* Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298

- Drop *.lst files from file list - Ship file_contexts.homedirs in store - Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522) - Allow haproxy daemon to reexec itself. BZ(1447800) - Allow conmand to use usb ttys. - Allow systemd_machined to read mock lib files. BZ(1504493) - Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
2017-10-22 15:56:04 +02:00 · 2017-10-22 15:56:04 +02:00 · 1014cb1eee
parent b442d09884
commit 1014cb1eee
4 changed files with 33 additions and 11 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -50166,10 +50166,10 @@ index 000000000..5871e072d
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 000000000..e944cee17
+index 000000000..9b84c582d
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1029 @@
+@@ -0,0 +1,1037 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -50537,6 +50537,10 @@ index 000000000..e944cee17
 +')
 +
 +optional_policy(`
+    mock_read_lib_files(systemd_machined_t)
+')
+
+optional_policy(`
 +	virt_dbus_chat(systemd_machined_t)
 +	virt_sandbox_read_state(systemd_machined_t)
 +	virt_signal_sandbox(systemd_machined_t)
@ -51115,6 +51119,10 @@ index 000000000..e944cee17
 +	dbus_connect_system_bus(systemd_resolved_t)
 +')
 +
+optional_policy(`
+    networkmanager_dbus_chat(systemd_resolved_t)
+')
+
 +########################################
 +#
 +# Common rules for systemd domains
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -17134,10 +17134,10 @@ index 000000000..1cc5fa464
 +')
 diff --git a/conman.te b/conman.te
 new file mode 100644
-index 000000000..2357f3ba8
+index 000000000..25cbb9aff
 --- /dev/null
 +++ b/conman.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,99 @@
 +policy_module(conman, 1.0.0)
 +
 +########################################
@ -17215,6 +17215,8 @@ index 000000000..2357f3ba8
 +
 +userdom_use_user_ptys(conman_t)
 +
+term_use_usb_ttys(conman_t)
+
 +tunable_policy(`conman_can_network',`
 +	corenet_sendrecv_all_client_packets(conman_t)
 +	corenet_tcp_connect_all_ports(conman_t)
@ -71621,10 +71623,10 @@ index 000000000..02df03ad6
 +')
 diff --git a/pdns.te b/pdns.te
 new file mode 100644
-index 000000000..509d89837
+index 000000000..63ddc577c
 --- /dev/null
 +++ b/pdns.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,83 @@
 +policy_module(pdns, 1.0.2)
 +
 +########################################
@ -71642,6 +71644,7 @@ index 000000000..509d89837
 +type pdns_t;
 +type pdns_exec_t;
 +init_daemon_domain(pdns_t, pdns_exec_t)
+init_nnp_daemon_domain(pdns_t)
 +
 +type pdns_unit_file_t;
 +systemd_unit_file(pdns_unit_file_t)
@ -90156,7 +90159,7 @@ index c8bdea28d..beb2872e3 100644
 +	allow $1 haproxy_unit_file_t:service {status start};
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c449..14be26dce 100644
+index 6cf79c449..7b0fd415b 100644
 --- a/rhcs.te
 +++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@ -90682,7 +90685,7 @@ index 6cf79c449..14be26dce 100644
 optional_policy(`
 	lvm_exec(gfs_controld_t)
 	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +607,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +607,59 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
 
 dev_list_sysfs(groupd_t)
 
@ -90714,6 +90717,8 @@ index 6cf79c449..14be26dce 100644
 +manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
 +files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
 +
+can_exec(haproxy_t, haproxy_exec_t)
+
 +corenet_sendrecv_unlabeled_packets(haproxy_t)
 +
 +corenet_tcp_connect_commplex_link_port(haproxy_t)
@ -90742,7 +90747,7 @@ index 6cf79c449..14be26dce 100644
 ######################################
 #
 # qdiskd local policy
-@@ -292,7 +671,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +673,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
 manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
 files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
 
@ -90750,7 +90755,7 @@ index 6cf79c449..14be26dce 100644
 kernel_read_software_raid_state(qdiskd_t)
 kernel_getattr_core_if(qdiskd_t)
 
-@@ -321,6 +699,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +701,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
 
 auth_use_nsswitch(qdiskd_t)
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 297%{?dist}
+Release: 298%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -718,6 +718,15 @@ exit 0
 %endif

 %changelog
+* Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298
+- Drop *.lst files from file list
+- Ship file_contexts.homedirs in store
+- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)
+- Allow haproxy daemon to reexec itself. BZ(1447800)
+- Allow conmand to use usb ttys.
+- Allow systemd_machined to read mock lib files. BZ(1504493)
+- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
+
 * Fri Oct 20 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-297
 - Fix typo in virt file contexts file
 - allow ipa_dnskey_t to read /proc/net/unix file