671,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
|
||||
@@ -292,7 +673,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
|
||||
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
|
||||
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
|
||||
|
||||
@ -90750,7 +90755,7 @@ index 6cf79c449..14be26dce 100644
|
||||
kernel_read_software_raid_state(qdiskd_t)
|
||||
kernel_getattr_core_if(qdiskd_t)
|
||||
|
||||
@@ -321,6 +699,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||
@@ -321,6 +701,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
||||
|
||||
auth_use_nsswitch(qdiskd_t)
|
||||
|
||||
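Review bot: `term_use_usb_ttys(conman_t)` in the conman.te hunk is granted unconditionally, while the network access directly below it is gated by the `conman_can_network` tunable, and its changelog entry carries no bug reference. If USB serial consoles are not needed on every conmand installation, placing the call inside a tunable_policy block with its own boolean would keep the default conman_t domain narrower. At minimum, a comment such as `# conmand may manage consoles attached through USB serial adapters` (to be confirmed against the original report) would record why the access exists. The hunk shows only part of conman.te, so where the tunables are declared is not visible here.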
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 297%{?dist}
|
||||
Release: 298%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -718,6 +718,15 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298
|
||||
- Drop *.lst files from file list
|
||||
- Ship file_contexts.homedirs in store
|
||||
- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)
|
||||
- Allow haproxy daemon to reexec itself. BZ(1447800)
|
||||
- Allow conmand to use usb ttys.
|
||||
- Allow systemd_machined to read mock lib files. BZ(1504493)
|
||||
- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
|
||||
|
||||
* Fri Oct 20 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-297
|
||||
- Fix typo in virt file contexts file
|
||||
- allow ipa_dnskey_t to read /proc/net/unix file
|
||||
|