diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 20293f5d..b9dfcddd 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -18132,7 +18132,7 @@ index 3023be7..20e370b 100644 + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ') diff --git a/cups.te b/cups.te -index c91813c..3598e62 100644 +index c91813c..2230476 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.16.2) @@ -18265,7 +18265,7 @@ index c91813c..3598e62 100644 # -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; ++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; allow cupsd_t self:capability2 block_suspend; -allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; @@ -26403,7 +26403,7 @@ index 5010f04..3b73741 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index 92a6479..064f58e 100644 +index 92a6479..e37a473 100644 --- a/fprintd.te +++ b/fprintd.te @@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t) @@ -26433,7 +26433,7 @@ index 92a6479..064f58e 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +55,13 @@ optional_policy(` +@@ -54,8 +55,17 @@ optional_policy(` ') ') @@ -26446,6 +26446,10 @@ index 92a6479..064f58e 100644 +') + +optional_policy(` ++ udev_read_db(fprintd_t) ++') ++ ++optional_policy(` + xserver_read_state_xdm(fprintd_t) ') diff --git a/freeipmi.fc b/freeipmi.fc 
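Review bot: In the new `allow cupsd_t self:capability` set (cups.te section of the contrib patch), `dac_override` is still listed twice. `sys_tty_config` is granted there while the following `dontaudit cupsd_t self:capability { sys_tty_config net_admin };` also names it, and a dontaudit has no effect on a permission that is already allowed. Since the line is being edited to drop `sys_rawio`, both could be tidied at the same time: `allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown sys_resource sys_tty_config };` and `dontaudit cupsd_t self:capability net_admin;`. The %changelog entry added in selinux-policy.spec mentions only docker, so the capability removal is not recorded for anyone auditing cupsd_t's privileges later.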
@@ -51881,7 +51885,7 @@ index ba64485..429bd79 100644 + +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) diff --git a/nscd.if b/nscd.if -index 8f2ab09..6ab4ea1 100644 +index 8f2ab09..bc2c7fe 100644 --- a/nscd.if +++ b/nscd.if @@ -1,8 +1,8 @@ @@ -52037,7 +52041,7 @@ index 8f2ab09..6ab4ea1 100644 +interface(`nscd_shm_use',` + gen_require(` + type nscd_t, nscd_var_run_t; -+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; ++ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; ') + + allow $1 nscd_var_run_t:dir list_dir_perms; @@ -58881,7 +58885,7 @@ index 0000000..9b8cb6b +/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0) diff --git a/pcp.if b/pcp.if new file mode 100644 -index 0000000..ba24b40 +index 0000000..d9296b1 --- /dev/null +++ b/pcp.if @@ -0,0 +1,139 @@ @@ -58926,7 +58930,7 @@ index 0000000..ba24b40 + gen_require(` + type pcp_var_lib_t; + ') -+ libs_search_lib($1) ++ files_search_var_lib($1) + read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t) +') + @@ -105702,7 +105706,7 @@ index 0000000..ceaa219 +/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0) diff --git a/zoneminder.if b/zoneminder.if new file mode 100644 -index 0000000..e0604c7 +index 0000000..fb0519e --- /dev/null +++ b/zoneminder.if @@ -0,0 +1,374 @@ @@ -105915,7 +105919,7 @@ index 0000000..e0604c7 +# +interface(`zoneminder_manage_lib_sock_files',` + gen_require(` -+ type zoneminder_sock_var_lib_t; ++ type zoneminder_var_lib_t; + ') + files_search_var_lib($1) + manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index f0ce0e68..773dccba 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
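Review bot: The widened `class nscd { getserv ... shmemserv }` list in the gen_require of `nscd_shm_use` only declares the permissions and does not grant them. The rule that would grant them, presumably an `allow $1 nscd_t:nscd { ... };` further down, lies outside this hunk, as does the rest of the interface body. If that rule was not extended to the same set, the change is a no-op for callers. If it was, confirm the two lists match exactly, e.g. `allow $1 nscd_t:nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };`.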
@@ -580,6 +580,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Feb 28 2014 Miroslav Grepl 3.13.1-29 +- Make docker as permissive domain + * Thu Feb 27 2014 Miroslav Grepl 3.13.1-28 - Allow bumblebeed to send signal to insmod - Dontaudit attempts by crond_t net_admin caused by journald