* Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298

- Drop *.lst files from file list
- Ship file_contexts.homedirs in store
- Allow proper transition to the pdns_t domain when the system starts pdns. BZ(1305522)
- Allow haproxy daemon to reexec itself. BZ(1447800)
- Allow conmand to use usb ttys.
- Allow systemd_machined to read mock lib files. BZ(1504493)
- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
Lukas Vrabec 2017-10-22 15:56:04 +02:00
parent b442d09884
commit 1014cb1eee
4 changed files with 33 additions and 11 deletions



@ -50166,10 +50166,10 @@ index 000000000..5871e072d
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 000000000..e944cee17
index 000000000..9b84c582d
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,1029 @@
@@ -0,0 +1,1037 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -50537,6 +50537,10 @@ index 000000000..e944cee17
+')
+
+optional_policy(`
+ mock_read_lib_files(systemd_machined_t)
+')
+
+optional_policy(`
+ virt_dbus_chat(systemd_machined_t)
+ virt_sandbox_read_state(systemd_machined_t)
+ virt_signal_sandbox(systemd_machined_t)
@ -51115,6 +51119,10 @@ index 000000000..e944cee17
+ dbus_connect_system_bus(systemd_resolved_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(systemd_resolved_t)
+')
+
+########################################
+#
+# Common rules for systemd domains
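Review bot: The new `mock_read_lib_files(systemd_machined_t)` block carries no comment saying why a machine/container registrar needs read access to mock's library tree; the only trace is BZ(1504493) in the commit message, which does not travel with the policy source. Presumably machined is inspecting mock's container-based build chroots — worth confirming against the bug — and a one-line comment above the block, `# machined inspects mock build chroots (BZ 1504493)`, would keep that reasoning next to the rule. The `networkmanager_dbus_chat(systemd_resolved_t)` block later in this section (BZ 1505081) has the same gap, and it is worth noting in its comment that `*_dbus_chat` interfaces allow send_msg in both directions, so NetworkManager gains the ability to message resolved as well. Both additions sit inside the larger systemd_machined_t and systemd_resolved_t policy blocks, which start and end outside these hunks.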


@ -17134,10 +17134,10 @@ index 000000000..1cc5fa464
+')
diff --git a/conman.te b/conman.te
new file mode 100644
index 000000000..2357f3ba8
index 000000000..25cbb9aff
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,97 @@
@@ -0,0 +1,99 @@
+policy_module(conman, 1.0.0)
+
+########################################
@ -17215,6 +17215,8 @@ index 000000000..2357f3ba8
+
+userdom_use_user_ptys(conman_t)
+
+term_use_usb_ttys(conman_t)
+
+tunable_policy(`conman_can_network',`
+ corenet_sendrecv_all_client_packets(conman_t)
+ corenet_tcp_connect_all_ports(conman_t)
@ -71621,10 +71623,10 @@ index 000000000..02df03ad6
+')
diff --git a/pdns.te b/pdns.te
new file mode 100644
index 000000000..509d89837
index 000000000..63ddc577c
--- /dev/null
+++ b/pdns.te
@@ -0,0 +1,82 @@
@@ -0,0 +1,83 @@
+policy_module(pdns, 1.0.2)
+
+########################################
@ -71642,6 +71644,7 @@ index 000000000..509d89837
+type pdns_t;
+type pdns_exec_t;
+init_daemon_domain(pdns_t, pdns_exec_t)
+init_nnp_daemon_domain(pdns_t)
+
+type pdns_unit_file_t;
+systemd_unit_file(pdns_unit_file_t)
@ -90156,7 +90159,7 @@ index c8bdea28d..beb2872e3 100644
+ allow $1 haproxy_unit_file_t:service {status start};
')
diff --git a/rhcs.te b/rhcs.te
index 6cf79c449..14be26dce 100644
index 6cf79c449..7b0fd415b 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@ -90682,7 +90685,7 @@ index 6cf79c449..14be26dce 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
@@ -275,10 +607,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
@@ -275,10 +607,59 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@ -90714,6 +90717,8 @@ index 6cf79c449..14be26dce 100644
+manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
+
+can_exec(haproxy_t, haproxy_exec_t)
+
+corenet_sendrecv_unlabeled_packets(haproxy_t)
+
+corenet_tcp_connect_commplex_link_port(haproxy_t)
@ -90742,7 +90747,7 @@ index 6cf79c449..14be26dce 100644
######################################
#
# qdiskd local policy
@@ -292,7 +671,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
@@ -292,7 +673,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
@ -90750,7 +90755,7 @@ index 6cf79c449..14be26dce 100644
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
@@ -321,6 +699,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
@@ -321,6 +701,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
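Review bot: `can_exec(haproxy_t, haproxy_exec_t)` in the rhcs.te hunk lets haproxy_t execute its own binary without a domain transition, so a re-exec stays in haproxy_t; that matches the stated purpose (BZ 1447800) but nothing in the file records it, and the haproxy policy block it lands in starts and ends outside the hunk. Suggest `# haproxy re-execs itself; keep it in haproxy_t (BZ 1447800)` directly above the line. The other two additions in this section have the same documentation gap: `init_nnp_daemon_domain(pdns_t)` (BZ 1305522) and `term_use_usb_ttys(conman_t)`, the latter with no bug reference at all, so a comment naming the device or use case that needs USB tty access would let a later reviewer judge whether the grant is still required.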


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 297%{?dist}
Release: 298%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -718,6 +718,15 @@ exit 0
%endif
%changelog
* Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298
- Drop *.lst files from file list
- Ship file_contexts.homedirs in store
- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)
- Allow haproxy daemon to reexec itself. BZ(1447800)
- Allow conmand to use usb ttys.
- Allow systemd_machined to read mock lib files. BZ(1504493)
- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
* Fri Oct 20 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-297
- Fix typo in virt file contexts file
- allow ipa_dnskey_t to read /proc/net/unix file