From 2b83a4bd1d07ac648f4ee3ea4b3ab4d65e943334 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 10 Oct 2017 12:31:41 +0200 Subject: [PATCH] * Tue Oct 10 2017 Lukas Vrabec - 3.13.1-295 - Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088) - Allow fail2ban_t domain to mmap journals. BZ(1500089) - Add dac_override to abrt_t domain BZ(1499860) - Allow pppd domain to mmap own pid files BZ(1498587) - Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451) - Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules - Allow systemd to read sysfs sym links. BZ(1499327) - Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863) - Make systemd_networkd_var_run as mountpoint BZ(1499862) - Allow noatsecure for java-based unconfined services. BZ(1358476) - Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015) --- container-selinux.tgz | Bin 7098 -> 7098 bytes policy-rawhide-base.patch | 235 +++++++++++++++++++---------------- policy-rawhide-contrib.patch | 104 +++++++++------- selinux-policy.spec | 15 ++- 4 files changed, 202 insertions(+), 152 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index cbce65e4349acd38efc0bcda371d236ffe012178..a0acbbe62bb51cfabac74fb0aa8fb9eb89cdb6e6 100644 GIT binary patch delta 5845 zcmV;`7AonwH@Y`}ABzY8458dv00Zq^>u=;XlFwK7Um?r{7(1A;$4)jmjI(=KBn#Yq zI3U9JJxBUyYEi^Wn@7Hyao zNqw1azj~(h9@6*Ue}})&g@B1VutE70>l!rP>g0QNx zGz#0aEP_aMlprZ~@O$~=m0()|h+pdE27jFWMSbjB+BD;lZ17&UvJXl{OjwB)tM;Jx(Zu=C^tT}XJ>lTUaT;K1)Gv1D^0r7 z-mq5lZ`!j-O?zf*S}lXR%n}3qU*WL?52Gk)nlV&Fio)t@wEMvCq@L5YzIY|to3%b> z4DDX08*GBFZ_F47@f>3ng!EzuDt7oOqL$;)IohJIAWG*bJ90q%H3?&qZ&jDr`2tv} zK>X!@b~wZq8bKbN+#+l!>Y9o-t5;VrYq2_x%wETe^l#LRiu|&46U0!=s4eR>X(n{u z=Mg0DXHYC3LEeWol6Hcm{DZHrO*9{%o&m>)f3B;f&KqFdrdiU6j5#%R@`YD}mnLc& zqn}gImN`T6Eiqm6#Z687#RW~11J;m=GfUim);@Yh;Ow<|>X2BULFUaqtdo}{bt;g* z+!?ut)U&i{v2WXi&VdY%e41>WJ1g#HBltJ?pt=7{qaK&!rb?o8n?eJzhD3EG8BBSU zXUsYT@*k-$J>xuhTt~6YY%@e|5c+?FMYz)!l9w^Yaw^)h&21e1nAuHWj18D)oh1i< zE%>5Z&%5QA{A9a%v<~MmJo0ZD7sj%!@{*J@E*xB9<~NOFf%<$>eQ9d1GH3Zpclwm& zko>dGG(UlMfLr9vKS16M+9yJ#DIk|#b37r-L)z|x5C{(~NVrX-fNI~_9$;xlx=>m3 zt2({Me30@pHmHWoOR>gM81T`UOI0aq3 zTXrw<%fJ8pLe^Q**sC<2rX$sd!ZP6iR5M}oM?l7hi<>x_q`qI|2xB2Tx5dVP^whLT z9<|w2Tb=&yP^2x1ziTLl9rI0v$cVL8isW^YmAEklNu|)A=uNd0bjuQpMv`{nkZ=)heaGb)TwDRnI}1{Twi`rKY)z# zS=L@dOGp}Mhdf}|LiQ7+sS7iI2sCN-hh^11OsuvlHQ9iQBe46kgp*85bc?wi!z2%EF)x0%rw#&L)hx82pj*E6zvpIV;bh< z5IHeS5_`8$WB&1)ml9jSzZsO}-$EhnCHPJsAX&L{uqtbzg<@akiQWf)_@c-cU2#xo zSsIb#ZSYFIy9B;h7qfBVGP;`&(g62*P$GOf2Mttx73W=)rO>?dkyzapD9J3@FpM&q zCt0lo4ab1)w*!5dx}gn)x~M?N9;06NqWimwz?EG~5oY2H1Th)G(3~?d-eoY|HEPfD z)c*}e>#p~2)7@oK+%JiLx-XlySsIY`YYSr5NmFL`mneZnU|CBwpa^Wr$7Gr6GfY%! 
z7lbQe|B!`G%Ol<_2pP6zo{BjD6qg!S?R6OEX~EVaJoK~;AGTNtq)Yh%(2g|yltm%z z8&c`O$_HTpivDBJw4jpYw7w+m7uTOzX;9z5QqT4xGj4D#o@17OO?1B`vo_L}eUKlt zR@$kr%o{?D^MkOm2fgFN8QQP2kr{>NtQ0bawVQ0beK*(pv@VN$ z(x&Bknv2SLthL5}YIqkd>Nf8TcP*f&n_ujV&zU;oX$BB3Zy#ZkUV}7(CfyZb#s+Ng z>2{hy1~Q}7$xJ8;=04eQAt=We)-f^0&n=P~KT6pHfHekk3vFKV@4VP~^$kYCac-rb zj9ce~oeigjfssuZ{MS{PrO^}haA6eWR=^NOKr5ULE|m9wBSynFOB;LF;i27gN6&%9 zmtMXwhgd4_6t{I^=*<>Nm5+2sSC9sekMq$nH`KAN%Fi^f3n_Rv$5GzN3c|7HtOjM9 z$@%5#JXHJXYWHvyRM`QhSZ`&>O9|F7ecw$VFoxFD530z(xG4`s+|Yo*)6`|=GIk&= z;g4|Z?}|8o>kLAz;gAZJujAEDSOvr4$pFvS3?>UuIblJopQ;k7%QV%rS@vGc!dF+i z;?BKR;Zpq=9XrJ9a$>Ea6pI<%`aawpn0PGR*oT}(_gJMk+G_`r(SK4aiyxBFov=gF zUrQu6l=Sj3BH>#{k%q1iiq<%=lIp$;7P0qz0W_h1%a@K)^-r*EN~@VyJ!n%{#bZ~l z!?nX^&vBucx8AP3`SG_g>{p2(H^pS}rPpYzyU$%BG8>HC9wM4W{K*2bo>g>AXITOzO{H|lxKHqQ0G(E zN|>yF`-+Do5qSX7ITBsSM`#(w=`W{U-MS6yUD67gJZsi4Z|t}+T6-Ba*!R&e1DVC* zF)mTuNn~B~Ho;d%uGN~4K*)LysIYV-98~FNb@FozjE6Or#i8)@hJ|KhlUrjv`cI2} zf|c#5o?OgVT zx53Tj&A(i}zgTG#4RiBl*0rE6%eK6mI{mI*2R|o(Q&V6G&^cB#1I9@caTlwKJ69#> zq6EbW9`*^WgSF~T6w>xcoD+~WKg)u@|MW{xm31q9uqr;iGIXp=dnm$hwa*b z+h7}JO>&_XiI<4&>i99TdeQ^A=iKpsSC@w>IOk@`3qHAfl!7be44^BAZ6^!WO+!>P zNUMZd-?{PXQ;W?Qd1S_6lEd=Mmaua}POb~?e5r2^n}4i9agX-6q<4$H2~INMa_-3? 
z4O*t+*-PirZC2`vsVXsCZ!{?zoLU!uH8aBWMa-TJT17P)59z(y#c7tkQ0k=^sQP|F z=e@VXJ|>Sd`bAXS-1uD?6qorF#OR{dhZAmV!hwL)MS6&Qu=hXL`G>gT=%$a{oiwp> z^1rF-#$zAj(N-T*9CtCqOgO2X>s%(ZK>_&@neKUYt}!`Ae_jn{0DL4{2L8~05PPgn zWIQk*U^7Poi4K3-@wbhwS5b!>_9}BPHJ^`ZsJd~q4?Z;2TJz9Jhgm7dSp8gj2c_aX zNwwU^ECCR@H%c>DlcH z&moGWrN7U07Fjr@K9@ zykvms=bW+K(_$IpHdf7ZvL@7NG%$aJS-|u$c*VAFriH&rvh9Z`tiny2rR`JjF^Kl% zLlNAipa5;*UwFf|N!m0H^1Gsp18f>Pz@>j}(n8+9pa*pbI!)4U0TLH~yfr%CQTVS< zw_~LMEk-zOeB>_Q{BM3zUnd!8%^B!N<6y#e@=qvCbf}?Awc|W}MRbIE8>740I2rDe zX>^pRD2!4o8|%S#+M8LqPVC8>H#<5;hhI+)yj&q#sk>k?#E>3+8RjYy)CmO_F{g_Qo0SuEe zN}=!`BZ?|_M2(MNg{dfAqRn7h%hKX*4Zk3S7T2};g%V(Q{1)sXxkn$A1rVWC<22l9 zP~z<@NLQ)kI*q-FmI2s_CUqLEVU;lIau<>XN5MoEXw0cB)XiakY}83~&pZclFF#(g zIXqM}PkJe^3G~vc;AUBA`#A0B$IQbQi%q7-ju=s2nC>}zav>1q?VAN4eWo|=6^0SB zK5|`QTbH?_H=w4KmocahD`Uisk>Uw|^Wk376sq7@uwgKd*@&Zl^`6KEM|%Oy3+>u? z8#>(-fr&k~+1+w~PJ6l$85F3G{&MO7waZDb=2e-Q0Zh)BbE<1c(+m+_bronIv95F# zB={sRbj_>m&hTJvRh?Lqhn5Y`eBaFvOc9*CQSixcrXz$8VhFQP8nABR#>qVKePa9c zz8B?4F^xXnyzKg&%6I>0%Hk4UzH(LIqtPxnG&Fn~y6n7v4*nd+%yBgj?~VpLG@}5loMevXW`|uvmWH$*4AZW_$fM#Og`cF=PJaI|q zmMM*iG;?Krx^rPUVR&D<1lUNgl0iToJ6E*=GlNA(ee^$%0?|)?iRDvDR34W`5Fio$4Gzj}t z*AR8o&bDoO9vQ4nnJQvu!Yx+ECDwAb$uo0VOt@i1#~ai@&O=y1DZF#s>!2mKUDc^F z@NcVu!NN|`y>_!8P;omy%ldzi`+VDhhK;d^@JOb>lUHk?n2XhGm9V=mHYqC_ z3Zth>jLdO#!$y>c)@Y&>Lvbu`Ib>Z6Gf@jyNMCxP^7R;~6I!@lQ?%UdG2#H-w=&kf z*~M%#7J=R_EZn19UTc74l^#`GIAStXe=2M1V8j5kQHTdvoF2pQq!cpNG7s9%0SpCJ zqx$qtRL^?E-33K=zdCHz&?@K7VjyXZWaf`SeWXtUkDf@F)Tu7FsEhI_l&Klv8dSEv ze^ThsAN9<9J)0(nlfrP`#z0amrtuNCd0p`k2OoPej+Q|-GDi1Qe#P~iBRG0Ee?>p; z&LXX+jfODd=0We5Bk!jM4}9pYsy{RKTy5d!Sr||H?F%vIvajt*M0A^`LgbygA~BVh zARwF;mAAfY=DH|J`Rh>GWA=%!o-?c)xtm$~^B2vVwkcdL0OEso+LUjY*F-t>Nz&mM z-(wl9BK}$HdcGHF7rf6A=AB^Fe+ci|w+9sWE`@YR#-owhZ|EaVNDa9-@OUh*R@M91~Z`~b$PN%BE>yXe+2$9g88{< zO7d~&QyLg_cKMBuu6!3fVhM}b zs%FccutgDdZqiC`^{XaY{8#ps4FWVo)$U#3;%kf7Wv@B+Q(XJ1#ehabg$^qrZpoMy z44##~V6Zr?<~7F5auf8!e@F(m{UMdszZ-^>Sf6|6BXlaF9rQ`U5gn`dj0TEs7HM^l 
zYoil2KWHyXc8sir6c@S=`3uV!mi#2UXFwK|#!k$ggxO^&X#&#yOB`+>t=$Wzb$GvM z)06e$NNc#m#VXWya2^KpGz5hfk{CT$K#OSiWnn%4p>iYXZ(Y>Fe|1!$HeFFO`H1qZ z1zE>I0gdjMojl1+zKp{hW5rYTmUm$3(k-fy>Vh{6ZIj)uRXx>eG?ov>SUc|b*7p7A z432-T-z`x-Y+P4d=v?3TzFg~ni>mdH@Yzm??AcDZ`(-Na2%Yn4UF#pY(==3P1`0kd zO7SoP_moVHuG5p8f0O5j3!V`s_}K8k%SG~C%2|9keTgvc>NF<8xl?F&P!+hl{DJ*c z=uK}A>5d0pdyI_E!@w)F2 z4EQlK)y{ZZrityFa=Y2dbb2f4zAd;DIUE!&Pr|+Z{+>xe+r-ZTw!PHzusO zFfBEn8tLF_(>Tw_wJHzAc1osx7pc5NLvy&NT!_}IGMw_wFwz9=oa9|Qws%r=<^HF7 zJ30XR(x0?Df29dYHtFT|*}iS){{G|j_09L!`u88Ne>i>r@w22WR1mLzy<}f>qGKcM z63JuBKVi5&eBi51{h=HGJi2`I9>)9Cp{cL3bc2iW6~no@{O0W4J8v|x^X6YwLR1qd z`&kAWROSwEDZuP8dWUdJ)*Udf7Ahi{o2j5c5iM40e+IS`nxy)#|GE0_Z`f(WvJL(Y z?c`0nScy3*|76wDutj-aW`{g^H(eCUcOg6IhJ;+FWOL*EP%RVrT!H|{Ca~5&oL9Eq-qfT@|$1r z;}-rxWS_|x2NqF-{gM3(O#y?K0Y;aysr|@>#{)i3>;xW&H%CBrn4KJ#>847%gl(Cp zQ%91q;tD7a>b0a;?dZpdSi<9~w2W*K>5AJnf0C)~Wp4hXCSm7H#W9~@!V<{ldF$wD z%M8Eh>}AhlnMq9GFFcnC*u|$b4fyz(4OFAy%r>cCGyg4FRsx)%VOXH%=}@+E34%G( zjJ0sTURG&5NnIR)L;E`5HOt_=;}^n~Y>z9ZgHP@+1GhhAjs;*vpPVo|(HG}bpxrzi f1~JQhX@l95fEzB8kQ)mO3rPP5Mtd2^0Pp|+-}`-o delta 5866 zcmVyO+vlF!%aze2DBcqXuCJmbUx?Cc&E$pLpC z4hVJ^xDS`Rj#^T8Ye%n0>Uo^u{oAjq_z*>r6s6YKb3hYF+9Or{NETnkVzCsJMH{9? 
zQeURqZ=NWmc|hyQ{-Z5?SfS-v2*MtCuf>pPECShxOy1|GrOxvPz0KO?jxJBnYc2 zOQWz&%OZ$GM+uT*2fvp;T?w`ofcT|eZt%z1zdj_;3%x3!O+5jcBoo;oDf7m#_g59{PPNu3Jh zFLy@nA@wY6TI}04p>rU^BcCQ4=gx}T*$Dm(K4|X0(5S~Hxv7#U-KNk$tRYcdNd{9M zs*7I&TCO_G39<9SU43GR<#)YwLt2`&=j0*>snE6fPSfIX~RG*vLtIS!x(w#nK zIVAt2GtJMS9pDyu^AC`BgZ7C~X$r`t*Bp`yP+`e3Ufl4{v*lC;=)WosTHVm!!p z$)h%#YOB-V9g4Ii@plcyuw%Zd5E-%7N|C%yvJy9@AgL7k6TJy|63o0=w(K@%kn`#LpkCi5hRmFw#d>U)q; zKFiu`XbDLJ?T`lyTgZNbG<9Kr27xBc{;;gt$Eizrpy6A^8B9E`I5g1N+DDomaV+$O zDn^JV+BmtZTGD&*B?=0E4e}L)AEG@|bWz4oie-e1iJ3+^V+dP)6=CDQlA@g=YD~kN z93m%%Nn-C7YRo@g^HO3f_&0;H{97oby#(Ls10*YV4pwC?v{3BJJkk4q0ACdOqALyx zElVSkybfN-cbCBT;$k*VTt>I^K^ov*4@!hj=b(YAuj0IkvJ{$kJ`$_j0wtLx8-`Iv z^CYX4py3$M{dS-)Q#Z7sP!|;l*+bOJUUYv~5xBBzDZ)&gfgmO$7@Bh?#+wYLyGHF< zp8CJRXx;VxZMwTmin}F$QTJujHcJE2er-X_I%&%6?h+-i2rO%<1{8r!`H(DAeTIoj z?SgP6>>sl5ae2g>1tG(>%u_K3fZ|fas=W^5JT2H-gomEC;lmayfpjTf0NRnJpRy=~ zeM2f8Sot6fK+%5)nif=&oYt45{p$KND-G%!SnAncWX27y#dFMmvWf1OWY$L7vJdiu z)=E3|m3c#`aefe1_MmrsI79n&cD%p+`g2!?<~jGiD)R1uNQ-(I{P@~s*kjsqt)Z-> zps<=Z+7_O`KcIv}c^F;5i`AA#whrt|gmth!K&b*=KQg1xoRvbxuy&J;x9{e9m)2#G zPujFRO>kG0l+SPk!@Mcw9|;jRVrbn}ay@i|jxJk0>Y_7f@pFr$#*b3=0AP)Q+(Mg|{5vmpUVVd+aGYD| zC*#&RVQ0f>VPIqv2LE+cW@+?DJzN+CxfL*k5zq=}gA3(<{fN=<)zZe^b$Dp^+|hGj z@uio~%psP_JH>6C7<#jXQspDv(G{e@p}|N&2f}>vVw5zIjce0 zW^#VMIuF%;y4pP)1yy!{Db`yV@=}6zOy76Y2aKUL^@A!hFmB325jQko@HBOqxr`kM zOZX$)`nw{3&N_ooYdEBWc^^t>M~6=ZI-RD8*t%x4sW|2PPg%H})Z?(LGivj`rGtWb~iZ%HoG)bSLbP z^w$!}4JEyNj7a#_QKX?OgrYSLtfaaxgGKCpUjR*i=<=nbRQ(fdo6>6LRS((}R`J-C z>u~L`*>hYd=B>ADZ+`r34Et3g$W1X>eC;(F>+W-xh|C5fw}*&k5r49VR;-53k(m); zTcVP)37a(PFQ7uce#>Q5C)@PFAkSav1!aS+)}h(u2_3(}GYD0jjBhPo8RgmC8r1pJ zwGt+O>%QV4Nkkq%bdE$9@)25war(2`sT3t#~Kv(Xpc*Jx9FSTBoi*@ zo*dGkWh$P%bS~XyrLLH&62tXIld{2osdZ5^BTQe!?Af4IRHN~b-m6`lX4wm+UW$RL z?%7@lVkMf)nEp|N3vyq;13P4 z$Ld7J1M>kkb0m=H@TVPr+t_*)b+}=#GWSyR`Iv^P8%O)#LsP9a51n+Fm2!;L&!u-z zD$b+i!*e6T5MKD`_OUw`U*@jcKAsO*hG5)dr;jDQP?-?&5}J(6Yv%(-gP>tm9f+5n zeO%!=M3J=g_qoo3YiYWTlkNF`?+LAWYuMi59_Ar7Loe9STgd;Pb;n*eu>O#1tD 
zw}+LN3^4tiGq!tLEMwfps(DV@9iiUF=&m+S zhPz}M9VIFXqtwdAda#}LW>&5fd-CSZj*ijc*OLP;SBO^XE?A5)?K`HuFB6pM55a~1 z_GB|T0`aWXhn{F{R4ssia)<{gQ`ozKdJ}9&M`#XBl@zgyQ=dcCs-VS*2C-K^W|LC@ z!=#K-D7?prqRJgn<0DvMDoU4VGnm%0w76ZvF9@N5Y4Z zVZ^LYTvyoEWv=KAsA=V84C=$m7;$5yc*5U&xR*4ADmWHw7|dff;;3J}C$hoOUO@9g zyEfj2PB%qhVvlWqcDJ0r>e|sXLxfjd1==U9 zD_sQ%KFbST^D4VDJeXTmC)VVlWy3Syck=^N1SfA4eD<5^2;qYm!Yq^qtXsHoGEaP; z**?ARMLAMTqmMT)yMCwg%|Dv5xP+H4Tow3avg>=CW{Ac4HRBa?p-+$X_4yu&luO@aalnld|}nHaeKlM^6M zT+%uDw#0fs?1IBH%><0)xdNOoI6=7!SL_(^7 z(dwe95a`oYsj;!(a%jY`=@B!AZ_g%ZeKBu1PsE>{N(cVnQrPUVR&D;^lT{Oi0hg286E*=WlM)nb zf1{RX-~Y-4s02Hr6Z}^BV47Y7X%P0Qt|98Eoo(CnJTh3DGF8ORgj=kRORVK=lV|3# zm~g|2jyI@*oQJT2Qh4XM*Fj5eyQ))V;NMmQgN2=zdF~lRD?WXI&Qe|$_em%QE+VFJ zbjMz(saTdZ=T{Z{v=9@04x&v9oB51|f1otwyiM!m9!5+&TG3Zlq2hLami7N2_xZL1 z4I5(-;gL*%C$H8(F&C?sDq(kBY*JP<6h=>%7@6bfhK(o>tS>a>%+CW}+6Z zkiPUnL&O2PZ)L1|vy0hgECRhIyw(88Dm|*WaKvP&e^l1i z!H5B7qYw|UI6a2pNhxHkWgfJj0~iXdM)m2PsGjwRy9je(?COyeVN^Sa_8 z4nFo`94&)vWQ^{q{EF*2M{x9Te~NzGokdzt8x3K^&4b=AN8V2j9{A8(Rexsex!S_d zvoN0Y+ZSTaWnbHsi0C#=g~&T~MPe#1K|nYyDsO$)%ym(c^4FoV$LtedJ!e=qayPT| z=P#N!ZBw{h0K^CFv?<>(uZeQ%lcd8jzQ;0HMf|hY^?WbVE_k0K%sauTe-YlbZx1N$ zT?*-tj7KBy6U~o*$37o45(JM&TAdMhP34>zWlU~bEO3guhm5rMQH|?k)xyNrdqytG zjDLd2^=|ae%tG+aTP_Rb;kxj0Y!>djFFxqw_g^gEf*M)wj{P_k9d1mygf&fYe)lG1 zU)L_d7|eu{)aA)4i4^xle-Ze{2>yO+VwEbL|W$l{fx?E71w ztiUz`=h;jAPHAA!+2uDry7FD{h$SpytC}r)!WKo;xk)Sis9!bF;=i)5Y!IL!s&?-J z7hhYvE_=D=+CiTr9MQ3Q&uF0NW|3C+xHdXb^Mm%HWXH%_NO7V2kiW2uVaZRjdj@1d zY3#(@Ntj)hk|rSCzr^7N(%QXXT8HA&Jq01+<8E zUl!K$A1XJJ{-cXpf4Gh+)TS$HCLdA0wIJ&_D4@|Tvy&&e$(M1MW2|_pe&iikx^#vv0(4;$AN7dqGXy)W1L-=b>$BYd_K zB73$I?tYm{J3{BYTG#qV?lcY6nSp|ji&8v{z&#~XqwDk}f9K@+;euy`2|hMF@N$uS zmvR;#PG2I7yE=`DaPAb^9aIJGE`MM@6?)U#L%QRE*B&FI^Dyv=JE@HKu7p)}1@GwX z0K~!LaLMrq*WrmY6qin;E{LC)Yk0tqBB@r!TQW^--;CSMO&*73mc#sxpyz|9yEYho z_%ycz>m>gKe@+Cx&I1#i21cC)Je&mloCADC!pEsg`SA&=J;pmF#`hT3gn8@L>i`c* zx&Ezsq1*00`pS)%NowQwDZMdarG@FJ@zg{ISDMCoMy^wND6~^D^}9gjB^sK$J>^2Q 
zUX|gLuZ9sOXvZY)*s(p6q9gY|(c94h(AWNy-6_pTf3j&Ww@>zML-+R|udi?3Uk|?j z`1bwj`;T8DU7><__1h);q7xk(VV6iATK);c_2C0wb?Oh@Jiw#NH*aCwUmcqIDoZ!G zC|@z0tIO}s-n{Wf6FYDIRV73| zwPs*Tf1ydL|N5V+|Nf4hHZ0rVZ_rNOw2PIPqw-HyEe%_gcV%|SlQ+{vp?nvzgKkL3 zby_agQK?rg4*N94e2P+*Q5r9W*QkKY%p(2SbMgM9>Ji_Tv5ES8zX1pdNvnSfne)8qRE! z`Ze?4l4T{p85)KKYMu^dE0-XcGtF2F_uFNa#*@^=5jeE7175QX-Wz@)Y{~YxVmkQb z{xWd;Q|4FzR`kgUvlD%BP6gV{!x6LG1J^c~laU)8laL!63_XMNe*{&6)d27S0M=)T AJOBUy diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 49a586b7..aaf77a1d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -37908,7 +37908,7 @@ index 79a45f62e..6ed0c399a 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..fa8d5f276 100644 +index 17eda2480..cc1720cf2 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -38089,7 +38089,7 @@ index 17eda2480..fa8d5f276 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +213,28 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +213,29 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -38107,6 +38107,7 @@ index 17eda2480..fa8d5f276 100644 +corenet_udp_bind_all_ports(init_t) + +dev_create_all_chr_files(init_t) ++dev_list_sysfs(init_t) +dev_manage_sysfs(init_t) +dev_read_urand(init_t) +dev_read_raw_memory(init_t) @@ -38119,7 +38120,7 @@ index 17eda2480..fa8d5f276 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,45 +242,103 @@ domain_signal_all_domains(init_t) +@@ -139,45 +243,103 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) 
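Review bot: The added `++dev_list_sysfs(init_t)` line in the `@@ -38107` hunk carries no pointer to the bug it resolves, and it sits directly above the existing `+dev_manage_sysfs(init_t)`, whose definition in devices.if is outside this patch. If that manage interface already covers lnk_file access on sysfs_t, the new line is redundant; if it is kept because it is the narrower rule that matches the reported denial, a trailing comment such as `# BZ(1499327): read sysfs symlinks at boot` would let the next reader tell which. The changelog wording ("read sysfs sym links") and the interface name ("list") do not obviously describe the same access, so the comment should name the access that was denied.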
@@ -38230,7 +38231,7 @@ index 17eda2480..fa8d5f276 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +347,293 @@ ifdef(`distro_gentoo',` +@@ -186,29 +348,294 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38451,6 +38452,7 @@ index 17eda2480..fa8d5f276 100644 +systemd_config_all_services(initrc_t) +systemd_read_unit_files(initrc_t) +systemd_login_status(init_t) ++systemd_map_networkd_exec_files(init_t) + +create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + @@ -38533,7 +38535,7 @@ index 17eda2480..fa8d5f276 100644 ') optional_policy(` -@@ -216,7 +641,34 @@ optional_policy(` +@@ -216,7 +643,35 @@ optional_policy(` ') optional_policy(` @@ -38566,10 +38568,11 @@ index 17eda2480..fa8d5f276 100644 +optional_policy(` + domain_named_filetrans(init_t) + unconfined_server_domtrans(init_t) ++ unconfined_server_noatsecure(init_t) ') ######################################## -@@ -225,9 +677,9 @@ optional_policy(` +@@ -225,9 +680,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38581,7 +38584,7 @@ index 17eda2480..fa8d5f276 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +710,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +713,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38598,7 +38601,7 @@ index 17eda2480..fa8d5f276 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +735,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +738,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
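Review bot: The added `++	unconfined_server_noatsecure(init_t)` in the `@@ -38566` hunk applies to every transition from init_t into unconfined_service_t, not only to the Java-based services the changelog cites for BZ(1358476); with AT_SECURE cleared, such services keep the environment init passed them (e.g. LD_* variables) rather than having the dynamic loader sanitise it. Nothing in the hunk records that scope, so a comment on the new line, `# BZ(1358476): AT_SECURE not set for any init_t -> unconfined_service_t transition`, would make the trade-off visible to whoever audits this block next. The interface itself is defined further down in this patch, in the unconfined.if section.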
@@ -38641,7 +38644,7 @@ index 17eda2480..fa8d5f276 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +772,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +775,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38653,7 +38656,7 @@ index 17eda2480..fa8d5f276 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +784,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +787,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38664,7 +38667,7 @@ index 17eda2480..fa8d5f276 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +795,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +798,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38674,7 +38677,7 @@ index 17eda2480..fa8d5f276 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +804,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +807,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38682,7 +38685,7 @@ index 17eda2480..fa8d5f276 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +811,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +814,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -38690,7 +38693,7 @@ index 17eda2480..fa8d5f276 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +819,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +822,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38708,7 +38711,7 @@ index 17eda2480..fa8d5f276 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +837,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +840,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38722,7 +38725,7 @@ index 17eda2480..fa8d5f276 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +852,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +855,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38736,7 +38739,7 @@ index 17eda2480..fa8d5f276 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +865,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +868,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38747,7 +38750,7 @@ index 17eda2480..fa8d5f276 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +878,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +881,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
@@ -38755,7 +38758,7 @@ index 17eda2480..fa8d5f276 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +897,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +900,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38779,7 +38782,7 @@ index 17eda2480..fa8d5f276 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +930,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +933,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38787,7 +38790,7 @@ index 17eda2480..fa8d5f276 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +964,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +967,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38798,7 +38801,7 @@ index 17eda2480..fa8d5f276 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +988,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +991,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38807,7 +38810,7 @@ index 17eda2480..fa8d5f276 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +1003,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +1006,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38815,7 +38818,7 @@ index 17eda2480..fa8d5f276 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1024,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1027,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -38823,7 +38826,7 @@ index 17eda2480..fa8d5f276 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1034,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1037,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38868,7 +38871,7 @@ index 17eda2480..fa8d5f276 100644 ') optional_policy(` -@@ -559,14 +1079,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1082,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38900,7 +38903,7 @@ index 17eda2480..fa8d5f276 100644 ') ') -@@ -577,6 +1114,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1117,39 @@ ifdef(`distro_suse',` ') ') @@ -38940,7 +38943,7 @@ index 17eda2480..fa8d5f276 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1159,8 @@ optional_policy(` +@@ -589,6 +1162,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38949,7 +38952,7 @@ index 17eda2480..fa8d5f276 100644 ') optional_policy(` -@@ -610,6 +1182,7 @@ optional_policy(` +@@ -610,6 +1185,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38957,7 +38960,7 @@ index 17eda2480..fa8d5f276 100644 ') optional_policy(` -@@ -626,6 +1199,17 @@ optional_policy(` +@@ -626,6 +1202,17 @@ optional_policy(` ') optional_policy(` @@ -38975,7 +38978,7 @@ index 17eda2480..fa8d5f276 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1226,13 @@ optional_policy(` +@@ -642,9 +1229,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38989,7 +38992,7 @@ index 17eda2480..fa8d5f276 100644 ') optional_policy(` -@@ -657,15 +1245,11 @@ optional_policy(` +@@ -657,15 +1248,11 @@ optional_policy(` ') optional_policy(` @@ -39007,7 +39010,7 @@ index 17eda2480..fa8d5f276 100644 ') optional_policy(` -@@ -686,6 +1270,15 @@ optional_policy(` +@@ -686,6 +1273,15 @@ optional_policy(` ') optional_policy(` 
@@ -39023,7 +39026,7 @@ index 17eda2480..fa8d5f276 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1319,7 @@ optional_policy(` +@@ -726,6 +1322,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -39031,7 +39034,7 @@ index 17eda2480..fa8d5f276 100644 ') optional_policy(` -@@ -743,7 +1337,13 @@ optional_policy(` +@@ -743,7 +1340,13 @@ optional_policy(` ') optional_policy(` @@ -39046,7 +39049,7 @@ index 17eda2480..fa8d5f276 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1366,10 @@ optional_policy(` +@@ -766,6 +1369,10 @@ optional_policy(` ') optional_policy(` @@ -39057,7 +39060,7 @@ index 17eda2480..fa8d5f276 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1379,20 @@ optional_policy(` +@@ -775,10 +1382,20 @@ optional_policy(` ') optional_policy(` @@ -39078,7 +39081,7 @@ index 17eda2480..fa8d5f276 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1401,10 @@ optional_policy(` +@@ -787,6 +1404,10 @@ optional_policy(` ') optional_policy(` @@ -39089,7 +39092,7 @@ index 17eda2480..fa8d5f276 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1426,6 @@ optional_policy(` +@@ -808,8 +1429,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39098,7 +39101,7 @@ index 17eda2480..fa8d5f276 100644 ') optional_policy(` -@@ -818,6 +1434,10 @@ optional_policy(` +@@ -818,6 +1437,10 @@ optional_policy(` ') optional_policy(` @@ -39109,7 +39112,7 @@ index 17eda2480..fa8d5f276 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1447,12 @@ optional_policy(` +@@ -827,10 +1450,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -39122,7 +39125,7 @@ index 17eda2480..fa8d5f276 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1479,62 @@ optional_policy(` +@@ -857,21 +1482,62 @@ optional_policy(` ') optional_policy(` 
@@ -39186,7 +39189,7 @@ index 17eda2480..fa8d5f276 100644 ') optional_policy(` -@@ -887,6 +1550,10 @@ optional_policy(` +@@ -887,6 +1553,10 @@ optional_policy(` ') optional_policy(` @@ -39197,7 +39200,7 @@ index 17eda2480..fa8d5f276 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1564,218 @@ optional_policy(` +@@ -897,3 +1567,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -47755,7 +47758,7 @@ index 2cea692c0..853ddefe4 100644 + files_pid_filetrans($1, net_conf_t, dir, "cloud-init") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4bc..d29b7f6fb 100644 +index a392fc4bc..a61ba7d4e 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -47821,7 +47824,7 @@ index a392fc4bc..d29b7f6fb 100644 + manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) -+allow dhcpc_t dhcpc_state_t:file relabel_file_perms; ++allow dhcpc_t dhcpc_state_t:file { map relabel_file_perms }; # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) @@ -48270,10 +48273,10 @@ index 000000000..121b42208 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 000000000..634d9596a +index 000000000..5871e072d --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1862 @@ +@@ -0,0 +1,1880 @@ +## SELinux policy for systemd components + +###################################### 
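Review bot: The `@@ -47821` hunk widens dhcpc_t from `relabel_file_perms` to `{ map relabel_file_perms }` on dhcpc_state_t files, but no entry in the commit message covers it; the mmap entries listed there name boinc, fail2ban, pppd, httpd, tlp and systemd only. A changelog line such as `- Allow dhcpc_t to mmap dhcpc_state_t files`, or a comment on the rule naming the reported denial, would keep the record complete. The `map` itself is consistent with the `manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)` line above it, which already supplies the read access an mmap needs.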
@@ -50136,12 +50139,30 @@ index 000000000..634d9596a + files_type($1) + typeattribute $1 systemd_mount_directory; +') ++ ++######################################## ++## ++## Mmap systemd_networkd_exec_t files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_map_networkd_exec_files',` ++ gen_require(` ++ type systemd_networkd_exec_t; ++ ') ++ ++ allow $1 systemd_networkd_exec_t:file map; ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..e83a61cca +index 000000000..e944cee17 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1027 @@ +@@ -0,0 +1,1029 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -50195,6 +50216,7 @@ index 000000000..e83a61cca + +type systemd_networkd_var_run_t; +files_pid_file(systemd_networkd_var_run_t) ++files_mountpoint(systemd_networkd_var_run_t) + +systemd_domain_template(systemd_initctl) + @@ -51138,6 +51160,7 @@ index 000000000..e83a61cca + +dev_read_sysfs(systemd_modules_load_t) + ++files_map_kernel_modules(systemd_modules_load_t) +files_read_kernel_modules(systemd_modules_load_t) +modutils_read_module_config(systemd_modules_load_t) + @@ -51768,7 +51791,7 @@ index 0abaf8432..8b34dbc09 100644 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 5ca20a97d..5454d1668 100644 +index 5ca20a97d..43bb011b3 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,53 +12,57 @@ @@ -51880,7 +51903,7 @@ index 5ca20a97d..5454d1668 100644 ') ######################################## -@@ -175,343 +185,12 @@ interface(`unconfined_alias_domain',` +@@ -175,258 +185,12 @@ interface(`unconfined_alias_domain',` ## # interface(`unconfined_execmem_alias_program',` 
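Review bot: The new `systemd_map_networkd_exec_files` interface in the `@@ -50136` hunk grants only `file map`, and its summary (`## Mmap systemd_networkd_exec_t files.`) does not say that the caller must already hold read, and execute for PROT_EXEC mappings, on systemd_networkd_exec_t, since the kernel checks those in addition to `map` on mmap(2). A summary such as `## Mmap systemd_networkd_exec_t files (caller needs read/execute on the type separately).` would stop the interface from being used on its own and then reported as still denied. The one consumer added in this patch, init_t, presumably already has those permissions through its domain-transition rules, which lie outside these hunks, so the rule itself is fine as written.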
@@ -52131,18 +52154,20 @@ index 5ca20a97d..5454d1668 100644 - ') - - dontaudit $1 unconfined_t:fifo_file read; --') -- --######################################## --## ++ refpolicywarn(`$0() has been deprecated.') + ') + + ######################################## + ## -## Read and write unconfined domain unnamed pipes. --## --## --## --## Domain allowed access. --## --## --# ++## Connect to unconfined_server with a unix socket. + ## + ## + ## +@@ -434,84 +198,19 @@ interface(`unconfined_dontaudit_read_pipes',` + ## + ## + # -interface(`unconfined_rw_pipes',` - gen_require(` - type unconfined_t; @@ -52211,12 +52236,16 @@ index 5ca20a97d..5454d1668 100644 -## -# -interface(`unconfined_dontaudit_rw_tcp_sockets',` -- gen_require(` ++interface(`unconfined_server_stream_connect',` + gen_require(` - type unconfined_t; -- ') -- ++ type unconfined_service_t; + ') + - dontaudit $1 unconfined_t:tcp_socket { read write }; -+ refpolicywarn(`$0() has been deprecated.') ++ files_search_pids($1) ++ files_write_generic_pid_pipes($1) ++ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto }; ') ######################################## 
@@ -52226,59 +52255,33 @@ index 5ca20a97d..5454d1668 100644 ## ## ## -@@ -519,17 +198,19 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',` +@@ -519,17 +218,17 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',` ## ## # -interface(`unconfined_create_keys',` -+interface(`unconfined_server_stream_connect',` ++interface(`unconfined_server_domtrans',` gen_require(` - type unconfined_t; + type unconfined_service_t; ') - allow $1 unconfined_t:key create; -+ files_search_pids($1) -+ files_write_generic_pid_pipes($1) -+ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto }; - ') - - ######################################## - ## --## Send messages to the unconfined domain over dbus. -+## Connect to unconfined_server with a unix socket. - ## - ## - ## -@@ -537,19 +218,17 @@ interface(`unconfined_create_keys',` - ## - ## - # --interface(`unconfined_dbus_send',` -+interface(`unconfined_server_domtrans',` - gen_require(` -- type unconfined_t; -- class dbus send_msg; -+ type unconfined_service_t; - ') - -- allow $1 unconfined_t:dbus send_msg; + corecmd_bin_domtrans($1, unconfined_service_t) ') ######################################## ## --## Send and receive messages from --## unconfined_t over dbus. +-## Send messages to the unconfined domain over dbus. +## Allow caller domain to dbus chat unconfined_server. ## ## ## -@@ -557,20 +236,19 @@ interface(`unconfined_dbus_send',` +@@ -537,19 +236,19 @@ interface(`unconfined_create_keys',` ## ## # --interface(`unconfined_dbus_chat',` +-interface(`unconfined_dbus_send',` +interface(`unconfined_server_dbus_chat',` gen_require(` - type unconfined_t; 
@@ -52288,25 +52291,49 @@ index 5ca20a97d..5454d1668 100644 ') - allow $1 unconfined_t:dbus send_msg; -- allow unconfined_t $1:dbus send_msg; + allow $1 unconfined_service_t:dbus send_msg; + allow unconfined_service_t $1:dbus send_msg; ') ######################################## ## --## Connect to the the unconfined DBUS --## for service (acquire_svc). +-## Send and receive messages from +-## unconfined_t over dbus. +## Send signull to unconfined_service_t. ## ## ## -@@ -578,11 +256,10 @@ interface(`unconfined_dbus_chat',` +@@ -557,20 +256,17 @@ interface(`unconfined_dbus_send',` + ## + ## + # +-interface(`unconfined_dbus_chat',` ++interface(`unconfined_server_signull',` + gen_require(` +- type unconfined_t; +- class dbus send_msg; ++ type unconfined_service_t; + ') + +- allow $1 unconfined_t:dbus send_msg; +- allow unconfined_t $1:dbus send_msg; ++ allow $1 unconfined_service_t:process signull; + ') + + ######################################## + ## +-## Connect to the the unconfined DBUS +-## for service (acquire_svc). ++## Allow noatsecure. + ## + ## + ## +@@ -578,11 +274,10 @@ interface(`unconfined_dbus_chat',` ## ## # -interface(`unconfined_dbus_connect',` -+interface(`unconfined_server_signull',` ++interface(`unconfined_server_noatsecure',` gen_require(` - type unconfined_t; - class dbus acquire_svc; @@ -52314,7 +52341,7 @@ index 5ca20a97d..5454d1668 100644 ') - allow $1 unconfined_t:dbus acquire_svc; -+ allow $1 unconfined_service_t:process signull; ++ allow $1 unconfined_service_t:process { noatsecure }; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 5fe902db3..0a7c3bb00 100644 diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 8c89eb9f..99fe8055 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f070f..aa5b1112e 100644 +index eb50f070f..64589c601 100644 
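Review bot: The new `unconfined_server_noatsecure` interface (header in the `@@ -52288` hunk, body in `@@ -52314`, both on this line) is documented only as `## Allow noatsecure.`, which does not tell a caller what it is handing out. Granting `noatsecure` on the transition means the kernel does not set AT_SECURE for the new unconfined_service_t image, so the dynamic loader keeps the caller's environment (LD_PRELOAD, LD_LIBRARY_PATH and similar) instead of scrubbing it; that is presumably the intended effect for the java-based services in BZ 1358476, but it should be stated where callers will see it. A summary such as `## Allow the caller to transition into unconfined_service_t without AT_SECURE, so the callee inherits the caller's environment (BZ 1358476).` would do. Separately, the braces in `allow $1 unconfined_service_t:process { noatsecure };` are not needed for a single permission and differ from `process signull;` in the neighbouring interface on this line.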
--- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -718,7 +718,7 @@ index eb50f070f..aa5b1112e 100644 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; -+allow abrt_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; ++allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; +dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + @@ -5615,7 +5615,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..721dab24b 100644 +index 6649962b6..513f68674 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6303,7 +6303,7 @@ index 6649962b6..721dab24b 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -412,13 +524,20 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -412,13 +524,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) 
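Review bot: The `@@ -718` hunk on this line adds `dac_override` to abrt_t's capability set next to the existing `dac_read_search`, which is a real widening rather than a duplicate: `dac_read_search` only bypasses read and search checks, while `dac_override` also bypasses DAC write and execute checks, so abrt_t can now write files regardless of their owner. If the denial in BZ 1499860 was a read or search, `dac_read_search` already covered it and the new grant is excess; if it was a write, noting that in the commit would keep the broader capability from being trimmed as noise later. The list is otherwise alphabetical, so `dac_override` should also precede `dac_read_search`.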
@@ -6322,10 +6322,11 @@ index 6649962b6..721dab24b 100644 +allow httpd_t httpd_sys_content_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) ++allow httpd_t httpd_sys_content_t:file map; allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; -@@ -438,6 +557,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi +@@ -438,6 +558,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) @@ -6333,7 +6334,7 @@ index 6649962b6..721dab24b 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +570,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +571,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6576,7 +6577,7 @@ index 6649962b6..721dab24b 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +752,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6636,7 +6637,7 @@ index 6649962b6..721dab24b 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +804,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') 
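Review bot: `allow httpd_t httpd_sys_content_t:file map;` in the `@@ -6322` hunk on this line is written as a raw rule directly under three pattern-macro lines, while the equivalent grant for modules in the `@@ -6303` hunk on the previous line uses `mmap_files_pattern(...)`; a reader will wonder whether the difference is deliberate. If `mmap_files_pattern` in this tree also grants execute, as I believe the upstream macro does, the raw `map` is the right, narrower choice for served content and deserves a one-line comment saying so, e.g. `# map without execute: served content must stay non-executable`. If a read-only mmap pattern is available in this tree, using it would be the consistent alternative.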
@@ -6739,7 +6740,7 @@ index 6649962b6..721dab24b 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +863,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6820,7 +6821,7 @@ index 6649962b6..721dab24b 100644 ') optional_policy(` -@@ -749,24 +916,32 @@ optional_policy(` +@@ -749,24 +917,32 @@ optional_policy(` ') optional_policy(` @@ -6859,7 +6860,7 @@ index 6649962b6..721dab24b 100644 ') optional_policy(` -@@ -775,6 +950,10 @@ optional_policy(` +@@ -775,6 +951,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6870,7 +6871,7 @@ index 6649962b6..721dab24b 100644 ') optional_policy(` -@@ -786,35 +965,62 @@ optional_policy(` +@@ -786,35 +966,62 @@ optional_policy(` ') optional_policy(` @@ -6946,7 +6947,7 @@ index 6649962b6..721dab24b 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1028,31 @@ optional_policy(` +@@ -822,8 +1029,31 @@ optional_policy(` ') optional_policy(` @@ -6978,7 +6979,7 @@ index 6649962b6..721dab24b 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1061,8 @@ optional_policy(` +@@ -832,6 +1062,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6987,7 +6988,7 @@ index 6649962b6..721dab24b 100644 ') optional_policy(` -@@ -842,20 +1073,48 @@ optional_policy(` +@@ -842,20 +1074,48 @@ optional_policy(` ') optional_policy(` @@ -7042,7 +7043,7 @@ index 6649962b6..721dab24b 100644 ') optional_policy(` -@@ -863,16 +1122,31 @@ optional_policy(` +@@ -863,16 +1123,31 @@ optional_policy(` ') optional_policy(` @@ -7076,7 +7077,7 @@ index 6649962b6..721dab24b 100644 ') optional_policy(` -@@ -883,65 +1157,189 @@ optional_policy(` +@@ -883,65 +1158,189 @@ optional_policy(` yam_read_content(httpd_t) ') 
@@ -7288,7 +7289,7 @@ index 6649962b6..721dab24b 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1348,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1349,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7442,7 +7443,7 @@ index 6649962b6..721dab24b 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1433,107 @@ optional_policy(` +@@ -1083,172 +1434,107 @@ optional_policy(` ') ') @@ -7680,7 +7681,7 @@ index 6649962b6..721dab24b 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1541,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1542,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7778,7 +7779,7 @@ index 6649962b6..721dab24b 100644 ######################################## # -@@ -1321,8 +1616,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1617,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7795,7 +7796,7 @@ index 6649962b6..721dab24b 100644 ') ######################################## -@@ -1330,49 +1632,41 @@ optional_policy(` +@@ -1330,49 +1633,41 @@ optional_policy(` # User content local policy # @@ -7862,7 +7863,7 @@ index 6649962b6..721dab24b 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1676,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1677,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -11061,7 +11062,7 @@ index 02fefaaf7..308616e8d 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c48d..ff5713723 100644 +index 687d4c48d..7ee6d41fd 100644 --- a/boinc.te +++ b/boinc.te @@ -1,4 +1,4 @@ 
@@ -11162,7 +11163,7 @@ index 687d4c48d..ff5713723 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -61,84 +103,62 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -61,84 +103,63 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) @@ -11186,6 +11187,7 @@ index 687d4c48d..ff5713723 100644 -logging_log_filetrans(boinc_t, boinc_log_t, file) +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++allow boinc_t boinc_project_var_lib_t:file map; -can_exec(boinc_t, boinc_var_lib_t) - @@ -11275,7 +11277,7 @@ index 687d4c48d..ff5713723 100644 tunable_policy(`boinc_execmem',` allow boinc_t self:process { execstack execmem }; -@@ -148,48 +168,69 @@ optional_policy(` +@@ -148,48 +169,69 @@ optional_policy(` mta_send_mail(boinc_t) ') @@ -29249,7 +29251,7 @@ index 50d0084d4..94e193606 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e56772..839025a07 100644 +index cf0e56772..040e11be6 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -36,8 +36,8 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -29279,7 +29281,7 @@ index cf0e56772..839025a07 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t) +@@ -92,24 +90,38 @@ fs_getattr_all_fs(fail2ban_t) auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) @@ -29287,6 +29289,7 @@ index cf0e56772..839025a07 100644 logging_send_syslog_msg(fail2ban_t) +logging_read_syslog_pid(fail2ban_t) +logging_dontaudit_search_audit_logs(fail2ban_t) ++logging_mmap_generic_logs(fail2ban_t) -miscfiles_read_localization(fail2ban_t) +mta_send_mail(fail2ban_t) 
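Review bot: `logging_mmap_generic_logs(fail2ban_t)` in the last hunk on this line (`@@ -29287`) grants map on every file of the generic log type, while the changelog entry for BZ 1500089 describes the change as letting fail2ban mmap journals. The two may well coincide if journal files carry the generic log label on this distribution, but the rule as written is the wider statement and nothing in the hunk ties it to the journal. I would either use a journal-specific interface if one exists in this tree, or reword the changelog to say `Allow fail2ban_t domain to mmap generic log files (journals). BZ(1500089)` so the description matches the grant.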
@@ -29321,7 +29324,7 @@ index cf0e56772..839025a07 100644 iptables_domtrans(fail2ban_t) ') -@@ -118,6 +129,10 @@ optional_policy(` +@@ -118,6 +130,10 @@ optional_policy(` ') optional_policy(` @@ -29332,7 +29335,7 @@ index cf0e56772..839025a07 100644 shorewall_domtrans(fail2ban_t) ') -@@ -126,27 +141,37 @@ optional_policy(` +@@ -126,27 +142,37 @@ optional_policy(` # Client Local policy # @@ -78567,7 +78570,7 @@ index cd8b8b9cb..2cfa88a2d 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3e3..0ad15efea 100644 +index d616ca3e3..25b69407a 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -78637,7 +78640,7 @@ index d616ca3e3..0ad15efea 100644 type pptp_log_t; logging_log_file(pptp_log_t) -@@ -67,54 +74,59 @@ logging_log_file(pptp_log_t) +@@ -67,54 +74,60 @@ logging_log_file(pptp_log_t) type pptp_var_run_t; files_pid_file(pptp_var_run_t) @@ -78703,6 +78706,7 @@ index d616ca3e3..0ad15efea 100644 -domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) +manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) +files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file sock_file }) ++allow pppd_t pppd_var_run_t:file map; allow pppd_t pptp_t:process signal; @@ -78715,7 +78719,7 @@ index d616ca3e3..0ad15efea 100644 kernel_read_kernel_sysctls(pppd_t) kernel_read_system_state(pppd_t) kernel_rw_net_sysctls(pppd_t) -@@ -122,10 +134,10 @@ kernel_read_network_state(pppd_t) +@@ -122,10 +135,10 @@ kernel_read_network_state(pppd_t) kernel_request_load_module(pppd_t) dev_read_urand(pppd_t) 
@@ -78727,7 +78731,7 @@ index d616ca3e3..0ad15efea 100644 corenet_all_recvfrom_netlabel(pppd_t) corenet_tcp_sendrecv_generic_if(pppd_t) corenet_raw_sendrecv_generic_if(pppd_t) -@@ -135,9 +147,22 @@ corenet_raw_sendrecv_generic_node(pppd_t) +@@ -135,9 +148,22 @@ corenet_raw_sendrecv_generic_node(pppd_t) corenet_udp_sendrecv_generic_node(pppd_t) corenet_tcp_sendrecv_all_ports(pppd_t) corenet_udp_sendrecv_all_ports(pppd_t) @@ -78751,7 +78755,7 @@ index d616ca3e3..0ad15efea 100644 corecmd_exec_bin(pppd_t) corecmd_exec_shell(pppd_t) -@@ -147,36 +172,31 @@ files_exec_etc_files(pppd_t) +@@ -147,36 +173,31 @@ files_exec_etc_files(pppd_t) files_manage_etc_runtime_files(pppd_t) files_dontaudit_write_etc_files(pppd_t) @@ -78797,7 +78801,7 @@ index d616ca3e3..0ad15efea 100644 optional_policy(` ddclient_run(pppd_t, pppd_roles) -@@ -186,11 +206,13 @@ optional_policy(` +@@ -186,11 +207,13 @@ optional_policy(` l2tpd_dgram_send(pppd_t) l2tpd_rw_socket(pppd_t) l2tpd_stream_connect(pppd_t) @@ -78812,7 +78816,7 @@ index d616ca3e3..0ad15efea 100644 ') ') -@@ -216,18 +238,26 @@ optional_policy(` +@@ -216,18 +239,26 @@ optional_policy(` udev_read_db(pppd_t) ') @@ -78843,7 +78847,7 @@ index d616ca3e3..0ad15efea 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +266,46 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +267,46 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -78903,7 +78907,7 @@ index d616ca3e3..0ad15efea 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +313,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +314,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) 
@@ -78918,7 +78922,7 @@ index d616ca3e3..0ad15efea 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +330,10 @@ optional_policy(` +@@ -299,6 +331,10 @@ optional_policy(` ') optional_policy(` @@ -103395,7 +103399,7 @@ index e0644b5cf..ea347ccd5 100644 domain_system_change_exemption($1) role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te -index 9cf6582d2..730889136 100644 +index 9cf6582d2..d0be162c8 100644 --- a/smartmon.te +++ b/smartmon.te @@ -38,7 +38,7 @@ ifdef(`enable_mls',` @@ -103407,8 +103411,12 @@ index 9cf6582d2..730889136 100644 dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; -@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) +@@ -58,23 +58,31 @@ kernel_read_network_state(fsdaemon_t) + kernel_read_software_raid_state(fsdaemon_t) + kernel_read_system_state(fsdaemon_t) ++auth_use_nsswitch(fsdaemon_t) ++ corecmd_exec_all_executables(fsdaemon_t) +corenet_all_recvfrom_netlabel(fsdaemon_t) @@ -103437,7 +103445,7 @@ index 9cf6582d2..730889136 100644 storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t) -@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t) +@@ -83,7 +91,9 @@ storage_write_scsi_generic(fsdaemon_t) term_dontaudit_search_ptys(fsdaemon_t) @@ -103448,7 +103456,7 @@ index 9cf6582d2..730889136 100644 init_read_utmp(fsdaemon_t) -@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t) +@@ -92,12 +102,13 @@ libs_exec_lib_files(fsdaemon_t) logging_send_syslog_msg(fsdaemon_t) @@ -103463,7 +103471,7 @@ index 9cf6582d2..730889136 100644 tunable_policy(`smartmon_3ware',` allow fsdaemon_t self:process setfscreate; -@@ -116,9 +125,9 @@ optional_policy(` +@@ -116,9 +127,9 @@ optional_policy(` ') optional_policy(` @@ -111773,10 +111781,10 @@ index 000000000..368e18842 +') 
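Review bot: `auth_use_nsswitch(fsdaemon_t)` added in the smartmon.te hunk on this line (`@@ -103407`) has no corresponding entry in the spec changelog on the next line, which lists eleven items and none for smartmon or fsdaemon_t. `auth_use_nsswitch` is not a small grant: it typically brings in NSS lookups, including reading passwd/group data and connecting to name-service daemons, so an unlogged widening of smartd's policy is worth surfacing. Please add a changelog line naming the rule and, if there is one, the bug that motivated it.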
diff --git a/tlp.te b/tlp.te new file mode 100644 -index 000000000..1ef713150 +index 000000000..5185a9e8e --- /dev/null +++ b/tlp.te -@@ -0,0 +1,84 @@ +@@ -0,0 +1,86 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -111833,6 +111841,7 @@ index 000000000..1ef713150 +dev_rw_wireless(tlp_t) + +files_read_kernel_modules(tlp_t) ++files_map_kernel_modules(tlp_t) +files_load_kernel_modules(tlp_t) + +modutils_exec_insmod(tlp_t) @@ -111859,6 +111868,7 @@ index 000000000..1ef713150 +') + +optional_policy(` ++ sssd_read_public_files(tlp_t) + sssd_stream_connect(tlp_t) +') diff --git a/tmpreaper.te b/tmpreaper.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 0090d850..045fb264 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 294%{?dist} +Release: 295%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -678,6 +678,19 @@ exit 0 %endif %changelog +* Tue Oct 10 2017 Lukas Vrabec - 3.13.1-295 +- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088) +- Allow fail2ban_t domain to mmap journals. BZ(1500089) +- Add dac_override to abrt_t domain BZ(1499860) +- Allow pppd domain to mmap own pid files BZ(1498587) +- Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451) +- Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules +- Allow systemd to read sysfs sym links. BZ(1499327) +- Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863) +- Make systemd_networkd_var_run as mountpoint BZ(1499862) +- Allow noatsecure for java-based unconfined services. BZ(1358476) +- Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015) + * Mon Oct 09 2017 Lukas Vrabec - 3.13.1-294 - Allow cloud-init to create content in /var/run/cloud-init - Dontaudit VM to read gnome-boxes process data BZ(1415975)