From 5b18dd604251cf053cb9c36c2cf4db8f83ddc409 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 18 Jul 2016 12:32:16 +0200 Subject: [PATCH] * Mon Jul 18 2016 Lukas Vrabec 3.13.1-203 - Allow hypervkvp domain to run restorecon. - Allow firewalld to manage net_conf_t files - Remove double graphite-web context declaration - Fix typo in rhsmcertd SELinux policy - Allow logrotate read logs inside containers. - Allow sssd to getattr on fs_t - Allow opendnssec domain to manage bind cache files - Allow systemd to get status of systemd-logind daemon - Label more ndctl devices not just ndctl0 --- docker-selinux.tgz | Bin 4315 -> 4317 bytes policy-rawhide-base.patch | 103 ++++++++++++++++++----------------- policy-rawhide-contrib.patch | 81 +++++++++++++++++---------- selinux-policy.spec | 13 ++++- 4 files changed, 116 insertions(+), 81 deletions(-)
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 486f14cf54171d546fe65c8d5057577342351eff..2a3cd5691d999c5daa61f3e7f8028371e3271194 100644 GIT binary patch literal 4317 zcmV<35F+m%iwFR9uZ&j!1MOVhkJ~m9&#V1c2uXqL9+KV7CTW08+ry!~hkH1nxc0Gt zDoeDjuD(vB*6R!MzuyeML{X$Z*4|`$X9091v*79x$E2@@vZxM%XW3mH ztw`*p8*BfQUdtCRg70XP=TW`?;nyt*%8C@PY1z~<38JdX(l}yiSp;!euqZ7^9gt!J zpBLXn??@8P+5+qy=gR}_PR{u)M9D2OqOqT{%@Ld(vQ63agPQHIG zsGk4O!~Tgk1W}fiJCX#f3|Ji%G{xz-KrcBed|##oBlS9p$=UB>C?RyhnP0y8eYx0> zBCN^3o3sXk`V1PS^mO1QliY#Rgl0aV^-EF zp);ho7?NTX$AogU#SHOD8NirEg?Ja$NY~1d_Z)olrbloC(+eard<`p7=M=csX-25( zQc`o#A5&AGlz6%Nd>P@ov{y47DB^#SC^6;B7xL>$wuT|`x$&{gm#6PZB&ydBW6CDiGmii6U3aQl%WDUr7ThG-=nKD!j~1d58$1?s=YP+8-I#%=cE;h z({)M`xq0HQN4l1acbJG(N9F_f+{ZF!2WW%KMm<2x4nhAjDxwW}Vm2!0gL)h*C9xl7 zrxf?#^YD0|WFc2wAC0O%X}0ZdW8NHj}z_JQK=( zO^a!rPlPvWHMIVlYxwsT{=GY*BlYt?etHT!0rx(tG?}pv)J@^BDu6?$x~d$df9JR% z7bW%G;rW^YX+&L zpe(#4ke6bXE4MBMcmI{k50t*65V#ZTdvHjdV zHn70GA`9l^-5Lt|!}i>kp<;Ihr_|jPUqbFGMp25`g7U#nTb7FICf?SeQ1x91ogYWA zc!`*-jl#sPs056eYf`W|;>D}q&48FW!*o%%8z^?3gmQ=|`H7-8_GDMHj?%E9qw-m~ z;cD*!lpB-_a9ifYUTC>Z$vu$I$Fo^s`>Wu&Xt)55=jSsKDBKCVFnDV=4!Fe{;dPv) zAa#iWg4uve#RcR<;gVAb*?rvUTdjw;e-#KA{Tl#NyeT`WA*BJjvrab`q_{f{-nOKS z9uJCpxko{(2`#g`3!LwPfMOAFXO}==`f4x$VU*-)A#@!RvChR5Pl5uu&`Wt(Kvx!p z3?`)2D$)On0@(BK1Ioal<@^~S>?@xx@S&i=!tu^H4x8!#cRQHr1Ru@8G1lXkpMPu* zKk1WQmnxpTHb{#m6+Wh}inz^vmkBTDpM%$J+d17j@j- z^lyr7WynL8@kQ_nT-X|>7|?W6M49mFg3li(1R(&+Ev}@HFgj2TQy*i^(PYwM%RN6qn4UG4hCgjMRUBxOUWkUtgc05NM079Fog=yF6usCiuRB;t3Sdt3FB>4YzVgIJc81Uni8$y5ZTgnl_U?|I+LCe z^2?*fu;!Z>Rn*JAi}103Z+w>i(8C;_;caxY?q{7=OXS9Jh2Y|IbHwVdGY6HO#ZPfl zo|l|;2rce5fgyU7zxh!6IR;mjMDS(mA_|;c6 zU79%0v`G^MD<5TnFqv>alE;qHv7;ng-+;#xtW(qI+`)g2mNCS(~KCI?B_o<8`p& zPdsgCMT!LMtv`Y@4Z5?Ov$vt>)1cG~#GhS1CZP8++2+1h(N16RzSaNztnH2AC!r>72nWB-~ybU*6^ z?Q^obPvL#M#=KRB!RK@Pfi`(=lqQQhPcXO)P^9r(*Ja)sQZ#?lWXLz`?yspb9Acdy zLnnLJqwq*ja(W~n_}51F z_d?$ARERkojA79ZzJoAb!Kc7XQ1U4-M}U~H;Da#kMen??Ib+#<1!6;EI>;;!R*6rS 
z@)(3J$vY5d;%a$eT*ZGw2rk*`xo|1F*S}xKYAyOsKS^y=g`t*x`?HK>WiVm{wC#9} z&=!6cB$G#NA_K%v+zeY_l0fLVE9=`q8h-e{r!mW@gJOpm{&tuZjkhEjz{Y6PG*vR8 zg%!s9C?JYidIw6FnDCM)!PCtq;Z^q%PPEY8l$PprmZzy!M#ApA+eEh{%WOuRBu14y z@ZP}BI*mh!%ZY`e=qN;gfO)5B)Adx!IjETI^w9E=a`|FH)I+4wpIgSNAuvT3mw8@g zMl*C`Y)uj!KZ`>hb z|8`cEm7mFtC^u;})|5hwfZ}lP(@o`cea`#BZZbQ}k$$coP zN=V{uEZ`p{aZ{&8h~h%%4&3s5#0K2+PoSkK{B1SywGED63rV_K_8QvlPFGCFbm2W$ zoc`Ea3huMb^yT;;%Goxcm)WZ8v+=kP-7y^vu)Rs3+bfpe+xL~815bCzyj2d`)2igz z6lii|{G$RP>-N1w(*~YU>kfcDq;S)6hxqxf@cH=a>66`#Q`OSdEY!c$3)TjrI*syr z6PiGH$lfXegH%VBc%vUzwq!zNEu=jSC#A}~Pa?Dw)a6rcs&;MRJH8Dt>W3w(hN^4< zeig4envSC=1mSJlsNW(MMwGo{#Xqj1InKd%1vD%kx}=>=z(tft@ir|wo3E&!boH@L zYqEp2OWcEh=@m(%_n(dj?V~QZr(TFnGV0_O%*M9Fa~$(7t(hl|5N)>4&u@Aa-_;ya z*mGCqy%SnB_Ow%wsJz}Fky79e6<<-4^hK~PYxM6WSNr-zNX4kFVZPGEO?ouaBAFc- zUAz!f@K8h;YDgk1h)8*%sWBMahcyQv7uQiqA&yfP9pbjaw8dZW)s{7Ada-4*QH!Qt zt9RvKTnp~ zi!41)UZ2)TUv-?rNUcjATPgT!i*5Ml4e%T6ub+EP2#5!Z&O=)LX3DY|K_{DL4L>$WUpQ zD2$w4`((1sEP&E+sSC?Uis%ZmwkpZJTd4Omh7OQM-Y)Sr44)|-jOssTIvCn}^7L@z zfy1a#(D8$*@pBZt(6`+qAv<57>AVSGO=09%RUK6yWA2 zkNIN5@cSQEZ?E5eYrp^T?!)Qt|9_F|5;NnMzsZtK{vMV*0y&dAYjY$2Fk*cpA5dBC zN%0Ml%ZApMtF*Y30E@-z*V9ns>&S>=fxIrtyE1EX@>6qqw&KelJBnj-pe<*y5 zFWo8mDf_vQ>5S>)H;Ul9<9FiQ^U(c0w7cac7^p0qFu-fdYG)A@x~E zty|0IuaIsV2(H*MkfbKut*JyC2I~fk9a$kF?A#BXrP%cK*jl9D@DF57*O?J4bRYnX z9sx}Ly{zNS^it?8orT!*n+%-;ip%Uio`olCs7;j313-M*e~H<&Sy(ELbE$3n>OUY} z@;}w}D5&U{9RV27glYH<|32A#ysy1Gp03k%x=z>WI$fvhbe*o#b-GU1={jBi8`pmU L{H)5V0C)fZ#|($j literal 4315 zcmV<15G3y(iwFR8<%L%O1MOVvkJ~m9?^pY;5RwAfJtVuE%?sGHJsjHma32mRuKid* zl_lC%SFaPP_4EDjD2mi$?M=3K7LeE$XMQAyqv6bOv`HD?lKLWDfAe_P6fJZN)gz8cUkznZ9R%NGcXhNP zv6pVF{ZD!=pFa=2qfMSi_5O!nwhuOb7Jt7dal=TEa5W6lB4AtnD=Bm6@q#m58eGA5Ra8fLP((TT{+Xb9 z_CpW*C*BZ5Syt{y60kC0byUz4r{e;>nJ8?zl))S&09@%prTJz7d#O$UZI?FV2_CMO@Y-&XbUmsE)VcDlN{weSN-MDB!S) z7<7tvEd>3Ooi7pU$g++>K2J;5IPFn6Pm^vO6`Zm!)dOYu3-3sYGD}xM0;7ysS*L`~ zkm6!UicuUB%Fz}x#3y9{V;U9WT~s4oD@WdQ@a^j!!3|6=kjU^gtVo?x;992{p{h$s z%|(AqO?^`0-clxUK*7R@uDaM_XRwPc> 
zDM{q!iMt-@S}xvUB32!l58QJf%bXpc4K5q?05LlR{m-a~Hsp!fsGJY#ajcZYewdw7 z+=I`<<5{}?Vm+A++gLKRO^>i*K9l!&;{FkAA6S`k^#{n9qAMRM*+Ul{`R|c_m$GdT z0ae35q%4gCKI7I$2it{okzv%TI=#bAkn#(zpoJ_)5#lHu_!zPBsg!GOS%pN<631Lb zbGj0|VVp&jdb;9m{k~R2c9+cQ5C4A#@ixjo%D#Wb>c%%kB(=I-k+j%M>elg0DEl=n zrgc6M-l)~k`fsn{-y8V%_K1$u&;R)8DeMH?`>4`n#y(Itg~zG@4xQ?%a+Lm^_TN z@RmScidnAQx)k6QSc+YOYa?*%=+79&4SocA<#qfw#3F|h$Sp|zRIJNI1^QE$sMsz& zI!a&@6-ltG)1J4RlN`34ul#iGKqUDj<#5L4DBwI0C`za^BxVaN2rP*iPgTYCbNAT5 z0{4n6n3H#FDCiH{b6bXr-4&ctcT;=`xvLmODPjxC2S06DDyo}!TZcl`cOi6s9Kqrx zVzM?06T6}kFlMev!RCk;uYNZJV&)9fMcrg zy$euoP%gl2nG<`V7Hfo8ah8JA zB?bs)11=R8kQ0SVP9bFXai?#!9^U>{AYk-w08H_w?4*X22I$T@-CU63?l^eck}`Tc zDDLGR1+6Bu%temysI}@-f6s{W> zRUqfbBMSZir_eF%|2&~lsOJgnV_KI*KFbq$goWZGoFBEgb4hCH1_B&w^M_s3ad*?d zDYlg%4_U?+!6$HGYnWm{(@ha&!mA5Df1D7604%q-j#kzGa0brHZe-fLN9GuC`0)>MHbKE=JLQ6;0os?5@O&(%`Jw=$rGXtQ7{ z<$rFpkHo((j+&qdqlRteQGPc|!CRhEIRhW*JIc6XO;T(TpQ6SGUzQPm+;pvt^HG6GMC24Bla;;|NY_GQU85?b*lgV5|?oF!@Nu& zmOc~O@G^LPadmMu%SJ7q2S1TGgU26zWN=KD+z2Fu#`46Xl4lhJQ~%(-1iLK(7pK-~ z`iR>nl_%iQJcRnc{`hlHl{M4n8I?3O0vZhmYl>*4N3SwYFZ(XS$Ns(XS^7f{b9jcg(apM_by_Wv8^;xbi_gswtGmt|RCX3W#Z7r$ za@HZVxZ4DV=u!UWL+$4nTv-yqm#LG7vrco5hj(QkBAl7cwi@P@ArJUrGVsPe!*Bz81&&+U)6MJ z;ylwPO%$wrlm)_M!u?1dJ4(lnl5Bkg9#6DNvy|kbi^FQdb!88+Eh;OtuC{%%-_|1IwqY{9ubsGZV8mqh6 zI_Rg)(mZ9nM=B3cJ-zBA4<6(i86S~Fa&frQ!Muy^%^?UDR}W=vk{;_QPrHuS!HPfe zw4oI#60o=a2+lO<&T`J)hN4fCx|YmUSvZroUkN%DVDvQ14`iK*O`C@@!;akVG$9TE z2u{M{q2U|+-Q(G5;};u3FaJAj>>g%o@9_*=F@M5=^W)Iqvp$@jI{1zKYx>artP`}) z$?iUd_wgF@RviYP&+P}=kd8rpj=Lb%G3? z>|Kw-BSFdOk>KQcqrYMQo-y}9_G$AU8G+oL4!}@lO9w!#vWL&at<18SzdB}U@5iN1 zO#6BO{V;t;zj}z_n5JcHFuK4iFPnmu#nk7=`<~7;JsM-5phsQ^_k?BhTw~&28{OY? 
zdBam7=5R2EMLYNo!gK|n0y9C$r@$NmV#0zC!nhZ`^Sou*CKQz_@5VzSdi%SX!PiwRK=kxGAV8LNiC6kS~Ad6kj- zkW1ggz(eRs^LJ8u=HHA0+WV7CkP} z?WQi9s^6__7Jd}n=UH0ZS_JYqH|ppy-0$?;>6EgvM*CVvyO1Yp?!k{pQhI9=@gxR5 zmj$J}l*L=4QC6!`_?@U!kadSj9az3G7LDQaFKJ+)9& zDVs8o6xpp^`=&G*ruA_J^?untU?AsRU3peN*6r#+iOB5cCv|@O$GKU5Ke9)cH zB!6y3$F^ZsPNd=Ko^JUUTf`SFPk;o;ZG$3See{C+1L>CQ(gQt_~K zvzbm9e;zj3)NLB}lPe_};8Q1@*NNHOPXkHWw({2{AeVF9#*bsf{fN^aW0}WH(qUE!3)}_ns`FBGo3;8>Oos(39NDeT}LA}5#JNzm|;c%cF6khkNDY#1t zww~8RbWRa_B)tb)mtrl!12s1n(@`^8U>KN4pjIQ6TLo5^HY~nzhlu^# zSy@(oCO4woq}5nc3NZqT!@ZZwaAYo(+lT0pxps9or4Gl(Np;BGBNe+1RqrSFp`cof;vE3!yu3%kvQ%aL+%1mZtEx)x_5}IDRc8>1x?)Xtz6EF&)!|_gr!M zV{0k6&ok}arqqc_mQWrPr(MXGAc4Tz% zTu{M75n-qyiLf9d<%OokU~C`O9DrP0MjntH9? zm4k7mD@@vMk|c`xdv|WqPEN^%JFoT_qBMNvz*+giJw*)6EdSa%)CfNJ%X5dy*?KRs z^gMZeS|fecaSkK3E_rOF;IA#V;h#6abG*RN^PQd8G9+>w89-oU=8@%*!Sor~QV~TA z7%FGc{+Zhp4H#kLT@2sG!Wr7#WrU??O2M(@QP&9Hu;oy1v1+q1Td}3w_*)`FrCp*h za(3;L$u_e9O2?%xEF&qRE6CcaB=>Hi-qRR5KpJ_w#M>}@rgSi>|Cs4uXz$6>!;uFL zqeel;52nV?QS?IJc8`SYe1WF(CV(}Ckz-YLRDGBU$yiN0k}_3vU%NE^|KbudzgR!! ziw(o?e_Xw}e)Hab|Ksh4)8GI9BG)Bm#xH-9C7b*`EO`WSCU@56M*d;M`bIvWvf7j4 z8zPqttuI$;aVY^7i&w9vp~%;f5yb*|Rg`yS*5u@su#wX-&G(!&FnCE4*oXg6_!eKf zQ}R>xb0O0i)5mWV!FR{+#JA_6`+I12%S$lu68!A);xFfaT}%Vg1+)SM_B2E4vyfW1 zmd{@y-8K+hv11@fO}JZAi8c(@4Hi4HLPXfPA3961>FcqzNWbA9$eOM*BUtD_02n<2 znEZQL$D8S;&|5kSvFA4#ItLV&*?l|__Y5LvuU%iR2=70+xFFeK)mFC zs_Riu(Jwm!FrW$3@EiVpviW#ldv`otr|Wc`uG4k8PS@!=U8n1Govzb$y8bt={{qBq J?G6BV008^1Y83zg diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 097cf35c..6b2dbbce 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6416,7 +6416,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..ab7c054 100644 +index b31c054..891ace5 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ 
@@ -6475,16 +6475,18 @@ index b31c054..ab7c054 100644 /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -@@ -80,6 +93,8 @@ +@@ -80,7 +93,10 @@ /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/nvme.* -c gen_context(system_u:object_r:nvme_device_t,s0) +/dev/nvme.* -b gen_context(system_u:object_r:nvme_device_t,s0) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) ++/dev/ndctl[0-9] -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -90,6 +105,7 @@ + /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) +@@ -90,6 +106,7 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) @@ -6492,7 +6494,7 @@ index b31c054..ab7c054 100644 /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) -@@ -106,6 +122,7 @@ +@@ -106,6 +123,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) 
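Review bot: `++/dev/ndctl[0-9] -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)` matches only ndctl0 through ndctl9, so on a system exposing ten or more of these nodes `/dev/ndctl10` and up would not be covered by this entry, even though the changelog describes labeling more ndctl devices. The `/dev/tpm[0-9]*` entry in the next devices.fc hunk shows the file's usual form for numbered nodes; `/dev/ndctl[0-9]+ -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)` would cover any count. Whether an earlier `/dev/ndctl0` entry elsewhere in devices.fc becomes redundant cannot be seen from this hunk.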
@@ -6500,7 +6502,7 @@ index b31c054..ab7c054 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +135,12 @@ +@@ -118,6 +136,12 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -6513,7 +6515,7 @@ index b31c054..ab7c054 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +152,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +153,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6528,7 +6530,7 @@ index b31c054..ab7c054 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,15 +197,21 @@ ifdef(`distro_suse', ` +@@ -172,15 +198,21 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -6550,7 +6552,7 @@ index b31c054..ab7c054 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +229,27 @@ ifdef(`distro_debian',` +@@ -198,12 +230,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -37011,7 +37013,7 @@ index 79a45f6..9926eaf 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..0a4a187 100644 +index 17eda24..28999af 100644 --- a/policy/modules/system/init.te 
+++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37310,7 +37312,7 @@ index 17eda24..0a4a187 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +326,258 @@ ifdef(`distro_gentoo',` +@@ -186,29 +326,259 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37500,6 +37502,7 @@ index 17eda24..0a4a187 100644 +systemd_manage_unit_symlinks(initrc_t) +systemd_config_all_services(initrc_t) +systemd_read_unit_files(initrc_t) ++systemd_login_status(init_t) + +create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + @@ -37578,7 +37581,7 @@ index 17eda24..0a4a187 100644 ') optional_policy(` -@@ -216,7 +585,30 @@ optional_policy(` +@@ -216,7 +586,30 @@ optional_policy(` ') optional_policy(` @@ -37610,7 +37613,7 @@ index 17eda24..0a4a187 100644 ') ######################################## -@@ -225,9 +617,9 @@ optional_policy(` +@@ -225,9 +618,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37622,7 +37625,7 @@ index 17eda24..0a4a187 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +650,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +651,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37639,7 +37642,7 @@ index 17eda24..0a4a187 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +675,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +676,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
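Review bot: `++systemd_login_status(init_t)` is inserted in the middle of a run of initrc_t rules (`systemd_read_unit_files(initrc_t)` directly above, `create_sock_files_pattern(init_t, ...)` below), which makes a new grant for a different domain easy to overlook when reading init.te. Moving it beside the other init_t systemd rules, or at least preceding it with `# allow systemd (init_t) to get the status of systemd-logind`, would keep the two domains' rule groups distinguishable. The enclosing block of init.te around this hunk is not visible here, so whether it sits inside an ifdef or optional_policy cannot be checked.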
@@ -37682,7 +37685,7 @@ index 17eda24..0a4a187 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +712,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +713,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37694,7 +37697,7 @@ index 17eda24..0a4a187 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +724,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +725,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37705,7 +37708,7 @@ index 17eda24..0a4a187 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +735,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +736,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37715,7 +37718,7 @@ index 17eda24..0a4a187 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +744,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +745,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37723,7 +37726,7 @@ index 17eda24..0a4a187 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +751,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +752,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -37731,7 +37734,7 @@ index 17eda24..0a4a187 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +759,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +760,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37749,7 +37752,7 @@ index 17eda24..0a4a187 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +777,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +778,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37763,7 +37766,7 @@ index 17eda24..0a4a187 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +792,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +793,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37777,7 +37780,7 @@ index 17eda24..0a4a187 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +805,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +806,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37788,7 +37791,7 @@ index 17eda24..0a4a187 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +818,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +819,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
@@ -37796,7 +37799,7 @@ index 17eda24..0a4a187 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +837,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +838,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37820,7 +37823,7 @@ index 17eda24..0a4a187 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +870,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +871,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37828,7 +37831,7 @@ index 17eda24..0a4a187 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +904,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +905,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37839,7 +37842,7 @@ index 17eda24..0a4a187 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +928,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +929,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37848,7 +37851,7 @@ index 17eda24..0a4a187 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +943,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +944,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37856,7 +37859,7 @@ index 17eda24..0a4a187 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +964,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +965,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -37864,7 +37867,7 @@ index 17eda24..0a4a187 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +974,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +975,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37909,7 +37912,7 @@ index 17eda24..0a4a187 100644 ') optional_policy(` -@@ -559,14 +1019,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1020,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37941,7 +37944,7 @@ index 17eda24..0a4a187 100644 ') ') -@@ -577,6 +1054,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1055,39 @@ ifdef(`distro_suse',` ') ') @@ -37981,7 +37984,7 @@ index 17eda24..0a4a187 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1099,8 @@ optional_policy(` +@@ -589,6 +1100,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37990,7 +37993,7 @@ index 17eda24..0a4a187 100644 ') optional_policy(` -@@ -610,6 +1122,7 @@ optional_policy(` +@@ -610,6 +1123,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37998,7 +38001,7 @@ index 17eda24..0a4a187 100644 ') optional_policy(` -@@ -626,6 +1139,17 @@ optional_policy(` +@@ -626,6 +1140,17 @@ optional_policy(` ') optional_policy(` @@ -38016,7 +38019,7 @@ index 17eda24..0a4a187 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1166,13 @@ optional_policy(` +@@ -642,9 +1167,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38030,7 +38033,7 @@ index 17eda24..0a4a187 100644 ') optional_policy(` -@@ -657,15 +1185,11 @@ optional_policy(` +@@ -657,15 +1186,11 @@ optional_policy(` ') optional_policy(` @@ -38048,7 +38051,7 @@ index 17eda24..0a4a187 100644 ') optional_policy(` -@@ -686,6 +1210,15 @@ optional_policy(` +@@ -686,6 +1211,15 @@ optional_policy(` ') optional_policy(` 
@@ -38064,7 +38067,7 @@ index 17eda24..0a4a187 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1259,7 @@ optional_policy(` +@@ -726,6 +1260,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38072,7 +38075,7 @@ index 17eda24..0a4a187 100644 ') optional_policy(` -@@ -743,7 +1277,13 @@ optional_policy(` +@@ -743,7 +1278,13 @@ optional_policy(` ') optional_policy(` @@ -38087,7 +38090,7 @@ index 17eda24..0a4a187 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1306,10 @@ optional_policy(` +@@ -766,6 +1307,10 @@ optional_policy(` ') optional_policy(` @@ -38098,7 +38101,7 @@ index 17eda24..0a4a187 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1319,20 @@ optional_policy(` +@@ -775,10 +1320,20 @@ optional_policy(` ') optional_policy(` @@ -38119,7 +38122,7 @@ index 17eda24..0a4a187 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1341,10 @@ optional_policy(` +@@ -787,6 +1342,10 @@ optional_policy(` ') optional_policy(` @@ -38130,7 +38133,7 @@ index 17eda24..0a4a187 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1366,6 @@ optional_policy(` +@@ -808,8 +1367,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38139,7 +38142,7 @@ index 17eda24..0a4a187 100644 ') optional_policy(` -@@ -818,6 +1374,10 @@ optional_policy(` +@@ -818,6 +1375,10 @@ optional_policy(` ') optional_policy(` @@ -38150,7 +38153,7 @@ index 17eda24..0a4a187 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1387,12 @@ optional_policy(` +@@ -827,10 +1388,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38163,7 +38166,7 @@ index 17eda24..0a4a187 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1419,62 @@ optional_policy(` +@@ -857,21 +1420,62 @@ optional_policy(` ') optional_policy(` 
@@ -38227,7 +38230,7 @@ index 17eda24..0a4a187 100644 ') optional_policy(` -@@ -887,6 +1490,10 @@ optional_policy(` +@@ -887,6 +1491,10 @@ optional_policy(` ') optional_policy(` @@ -38238,7 +38241,7 @@ index 17eda24..0a4a187 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1504,218 @@ optional_policy(` +@@ -897,3 +1505,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d40c3d30..9cce4605 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -28825,7 +28825,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..50e7985 100644 +index 98072a3..73c5573 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -28894,7 +28894,7 @@ index 98072a3..50e7985 100644 -sysnet_read_config(firewalld_t) +sysnet_dns_name_resolve(firewalld_t) +sysnet_manage_config_dirs(firewalld_t) -+sysnet_create_config(firewalld_t) ++sysnet_manage_config(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) @@ -45847,10 +45847,10 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..5160f96 100644 +index be0ab84..6f475e4 100644 --- a/logrotate.te +++ b/logrotate.te -@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) +@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) # Declarations # @@ -45862,6 +45862,13 @@ index be0ab84..5160f96 100644 +##
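Review bot: Replacing `-+sysnet_create_config(firewalld_t)` with `++sysnet_manage_config(firewalld_t)` widens firewalld's access on net_conf_t from creating files to full manage (write, rename, unlink), and net_conf_t labels general network configuration such as resolver and hosts files rather than firewall state alone; together with `sysnet_manage_config_dirs(firewalld_t)` just above, a compromised firewalld_t could rewrite or remove that configuration. The hunk gives no indication of which net_conf_t file firewalld actually needs to modify, so a comment above the rule naming the file and the operation would record why manage is required. If the need is only to rewrite an existing file, a narrower interface such as `sysnet_write_config(firewalld_t)` may suffice, which is worth confirming against the denial that motivated the change.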

+## +gen_tunable(logrotate_use_nfs, false) ++ ++## ++##

++## Allow logrotate to read logs inside ++##

++##
++gen_tunable(logrotate_read_inside_containers, false) + type logrotate_t; @@ -45877,7 +45884,7 @@ index be0ab84..5160f96 100644 type logrotate_lock_t; files_lock_file(logrotate_lock_t) -@@ -25,21 +31,30 @@ files_tmp_file(logrotate_tmp_t) +@@ -25,21 +38,30 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) @@ -45914,7 +45921,7 @@ index be0ab84..5160f96 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +63,52 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +70,52 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -45972,7 +45979,7 @@ index be0ab84..5160f96 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +126,55 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +133,55 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -45990,8 +45997,7 @@ index be0ab84..5160f96 100644 +# cjp: why is this needed? logging_exec_all_logs(logrotate_t) +logging_systemctl_syslogd(logrotate_t) - --miscfiles_read_localization(logrotate_t) ++ +systemd_exec_systemctl(logrotate_t) +systemd_getattr_unit_files(logrotate_t) +systemd_start_all_unit_files(logrotate_t) 
@@ -46000,12 +46006,13 @@ index be0ab84..5160f96 100644 +systemd_dbus_chat_logind(logrotate_t) +init_stream_connect(logrotate_t) --seutil_dontaudit_read_config(logrotate_t) +-miscfiles_read_localization(logrotate_t) +miscfiles_read_hwdata(logrotate_t) --userdom_use_user_terminals(logrotate_t) +-seutil_dontaudit_read_config(logrotate_t) +term_dontaudit_use_unallocated_ttys(logrotate_t) -+ + +-userdom_use_user_terminals(logrotate_t) +userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) @@ -46034,7 +46041,7 @@ index be0ab84..5160f96 100644 ') optional_policy(` -@@ -135,16 +189,17 @@ optional_policy(` +@@ -135,16 +196,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -46054,7 +46061,7 @@ index be0ab84..5160f96 100644 ') optional_policy(` -@@ -170,6 +225,11 @@ optional_policy(` +@@ -170,6 +232,11 @@ optional_policy(` ') optional_policy(` @@ -46066,7 +46073,7 @@ index be0ab84..5160f96 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +238,7 @@ optional_policy(` +@@ -178,7 +245,7 @@ optional_policy(` ') optional_policy(` @@ -46075,7 +46082,7 @@ index be0ab84..5160f96 100644 ') optional_policy(` -@@ -198,17 +258,18 @@ optional_policy(` +@@ -198,17 +265,18 @@ optional_policy(` ') optional_policy(` @@ -46097,7 +46104,7 @@ index be0ab84..5160f96 100644 ') optional_policy(` -@@ -216,6 +277,14 @@ optional_policy(` +@@ -216,6 +284,14 @@ optional_policy(` ') optional_policy(` @@ -46112,7 +46119,7 @@ index be0ab84..5160f96 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +297,43 @@ optional_policy(` +@@ -228,26 +304,50 @@ optional_policy(` ') optional_policy(` @@ -46145,6 +46152,13 @@ index be0ab84..5160f96 100644 +optional_policy(` + virt_manage_cache(logrotate_t) +') ++ ++ ++optional_policy(` ++ tunable_policy(`logrotate_read_inside_containers',` ++ virt_read_sandbox_files(logrotate_t) ++ ') ++') + ####################################### # 
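Review bot: The new `logrotate_read_inside_containers` block is separated from the preceding `virt_manage_cache(logrotate_t)` optional_policy by two added blank lines (`++` twice) where the rest of logrotate.te uses one, and since both blocks depend on the virt module the tunable_policy could sit inside the same optional_policy instead of a second one. On the access itself, `virt_read_sandbox_files(logrotate_t)` presumably grants read on every file of the container sandbox type rather than only log files, so the tunable's description in the earlier declaration hunk (whose text appears cut short in the visible lines) should state that scope so administrators know what the boolean exposes; the default of false is the right choice.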
@@ -49799,10 +49813,10 @@ index 0000000..f5b98e6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..66c45cb +index 0000000..2d4fb00 --- /dev/null +++ b/mock.te -@@ -0,0 +1,284 @@ +@@ -0,0 +1,285 @@ +policy_module(mock,1.0.0) + +## @@ -49935,6 +49949,7 @@ index 0000000..66c45cb +selinux_get_enforce_mode(mock_t) + +term_search_ptys(mock_t) ++term_use_generic_ptys(mock_t) +term_mount_pty_fs(mock_t) +term_unmount_pty_fs(mock_t) +term_use_ptmx(mock_t) @@ -64088,10 +64103,10 @@ index 0000000..eac3932 +') diff --git a/opendnssec.te b/opendnssec.te new file mode 100644 -index 0000000..a0e817d +index 0000000..83507cf --- /dev/null +++ b/opendnssec.te -@@ -0,0 +1,55 @@ +@@ -0,0 +1,59 @@ +policy_module(opendnssec, 1.0.0) + +######################################## @@ -64122,7 +64137,7 @@ index 0000000..a0e817d +allow opendnssec_t self:capability { chown setgid setuid sys_chroot }; +allow opendnssec_t self:process { fork signal_perms }; +allow opendnssec_t self:fifo_file rw_fifo_file_perms; -+allow opendnssec_t self:unix_stream_socket create_stream_socket_perms; ++allow opendnssec_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +manage_files_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t) +manage_dirs_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t) @@ -64144,6 +64159,10 @@ index 0000000..a0e817d +logging_send_syslog_msg(opendnssec_t) + +optional_policy(` ++ bind_manage_cache(opendnssec_t) ++') ++ ++optional_policy(` + ipa_manage_lib(opendnssec_t) +') + @@ -66940,7 +66959,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..370dd38 100644 +index 44dbc99..34682ff 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; 
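Review bot: `++ bind_manage_cache(opendnssec_t)` grants full manage (create, write, rename, unlink) on bind's cache type without a comment saying why the opendnssec domain needs more than write access there. A one-line comment above the optional_policy, such as `# presumably the signer writes signed zone output into the bind cache directory; confirm which permissions are actually needed`, would record the intent, and if only writing existing files is required a read/write interface would be the narrower grant. The same file hunk also adds `connectto` to the domain's self unix_stream_socket permissions, which is consistent with a daemon using a local control socket but is likewise undocumented.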
@@ -67006,7 +67025,7 @@ index 44dbc99..370dd38 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -63,35 +67,51 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) +@@ -63,35 +67,52 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) @@ -67028,6 +67047,7 @@ index 44dbc99..370dd38 100644 +corenet_tcp_connect_xodbc_connect_port(openvswitch_t) +corenet_tcp_connect_ovsdb_port(openvswitch_t) +corenet_tcp_connect_openflow_port(openvswitch_t) ++corenet_tcp_connect_openvswitch_port(openvswitch_t) +corenet_tcp_bind_generic_node(openvswitch_t) +corenet_tcp_bind_openvswitch_port(openvswitch_t) @@ -88496,7 +88516,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..cb5f49c 100644 +index d32e1a2..1271bf3 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -88539,7 +88559,7 @@ index d32e1a2..cb5f49c 100644 files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) -+kernel_read_sysctl(rhsmcertd_t) ++kernel_read_net_sysctls(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) +kernel_read_sysctl(rhsmcertd_t) + @@ -104299,7 +104319,7 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..c420309 100644 +index 2d8db1f..864ea2f 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) 
@@ -104367,7 +104387,7 @@ index 2d8db1f..c420309 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +86,35 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +86,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -104377,6 +104397,7 @@ index 2d8db1f..c420309 100644 files_list_var_lib(sssd_t) fs_list_inotifyfs(sssd_t) ++fs_getattr_xattr_fs(sssd_t) selinux_validate_context(sssd_t) +seutil_read_config(sssd_t) @@ -104407,7 +104428,7 @@ index 2d8db1f..c420309 100644 init_read_utmp(sssd_t) -@@ -112,18 +122,64 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +123,64 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 4c49d34e..e046a91e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 202%{?dist} +Release: 203%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -648,6 +648,17 @@ exit 0 %endif %changelog +* Mon Jul 18 2016 Lukas Vrabec 3.13.1-203 +- Allow hypervkvp domain to run restorecon. +- Allow firewalld to manage net_conf_t files +- Remove double graphite-web context declaration +- Fix typo in rhsmcertd SELinux policy +- Allow logrotate read logs inside containers. +- Allow sssd to getattr on fs_t +- Allow opendnssec domain to manage bind chace files +- Allow systemd to get status of systemd-logind daemon +- Label more ndctl devices not just ndctl0 + * Wed Jul 13 2016 Lukas Vrabec 3.13.1-202 - Allow systemd_logind_t to start init_t BZ(1355861) - Add init_start() interface