From 4d7576addc230094b5236578aaa85c4f30be1f31 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 2 Aug 2016 10:30:29 +0200 Subject: [PATCH] * Tue Aug 02 2016 Lukas Vrabec 3.13.1-206 - collectd: update policy for 5.5 - Allow puppet_t transition to shorewall_t - Grant certmonger "chown" capability - Boinc updates from Russell Coker. - Allow sshd setcap capability. This is needed due to latest changes in sshd. - Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" - Revert "Fix typo in ssh policy" - Get attributes of generic ptys, from Russell Coker. --- docker-selinux.tgz | Bin 4317 -> 4316 bytes policy-rawhide-base.patch | 103 +++++++++++++++----------- policy-rawhide-contrib.patch | 139 +++++++++++++++++++++-------------- selinux-policy.spec | 12 ++- 4 files changed, 157 insertions(+), 97 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 18e1490df8a8f0dab370af03d172b1c26df82b50..ec8f1874897edfe399623e4255c7fdc11c71be89 100644 GIT binary patch literal 4316 zcmV<25F_s&iwFRTS)f+{1MOVvkJ~m9&sY1e5RwAfJtX_ctH7r1;n3cP`*1*U?Z*PD zEYY^QdYwqE*B9h}zZt$nQKTMgZ?e6!fW)>q^CLMN4QGaSC2R*eKnLtbr3wu?&@eo zVlUlT`=9h$zIYLQN1Hs4>irMDZb?v9qEdG8^;)anR;c6J9MZmWDS5oHC;{|8BG`NEAs;G|gpontv{c}O} z{D&U)PrMZqV8PR9j$$x-3^GA$UX*HKK)eiuUtp%c#h^40Il#fB7N zP5#}aH4rQp3%0M+m_znTeIqcnkbPV(UY;+Pi@2;woF^eAQ5|o?Ra%^VbA7&CDB!S) z7<7tvEd>3Ooi7pU$g++>K2J;5IPFn6Pm^vO6`Zm!)dOYu3-3sYGD}xM0;7ysS*L`~ zkm6!UicuUB%Fz}x#3y9{V;U9WT~s4oD@WdQ@Xd9P;0C4_NM!gLR;11;aIMpfP}QZR z=Au8Qrame0a`pK#!gXn{W;#&B{~}Rh%9k(X*OhDyL*jGeW0@~suP!b)vS@agSq=24 zLZ;iOCQnApd^8gUEodi*IZG)+1$IhVqS(JjS7(GTD{ddaJAGAqYx+0-6ywfGD-x&c zlq7QV#9fbcEf?=F5vz{O2kyC#WzG)J2A7R`fS4VE{%2G~8}h_#RL%$WI95txKg>=k z?!o8b@hn|`v7XF^Z7dnurbk#YpUHbXasLRm53EeN`U7N4(Up&s?4gT}{P#$|OW8Jv zfU032QkKR6pKgY81P$S`VEo!((5Ncja<&_b4@2yqk+e2iH6RLV8CtU@AaiDNFJ zIb8|fFwP=MJzep(eqSphyG!QuhyOo^cpK#(W#2z%b>o{Nl3LxaNLp+rb?bO0l>M3( z(>k9BZ`5jN{Wovm-&^?i?ud@m&;R)8DeMH?`>4`n#y(Itg~zG@4xQ?%a+Lm^_TN z@RmScidnAQx)k6QSc+YOYa?*%=+79&4SocA<#qfw#3F|h$Sp|zRIJNI1^QE$sMsz& zI!a&@6-ltG)1J4RlN`34ul#iGKqUDj<#5L4DBwI0C`za^BxVaN2rP*iPgTYCbNAT5 z0{4n6n3H#FDCiH{b6bXr-4&ctcT;=`xvLmODPjxC2S06DDyo}!TZcl`cOi6s9Kqrx zVzM?06T6}kFlMev!RCk;uYNZJV&)9fMcrg zy$euoP%gl2nG<`V)0yv(Z&qSbbC+x!Dt=Tx>7Hfppah8JA zB?bs)11=R8kQ0SVP9bFXai?#!9^U>{AYk-w08H_w?4*X22I$T@-CU63?l^eck}`Tc zDDLGR1+6Bu%temysI}@-f6s{W> zRUqfbBMSZir_eF%|2&~lsOJgnV_KI*KFbq$goWZGoFBEgb4hCH1_B&w^M_s3ad*?d zDYlg%4_U?+!6$HGYnWm{(@ha&!mA5Df1D7604%q-j#kzGa0brHZe-fLN9GuC`0)>MHbKE=JLQ6;0os?5@O&(%`Jw=$rGXtQ7{ z<$rFpkHo((kD8zeqlRteQGPc|!CRhEIRhW*JIc6XO;T(TpQ6SGUzQPm+;pvt^HG6GMC24Bla;;|NZToe*O3Rt8Y*B-(TVqj((Vz z3B=N8LK|KM*B4h8SF>!?@9?e6j|Lc!G2US@!eV$QCQzM|!aImI`R(kY$g98isDp*GuB`_1qJiF`* zKj}*%l9xp&Orb)wi@ML3qCKR|>W?r@!gw1M8-lGlkDxT8rbKHvM7A_tCCP)g&ZK9A z{PL(VtobHJ74@?3B7E%M8=s{=^e~5KcpKfU`&p;e61j0)A-MS59I?9V%t2*m@l)KC 
z=Ot$yLW{diV2B>&Z$8w1j=_~B5qz0Cc{uAd_jq_$_94QV*=(y}UK#R$A0`8D>@%!s zhXsCGOi196y?ezR=?;^z?_aw4Z8{64laEr_0)6wWPi679r;OszknPW`7K=e2e)UyN zmnP0LZPG-+%12osOeWlq?q0BH{kI^t29g5KKK;G+j3U~w<(yhHGBhvH6<)f zg8a59lb|3>qyzak2rYGm0l!g4JHTXXfW&N?t2eNGD!p2h4ECoC)2lAZHd(hJ5U#Ph zo2`R>>MYGu#(Sjl0M*m0PV(SEu95K(StJ*SD;>>rW8SL6;PbitK$|=_N|QyMCm37?DAIVY>oRW*DVo1&GUS_e_t#Vz4zW&< zp_9GqQFtUMIXx1bJa6=X3J3*nxyY@TaO{A;88 zdm(RlD#RQP#;|Ay-$9tJ;8S2GDESnaBS1`8@Ie^&qIcfcoU!b_0))?qwHAG+pQJXb!cfb;{aHq`G8i!e+IGA~ zXbV3JlF6eskpbc-ZiX!|Ng#CGmG$i)4L|(f)0kz{L9s&&e>=>I##@pMU}Lmtnkt#l z!U|)46cEKMy#pmoOn6C@;OS3S;V98^qpdT9AbxqLAp>LF6;&n;us5SXHi%RH|# zavyT(dl+~KJ!$?0DsaP;jj>l7S|PplCHv=1PPTg3X;sYQv(( zCA!_zWmEOLmCeGBqWe5ci(8989_L0KJ%;<8emk8~R@P`=>u4A9M9n?;5lKpKO(LGe zz~{1{beFPtYc$Hr6?=x@t0d*l1d;E^s8RrqDRo-y_!cSDl9)f(IGtiI{6rgZI<8fq$Az=NJT0h zmTorF3FFVhCY!oV!+vt5L<4;4g!4KvoBL@XDce^5x&-8MuG{!=jJO|h`eQ8fm`OS; zt#R`^H5=gz-K7;gzQww9xjp}G2xTFEN3e5}Y7of*hB>GgSY?M_r6?Q@l!LC3v9b=3+W(MhgrB6A9F6=7y>Pe7bAH|`Lz ze>*G7%FpCRl$*2~Yf2$TKykSDav6@yrE>caJu=s>?xxh?_&BK!xqGByx1s9&2X1*jVgv5^C(zOq{1#1IQokn@R z2~8k8WN(##L8>E5ywQ&hh^JRlBzE9p45R^}~`?Lshl_ zzlv8KO~+9bg7CI&)Nc_BBg)>f;vZMh9OvM>0vZ+%UDD1b;3CSSc$*fT%~#Y`%lM%_E8tyQ!m6O8Fg|CW@B68IgWXk*31(}h&J2j=Qq8I?`jSy z?76G*-U+Q5d)g^TR9t> zhyg?8EZRSJo1y_DY`lx%+gLb5ySt3A^h_x@mOSbj;TyIb>Md4nHfAfflpB9bWT>=D z6h_XjeKOf*7C`B^)P-dvMRWyOTb1PAE!2A&LkCDBZ7^M)e;v9SrR~d3reV zz+u!V==j0Z_&JJR=-cj*kex5kblwE8rZ94>s*b7;Ga(tPX-86~itcNd#{XYjLgp9i z$9%D2`2CNow{PBl=>7fw52wHX|3$7#%#2_DCQCN?dsy-a?OQE-P7GlqDGIS0oF0=c17M`r3Hc>VY0P$)6C1%rRVW~LIrMB&>|A2VO z|5VqbprT)P1YkfDrr|gI`(*R+zV_~Tx=z>WI$fvhbe*o#b-GU1={jAf>va8ZT>k}X KMR=?LcmM$8iDLTz literal 4317 zcmV<35F+m%iwFQwBAZtL1MOVvkJ~m9&sY1e5RwAfJtX_eqd?O3aA@zteK?@F_G1B6 zmS|gDy-uXo>kIO~-wa=(C{mBLH`(4ushBL#_CS`m}>Wg&!?D4KExZb~i zi=WruzPmC%;ktSE=FOXD*Eiq3egFRE`ugVj+12&U+i%}J3$7kMMt9@YCFe%+FwtVr>imQ5X#AgZb?jU$$pMG%(-i_(JB0Vy`{ zdGXz)Vp{^pw5!t_{8;?`p2Q6!LBiEANQ;1N^{=GNp~nl(bZKw}-&Ii^ z>iG{n?4Ni;5M^1pBT2x@fYnh!Q=EU8N}@X6hO4wV`{w$5xlq7i 
z6*1@(?^+1@Cp%vv)RAQ!gM6NrtZ~|-a-JsLI4U@0U#bVn@)zEb5@nXIf&@kxv$9SJ zogu}=kQAdhCX}NsW{6M90LC;b#Ji|Qx>k<7=ir;`9>E8gULcX-Ygmywr@*yNGeT9D zlA4SDn40>e#LLy^%Lvz{y_)Gj5&w%si78*ckY87_H4KT*jgMu%e7(B3;K-ucVP-YZ zqY9aBqnbP!G4s((6ttk7Am%Kk3>DZZWrH%VQ2>PE<5pBp5vr#!8)Zub&&Ldky_X}H73A(IBYDiS@r2Ar>qb+gj7zv(3xSqMXGlSd1xb;-CRvGIGe{)` zW#KJ>ycDxsxpgVPE3g#11lLC3*wLRcj1Tw`=#|&;-w=x&N+7o&`BSkj7ZvDFU7}*U z^ynyoO;jYou1#M?R)s=f=M^Wz8> zFAEqypFRJ zq%JW)FdJ~GxPY7}TyhE_yN^44tM%~quL1$1e*<8OH)SU^q%=Tx*6HSg6nDqL+m@8k z<3VvR_b6yJp=EY=f%82OP%HxO>=Fn}UkwHzjFLPpgsx*E*14GCNl+jcdMOVJ=*psy z!GyG0CHh}c0DJy@Kp7acoIeAEedW^yJ`^-qINlk@VN)I8ZU-}+;G;P>#(Mnn^N;P} zCw;Q(QpJ&@kfk#*2d=Y#C7q*5e1~lCiQ6{{);Pb}`K?uNdi|c4r{SRm0yzEA%&8yUd%rdC9 zm{EXZ+(O96s$2@qycy?}Q?}#W5k6zhM`BGCIO0>>iyBojDy+&ZjrUwFReUQ0T8K6a zrc(arM*B$o`|_v>iZE)}RvzVdvlP7LDU~zukxs53;neLzZcOu#N)iL6d+)HbFvpr4 zT2}HH7FSJvn(!Z9Sz@psBfo-TR5q3}p6_4d_G)+|U)|*phsij&5qCq$)3YUTnq&LW zLLr~1!^V|mrZ;UFhbn7edpV+KZ3B)s%r_#Ah3ll3dDdZ7Hbp|Y5y4ZA<5+WXP^01J z+VOT=)6jUt2IVsZ(8?b6ym#U*oTj67l=BlX|k-t_Cg-(6pw>c79lB^>=Q zFB6ER&xAI-3a&4%F0N+TsO5{`ClY7y_@j>uj>(c6frQXlo>)}!tb$ z)H+Qcar>n51U#CDQ2*B-e-5g$X8Js%lBPyLqv2pp5v}y-^#%tP@>Q^oGD=`3mU(vB z7k<*0L?kbZP?$o6Xcu*#FGYJuo7Ep-nuPH-DmDaLa~?ryMoo#InvV_5S|j4JA7-$nS?zc)Thf9PQj&+s<7S@*L}t0i*dxI%F8xjABW*O`OL&f=%I zDbGvJI)oN?o4^n~%HMpb{TzcUOCtC(b@Fi5Y3}jxuIxjEGqc%N!@M%&0Y6Lz-q>eY z(+&&#w3v{DW<{tv`Ur6RpxLW&7Y$5O2#}5!|L=#@6r+5Z08i zGzs$CqD+ETb3U`l+)tPZ{r#$^%qSuR6(t2f0SZM`V#)9IkXQ@1lEi2!h4cLs^@o$2!W>uH#Lx z;!iwnXhn(y?5#h7GYz`4oU^x~=+mUGC3964&gAV^f=&e(Jq_~%S!ZI?=Aq26BlkN^ zhywtEldyPb_y&LXcy`+O#fH$!|4tjbhuPYDJOfwEpK##(I5haI52vRNeq;ZdK6F3p z1nqOOyHDYLyvDp$hr#D_`++ujJ}6BVb)H~w8K6kxxvtB+HKb_%rpb_R*4`qrnEN36wE2&WK<-WlV5qXC10Yt}!)M}FX4%YN9W%7| z<5DN4eLaAFn7*T5J;ZQK(=s*~UEr0MO~J}y>ht4$PiLAQjj>PABQJz|!m@d;G4ZdB z?(c=X;i(XFI2gmC9ef92x`I!EnV{rTV2%JWVZjGs+>73MUvtK?`wGN{#&nQb9;_0d zF6A)@U6OYo&cxO7!nlh6h7eq`)pOxecCUZGj@4T9oqm$qs0u?Z`}SuU$;x2F2x!~! 
z8lf%xEJ!Ag+C&D3pST&ez$AgtaaY#2gEai`e@|nUQ3u5iG5qZ?D;jS}GJuWIrfI5V zLJKR5`B6X=v-A#>FfrjJQG%zNO~R}0C7fuXy(ul#=`2rEt&D`-dAEsfNtW4+I7y5u zdEmW)pLH6C5SJ4RMbS}+{s8k%)28dGlyguq+3BI>BjxhNgs6u|r9ZcfRYPEkE-v%D z%E*1lrSD3F z9+&8LQeXXNi$P+d9;724Wy)}t= z5(A&hg3?{e;;qprD_86pg0GU4I}=2{Bcn08@m) z8<2GTpOnVNlJewS`k%;7taD#f7vOXRL>iV#tCf&-)MQNfS@#{iG0BA9bU^kLH7}8# zS}3ZNO&LfEZiv!#AHh*{Rabe}Q9Kv-#86lEZHx4!8*~i{QD)R73J*tGF+5nA!-9W4 z=uT*oKR3pYzn3q9>^>GXoOoO`noUijIK*O(I!y>}t(!E#j|%gn@Y&$cJ(U?%{I)7f z#=pS+tG>!oMfAo;)1(quexQ(ff3jb`2li?nov5(<_(X^B@ayDbAhub4zmtx1=OY!V zcv!mGOec3VZ2HVym9l@bl`sT0oY#BA=Tfuw9(`Rfvp%eijj$1&o5#OaT*%ws0$ zu(Za_@6>FBFLaky@c0(%(&hI2yCIZ?{2js0Nvc642N>p{USO3SewCtdI8Y7>uY1-M z+$9BD&+8#Nr-(h0-h-`6v6kS0nwyL1s2MFV3``_YtC<_B29Oh1Lw3il0;@|K7T>r- z#QyE9EGs{g8&Pi3YOE=R7y-rM-pge;GMCEjL-fd8ySkfFhvVagtt`G^g;=bu1JQ~29z;%gfmzZQ~owd^&t+nuhMj_JaC zt~mX%wG`ZEo9WB(Ka{g=KrgdZ*JtB#A-ZEa8en^qK(|*czqjuzJqModka?>dw5L_c zvnkNz#`s4CLe}kjiKY!aq1GJ$dr0A?Tf=;%i<|Ulq(w42 zGP-ynsNkW9Fw~GlSP+r&LQ`WfwhwC#KrXJMl0qD(EIPz(g=vew;Hxcb(DY)$p zE>RdcyY|Usn^^#*<5CxvkrdGtWNlTFd$&;UX$&18jl5mrZ5TdNIvCY|%yclc_vGo} z$ODH_qoCslQ{(3-dZBN-M?!YKK+|~>z?#Cyv8p<%KFowt84ERfelc~@plPF@QeIUUn{&shV5mn4CG_z#6| z@ufQ@KV?4`GMzDf{6-Occl=I#dmg&KhjzET1OqR@&n_?ia{kxFG$36-D^OrhGo(HX zsda1l{1wt|1HlzL29nf-yET<)!(iQDu_G%)gq{1LvlN@Y9$Sm_8~%Z;={hrlg$@LO z(IbG#zn68qnO+LLrLz!wev_edKyjJf$FuNc4Yi4~c>st{`!6w@HVaF|aW1uOU;PKf zOa7<29t9QsvLgTknlKH&;om2lkN35A$J2GXPS@!=U8n1Govzb$x=z>WI$fvhf8+Wu Lh&npX0C)fZy(oxi diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2a9b5861..fa761223 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -24184,7 +24184,7 @@ index 0ea25b6..37069ae 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index cbb729b..f118b2a 100644 +index cbb729b..ce0291e 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if 
@@ -124,7 +124,7 @@ interface(`term_user_tty',` @@ -24340,7 +24340,31 @@ index cbb729b..f118b2a 100644 ## Do not audit attempts to read the ## /dev/pts directory. ## -@@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',` +@@ -519,6 +615,23 @@ interface(`term_dontaudit_manage_pty_dirs',` + + ######################################## + ## ++## Get the attributes of generic pty devices. ++## ++## ++## ++## Domain to allow ++## ++## ++# ++interface(`term_getattr_generic_ptys',` ++ gen_require(` ++ type devpts_t; ++ ') ++ ++ allow $1 devpts_t:chr_file getattr; ++') ++######################################## ++## + ## Do not audit attempts to get the attributes + ## of generic pty devices. + ## +@@ -620,7 +733,7 @@ interface(`term_use_generic_ptys',` ######################################## ## @@ -24349,7 +24373,7 @@ index cbb729b..f118b2a 100644 ## write the generic pty type. This is ## generally only used in the targeted policy. ## -@@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',` +@@ -635,6 +748,7 @@ interface(`term_dontaudit_use_generic_ptys',` type devpts_t; ') @@ -24357,7 +24381,7 @@ index cbb729b..f118b2a 100644 dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') -@@ -879,6 +976,26 @@ interface(`term_use_all_ptys',` +@@ -879,6 +993,26 @@ interface(`term_use_all_ptys',` ######################################## ## @@ -24384,7 +24408,7 @@ index cbb729b..f118b2a 100644 ## Do not audit attempts to read or write any ptys. ## ## -@@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -892,7 +1026,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') @@ -24393,7 +24417,7 @@ index cbb729b..f118b2a 100644 ') ######################################## -@@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',` +@@ -912,7 +1046,7 @@ interface(`term_relabel_all_ptys',` ') dev_list_all_dev_nodes($1) 
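Review bot: The new term_getattr_generic_ptys interface grants only `allow $1 devpts_t:chr_file getattr;`, so a caller that does not already hold search on the devpts_t directory still cannot stat a pty node; the neighbouring pty interfaces in this file reach the node through a dev_list_all_dev_nodes or dir rule, and this one should either do the same or say in its summary that the caller must pair it with a pty search interface. The interface also ends with `')` immediately followed by the `########` separator, with no blank line in between, unlike every other interface in this file — add the blank line. The summary text for the new interface should read `## Get the attributes of generic pty devices.` as written; just make sure the XML doc tags survive, since the rendering here shows only bare `##` lines.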
@@ -24402,7 +24426,7 @@ index cbb729b..f118b2a 100644 ') ######################################## -@@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',` +@@ -940,7 +1074,7 @@ interface(`term_getattr_all_user_ptys',` ## ## ## @@ -24411,7 +24435,7 @@ index cbb729b..f118b2a 100644 ## ## # -@@ -1067,6 +1184,28 @@ interface(`term_getattr_unallocated_ttys',` +@@ -1067,6 +1201,28 @@ interface(`term_getattr_unallocated_ttys',` ######################################## ## @@ -24440,7 +24464,7 @@ index cbb729b..f118b2a 100644 ## Do not audit attempts to get the attributes ## of all unallocated tty device nodes. ## -@@ -1165,6 +1304,25 @@ interface(`term_relabel_unallocated_ttys',` +@@ -1165,6 +1321,25 @@ interface(`term_relabel_unallocated_ttys',` ######################################## ## @@ -24466,7 +24490,7 @@ index cbb729b..f118b2a 100644 ## Relabel from all user tty types to ## the unallocated tty type. ## -@@ -1259,7 +1417,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1259,7 +1434,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -24515,7 +24539,7 @@ index cbb729b..f118b2a 100644 ') ######################################## -@@ -1275,11 +1473,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1275,11 +1490,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -24529,7 +24553,7 @@ index cbb729b..f118b2a 100644 ') ######################################## -@@ -1296,10 +1496,12 @@ interface(`term_getattr_all_ttys',` +@@ -1296,10 +1513,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -24542,7 +24566,7 @@ index cbb729b..f118b2a 100644 ') ######################################## -@@ -1377,7 +1579,27 @@ interface(`term_use_all_ttys',` +@@ -1377,7 +1596,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) 
@@ -24571,7 +24595,7 @@ index cbb729b..f118b2a 100644 ') ######################################## -@@ -1396,7 +1618,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1396,7 +1635,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -24580,7 +24604,7 @@ index cbb729b..f118b2a 100644 ') ######################################## -@@ -1504,7 +1726,7 @@ interface(`term_use_all_user_ttys',` +@@ -1504,7 +1743,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -24589,7 +24613,7 @@ index cbb729b..f118b2a 100644 ## ## # -@@ -1513,21 +1735,435 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1513,21 +1752,435 @@ interface(`term_dontaudit_use_all_user_ttys',` term_dontaudit_use_all_ttys($1) ') @@ -28261,7 +28285,7 @@ index 76d9f66..7528851 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..60003bc 100644 +index fe0c682..0ac21a6 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ 
@@ -28383,16 +28407,15 @@ index fe0c682..60003bc 100644 type $1_t, ssh_server; auth_login_pgm_domain($1_t) -@@ -181,20 +205,23 @@ template(`ssh_server_template', ` +@@ -181,20 +205,22 @@ template(`ssh_server_template', ` type $1_var_run_t; files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; -+ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; ++ allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; -+ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec }; -+ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec }; ++ allow $1_t self:process { setcap getcap signal getsched setsched setrlimit setexec }; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; + allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto }; @@ -28412,7 +28435,7 @@ index fe0c682..60003bc 100644 allow $1_t $1_var_run_t:file manage_file_perms; files_pid_filetrans($1_t, $1_var_run_t, file) -@@ -206,6 +233,7 @@ template(`ssh_server_template', ` +@@ -206,6 +232,7 @@ template(`ssh_server_template', ` kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) @@ -28420,7 +28443,7 @@ index fe0c682..60003bc 100644 corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -220,10 +248,13 @@ template(`ssh_server_template', ` +@@ -220,10 +247,13 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) 
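Review bot: The new side gives every domain instantiated from ssh_server_template `self:capability setpcap` and `self:process setcap` (the two `++ allow $1_t …` lines), yet the changelog in this same commit lists both "Allow sshd setcap capability" and its revert, so a reader of the policy cannot tell whether the grant is deliberate; if it is, put a why-comment above it, e.g. `# sshd drops capabilities itself and needs CAP_SETPCAP + process:setcap -- confirm which sshd change this tracks`. Because the rule sits in the template it lands on every ssh_server domain, not only sshd_t; if only sshd_t needs it, adding the two permissions next to sshd_t in ssh.te keeps the template narrower. The matching client-side setpcap grant on ssh_t is correctly removed in the ssh.te hunk further down, which is consistent with the "Fix typo" revert. ssh_server_template starts and ends outside this hunk.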
@@ -28436,7 +28459,7 @@ index fe0c682..60003bc 100644 auth_rw_login_records($1_t) auth_rw_faillog($1_t) -@@ -234,6 +265,7 @@ template(`ssh_server_template', ` +@@ -234,6 +264,7 @@ template(`ssh_server_template', ` corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) @@ -28444,7 +28467,7 @@ index fe0c682..60003bc 100644 files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -241,35 +273,33 @@ template(`ssh_server_template', ` +@@ -241,35 +272,33 @@ template(`ssh_server_template', ` logging_search_logs($1_t) @@ -28491,7 +28514,7 @@ index fe0c682..60003bc 100644 ') ######################################## -@@ -292,14 +322,15 @@ template(`ssh_server_template', ` +@@ -292,14 +321,15 @@ template(`ssh_server_template', ` ## User domain for the role ## ## @@ -28508,7 +28531,7 @@ index fe0c682..60003bc 100644 ') ############################## -@@ -328,103 +359,56 @@ template(`ssh_role_template',` +@@ -328,103 +358,56 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -28622,7 +28645,7 @@ index fe0c682..60003bc 100644 ') ######################################## -@@ -496,8 +480,27 @@ interface(`ssh_read_pipes',` +@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -28651,7 +28674,7 @@ index fe0c682..60003bc 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -513,7 +516,7 @@ interface(`ssh_rw_pipes',` +@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -28660,7 +28683,7 @@ index fe0c682..60003bc 100644 ') ######################################## -@@ -605,6 +608,24 @@ interface(`ssh_domtrans',` +@@ -605,6 +607,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -28685,7 +28708,7 @@ index fe0c682..60003bc 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -637,7 +658,7 @@ interface(`ssh_setattr_key_files',` +@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') 
@@ -28694,7 +28717,7 @@ index fe0c682..60003bc 100644 files_search_pids($1) ') -@@ -662,6 +683,42 @@ interface(`ssh_agent_exec',` +@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',` ######################################## ## @@ -28737,7 +28760,7 @@ index fe0c682..60003bc 100644 ## Read ssh home directory content ## ## -@@ -701,6 +758,68 @@ interface(`ssh_domtrans_keygen',` +@@ -701,6 +757,68 @@ interface(`ssh_domtrans_keygen',` ######################################## ## @@ -28806,7 +28829,7 @@ index fe0c682..60003bc 100644 ## Read ssh server keys ## ## -@@ -714,7 +833,26 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -714,7 +832,26 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -28834,7 +28857,7 @@ index fe0c682..60003bc 100644 ') ###################################### -@@ -754,3 +892,151 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +891,151 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -28987,7 +29010,7 @@ index fe0c682..60003bc 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..4d56aea 100644 +index cc877c7..b8e6e98 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) @@ -29074,7 +29097,7 @@ index cc877c7..4d56aea 100644 type ssh_t; type ssh_exec_t; -@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) +@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) type ssh_tmpfs_t; typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; 
@@ -29095,11 +29118,7 @@ index cc877c7..4d56aea 100644 ############################## # - # SSH client local policy - # - --allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; -+allow ssh_t self:capability { setpcap setuid setgid dac_override dac_read_search }; +@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 769aeec5..7869f931 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10560,28 +10560,31 @@ index 851769e..3dc3f36 100644 term_dontaudit_use_all_ttys(bluetooth_helper_t) diff --git a/boinc.fc b/boinc.fc -index 6d3ccad..bda740a 100644 +index 6d3ccad..9c69f28 100644 --- a/boinc.fc 
+++ b/boinc.fc -@@ -1,9 +1,12 @@ +@@ -1,9 +1,15 @@ -/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) ++/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0) ++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) -/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) -+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) ++/usr/bin/boinc -- gen_context(system_u:object_r:boinc_exec_t,s0) ++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) -/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) -/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) ++/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0) -/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) -+/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0) -+ +/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) ++/var/lib/boinc-client(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) +/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) +/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) + +/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) ++/var/log/boincerr\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) diff --git a/boinc.if b/boinc.if index 02fefaa..308616e 100644 --- a/boinc.if @@ -10803,9 +10806,15 @@ index 02fefaa..308616e 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c4..f668033 100644 +index 687d4c4..bce6267 100644 --- a/boinc.te 
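Review bot: `/etc/boinc-client/global_prefs_override.xml` is labelled boinc_var_lib_t, the same type as the daemon's writable state directory, so a file under /etc becomes writable by boinc_t (assuming boinc_t manages boinc_var_lib_t, which the boinc.te hunks below suggest); that is presumably intended because the client rewrites this file itself, but it should carry a comment such as `# rewritten by boinc_t at runtime, hence not etc_t -- confirm` so nobody later "corrects" the label to etc_t and breaks it. If the client only reads the file, a plain etc_t label with files_read_etc_files would be the narrower choice. The new `/var/lib/boinc-client(/.*)?` entry and the `/var/log/boincerr\.log.*` entry look consistent with the existing patterns.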
+++ b/boinc.te +@@ -1,4 +1,4 @@ +-policy_module(boinc, 1.1.1) ++policy_module(boinc, 1.3.1) + + ######################################## + # @@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1) ## gen_tunable(boinc_execmem, true) @@ -10817,7 +10826,7 @@ index 687d4c4..f668033 100644 type boinc_exec_t; init_daemon_domain(boinc_t, boinc_exec_t) -@@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t) +@@ -28,31 +30,71 @@ files_tmpfs_file(boinc_tmpfs_t) type boinc_var_lib_t; files_type(boinc_var_lib_t) @@ -10893,10 +10902,12 @@ index 687d4c4..f668033 100644 allow boinc_t self:shm create_shm_perms; -allow boinc_t self:fifo_file rw_fifo_file_perms; -allow boinc_t self:sem create_sem_perms; ++ ++can_exec(boinc_t, boinc_exec_t) manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -61,74 +101,49 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -61,84 +103,62 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) @@ -10918,11 +10929,11 @@ index 687d4c4..f668033 100644 -create_files_pattern(boinc_t, boinc_log_t, boinc_log_t) -setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t) -logging_log_filetrans(boinc_t, boinc_log_t, file) -- --can_exec(boinc_t, boinc_var_lib_t) +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +-can_exec(boinc_t, boinc_var_lib_t) +- -domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t) +logging_log_filetrans(boinc_t, boinc_log_t, { file }) 
@@ -10994,8 +11005,11 @@ index 687d4c4..f668033 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -137,8 +152,9 @@ init_read_utmp(boinc_t) + init_read_utmp(boinc_t) + ++libs_exec_lib_files(boinc_t) ++ logging_send_syslog_msg(boinc_t) -miscfiles_read_fonts(boinc_t) @@ -11006,7 +11020,7 @@ index 687d4c4..f668033 100644 tunable_policy(`boinc_execmem',` allow boinc_t self:process { execstack execmem }; -@@ -148,48 +164,61 @@ optional_policy(` +@@ -148,48 +168,69 @@ optional_policy(` mta_send_mail(boinc_t) ') @@ -11067,9 +11081,17 @@ index 687d4c4..f668033 100644 -corenet_sendrecv_boinc_client_packets(boinc_project_t) corenet_tcp_connect_boinc_port(boinc_project_t) -corenet_tcp_sendrecv_boinc_port(boinc_project_t) ++ ++dev_getattr_input_dev(boinc_t) ++dev_getattr_mouse_dev(boinc_t) files_dontaudit_search_home(boinc_project_t) ++term_getattr_ptmx(boinc_t) ++term_getattr_generic_ptys(boinc_t) ++ ++userdom_getattr_user_ttys(boinc_t) ++ +# needed by java +fs_read_hugetlbfs_files(boinc_project_t) + @@ -12256,10 +12278,10 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..f37b9b0 100644 +index 550b287..b824421 100644 --- a/certmonger.te +++ b/certmonger.te -@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) +@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t) type certmonger_var_run_t; files_pid_file(certmonger_var_run_t) 
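Review bot: The new `dev_getattr_input_dev`, `dev_getattr_mouse_dev`, `term_getattr_ptmx`, `term_getattr_generic_ptys` and `userdom_getattr_user_ttys` calls on boinc_t come with no why-comment, and nothing in the hunk explains why a compute daemon needs to stat mouse, input and tty nodes; they read like BOINC's idle detection, but that is an inference, so a line such as `# idle detection: stat input devices and ttys for recent activity -- confirm` above the group is what I would add. Note that `term_getattr_generic_ptys` is the interface introduced in the base-policy patch of this same commit, so the contrib change only builds if the base change lands with it. The boinc_project_t rules that follow in the hunk are unaffected.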
@@ -12269,8 +12291,10 @@ index 550b287..f37b9b0 100644 ######################################## # # Local policy -@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t) - allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice }; + # + +-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice }; ++allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice }; dontaudit certmonger_t self:capability sys_tty_config; allow certmonger_t self:capability2 block_suspend; + @@ -15268,10 +15292,10 @@ index 0000000..77cdd5e + unconfined_domtrans(cockpit_session_t) +') diff --git a/collectd.fc b/collectd.fc -index 79a3abe..3237fb0 100644 +index 79a3abe..3ee73d1 100644 --- a/collectd.fc +++ b/collectd.fc -@@ -1,9 +1,12 @@ +@@ -1,9 +1,13 @@ /etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0) +/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0) @@ -15281,6 +15305,7 @@ index 79a3abe..3237fb0 100644 /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0) ++/var/run/collectd(/.*)? gen_context(system_u:object_r:collectd_var_run_t,s0) +/var/run/collectd-unixsock -s gen_context(system_u:object_r:collectd_var_run_t,s0) -/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) @@ -15469,10 +15494,10 @@ index 954309e..6780142 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..de0fd11 100644 +index 6471fa8..b82bae6 100644 --- a/collectd.te +++ b/collectd.te -@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t) +@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t) type collectd_var_run_t; files_pid_file(collectd_var_run_t) 
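Review bot: certmonger_t gains `chown` on top of the `dac_override` it already holds, and together those let the daemon take ownership of any file it can reach, so the grant should say which files it is for, e.g. `# chown: hand issued key/cert files to the requesting owner -- confirm against certmonger` above the allow line. If certmonger only attempts the chown and tolerates failure, a `dontaudit certmonger_t self:capability chown;` next to the existing `dontaudit certmonger_t self:capability sys_tty_config;` would be the smaller change. The capability line is widened in place with no blank line or comment separating it from the surrounding block, which matches the file's style.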
@@ -15495,6 +15520,7 @@ index 6471fa8..de0fd11 100644 allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; ++allow collectd_t self:rawip_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; +allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow collectd_t self:udp_socket create_socket_perms; @@ -15506,8 +15532,9 @@ index 6471fa8..de0fd11 100644 manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) -files_pid_filetrans(collectd_t, collectd_var_run_t, file) ++manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) +manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) -+files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file }) ++files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file sock_file}) -domain_use_interactive_fds(collectd_t) +kernel_read_all_sysctls(collectd_t) @@ -15541,7 +15568,7 @@ index 6471fa8..de0fd11 100644 logging_send_syslog_msg(collectd_t) -@@ -74,17 +90,45 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -74,17 +92,45 @@ tunable_policy(`collectd_tcp_network_connect',` corenet_tcp_sendrecv_all_ports(collectd_t) ') @@ -79180,7 +79207,7 @@ index 7cb8b1f..bef7217 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..67d166c 100644 +index 618dcfe..8e08251 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -79242,7 +79269,7 @@ index 618dcfe..67d166c 100644 type puppetmaster_t; type puppetmaster_exec_t; -@@ -56,161 +62,166 @@ files_tmp_file(puppetmaster_tmp_t) +@@ -56,161 +62,170 @@ files_tmp_file(puppetmaster_tmp_t) ######################################## # 
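Review bot: `allow collectd_t self:rawip_socket create_socket_perms;` only has effect if collectd_t also holds `capability net_raw`, which the kernel checks before the socket-class permission; the capability rule is outside this hunk, and the existing packet_socket rule suggests it is already present, but confirm it or the raw socket will still be denied. A why-comment on the new line, e.g. `# rawip_socket: ICMP for the ping plugin -- confirm`, would tell the next reader which plugin drove it, since the hunk does not. Minor style: the new `files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file sock_file})` is missing the space before `}` that every other permission set in this file has.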
@@ -79441,71 +79468,75 @@ index 618dcfe..67d166c 100644 + +optional_policy(` + mysql_stream_connect(puppetagent_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(puppetagent_t) -+') -+ -+optional_policy(` -+ cfengine_read_lib_files(puppetagent_t) ') optional_policy(` - cfengine_read_lib_files(puppet_t) -+ consoletype_exec(puppetagent_t) ++ postgresql_stream_connect(puppetagent_t) ') optional_policy(` - consoletype_exec(puppet_t) -+ hostname_exec(puppetagent_t) ++ cfengine_read_lib_files(puppetagent_t) ') optional_policy(` - hostname_exec(puppet_t) -+ mount_domtrans(puppetagent_t) ++ consoletype_exec(puppetagent_t) ') optional_policy(` - mount_domtrans(puppet_t) -+ mta_send_mail(puppetagent_t) ++ hostname_exec(puppetagent_t) ') optional_policy(` - mta_send_mail(puppet_t) -+ firewalld_dbus_chat(puppetagent_t) ++ mount_domtrans(puppetagent_t) ') optional_policy(` - portage_domtrans(puppet_t) - portage_domtrans_fetch(puppet_t) - portage_domtrans_gcc_config(puppet_t) ++ mta_send_mail(puppetagent_t) + ') + + optional_policy(` +- files_rw_var_files(puppet_t) ++ firewalld_dbus_chat(puppetagent_t) ++') + +- rpm_domtrans(puppet_t) +- rpm_manage_db(puppet_t) +- rpm_manage_log(puppet_t) ++optional_policy(` + portage_domtrans(puppetagent_t) + portage_domtrans_fetch(puppetagent_t) + portage_domtrans_gcc_config(puppetagent_t) ') optional_policy(` -- files_rw_var_files(puppet_t) +- unconfined_domain(puppet_t) + files_rw_var_files(puppetagent_t) - -- rpm_domtrans(puppet_t) -- rpm_manage_db(puppet_t) -- rpm_manage_log(puppet_t) ++ + rpm_domtrans(puppetagent_t) + rpm_manage_db(puppetagent_t) + rpm_manage_log(puppetagent_t) ') - optional_policy(` -- unconfined_domain(puppet_t) -+ shorewall_domtrans(puppetagent_t) - ') - optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) ++ shorewall_domtrans(puppetagent_t) ++') ++ ++optional_policy(` + unconfined_domain_noaudit(puppetagent_t) ++') ++ ++optional_policy(` ++ 
shorewall_domtrans(puppet_t) ') ######################################## @@ -79525,7 +79556,7 @@ index 618dcfe..67d166c 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +232,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +236,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) @@ -79533,7 +79564,7 @@ index 618dcfe..67d166c 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +241,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +245,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) @@ -79549,7 +79580,7 @@ index 618dcfe..67d166c 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +255,48 @@ optional_policy(` +@@ -246,38 +259,48 @@ optional_policy(` hostname_exec(puppetca_t) ') @@ -79614,7 +79645,7 @@ index 618dcfe..67d166c 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,23 +308,24 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +312,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -79645,7 +79676,7 @@ index 618dcfe..67d166c 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +334,31 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +338,31 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -79682,7 +79713,7 @@ index 618dcfe..67d166c 100644 ') optional_policy(` -@@ -342,3 +367,9 @@ optional_policy(` +@@ -342,3 +371,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 927fb060..ee1ea02f 100644 --- a/selinux-policy.spec 
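Review bot: `shorewall_domtrans` now appears twice in this stretch, once on puppetagent_t in a new optional_policy block and once on puppet_t in the block that closes the hunk; if puppet_t is an alias of puppetagent_t, which the wholesale puppet_t to puppetagent_t rename in this hunk suggests, the two blocks expand to the same rules and one of them should be dropped, keeping `shorewall_domtrans(puppetagent_t)` next to the other puppetagent_t transitions. The same domain also receives `unconfined_domain_noaudit(puppetagent_t)` here, so the transition mainly buys correct labelling of the shorewall child rather than confinement of the agent, and a short comment saying so would help. The enclosing optional_policy run starts before this hunk.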
+++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 205%{?dist} +Release: 206%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -648,6 +648,16 @@ exit 0 %endif %changelog +* Tue Aug 02 2016 Lukas Vrabec 3.13.1-206 +- collectd: update policy for 5.5 +- Allow puppet_t transtition to shorewall_t +- Grant certmonger "chown" capability +- Boinc updates from Russell Coker. +- Allow sshd setcap capability. This is needed due to latest changes in sshd. +- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" +- Revert "Fix typo in ssh policy" +- Get attributes of generic ptys, from Russell Coker. + * Fri Jul 29 2016 Lukas Vrabec 3.13.1-205 - Dontaudit mock_build_t can list all ptys. - Allow ftpd_t to mamange userhome data without any boolean.