From 46f9f9c36a62c31dd5da44dd63279a56329b9be0 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Thu, 4 Jan 2018 13:06:00 +0100 Subject: [PATCH] * Thu Jan 04 2018 Lukas Vrabec - 3.13.1-308 - Make working SELinux sandbox with Wayland. BZ(1474082) - Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169) - Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723) - Allow collectd to connect to lmtp_port_t BZ(1304029) - Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776) - Allow thumb_t to mmap removable_t files. BZ(1522724) - Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118) - Add interface fs_mmap_removable_files() --- container-selinux.tgz | Bin 7244 -> 7247 bytes policy-rawhide-base.patch | 324 ++++++++++++++++++----------------- policy-rawhide-contrib.patch | 125 +++++++++----- selinux-policy.spec | 12 +- 4 files changed, 255 insertions(+), 206 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index b681098df99e28e21f3b261c24903a9e47fe1c8f..3b80c6cf1abae9b9241263a14b0cf1f39ceedc05 100644 GIT binary patch literal 7247 zcmb8z16v&o!vNq~S}ognTDEnTZQDHUw5(+t>trt5woX3Tw(aHK?=O7Ub^nT+BKj+g z3!$<;4BUm$S^PRLcxvgSN4yr!leX4oXwMGSvtEE140kC^ih0iJNWtns)>L@87-yU? zf5#7bZ86chp^EyCLB6WaR}@Efm0Igv7T;vhybd>6ilkUd-K2QUA&0?8;$gM0Y ztB6rW&!5e%p6=(5%$6&A`%T}^$JZ8-&eucYkJgVlzP<++JXxjiVze{LC)$o0h!VEm z$Ky9 zh9df=&c^q&cWy$Fcsxyu;-wFNVeE^UD)6=k)~&(a+#Y7EgaGLK0nc~eq#t%m#L#=D zqbbMhZ>b`Kn^9K`)-H#*nN3s4mOa`w2`m#niEMsI9XscoaCN2f+!lli@};N2?` z|7febOE)|6OI1Z}sPmqNw|g<)#UKioZY_gA{cNGo1saIwv-n5me4|Zs@d9Tll$oRV z6OUZsnmr0!Oe7&yNMBhk-GT9@d@5jc7Oj)trFUjAG=1sT-befNI203zImMwZCTnsb zI*2YJHSY`%lrg}?mpmc0l0h%+p*2&ytvbaPGJ#>ji|AQL4__9i9w|sP2tkuF(zvmH zI7P8$(H>4%Inzz}h|N$-FiEiwB8(zxvdX5N2$_5Z1ns}0MjcR(yw*z3D*s9HzrHZQ znLsMF>Al(cd&XFHhe+6Bo5KB{g|bq%&(6X&2!|(jW{Lp_&7yivNn?H4EiQiF4Jsam z1<4Mk)7XP3eo#9;t^(X-E2k*$tSJ^pm%h6({^?mKY73ulXtb?!SPPj9M2+{!u*(u+ zy0oT#;(N+%`xGxAPu(w;&v(rfhpP*dbfY0s{GDVoE(m{1QO5RT58!DiQ#WqMC25cO z;vXW_I!6Gmv4}a)Y_!Q-k3k8aGPmWA+7XihJR=WS*Y#Iqz{K1`&(kpCg^PAm&h5ir6;I zWM>6^Bpeh*Ml3m7dF>bvGApw=-THhFNGC7y6l)Hc;^R|FRh#~k{q-)oS$MfTqENp% z^E->X@k&N`gzi)qTIUe#Zv7Br@b((X(-qm>vDwdyNqD z$U!VwYuPG3@HqBAAt*Fu@n)@XlD-=O|>TGwGY>3YIO2<<_9M(M|x$zf=x zx1b;76dxK;q|W9Dsp^iZy)luSQO4paHd97Vz=3?P^Z3SdNKx~fp$_jYQ%vuJ1$Wjs z=;|I8oGgS?QID@r|7ewS>>I!q9{UMRruFay8Mcb3uU@m0mRP=EByQz}VD}68#bB{$3mA)~`DW56K`Z>L)CnG+f zF+bR`aqb~5?Fv}0Nd8mc1X2H5L3$Pg6=lDSbyCgqi+pABo)!|$%6k_S+T8McZ)1|U zP#$onOHNw5?U3B)1 zfQAiV0;d1qg4%8t^hbKSu;ah+pK<(2kv}T+tWlU)BS2m$nL#X-z^~MZdVc*`KkLx&^ zTV=&9*Tk7P%I1Vql1F`zZFDSOd{{~Oqg(8RUj*&^HmB&sw?Maf*8I0+6|L2 zeV`yy_CmMJTeL7XiLA7bF86*r}VB2M5DOqJ17B;00bP9MzZcxH=^#{r_NQ|Z-hOt+9D|B z@PN|z+}8=Kx?+gWUx8_X#KifZdXt*{hW}YwETgjsVj($UVh&o_$+`p z1R;j*s(N}s#2e~Ht2oHtO9qAe#va|rXYpT(t_uIo9x2pE8#Rx*9PGq>UVprVXZ{O* z!r&`;!uU(Wp|B>%W}&-0Y31Nawr<$%?f=`iZkCq#@DN%F5;IEq^_$P_#i$F_PY$M} zxEDLur4oo3lSsSEs*UGSEk7-V9EAfo$I(RsEo9RdUL^3-QG)zZ5d1%%mvR};v|miM 
ze7vlVb<-bJLr9vcok8epO-p^e;~D$nOxSE#YYR6PmJfwU&QooBpVh1wT8@(wU;-cK zfAk1CV??4l=xfUO<(Xlnz(3l^4c#t#3nloO9JeDekniCK=`3bPVOfR*>(A<2q`aTH z!Mo%aPI6cHzBpNy{Riub62y&)gAJ*ZMQfGwcp6&ft(!n~Uj8Q5pVlEK(P=+O8l!%4 zlh1lLMb9yN=gli{s6M=hOnN(n`zn&#+((zTw%v4a(zD(%M9fH4VbHBFhQPs=Mc-pS zn_l@>-(ffn&L~l|3E7$-?E7mh#10D&6;ufq^Iw`rq&un$Eww2EgTLHTb8g(78d^BV zd~_0z!#v40qrT-)J?dtUc$y0LTF1d-lYKPqIgl9Cz&+qFB2^ew2jl~la zeqZ?X0x`KO%i(Tj8`ki0Byi;v{QsUYx26=Y@vr23=1ga_gk6wbni=1cz_!8+3^PmA zF7=>q!ncAfXSYf^epGf^2Amva)osj~6YcS8Pq@_6&f9Xc`-kZD-g9^kHairD_Q=&= zgwt2{D`ga2Xk2qdJRV43trz9O{Ms?`gfz>oa--jN~-|Wdna{DT% zG;0rwP0-0BxTW?~qtaqg1j8cDZ|Aemy7lJZr*1+=1e_o`mf17ycfVDkS9C4SQ)t=) z_)58kc##xztnw3Gf^A)sO6gxBrNd2B&^ryO^vgO-Iffdq z(jL1NRf|R72|m^mC-%P%G-y+J^C|KfOf96}JSR6HCCQQ-HG zGlD4N4LkAeV%3vGa053m@<;Q^hO@GFI~EacY5a%tDNGYoj_pt@JsnnYGTo&dBr}JK zW$cCrq^PTQ#ryvBoy~Qk;(YSj)LtuFH!(Z~ZOUhB0z(lit5fZI)S;L<1jGDmgDP>Y z{m#%R;KtYd^}d_nK$as`c(e2TC3}qT6F9buZQSjswOug7%FoU1L)?DeiTZ&(JnqDU zaRtuNSrLxB3<|IB?triNXR5ID9;v5mJPn4wz0Fblkh=Z@|9VY6Wyyz(LJ1r@53n}h zeo;{l0657V?XO{3cJZ{o2!{mEL14g|Qc>Tq(n;zx^znZWM!U&RgY3 zNE+eD6`AEN;}vl+{xj+StYbKJJZIXn2jN_tkFI+Si5+f%9%e6%>~uM$de4vMdP!EA z9CrsdHhq`&U=g~viQA{*W2C9XQ0%ttXU<+zxQbLVrBn^J-En964c&l20k|z3m)pXl zNTJ`mcLUkgu3leMau9|ceXaYAVO}CT6gAdyKL2AY?TwQ<&s_8FVlQD#$mzXnPe;10 zv_I^>@RsrPfJ3)EMXbM^r}AmPVb@My^q|-WKrqtt{0mA_Kb~;@rEl9%`7R+_7zz5L zm=6e1wf?ieF^>4{*A16PN7U2Mn>BcR8kBBW#0tj0py=LrHF+tETpd@(6?+R9F)pNR zrd_40Gdc7W6iK-QQt50g1n@k!g{x(5LZ+ixP_u-GJi^mM>MZcqo z1{F6OQc!&MY<+S5G-zk2F;%?al?I&?-|&MqQs-ZRbPzX}U-_xbcuiw?vs0z! 
z#~VnGwNB5bfrnIC zg9u7ocvw5H!9~(pxs~g0%_k9?(PVTYT}8e0$H{xZV=V#_BqYFspo2U9DLDr{k7pF( ze6z3Ds^l0urOD*Izr<^7SX>_Hi@T7cQnGw22&?SGe0t^EH7B9Ekp5)dFVjxW(-!kmYKe{>2R~L}grwq7!cbk>_YSTW+e!$R(AFHugEaBds<*;n>$AnM9m79cggNIr78yGl ze^PLW)-AknlAx-XhYZXt>G8Df6`!y}-*gMWoJI97o8kXTKj=b?F37C@= zRe#`YbXB8Sy5h%tO!$t3k#U~0xZcc4CIxW_FfGf%)zi~9R`t^}-w`b;&8CH+YG{Gj{AOU*!gqh0s& z{dF<%d+70|+^WB6Lj^G6LoIvz1xET_u^*|r3@eR1*vgMvDk@FI6ZCF}&cnW3=0PF_>_8-6Z8>vw%G9eag^awe z@@j|o4*FuH3$|maXi-9Z_iy_Yqe^ zN2r*n6R$I}$1MI{CIPX>RIOrg6=@rDly3hp&+0n<6)ymjxk2q?Jv0~qPDx_au9~U^ zmgHi}pxU9G9JkAf zKAko)Va<`Smc{ABYlFLI(vrF2GfoBsb>DVjy+=20Q_W<^|_jZJ36-P(Kz&QHH1 zteRZhZjno^MethnDK5=Z%Yu)Y868c~D_MfD*x#0hq*SS7?4RM$5hq+5dBmq;DN=LK z6Nn;Y!;*i4fph)VSr)LYN&>^VJE0R41q+Q|?B)c22PhM~it6ekRG~GX)1l9znh817 zao}U+5aM~V+r?VA)OnR*ySJ>+T1inm-Csv12q>p42Ry3&R7x_ZC4?GG60&v$mWGxT zvvp0&dZW%qvly~5q&YkiIt5&6ke_YtTl3mR^Sct@U#hXz*lO0xhqJMga_BH6H@UH! z2b?eu-0>*Ks|Be?0YT}q7sI$=Un<1Hy^y+Xe(YX;6n2=9@q&QKE;by0xTQJoTFQlI z38G~%6ctyEQw`=3@^ITXV}RI<23x+2uB9zr*4=SBi3LVxjZPL>O!&^v5zwJ($Jk(p z8A2H-B?*zZ4`a_R(G(WxkE|dr51FDxh^j=A%U$k2Xu>~@;9~eLt%da3qn{aYQ~k#g zrY55TsYU{-Uz*o6$^N^#CyOlWgooW}EbV+S;#!iDYqt#_BX3~)^WfvQF|si}`?m+U z*{HPR42!w7HdpKe>7*SiQvsv*ypuys@ouK{m%6%SJC=ju=@v3Bs@+Dqt2bsi zbUA3spflRo44aAnu_j=RPX%j&x;jm80%%wQsY`wrJYy5z)7Y@91u6k_- zW1?z%`DTrhdhxv`K@9D_;B<9mqNl4`G4WDv;}smXhcI6X}?y0_#l?ywdrr7dRiR_)A^RH$xI z`w+g*V@eswn%{p%jP2YgNqcw;KTRp@aZ~$dVi3COS~9h-3FQ-V&4OWcaves;2e0qH z35;`S8+tqZMoJOB&L=Ko^@Lbj)PHX-2bsi{d<$0FiW5R<_8pc8F0nlGsA_KVS|lQS zexi3VqEgp3YY=G6b~LGb=owsmk`4BP;zG1b|Zqfc2IaL3zZA_=Z?%4=7fKkS263LS~-1; zyuHBr#gRHvz(y(Vq7Yd#D~gDxJ(p|ZtSOPZ7vv157Y`N`P#+7JpMJ1N%P3F$8)(P= z5lk0ZgER_1m7o@ng`t8af`Mg{a6Q^zH2o~8O|h4aee8=0>fe7pbqg4t@lnY$mZ~)h zct|GUNSq&HTkx{zcgAor-zzi1xNM5Oi&-zbQ=KibJoSj4RN!t5@Ei*Tb}>R2Owb@P z)2yn-jh3&XQdd|0C2a)_PpxUfTIE^Y*P#us&SkGY0|P5U4aYSo#kwHcuN~2G52faw zK?DCGH0UcbhV}d3=!x_(D*SHqZFVqd@A-UwJluGtK-~K5>=y9-ymKjJ(p0VS>##Jr z&!1G@xT`z(TWd%me2q}@G3{pi;TCvE?DevcS5{N+8hmzx2We}6yF8yDao{$S-8NYe 
z*TkWJ)k7rKd_;F(=soA~3U-9<41U{_ipIAWsAaJ$%kXXgMIeUzj(F3YovdwPC4V@eZEm2SQtsS@do9IQs8f>vsC2 zsYdr{G~_mAXwi_snN~DJScT(nL6TL{kirfR<2Gl5tUrfArwD@pGoQH-&>mr@=T2Mo zfT{G|8MMv5KpxrIF0Y^WBMZ{#d&6e4shjY`iiuYT*_m6oaa_KN7uPe|2v>AG?j8H% z6DUX^#i)XW%LX@}`23$PjN4%OCkZ0LKSaFAELvH)12tsQlfN@xFattId{8h}1&Uk%w?;k}v z)b~O&*B=)KS^<$jxoCBJ2l6@iZCNM z^Y>3sv)_l%Qz8GMude9F(_cd@}omU4|rxMBKJ(TR3!eZ;T@nY0=t@B9T?3=X+#7qc8-TG`%o049vWHgvDdE}}g)yfR=dU+$cH6RQXZD9Ek0+(kZrM8PRz34xtQD6EH*wdbiyK)*!F<$R z>xM+ArE*OZFj7jJdUCG^?s}`wp6Z))VP8z^lXHf9)q&7?`rB5l(Ej>FH=szo*da1{ zJuv{&59ayTf%V@N!1RJ{V(;9@=E=@l8LQ8*x)ow?M_znG03va++)YXc`m=x0yj40n zZ1xQT@l(d5(Ra>^vC(gh9ymj)Q{~JME?ZiU?J_LtD{ECIa`Ejj?qsi!;Q=Nj%LP$i}Om9V*)p5JuobM4nYTo+5+$4+Nqut+FZHLgzkz zFb(APBnFV0GnD~_*EUD?60)}7M^^v%F6g<Ruv1l&8RsOtUBQJi7MX#iQs#iDQA_Q<9t7}a# z+mb5LmzPUXmoVtDZ+oVODVvW+Z=*xksf9Xy6oQ^Ut;O{U-v-ZBX4hYSRZ%9}tvMw( zulicrlTn%pKk{4?Ax2ITRiTAA*X{MTUGF?jUP=c&&*t|gd!}%EAf3< zQd)h(O1#e{QxD-j;2W*wAd^V=tg3zZY#(L2 zAF;FwL?fnHh>xCj>q^J+7(Z4r$QK{K7X_rZtju92Bdk+k60|11!`q$>pusBtdpFf< zNzll+78`7f=FIdlbhRmHYDwS{-q$@r)r$S5-0bS6(^CAnuZWBLL3H>7NmRhiyH;uHQ^kQZ>KflyZw3MN3=Ecn4UB@Lu+Skqqmd|afa{kCY zAVfLsOOomdeVfA73}4_QOb`97vUl&i0sEEOq# zMjTGdWY`zal7Z_gfLgols{)524_Z;|vAp&V@j>>2*9$R|QYRb9LKenvjS=M;-6tQl zlrEMl>VLEN;KY?=*toz-u{wlG-f`U-uMNMJ@IYZX;JvCBhxE%FHmn43~s!`ICesg*VG27AMlfr`o~rkJX{J&ZwNyiT4c8Q?zZEC=1N{8P#avF!U&AW@I(%=fO|-~c zzu4407E5dx1J1O>*h zviVv$)`>{Td}eulV4q={U_03o-k2ORV7F~!-~;>l2OImy)B}c9+kk9Mpq>?Lx&P%$ z35w7ASgeG*HVWb3x-!ppPd3CzKSNr?7Ie!sEqx@ktZ&ZU6$9|h_73j^%z>s^y+*)F zxi?&JNEvMj_40M%MB*uz(QM{$JWn2+)8FB;=Fco>alg9fJG6gGJwSzI5*&a5@^R!P z=P-RlaQ}tzus(YmpLe|=Q0?)xEvSstxDU*Pg9iG>Xwg0(l~W5RNq+5YC~iM~AyF0J z%^=`UykZsY#gxQ#L$2p8|0@Fb?JKhOazyAdUg5TRnw?Ao6w(qrWOWh|5)z>E?7WK& zwG%2_b*KzJyrXK{<0u0S;A#ZR?D1#Fl5hC~Xz6l~zPu4msbPB}F$25W{G}&be|lstHP9AMiEc!JTjTnRW+{-6$?WPC)SfmZ?v>fHtVzu8ec(?ZkEL8$)rI-l59}=we#11VO(<~|{ zPk4Fa<@*)^_BRvsvzN;SGi9}DYN{~W6>o|+o8m&rNgy6^E>&jK_4(7gS zm+wgys_N>?5ijr6-i*ko;Jhs-me#{R-u55HF!PFiu 
z(+Q7Hv&EEdSA#IN9oHNA6FLl5%d<37-e5Nvk&4P_tN49?%n|&!I=fZ<3f^S$?Wglj zPS+BFbTB~0-tx#{MuVS71^jeGXzvffXdLSKn+ zA8is8{n}2lcd2n$z z+f_z6R%@sw#?ir*S9BiR{(|S`w|qq=Qp3}6J89ysSt{bOEOvo>d#$u2NODHS5o3t{ zpYFN8BY(s@y^L+i8^ zyz~p9Pqxu=7Zbf<^h|054hqBLPMvsiT}JwQW7QAOv)#0g<53;@oEct8Ec?1EsZqm? znd_06<`%m&TjH(CI8$^u=uS28&G_l$p+OMeOS z_Fy=f&;nB}(#VXwt?FwMpq&28tD$v&3)j}j_`_S<-{mfDhbtFMXwD8&-`DRVR)itl zACO(GKb`vxOLUi^LxiWB2+03s>Z&1E40jq@2GyN5d|RX z3&3~ReuE+?Y1rqB2d6g5oY~*O5!uVz>Ca=jd(Y(H<(%LkE(}@+y3fA@QV~QQnu0SR z9VyxJHujFHxRgDXEE(CT=mGkc#s)HnvhJ)j$WUIFZ&Q)E$J6~`-y|L|tpgQcuJjsj zdo>Af`6B7E*DJiH6fY)Ze_u$aPppMnK(Y@rf&1W8V2nt-fb~yOgGTy%e-W(O!f4|P z6hB`|SUbe+V`C`7MY&=Jmb=L=J|SsmMlaB;qm{NWF*~hXqe|Gg8fBZ%!+1?P_md?H z-ihmd!P4jcIhcz;vpo~yk)}`!TFtg0{F7^=UN%ppjayhx(_?e8>GXBRom{- z`?6r|cVKKvzz(5W!E5!*`r!v>r|(M``cls!vq`{^cg;(FNuykd691JL0h$@dccya{ z<>1ncKi4%^8`o9{QpU<$HP7B+1~-=xCy58YoUoQ*sCMSuIT)v95%wMC@RxOXaZP{Q z)6xlkz=9~~h=-`$O00BET%utfYcEA{``WBsPd#qE_2Kr96MxNrvl5Va`X0`PS^@(B zIOR;??9jEUT=}cT!NdIZLqbHJHyTzRK4p z`>t!^LEeLSGvoe(Ch=WXk7h$MT^OiEPMw(HZE?#Q@=CoL;q61)DX;oPT*C^H3kPmR zln>^1h$c71S+N?C>r(Mp#?yqXG1EH!H@IFXv;#hS68=k$$gfSA$)G>iBPoTPl}Mb5 zblB=&W3};>!^HA`#>IWjkfaJ%PRL{r@aGYS#P|;SQa*SLo0}n|fH6(pdWM(mdFBh4 znCaEPPFfbMP;r(Ja?^9%ci7;e)>!Z(c0f>++ORIa?vhKrQM&71mc1x0;|YK zlt^i-ohr9E>I67Gq^-BJ*(VJ5q`_VQ%&GC*K{$8YuJNL+uv5@Ljt|i4Xd}i_EnRJR zDq}PszOz&QBlUV^@*o>XE~E@lI1DM9{1S>@o#)ME^s_sXbCSW+90mYJ3s9LFPsyXZ zJdB#f@$OhSMHcb}kPO~uA^XFe&|PvUyQ;j!bQQn~0vep1uI>kNDy95jXCYQ(eN7!% zsBKrIdt2yy#TCS39U2kWrz3;9mijy08BjD)i|~)QJmZ%Gl}+oA{IEMCx>(QCH-<>8 ztG~P3ox}bV$Is7zzj+pKGqCP}qAFA?x3ms9{pR0K$)Lc~QCd4rMK$;vVM_m`kkx-S z`9ncj2d8hkGeu#Bo;q;LhhQ=pM?XYK)>bx`7lIv9vuN`1$-!+dmS<$}kO%%n6In(| zklmgYuI;G*xlNMC0Ltk` z>Kd{pXn^Z*>V*KB>f*YhN8Q*o9|_#h&eKCmFQ0-kDv~WP(vAB1)7A7~b8$T9^3IAZ z<+@f2dnrt6%MhIf^q8|i0e)dZXI(0}Lt7*(*`(J&#}>8oQ%@C@T8mr zZEWry($~Qjd&*sv-t=P@MQd}8(_zcBw1IAA-pffE960lGd%}O`?+gZ#AnzSax?C1y z#N&n;rOft=4|Dk;rB{e|`byabsKWnY?NVxUO$V;a_;ZpbAOgL~R|iLqy1)L5Z~@?R zO>0X1y~0cnUYmrwk`nXBsYl?=nf8$iC2De?qf0O8QQ6km1jT(<}`%NC< 
zctRjsTpA;8&Dsb3C3j)NKiV36Gf}=1UFbJ_jQX6bG`XvQ;W)9h$+s3BQEf?^g_td; ziLw0dFqeSN!p_cnU#+LAI9aeaRE$z$Kvzqlpbk3kBtDm^#kU&in5glZLw)!cWpz+c z52x$4HL%OtWL50QG-W%?HRQYbvMQ#wD zP(Xo}v)bD{(FfgD)Une11$sgtRZ!xkE36f0d6cAqO0cDZR;hj z-yaG?37mUG64<`VnT-B%{1btZx=ogfxuNeZA~HdhqB1uMm+bD*RVBD%(=;nwt80w$ zh~NxKz^L2!j?GReOEhYhd_J>T+JG^89-!j9NNj6pf5n`2aGXHeRI*uur!+a-O45+_ z<|_BkOIaW{sAySi7Sc3hn)-+1pmiC^jMX4k;oKYrc*Xys=bJZ1@U^&F&~L8NQEsB0 z%?7KE&R%7WsOCWxBmu~n*|%!0l7SNe$l%dgoT!hBjQ?WmSiD+d{CT-3965|#@-2Ax z+Hl+I7*@f~OV@$9NIIEB$fi+H-+iOQ0~fs)CZxno-NI7OSNz#BDhw_S==JZ*->C)K zxN%MgkC>S@Mp?Gl%Q-|65&vtL6rrB%AsS5Z$T@nfwGf<$H$@Ak5zJ?jiisW1b+*gv zeM<{3m~dmXDjj*nOZ4VDG))YIiNAZME^r#j0AG3@E_m90M#-xWL2SLbqoSpnr1T=t zZ+t)`h+i9lIkk?d*%FFAw zJcou#$&n>iC(}uoA`;Nx9_*_Yz!HWnB0V(mFZTT^+jhh)ydd(i*{KB$J6in*#Gtye z-%x@fRotpQGTGm-`kCkBE_OjB<>{KS4p8>h8MLlrwAI_W?pmQ}FSd%n%!$w?MYL~c zp^B)ERT{AOVoV6^&;ZKQOQx}_vt`Zs@r+A0%9-~Yp~NY8Ei!jsn919#aGH0;&aaIaDm&%Wqi?VVws8aO@}()ScC^D|DdW zj<_mtCfir#4b3fEQGz1~C`}#qej7X+wby<>|F0-d#!c2X_U`f@3gAp6c2J()?;j!q zvP;*T6(_kF{h=S*N-3R%*H~a7JNka>dR8X?;NA9a*+lJl{XrWs^K8#&8nP;~mlWMo z&22wdH^RdAa}6WOMK!^V)>B`LdLGNl$Xw($UD6EQ$u-(5xitUg|c+kBf_p6Q4gRD z<|TgfAi)X504k$qyT*TQ=Q<(@4aevC9jgsOsaJ*^k_i}{!lc$Vzj^x|0uYe* zujfvJ>VjRBwbezq>{rj4bY^ZuNXZoBM%U8QQ{jHEs7E<=Vjn#;@m zkuarA-)2|%gk_Kw7=SgFlr7{M1Sr)Aq-Ug0dH0c>uPK*7o~zY`S~I!BVhaT0Q#+L} zawbe(+tVe=z#uC=;jM^r4todet$ zJ<{eR%%KhzNH-O4(bht;E_W^{Gn=Go`k0dFYBSTJ+pMzND(L^P@3gh72lA?HF@#Wy zs6qm1z=mE&V#upb8lI6|AaCl@TWt8hAmHt?_p~8C&1oqqqyJQo*fMm+eU;F3PjeUZQ+EoamrYVf&lEWHKD?M;VS^qRH2uB80Wl{uI;!k+NPWP*2fa6U^ z3=jAv*50IrV9tgbWJ)tcLk0@zZ(6`d1IR3Qjb!T8h6bfh?v{!cFT7w5CSpUNb`W1o z2{zr+dskZbldW?N4EF|PrMt6WY*H#)x}szkDF{TksIZFIPJc^!>%?((pZY#B;kX^{LeBF!A&h-U}N6-m)x-Z`Ihg)JYNXBO0zb4!7O z*+z9;FS_?gbzk~o?20>f(Np5alUFNi1G)29&}0GyFX>kwNHNj#l52Ka)|b!ptUV47 zil#inJ0=1@j+wH5y4+B zPzZa|+`^A6+$77xqAQT5y5@(Ef^!TNMo`3$)%s+CxP7Jk2rZS@yU3PCL-y3+XDTQJ z^NHWBFA$!dBkG4mW&_(hlId}ky0QbW?`oVMne{(FLVSDyII`lkjewM&dj|)ia0j19 z-9tu=BP1&$EF&Z&{U#(8AU!~bnjrzk(F=_ARw#I6uSQM*$7H~e$wGz0{P6m{V3u{9 
zhLqHado>|($dkfTQE_En!tED-#y2z;aRa9x`?e z?vx#S1p&(Eu=P8971Pnt!+4M5>Bk2+8`5^QgWmJ`e0*{Gnx9W)R2brS521Ml;(L0X z z%(pBMx4gPehn*q=>L9g|7D679eej2~edY^kZuH8JM%!d85Br+C1GD$QbYNfxLI8UUjD~*wORQ0clb@iuPMocZd9$I$J*aM1f9QX^@Oam zwjp3>TqKQERTbl{5ArK*;C}`k$Kgd?!Kz^il86|QVn)1w(5Egf8I8e5U{s@x@TZ<@uS@2y>BsChElLl=*r0B*LJ1hVi^%4$hQ5 z6Q2<5`j}Y_qU#$FUb)5KshxVSRZwzcH9Vi>XT8`osNUfS8{WN?(0(tdyL!PVnS&oT zf{yvm3RCD~^v!Cp|8mnM?JA*fnU^ZkA5 U&(r^}_B+<{> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb43..1cc0d9ad9 100644 +index 8416beb43..a7af809a0 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', ` @@ -18307,7 +18307,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Read files on a DOS filesystem. ## ## -@@ -1793,137 +2162,336 @@ interface(`fs_read_eventpollfs',` +@@ -1793,161 +2162,986 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -18679,14 +18679,17 @@ index 8416beb43..1cc0d9ad9 100644 + ') + + dontaudit $1 fusefs_t:dir manage_dir_perms; - ') - - ######################################## -@@ -1935,19 +2503,645 @@ interface(`fs_dontaudit_manage_fusefs_dirs',` - ## Domain allowed access. - ## - ## --## ++') ++ ++######################################## ++## ++## Read, a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## +## +# +interface(`fs_read_fusefs_files',` @@ -19301,18 +19304,20 @@ index 8416beb43..1cc0d9ad9 100644 + ') + + allow $1 iso9660_t:filesystem remount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read, a FUSEFS filesystem. +## Unmount an iso9660 filesystem, which +## is usually used on CDs. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## # -interface(`fs_read_fusefs_files',` +interface(`fs_unmount_iso9660_fs',` 
@@ -19860,43 +19865,18 @@ index 8416beb43..1cc0d9ad9 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2518,73 +3731,148 @@ interface(`fs_dontaudit_read_nfs_files',` - ## - ## - # --interface(`fs_write_nfs_files',` -+interface(`fs_write_nfs_files',` -+ gen_require(` -+ type nfs_t; -+ ') -+ +@@ -2523,6 +3736,7 @@ interface(`fs_write_nfs_files',` + type nfs_t; + ') + + fs_search_auto_mountpoints($1) -+ allow $1 nfs_t:dir list_dir_perms; -+ write_files_pattern($1, nfs_t, nfs_t) -+') -+ -+######################################## -+## -+## Execute files on a NFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_exec_nfs_files',` -+ gen_require(` -+ type nfs_t; -+ ') -+ -+ allow $1 nfs_t:dir list_dir_perms; -+ exec_files_pattern($1, nfs_t, nfs_t) -+') -+ -+######################################## -+## + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1, nfs_t, nfs_t) + ') +@@ -2549,6 +3763,44 @@ interface(`fs_exec_nfs_files',` + + ######################################## + ## +## Make general progams in nfs an entrypoint for +## the specified domain. +## 
@@ -19935,65 +19915,52 @@ index 8416beb43..1cc0d9ad9 100644 + +######################################## +## -+## Append files + ## Append files + ## on a NFS filesystem. + ## +@@ -2559,32 +3811,68 @@ interface(`fs_exec_nfs_files',` + ## + ## + # +-interface(`fs_append_nfs_files',` ++interface(`fs_append_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ append_files_pattern($1, nfs_t, nfs_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to append files +## on a NFS filesystem. +## +## +## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`fs_dontaudit_append_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ dontaudit $1 nfs_t:file append_file_perms; ++') ++ ++######################################## ++## ++## Read inherited files on a NFS filesystem. ++## ++## ++## +## Domain allowed access. +## +## -+## +# -+interface(`fs_append_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- write_files_pattern($1, nfs_t, nfs_t) -+ append_files_pattern($1, nfs_t, nfs_t) - ') - - ######################################## - ## --## Execute files on a NFS filesystem. -+## Do not audit attempts to append files -+## on a NFS filesystem. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - ## - # --interface(`fs_exec_nfs_files',` -+interface(`fs_dontaudit_append_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- exec_files_pattern($1, nfs_t, nfs_t) -+ dontaudit $1 nfs_t:file append_file_perms; - ') - - ######################################## - ## --## Append files --## on a NFS filesystem. -+## Read inherited files on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_append_nfs_files',` +interface(`fs_read_inherited_nfs_files',` gen_require(` type nfs_t; 
@@ -20121,7 +20088,33 @@ index 8416beb43..1cc0d9ad9 100644 ## ## # -@@ -2777,7 +4124,7 @@ interface(`fs_read_removable_files',` +@@ -2771,13 +4118,33 @@ interface(`fs_read_removable_files',` + read_files_pattern($1, removable_t, removable_t) + ') + ++ ++######################################## ++## ++## mmap files on a removable files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_mmap_removable_files',` ++ gen_require(` ++ type removable_t; ++ ') ++ ++ allow $1 removable_t:file map; ++') ++ + ######################################## + ## + ## Do not audit attempts to read removable storage files. ## ## ## @@ -20130,7 +20123,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## # -@@ -2970,6 +4317,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4337,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -20138,7 +20131,7 @@ index 8416beb43..1cc0d9ad9 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,11 +4358,31 @@ interface(`fs_manage_nfs_files',` +@@ -3010,11 +4378,31 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -20170,7 +20163,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Do not audit attempts to create, ## read, write, and delete files ## on a NFS filesystem. -@@ -3050,6 +4418,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4438,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -20178,7 +20171,7 @@ index 8416beb43..1cc0d9ad9 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4506,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4526,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -20203,7 +20196,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3239,15 +4626,198 @@ interface(`fs_search_nfsd_fs',` +@@ -3239,15 +4646,198 @@ interface(`fs_search_nfsd_fs',` # interface(`fs_list_nfsd_fs',` gen_require(` 
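Review bot: The summary of the new `fs_mmap_removable_files` interface, "mmap files on a removable files.", is ungrammatical and does not say that the interface grants only `map` on `removable_t:file`. A caller that also needs to open and read the file still has to call `fs_read_removable_files`, whose closing lines are the context at the top of this hunk. The summary should say so, for example `Memory-map files on removable storage; grants map only, use together with fs_read_removable_files().` The XML doc tags around the summary appear to have been stripped from this rendering, so this point is about the wording only.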
@@ -20405,7 +20398,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3255,35 +4825,35 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,35 +4845,35 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -20450,7 +20443,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3291,12 +4861,12 @@ interface(`fs_rw_nfsd_fs',` +@@ -3291,12 +4881,12 @@ interface(`fs_rw_nfsd_fs',` ## ## # @@ -20466,7 +20459,7 @@ index 8416beb43..1cc0d9ad9 100644 ') ######################################## -@@ -3392,7 +4962,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4982,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20475,7 +20468,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3429,7 +4999,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +5019,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20484,7 +20477,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3447,7 +5017,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +5037,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20493,7 +20486,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3779,6 +5349,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5369,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20518,7 +20511,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5403,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5423,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20543,7 +20536,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5514,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5534,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## 
@@ -20552,7 +20545,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3916,17 +5522,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5542,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20573,7 +20566,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3934,17 +5540,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5560,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20594,7 +20587,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3952,17 +5558,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5578,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20634,7 +20627,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3970,31 +5595,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5615,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20690,7 +20683,7 @@ index 8416beb43..1cc0d9ad9 100644 ') ######################################## -@@ -4057,23 +5699,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5719,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -20867,7 +20860,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4081,18 +5870,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5890,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -20890,7 +20883,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4100,54 +5889,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5909,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -20957,7 +20950,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4155,17 +5943,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5963,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -20979,7 +20972,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4173,17 +5962,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5982,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # 
@@ -21001,7 +20994,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4191,37 +5981,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +6001,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -21047,7 +21040,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4229,18 +6018,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +6038,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -21069,7 +21062,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4248,18 +6037,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +6057,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -21093,7 +21086,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4267,32 +6057,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +6077,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -21132,7 +21125,7 @@ index 8416beb43..1cc0d9ad9 100644 ') ######################################## -@@ -4407,6 +6196,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6216,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -21158,7 +21151,7 @@ index 8416beb43..1cc0d9ad9 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6311,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6331,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -21167,7 +21160,7 @@ index 8416beb43..1cc0d9ad9 100644 ') ######################################## -@@ -4549,7 +6359,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6379,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -21176,7 +21169,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6406,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6426,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -21203,7 +21196,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6501,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6521,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -21229,7 +21222,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6761,176 @@ interface(`fs_unconfined',` +@@ -4912,3 +6781,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -34661,7 +34654,7 @@ index 247958765..890e1e293 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b669..a8cb6df3d 100644 +index 3efd5b669..2ce58d86d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -34883,7 +34876,15 @@ index 3efd5b669..a8cb6df3d 100644 ## Manage authentication cache ##
## -@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -337,6 +394,7 @@ interface(`auth_manage_cache',` + + manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + manage_files_pattern($1, auth_cache_t, auth_cache_t) ++ allow $1 auth_cache_t:file map; + ') + + ####################################### +@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') @@ -34892,7 +34893,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',` +@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',` ######################################## ## @@ -34917,7 +34918,7 @@ index 3efd5b669..a8cb6df3d 100644 ## Execute chkpwd programs in the chkpwd domain. ## ## -@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -34943,7 +34944,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -34951,7 +34952,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -534,6 +629,24 @@ interface(`auth_dontaudit_getattr_shadow',` +@@ -534,6 +630,24 @@ interface(`auth_dontaudit_getattr_shadow',` ######################################## ## @@ -34976,7 +34977,7 @@ index 3efd5b669..a8cb6df3d 100644 ## Read the shadow passwords file (/etc/shadow) ## ## -@@ -664,6 +777,11 @@ interface(`auth_manage_shadow',` +@@ -664,6 +778,11 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; 
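Review bot: Placing `allow $1 auth_cache_t:file map;` inside `auth_manage_cache` gives the map permission to every domain that calls this interface, while the changelog entry names only sssd_t and the login_pgm attribute (BZ 1530118). The callers of `auth_manage_cache` are not visible in this patch, so the set of domains that gain `map` should be checked before this lands. A narrower option is to leave `auth_manage_cache` unchanged and add a separate interface holding only the `map` rule (name to be chosen by the maintainers), called from the sssd policy; login_pgm already gets its own rule in authlogin.te in a later hunk. If the wider grant is intended, the interface summary "Manage authentication cache" should mention that it now includes mmap.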
@@ -34988,7 +34989,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ####################################### -@@ -763,7 +881,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +882,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -35040,7 +35041,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ####################################### -@@ -824,9 +985,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +986,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -35071,7 +35072,7 @@ index 3efd5b669..a8cb6df3d 100644 ## ## ## -@@ -834,12 +1015,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +1016,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -35102,7 +35103,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -854,15 +1050,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1051,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -35121,7 +35122,7 @@ index 3efd5b669..a8cb6df3d 100644 ## ## ## -@@ -875,13 +1071,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1072,33 @@ interface(`auth_signal_pam',` ## ## # @@ -35159,7 +35160,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -959,9 +1175,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1176,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -35193,7 +35194,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -1040,6 +1277,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1278,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; 
@@ -35204,7 +35205,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -1176,6 +1417,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1418,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -35212,7 +35213,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ####################################### -@@ -1576,6 +1818,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1819,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -35238,7 +35239,7 @@ index 3efd5b669..a8cb6df3d 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1987,63 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1988,63 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -35306,7 +35307,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -1767,11 +2067,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +2068,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -35323,7 +35324,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -1805,3 +2107,298 @@ interface(`auth_unconfined',` +@@ -1805,3 +2108,298 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -35623,7 +35624,7 @@ index 3efd5b669..a8cb6df3d 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791dcc..c6721f846 100644 +index 09b791dcc..03feb4c8d 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) 
@@ -35982,7 +35983,7 @@ index 09b791dcc..c6721f846 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +525,163 @@ optional_policy(` +@@ -456,10 +525,164 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -36037,6 +36038,7 @@ index 09b791dcc..c6721f846 100644 +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t) +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t) +files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey") ++allow login_pgm auth_cache_t:file map; + +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t) +manage_files_pattern(login_pgm, auth_home_t, auth_home_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c0fc4738..aa773fbd 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5635,7 +5635,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..b7ac74501 100644 +index 6649962b6..1df48fb13 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6323,7 +6323,7 @@ index 6649962b6..b7ac74501 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -412,13 +524,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -412,13 +524,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) 
@@ -6334,11 +6334,12 @@ index 6649962b6..b7ac74501 100644 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) - --allow httpd_t httpd_suexec_exec_t:file read_file_perms; ++allow httpd_t httpd_squirrelmail_t:file map; ++ +allow httpd_t httpd_suexec_t:process { signal signull }; +allow httpd_t httpd_suexec_t:file read_file_perms; -+ + +-allow httpd_t httpd_suexec_exec_t:file read_file_perms; +allow httpd_t httpd_sys_content_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) @@ -6346,7 +6347,7 @@ index 6649962b6..b7ac74501 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; -@@ -428,6 +548,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +@@ -428,6 +549,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir) @@ -6354,7 +6355,7 @@ index 6649962b6..b7ac74501 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -438,6 +559,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi +@@ -438,6 +560,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) 
@@ -6362,7 +6363,7 @@ index 6649962b6..b7ac74501 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +572,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +573,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6606,7 +6607,7 @@ index 6649962b6..b7ac74501 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +756,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6666,7 +6667,7 @@ index 6649962b6..b7ac74501 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +808,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6769,7 +6770,7 @@ index 6649962b6..b7ac74501 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +867,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6850,7 +6851,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -749,24 +919,32 @@ optional_policy(` +@@ -749,24 +920,32 @@ optional_policy(` ') optional_policy(` @@ -6889,7 +6890,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -775,6 +953,10 @@ optional_policy(` +@@ -775,6 +954,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') 
@@ -6900,7 +6901,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -786,35 +968,62 @@ optional_policy(` +@@ -786,35 +969,62 @@ optional_policy(` ') optional_policy(` @@ -6976,7 +6977,7 @@ index 6649962b6..b7ac74501 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1031,31 @@ optional_policy(` +@@ -822,8 +1032,31 @@ optional_policy(` ') optional_policy(` @@ -7008,7 +7009,7 @@ index 6649962b6..b7ac74501 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1064,8 @@ optional_policy(` +@@ -832,6 +1065,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -7017,7 +7018,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -842,20 +1076,48 @@ optional_policy(` +@@ -842,20 +1077,48 @@ optional_policy(` ') optional_policy(` @@ -7072,7 +7073,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -863,16 +1125,31 @@ optional_policy(` +@@ -863,16 +1126,31 @@ optional_policy(` ') optional_policy(` @@ -7106,7 +7107,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -883,65 +1160,189 @@ optional_policy(` +@@ -883,65 +1161,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7318,7 +7319,7 @@ index 6649962b6..b7ac74501 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1351,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1352,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7472,7 +7473,7 @@ index 6649962b6..b7ac74501 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1436,107 @@ optional_policy(` +@@ -1083,172 +1437,107 @@ optional_policy(` ') ') 
@@ -7710,7 +7711,7 @@ index 6649962b6..b7ac74501 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1544,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1545,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7808,7 +7809,7 @@ index 6649962b6..b7ac74501 100644 ######################################## # -@@ -1321,8 +1619,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1620,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7825,7 +7826,7 @@ index 6649962b6..b7ac74501 100644 ') ######################################## -@@ -1330,49 +1635,43 @@ optional_policy(` +@@ -1330,49 +1636,43 @@ optional_policy(` # User content local policy # @@ -7894,7 +7895,7 @@ index 6649962b6..b7ac74501 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1681,110 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1682,110 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -16089,10 +16090,10 @@ index 954309e64..67801421b 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8c4..90d2b5324 100644 +index 6471fa8c4..00a1f00ef 100644 --- a/collectd.te +++ b/collectd.te -@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t) +@@ -26,43 +26,62 @@ files_type(collectd_var_lib_t) type collectd_var_run_t; files_pid_file(collectd_var_run_t) @@ -16144,6 +16145,7 @@ index 6471fa8c4..90d2b5324 100644 -kernel_read_system_state(collectd_t) +corenet_udp_bind_generic_node(collectd_t) +corenet_udp_bind_collectd_port(collectd_t) ++corenet_tcp_connect_lmtp_port(collectd_t) dev_read_rand(collectd_t) dev_read_sysfs(collectd_t) @@ -16164,7 +16166,7 @@ index 6471fa8c4..90d2b5324 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +94,47 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` 
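Review bot: `corenet_tcp_connect_lmtp_port(collectd_t)` is added unconditionally among the `corenet_udp_bind_*` rules, while the same file has a `collectd_tcp_network_connect` tunable (visible in the following hunk header) that appears to gate outbound TCP. If LMTP delivery is only used by an optional plugin, which cannot be told from the hunk, the rule would fit least privilege better inside a tunable block, or should at least carry a comment naming its consumer, e.g. `# <plugin name> delivers notifications over LMTP, BZ(1304029)`. The collectd_t local policy starts and ends outside the hunk.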
@@ -28615,7 +28617,7 @@ index 18f245250..a446210f0 100644 + ') diff --git a/dspam.te b/dspam.te -index ef6236335..25dcb975a 100644 +index ef6236335..281bd61c6 100644 --- a/dspam.te +++ b/dspam.te @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) @@ -28641,7 +28643,7 @@ index ef6236335..25dcb975a 100644 files_search_spool(dspam_t) -@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t) +@@ -64,14 +73,36 @@ auth_use_nsswitch(dspam_t) logging_send_syslog_msg(dspam_t) @@ -28653,6 +28655,7 @@ index ef6236335..25dcb975a 100644 + + manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t) + manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t) ++ allow dspam_t dspam_rw_content_t:file map; + + read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) + @@ -28682,7 +28685,7 @@ index ef6236335..25dcb975a 100644 ') optional_policy(` -@@ -87,3 +117,12 @@ optional_policy(` +@@ -87,3 +118,12 @@ optional_policy(` postgresql_tcp_connect(dspam_t) ') @@ -78385,7 +78388,7 @@ index b9e71b537..a7502cd0e 100644 domain_system_change_exemption($1) role_transition $2 postgrey_initrc_exec_t system_r; diff --git a/postgrey.te b/postgrey.te -index fd58805e5..593a05367 100644 +index fd58805e5..6f75dbd4b 100644 --- a/postgrey.te +++ b/postgrey.te @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; 
@@ -78406,7 +78409,15 @@ index fd58805e5..593a05367 100644 dontaudit postgrey_t self:capability sys_tty_config; allow postgrey_t self:process signal_perms; allow postgrey_t self:fifo_file create_fifo_file_perms; -@@ -55,9 +55,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) +@@ -43,6 +43,7 @@ manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) + manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) + manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) + manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) ++allow postgrey_t postgrey_spool_t:file map; + + manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) + files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) +@@ -55,9 +56,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) kernel_read_system_state(postgrey_t) kernel_read_kernel_sysctls(postgrey_t) @@ -78419,7 +78430,7 @@ index fd58805e5..593a05367 100644 corenet_all_recvfrom_netlabel(postgrey_t) corenet_tcp_sendrecv_generic_if(postgrey_t) corenet_tcp_sendrecv_generic_node(postgrey_t) -@@ -72,17 +73,15 @@ dev_read_sysfs(postgrey_t) +@@ -72,17 +74,15 @@ dev_read_sysfs(postgrey_t) domain_use_interactive_fds(postgrey_t) @@ -99519,10 +99530,10 @@ index 000000000..6caef6326 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 000000000..98dc14ef6 +index 000000000..92695bf0d --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,401 @@ +@@ -0,0 +1,402 @@ + +## policy for sandboxX + 
@@ -99641,8 +99652,9 @@ index 000000000..98dc14ef6 + fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file ) + # Pulseaudio tmpfs files with different MCS labels + dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; -+ dontaudit $1_t $1_client_tmpfs_t:file { read write }; ++ dontaudit $1_t $1_client_tmpfs_t:file { read write map }; + allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; ++ allow $1_client_t $1_client_tmpfs_t:file { map }; + + domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) + allow $1_t sandbox_xserver_t:process signal_perms; @@ -99926,10 +99938,10 @@ index 000000000..98dc14ef6 +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 000000000..22e956fe3 +index 000000000..6d87bc156 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,512 @@ +@@ -0,0 +1,536 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -99973,6 +99985,8 @@ index 000000000..22e956fe3 +# +allow sandbox_xserver_t self:process { signal_perms execstack }; + ++allow sandbox_web_t sandbox_xserver_t:process2 nnp_transition; ++ +tunable_policy(`deny_execmem',`',` + allow sandbox_xserver_t self:process execmem; +') @@ -100052,6 +100066,22 @@ index 000000000..22e956fe3 + +######################################## +# ++# sandbox_x_t local policy ++# ++ ++allow sandbox_x_t sandbox_x_client_t:process2 nnp_transition; ++allow sandbox_x_t sandbox_xserver_t:process2 nnp_transition; ++ ++files_search_home(sandbox_x_t) ++userdom_use_user_ptys(sandbox_x_t) ++ ++# This access is needed due to Wayland ++userdom_manage_user_tmp_dirs(sandbox_x_t) ++userdom_map_tmp_files(sandbox_x_t) ++userdom_manage_user_tmp_files(sandbox_x_t) ++ ++######################################## ++# +# sandbox_x_domain local policy +# +allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap }; 
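Review bot: The `process2 nnp_transition` rules are written out per type in sandboxX.te (`sandbox_web_t` to `sandbox_xserver_t` here, `sandbox_x_t` to `sandbox_x_client_t` and `sandbox_xserver_t` in the next hunk, `sandbox_web_t` to `sandbox_web_client_t` further down), although the transition they accompany, `domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)`, lives in the template in sandboxX.if. Putting `allow $1_t sandbox_xserver_t:process2 nnp_transition;` and `allow $1_t $1_client_t:process2 nnp_transition;` into that template would keep the no_new_privs allowance next to the transition it belongs to and give every templated sandbox the same set. As written, the `sandbox_web_t` rule also sits among the `sandbox_xserver_t` self rules, where a reader auditing the source domain is unlikely to look for it. Whether other templated sandbox types exist that need the same rule is not visible in these hunks.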
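Review bot: The block commented "This access is needed due to Wayland" gives `sandbox_x_t` manage rights on the user's generic tmp type through `userdom_manage_user_tmp_dirs`, `userdom_manage_user_tmp_files` and `userdom_map_tmp_files`, and a later hunk gives the same three to `sandbox_x_client_t`, which appears to be the domain the sandboxed application runs in. That lets sandbox domains create, modify and delete tmp content of the rest of the user session wherever MCS categories do not separate them, which is much wider than reaching a compositor socket and its shared buffers. I would narrow both blocks to the access the denials in BZ(1474082) actually show (presumably connecting to the socket and mapping inherited buffer files, to be confirmed) and extend the comment to name the objects, e.g. `# Wayland: compositor socket and shm buffers in the user runtime dir`. The sandbox_x_client_t section starts and ends outside its hunk.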
@@ -100226,9 +100256,6 @@ index 000000000..22e956fe3 + networkmanager_dontaudit_dbus_chat(sandbox_x_domain) +') + -+files_search_home(sandbox_x_t) -+userdom_use_user_ptys(sandbox_x_t) -+ +#1103622 +corenet_tcp_connect_xserver_port(sandbox_x_domain) +xserver_stream_connect(sandbox_x_domain) @@ -100251,6 +100278,11 @@ index 000000000..22e956fe3 + +logging_send_syslog_msg(sandbox_x_client_t) + ++# This access is needed due to Wayland ++userdom_manage_user_tmp_dirs(sandbox_x_client_t) ++userdom_map_tmp_files(sandbox_x_client_t) ++userdom_manage_user_tmp_files(sandbox_x_client_t) ++ +optional_policy(` + avahi_dbus_chat(sandbox_x_client_t) +') @@ -100273,12 +100305,16 @@ index 000000000..22e956fe3 +# +typeattribute sandbox_web_client_t sandbox_web_type; + ++allow sandbox_web_t sandbox_web_client_t:process2 nnp_transition; ++ +selinux_get_fs_mount(sandbox_web_client_t) + +auth_use_nsswitch(sandbox_web_client_t) + +logging_send_syslog_msg(sandbox_web_client_t) + ++miscfiles_map_generic_certs(sandbox_web_client_t) ++ +allow sandbox_web_type self:capability { setuid setgid }; +allow sandbox_web_type self:netlink_audit_socket nlmsg_relay; +dontaudit sandbox_web_type self:process setrlimit; @@ -112041,10 +112077,10 @@ index 000000000..d371f62f6 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 000000000..1b34bc7b6 +index 000000000..6c04973ea --- /dev/null +++ b/thumb.te -@@ -0,0 +1,175 @@ +@@ -0,0 +1,176 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -112138,6 +112174,7 @@ index 000000000..1b34bc7b6 +fs_read_dos_files(thumb_t) +fs_rw_inherited_tmpfs_files(thumb_t) +fs_map_dos_files(thumb_t) ++fs_mmap_removable_files(thumb_t) + +auth_read_passwd(thumb_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index d398a581..9f49a3e5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
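Review bot: The permission set behind `fs_mmap_removable_files(thumb_t)` cannot be checked from this hunk, because the interface is defined in the base patch outside it, and it matters here since thumb_t reads files from removable media. The interface should grant `map` with read only; if it is built on `mmap_file_perms`, which in reference policy has included `execute`, the thumbnailer could map removable-media content executable. The name also departs from its neighbour one line up, `fs_map_dos_files(thumb_t)`, so I would rename it to `fs_map_removable_files` or add a comment such as `# map only, no execute: thumbnails of files on removable media, BZ(1522724)`. The thumb_t policy continues outside the hunk.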
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 307%{?dist} +Release: 308%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -717,6 +717,16 @@ exit 0 %endif %changelog +* Thu Jan 04 2018 Lukas Vrabec - 3.13.1-308 +- Make working SELinux sandbox with Wayland. BZ(1474082) +- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169) +- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723) +- Allow collectd to connect to lmtp_port_t BZ(1304029) +- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776) +- Allow thumb_t to mmap removable_t files. BZ(1522724) +- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118) +- Add interface fs_mmap_removable_files() + * Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307 - Allow crond_t to read pcp lib files BZ(1525420) - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)