From 65f16bbe309a73215bdcc1adc751ee0d33a891f5 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 11 Sep 2017 09:50:18 +0200 Subject: [PATCH] * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281 - Allow domains reading raw memory to also use mmap. --- container-selinux.tgz | Bin 7000 -> 7000 bytes policy-rawhide-base.patch | 91 +++++++++++++++++++---------------- policy-rawhide-contrib.patch | 33 ++++++++----- selinux-policy.spec | 5 +- 4 files changed, 74 insertions(+), 55 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index b1bd8aaedd8173ced0444db34e99882cd926d07f..001fc23b3453e947d372292bd49a3bd0fe90f2f7 100644 GIT binary patch delta 6652 zcmVerfw5lCQN-&(lRVp|c#tCL{?cYmuLsMz7hh+2+E>u3x7j3}+6 z?8pK2*T@e^zD1d1=ks8u0`ceD{t%mK1UYnagRr5fYbxHPUR{9JVs#wQUdM{`Z`6#6 z{E~R%g;30(&dWHeMs(iO2$J_RD3*&L@BI=<8$nY3-nZ8}nvYOVkK@BX*F{vO6)=HaZ}TNaY2)Ez#39*Xs$#(l}CAotV1CGk@nIF_26+G#ebmLCWu@k^#ArVf7hKzzK$`LQqfMP z+c^9&+D%{#4VaT^$zBV7RjudTa!h`*-5gqnb7&s9w~P&A-d6dVj597AoMNUojb(!R zd{X_|%w9!jxk`7u%CboQq?+bOunusEy!j2}U7>%%SDFHHX*I_avOL7~-t&R*P=kc) zIDhb{_KoiWrgo(Bl{vpC<9o~pDL-R_c93}~)>sM+K00%$D*2YI4ki>dR05LHn5-D@ zI!OGgGGs;X`gv_4o?SR5Km7j-FE3F3e)7i`b$KvV5lK7QZlXBbIc2LKB4R#wcJOKk zh|L?T41#ZO;J5?jP=!Z-yO2JCh<27#jr!Zs1O;k){2q5jFKD|rXZ;p`V+nJ zcoNLKS+_X@FF>(8gjf=Wqw&2cCHaUyp6nUY`!c}A3*_+$jQ=UPKckD1hOwW8-hV?G z>lTw~l)}vQpns3ssDej%dT^zNpFW#g`~3{ME=;5Pl5y%+N&{Ln-DFGA8C4X`CT! z_Em(9|BAADjHog7bFzq>7)FV`nSZD;|8UJqiLKz?49fIxppgC&eAgWyNxrkNDs!QM zVxOl`w-4}1kx#l}qtGxlBFSs-g?x7jd@n90y3J6MNwQ%Wc`!|~of1?W1G?W1>}BePCKT$T0wH+}TG@;4Zz}>fc7F{;n26I8 z#ApOfb56u~lYqLb)Sl&N|7)DqP4C~vyUQrMpA&VTS9LWvAg$MC#4MvKPwp>K0<*xf zma4!I*yNAVJk@8IXw=RKm&5uY@t@{LyqOWwuk$n(Isgop5@zkSAEt4}<|5qmGz}j% zSqY>|`2x_6bp7O6Cj1-H=zqYLZUp3&f~?Z^CMda)+NF_SbrX%R35J%xlu@G z#gH+~-Q?qKhq>OzWuB#@7A>b~E-L4--WsFhU9_m(z0+T{fSs;?vC}?h=8U5oK!m(K z!y>%|X?Rt<%lw25Snt#AIEM^mMzfQiP!!C*vtdI}wl9ohVu+u6Bs=^lWd{J(7|1QG zdC9+XV&~P@I0=Wjl{kJf?41*SHdG5eC!28iuZuj1gD2|Y!YRnTfIf_XS_B(hDDMZH zhOg#!_OAUyz2||RJ&!NF{K}IB2Qq*4+B{VI@n&~_6cot;RIIZx~2(%gK?7|vaq57gS)Bo=rXn;Ea8s`>u-uUX%9lJVV?@7uj9>5m<9dpNdwR43?>UO zIblL8pNbr+%PiHnn)h7H%tu$6;!ZtQVKe<09oxifa$>Ea6pK0C+A-V>n0S9I!`S5{5duh{nFdEHb4F}hWRKF~dSl0((Vdq;g?%3#Gmu#*9^(|ngGAOPZxeh)v%{A@Nd0e`WQ#&x*3qf*u%G|` z@ZskAeeeAL`*+Lv|Id+_r)8byAt<(U*&AMaHF5h0PI{Jczc{1;cSLS)0-;Fhu zS1-MvB9rzAEgO$NdqrN>G6tvMdXk}IW$HubZ`8WVr5Tv(uaiCrQ-6M2gW(qJQKdIZ zUk4|dP@Ow+NQZ{5c;?dC=C+k;NT`z-w;Obm4X5sknk~ZHB4*Eet)e;&`}9ujVs*=1 zDD_et6zw>X^VZvbACvCvb`g~@Cw^7}#ijRxYeSUUa3X9;Y#@`lKo5}*)_&(*{ywg7 
z-M5jOod#A;{x?-!>woswZf&$N#dZfnOhk~3 zmVrMyh%HttGH#gmu-QhkM2A1k_}j|VtEj{EdzHSI>i0)Fs9on+8@%tTGv?7H?PsNI zW3+Q=ZIp@q2>I|_i_nJ`F`8}cCd8A4Yt~QaeU?5LkJxBq$$uzBCWJJHCL{OCd5=*e zXqZ)d;-zP|EA&HWQB8lJcUf>QjkjU6J^wYLId2W-JuXFF@`!Mp0K#LYAz16Z_1<{6 zYGBge$GbhuytDvs=bW&0|7;oKGDgjFv?bJ7G@w8H#AEgtykb5w-Nau-$@XL57yc$r z;`+&Z_JV!>kbil1F&IEw_!pkAtfD#&z4R{2Ll2vVHt^_Qn>ds4_w=Cj!KR7oEkNRg zx5nTry8h|Y?NBMeiV++3Wt4z@oZyE20FziF{}VC|4kdJ*dYGqea1Ky!LkvqACPOD9 zje;BvfgNI%51Zh?1hY>}UJEF!%u!72o=V&ufUrC(Zt?&2&#Y1$D;Q>dKOdvu-gt5QtK#8}L zAZ?|RQ-3IS0MgK~NQ}xjSc3xBnpqc;1v~CY7Lfl~7V4SMoy#b=XF*-K%pNY;6do#? zBfS*Z2zt5Tx3jD|ORSDpUeCkz`zGlg>mRTzm|56=av>1q!H5|kT{IF8*ul$;p84dy zE%UUQ=;^|fG!MZ{SZOaq7$}|y1@15Nbf?IV1%K<`voINPFyz@0SrY>-pn0KfYhq2O z8zV5W{MARoO=(X%B7*{p&s|OpVCUS(i)mG6D|B7l+?48?(K3g5# zS(|B<-Dw_7t*RAk^w2Wl>5n40fhmHM!QP+TG#w#)6hoNZascyI4VZex_lYf`+W~F^ z#edX>-}16|kGsA3t;(}Yc=^IsfoHADuI~f*)Q_fk>HRqjSxjN--$ku}pM4bEc@KGc zcL`+wnHSOakR(s&a0dyb`8|2#Gw&ht_CEaKdz%Oa;8l5YKo2f({eu%APngpd<~GNA zK;yn<5iSq;Aqjcr_;(7^Gnh-T9*h9M8h@U{-KXpa2yY!38h?lIfHWc@Q$Xtw>6j20 zZr5RB_kN*&!DL5F7``oco$Pk-z%VRcjOmVas0 zkyjHm9=Qpl%y#qR)Xw67Il6N=V9t#>Hr#gLf^#?E zkh*Rl>rNfQr5pFJk?Qo_2dQWHNnPmQ7=+b*{E3G%@V$_BRD-rIO{fDgVz@r8y=x5F z*X!py5PFpGaB>#MMN#E?a+NxZYV?1&lG9Pvrz)ruLs10r10p+-g4n8HAAf~znd64K zK?qGK_L>6j{h*HTVLXL~{5gGy?+zi|*T*wqZz`KmL@;2y3-(Ei%Su1Ca1)BO^g26}}&Xreu>#Ep(?X$L$HH=1iOGrm>oM$C^8`=)WMRQ6Eeskap43tS-C zbrMe1J7naC={Uws&4n%`CVdKDx7LwUGQZD2;T?ogwOhiH>%%(F*njP_{4N@OU8*`S z(S*Yw2~yvW7$q22cLsWj4Zuk(tEz{%4)%IFe*Z$Z`@q69%pVNU{K{N$AWlz3MEL$- zs1YZ~3p>9_9npKSjO1IgbP)xH+E^NT)!apb1D0%aIb z>}34^zWD?}!_YJVJAbCQrX8}7l=FX1{%lUXKXgo#4`qO`gIgv{b94k_Gg zaEZ>BDt|{X46e|794>3{9+TXY8^tAe+=l!OjAu9luDg)hg)W2tC{Qofd+l|&?fRP9 zoAV5<<5kauZMh#gkhw~rY9G(Hb*V1tfGY%4cEuxaY;} zTGZ*Ig+xdmkc^TiLg5D(BoyP~kf8w?_|ypI4L7vFV5QzH6rt@ZcxYa((?MzGxuOmu z&qteF0S!x8ujOCjTT)h@aC1QG!$)&*7n>$cc>u#@ttx3*-*7yvA-JSvhYzfqSPchj zxPK-ii>$OvA{2Hkk6GO*w>Kz5l`+!gExyUPT=6SVq_f~YhDIen>Xx0-Zd55ev6P`h 
zXsKX_l7;zLy}=z0yPi0cQ&?siSZB%vW+kE-e5g8&F;8W)nDVb|0)m{ap^$ek&#YQPW}Dm>9j4wrnPw*D&d|Nr1fR0AFKqkmwv%T&s7eQ@ zTrNaA__gwZs%{OWL)fLdnp+;tY}=|8k-^%OnIdK;Tw*m`VlHQkJUy4eh3glzy?;Rs zWZi@nlp^HDJ`Wml+ZBx|1OGNU7!2$*>>{n(^s_UxxCsdzOS@U?XA{N3-pPmWp9o zv)*FwW`*eJQxI*OncQdWrbb=P+qjG#V8n!j6@6tCDlX?IdH)Y`op0LEFfnEUZpmc0 z^J=`9VyWamvlR6@)&S{=Gz48mUhwmjK#%j@-pZFZ7x}5Y!t7iP-{xDOwZq@5& zjCO_i{>Q+1j^U4(*xn5u?U)JPdKhD-JZ$GOj?Kb;M8gGr_?U*_Ykx8WYX8{J%aFT% z%vqsvf^$0wAp3gftcJ$%B}r|unUY8exD)r&Xu;fq4kh_;Jenk(sPO8pwtMOQ$Szb& zp4hb-G5dlKOxj>hqcXn4FCBUs+f{xgpef%4zgUCa`Ke~hp0LRQZBMe!Zo7vkIyZ>2 zd-@4bb1!r2oDn~3;eT`{Y08NU+xlWQputNh`;`#qK6DcX&#F6Nu$w;hbBvzl#%o_t z=-sx5R9yb98B)SY)bjX~pTDzpB?$*?jn*?7DBXpA-HjpEh6VGj<1A+zqn%5snb(d- zz{=YZ`QB{HB`PSjotTHcvg1F}snLy?umm<(;yP^c93Ay!JbwyNYfdGx3bjLa``1Kj zt`!!N7<84RkFWVQX*d7AaUT$=su6buuNm4pPgJeOUX|$n?TxW|IFhSwM}}!a*=o1LjC|PG4sFm*wd)D6 z+WlNm?S2tuJ%8c?%6i0UCS7R<=&XmuYWE8!bwhRH6|~3Qf7`#qc}%9-VBk^Vw$m@7 zop1r|u@}$Icj4?@;m>{bB`yM2)tI;toGu3kQ-KG7AJ|WU@!{r6!Ep;`k9ThKi^P=x zNqJ+qa{H(4j)~R^Ky0P;ryPe{B^;6Z;_A|<6XG)qc7OKx<{H&Xd+wtO&5Lof+r?q~ z$FM!!5VWGox|{XdsI<;Tx>3oWU|ZaEJAA}8_~7=p!?w5EcDJiY_&Bv0KQ4Da5Alw< zih2lZgx-4f+WWQnp12xUZ92{8DmP*#sSTeHbjF047SvJYXo>a?=?wD>91wCaXvbvg zb|lD2G=HSK9pyr_PL<)5uljc;(27Z(8e?lF#YS#_Kzl5CjE?a97vXaD}+ z_4Un%>)!YOu9xrseU@~E=H1mVm+Xr^^mS0|647JLKVi2%eB^UR`LP+r{0j5xEe!vw zLsecS@dl^VD~5A*`Q6!@H_m8c-ORtLgQz-C_J1=EG#I=M-dupmWAFyy=BztlUd>cQ zau!oTfg+f#)(mVeG)eV8|9ADj-?6=dc^mu_^rYtJAnh@%@L3dW+TUWx~bAGet(^(@z{~1t+)cpFPWNCtY-9ML@eQPR+>k) zh;+q06w%oB(l`H6O4zEYIOYiymO$3)t)tbJ9)4EsWzJ$AB_{A^)@1^Ac9qrvK3=nd zY1G$jqxv51??$17JwCda)frG&zh+~yJ G@BjcWe<#5J delta 6652 zcmVMx`ZA3t1Qe{=oe`VZd{-`srs;rhcj@2@}HT)+Ru zdw-FU6)w@Vdi~n_u{xxwUq1cm@B7Hhizs_n<%cqeJijQCIPmK@&%8i%6feql@O$~= zk<=s-Ed0_>z06OeKfYpAum04_;b)Ty0UbIJQ5lCQN-&(lRVp|c#o0DMycYnnWRP69$L@mdob+iS3MwHf3 zcI1HiYvhL{-=fU1^La2+f%x-ne~8UAf*d-zLD*2#H5G4CuP#7qu{sWDuVY2}H)=*j zeo4IXLMUcX=VcsKBRcPC1j+ju6w5`B_kM|_jUXw1@7rq~%_pd*$MNBx>mn-C3K+L> z5>+B&PJd0EeCFBUrHPux=$90M(mZl$vSIEdyPJ&Q-r&9F{xgkwoRX^| 
z3gT@H4a6D}&6TL9@+i-cbqM4?(q1~D9z3q27=JX|1d(fm{-1v4@46Go%NS!R742lY zjl&<1 zN%f_fy^79qmF{?zWs&?zHO)_89pDmq^AC`Bh5iX&X$r`t)f`XA@(|a1&j-Ro4HB;7 zz<;CKH@*j$+L6vz=KP|J?=c^w{DKYILFT1cV<|NF=**?6Q;$sb?U<-t@%B<*CoiQ;VMl&yY|RSo{%?_TlUM&)>qekcgW(J#NRX&!w&hPLS)2RD@O7%N^)G7f}~>TPxQv) zNig$f-R2Cu0LAhUVo4Z|#`mI> zTTG@=3NzQ&AJh*ZqjZwDSJM)b2HGL@7`Bl82x)eO>3JP#wufa=KaHKjy$-%noZiUo zibDmRt$rf)h-0BGR53z2q79?_q9(f+U!tJ!S0i6R_$k;kLl*qJPHx!!<7@wt{;zDAT`zLi$VaU3Y*a`OdZ>^Kf+U9K zosPunHbY4!$%bL%!8FNsN>FhO=zcq}m#G_?P^gOvgyb=3WiPtFtq9!MHGdRgB2G^b zqY*UCIT7Ps0_v_(dzPd9uW?#8y?-0;E~D&zPSkx~)z#d9v|gJLvy7@dxxYjS%mT|= zssck`lRrlDRG(p@Q9C1C4(o@+f0`fhW=2TA&eK@v05Duin6=k_n8q2Ki*VD^GL-mq-UlBO>K%_;x z41QewGVC!exzX+r@v|eJ6-=`r+v=M8AmsO2zh&k zMS2O+@Tz#1`3W1a-sjtK4jIUdW+y$ND42a`!-k-2Ul_;45I^@wcKA`s4gjn%kXu;u zl7HvK&a1C+5)N}K{WoOTJ16{Xs1|xoHsSDJ7kLr~Pt?POQ;>TBeHa0?2sXG--VZnp z-^}goUHgZ6&jUSs9$$L-!jlFEGJkSy9;*F#v%5bEisS$)*4Y?xGJ?C9uJ6VV7)@(- zH>$|NxXBM$SkZvN-PCz>8QTz+@JEF8H$|MZ2cg!mPX*K0@n$E?f`0a-f#-7ulLeTZ zFrk%CMGn1|t^AAcIde3S@sQ(P8bdydAsyPPE= zx52>aA)=Wjo~)u7tD=2m=6^)k=4j+>{3;IG6R41{+jLo!(Kde6$nzI^LD^udHE3pe zLdP#~4?-0u<6DbYT6s372D^OfTnWm$ZFoo$kp~c+BhiI?gq~qke<`i%*0o>mqFT_T zNwo&OvE$C@&dZ>}zK@O>$Sf3(af;$WBI}a33BID);cFkH{ufQMMM5v@=u~;w&;Nh? 
zcys-I@BIJG56k)gFOit1Wu4|BD7JIi8{T?1mp30S-(Rdc`htadGVh94=6RjpjWv~5 zuf3lmllKTM8&AJ@MPAl22B+Y9lA&W|>O!L%%!u7Cle>Xy4u z>ZLd++HoT1t+)L?Cf(WXA}V1{{Hz3uOYa5OhA6e+MA(wpKqhm69wHyC{m#4meO%$X zZzDH54Xm8}Z>qZ1f9Rh#;l&E|(6iS3tf+(v7@1?=V?Le_Hf306vl} z1AlZ7TdY=O+%WB7vyEhl4u6{Qx0R_^QHSgIDt#~2?~im)yUwvTc;8iL%%e-%&q~?G zXy?+}C=>e;^5MA_p${)&G~3ush$jozte?*NEPXH@vC+noe^H1`2x$&YM(&mK9-~Ik zFst^&OV4gs=!edtn*KiTvfx}AZ^LMN{#!(I-Wtq%T#CHr5#cxigvU%nu-1F;z4LI@ zz@)#AcYBz5X#w8OIbrMm*)qmujGE_YOQ^AEK!5m&$Luk9#e8JCiNA`H?We#m{7sz1 z^^^DP1^fIVfAj8QFo3r3FFavcMRgo{>0OqG9ySea;L*P}aVF#M=|Sm(O%v5yfW!%J zjloxR{nO{$p;CYqBR1^IC;|I8!43NXCb35TCuABNO6WTEFi+dy9H8EY7?w0lhE7Hr z1vwf7gVcO)5o4#7jYhV4>CCJg8+GJOs~v5Z!mlF-e+JRB0Bkjoeu!z`FzsELpiI9D zF8sG6n=askXRSVTM5}{h29!hCLm9)~49FXAL$*M5sEQ~HZJb?Qsa6GDL^N2P`Y}^N z9t@K_h@tQfBZ?|_M2(MN1(g%e(Pp5&k~q6t-|+*Ahv*)|1CA(}K!k<}V}I9y5^pC# z+Dav-e^BfIq@iJv7?p9b1_iD)vo0hHcHEIHApfx})H9(wmr-!fg1T^-JzTOWJXADC zdMU6G^m4&(XIXWYSRJpto`>uAP0~HqKVVrfv#|fx#Xe1u6gO?dS^T~Z% z=4mt0(}gE#9)g*$(q4uzP&^R|++XJDPLUrAf7ZWeVKU-i$g?A|CI(tS^FrI!#F|bw zMqpz3tB-`6(w=ri1_c(MyPO)p&bg6S)2hr?=(@PMDb+Qjb$kR)bropOSXYYD_dd(B zHq$D*(>$13RV&u$p=H9;A4PHlQv@f2y+6BYIzsp)hA_M30OqY4F!hS>Gh0Hp1Kb9R zf2j?>pr7qtR@_EB)>J>=!x zC6N7lUPRkNl02cq9VC$E_vDSwyobo!`|yYFZ6XwaSLMk8J-ER2Uz`AW!ko4+w>j1W z8uu-WaCyiNNyszDzf+i=!CZp%U<3fxfAAdcK4m{Zc_Y3_CCOcxn@NK#4j4!4Q=aJas4Udr-jMg8n_-$vXlQ!u<8??%iEjn<{<>*#* z#Xm;y?sedvk5gtMjl+m8rXu!oA2de;Tkum#Izdy-t{8jYvn}Y2C~Lcv3gB;kE-8oVx*s z)O7<{cj^!>-MD{^RHyGgNIk<(>O%jVr zLTEy<*A#H?2X%Z8<0&-c&*?*acL?deKAs7CQ`v+ff&t@QuuocCR{F7pn^2@3?}md# z>V~^E5riUc@Qrn>FsjM10)m~#FEkz}^k8lD;VBnws%jr4i36RR=jw=U$<~IUV2igC zm?q}ciAFN8P2D@(*LC5Te}!NP@-!`y=y6Sba+tTZed;PfEtA_O^5m`B347H;Td!=o zqoK~#9Sc!6&@1FY6YXgwZggBrJK%Y^(OiR>@vTxfVt$0!H;rSZvWE&!y`>mm-~!36 zlW?luAtOIb$1!edE_5L==~MW+wT_&U`F#co?;wn--4d2uAJ%!se{P@UchTtUQq_5h zCL9JykotbaD8ab8Gtg6P08V0ARXxOYu-DV^`xm<12NtGb{$POSSLTWXae68u!uJP5 zjW|JG*!fNBh~A53B;S&yizqPE#?sKM<}MN(@Ko!x+8L-@#9$-g))-Km7T<9dD8qna zC*%L~%_j&NhNcPFe=)^1?Rc$&$W(tFtFUXg@B|Qiz_6%}PHBnBiE{rC`n7KvM`U}8 
zL1!+&Yp+jjX*tVUfbq&(mKE>wis=jaT|&d)iVk(mZPzf``iG=uewIg*NK_8i{Y=nL z6;3fB_us79C4z=Q!->fhinmr=&8;+5wQo)gYq{R&8OtIye>yiW*lQ-5jfKJtV90d~ zgFjEIfwnO)#|5(xr*Y%wWbc_;bc&y%0BY#3$z#CI+T!sr_gLtEK2r!YvlScynANCF z;7$EtjqcMj4kP-5g-tu*P_Rx`O)0{S!fP&qYh3lS2XhMrbITv>G5A~T;?NU|%if(@ zu7Ql80%QQAf5%p}{isOiu*k=4*$o0dD$J5A=;Hw?NIBe5=#z#Fr zTcTgRK-_^h&^QJ^W3!PqjxgXBIgKrLt6e82(n`ys08 zHQ99C6Ra9~UY~UeqXdi@y9-7T+Z`+#Vi*4oeLv3$fB94%CLm?q(ScTNLo&vNmx_2D zSzE@|V72>}7P8oE7CWQaH0trOYb#M9Lzjy7Q38X}W`3_$VRWyqK@6TKg$M+Po9!ky z7f@2O!(?k1Et2HmK$G0loLiTWENL(Na0?C zOLV?ee>s9-aE0FEa9M-*nB<<^C@#6E9dWTj;ip|E3l%<4|Ly+IkOjFB#H@lD3%ieG^uodx$XG%EQ~x9pU5qe|h4r3@WH zO9eZWEX>F14eoH*^~9N+!ZOpqI#VVvD-q4$L)B@Fc`BR5lz(Frc;%-Xza#P>b`~X( zIyDbbj*~jE42zw_HB@G!5crioB#bTme{U`S}VcT!Fojlt?RXRZB zav|Emuayr}b!#9U!YA4IpT)&|0e+_CN z>n5zA6d^bEdC-vCu4qgd__xu)U|^?do`?I;j87l@GL)Cyvm^`y8xgZOnr$z%R1DLa z^%i?KD?~@1f@tH+4(a>&{yW}+7Hjjr^<MFzldd0`BC{B+T z*u-=TtwE!iJ^GpgYwp8gd!uJ9;^zFIy@wn&Ymo1`wHQbmBANa(I?wbmf7QXg1)X8k z188t zHy+EcM22$&OAn`SGc~)4#(hK01;ohN*QoKkIw#!drE-qEze<|n1~?^vLEhDNt6o22 zv@68-KL*Zo41dJL_HOWK$4v0n!x%H=VLO*`Y!>z-8ZPL=$21IIf0G$d`^SD>hTQdI z&I*kaoZCqN+1EQ~H8hSdNotGDltfCvow%Py3+5JdD9MN8(In|ag;#gA-D~eBcA;YO z#IDtd*%y3Z(gt%HmGLEh>Cn^IuJS7ZP5CbP#Tx9+Pc>WigiQ`;dy;i_+dVwdxj~fO z(@%h!dzoA3jQCj#f2T7^Q%+pi))%t@4PHXouY@@Fp_?#xR^17M-SnxSWArRHUi*SV z@3uXp;_`RRkP=R!mdBs`{GF{UNjP9@w4TvG=`Qr^ZVa(DESPT{XF1y#?OaODymmYS zR^E=t_hwrzQ9-Hg#60Yk9siL|jc&w*C9uH~*I|q2=%^>-e^H29b1I2ds2#G~za~<1 zt+0^9psO5xe9gB>yZQHx8%cj_qZYxC3bpRgl`iU$o7m*$nppgr#X+x{KSV=~nS1CI)~oqiGR zgbQeoy?A!M3uosFf9|U9o-bU8Sf3OoS(zw;5j$1f;ymOmhB(4NV z${WL#+dpl0Ote-2Vk@mbYe5T9AFf3wFo*Qi$7b01Y`UW}XFE)Ls2 zhVAKwpcPft-K^I}rFAyajY|Fm+v2X<;Ul)e2e-c+w!Pi9yIn=X$EnTuak=|>hOSE@LXP9T;fRKYhJ0?@N zBSB80e<9uNC>Nr2stl)m)4wx;R!s8L7+W(bHgfwTpAFse3BRwAWW!u;Pxfs)`}hB@ zuWvqHcfbF4{loJ8zb}%m(7e0)^^$$jhrSMqT_Sp{`6ukwhfjRYC_go$m|tODy@%m{ zb*Rd#B;MeZdc|%&VD- zNX}v^C{P5m)tZ6Lg(j)~`+u+g=R3AnFmHpuLoat#&sJiN%0Fc^H*A*Q=gA?B-i;T9 z@?F3Nx*{Q$aXwo|rCv2V>}iU5ic;o59L|MTsetonk+$}ny+0{A%r{~iXufjhztdE< 
zfAZNqjvm!wQaK0Zdhu^(&RBu?CItzg!Qo2fcsT5xN1?2)?tLaZ3?5@hu0TzA5S2#& zwL~=w7C>FGQvZtg$U1|H_$M8tq^c18^1EO03kvQ+WZz;K1{PP-x+A+6nr@|?2N(mR z#`Yr{9=}z1WG8Syyg350!EEF>Pd8QCf5or!G#)#Wv=vuC`6W|xiq(vMjEE&X&Pwyh z7Ll&Fhawu=Ui#)gN(oyv6~{b*!V<`Oy>+zO(!z8ugOBbny`Vis#{#foPma(|^jR|%Xg3W ## ## -@@ -2532,6 +3038,24 @@ interface(`dev_read_raw_memory',` +@@ -2525,6 +3031,7 @@ interface(`dev_read_raw_memory',` + ') + + read_chr_files_pattern($1, device_t, memory_device_t) ++ allow $1 memory_device_t:chr_file map; + + allow $1 self:capability sys_rawio; + typeattribute $1 memory_raw_read; +@@ -2532,6 +3039,24 @@ interface(`dev_read_raw_memory',` ######################################## ## @@ -7674,7 +7682,7 @@ index 76f285ea6..ac044aea2 100644 ## Do not audit attempts to read raw memory devices ## (e.g. /dev/mem). ## -@@ -2573,6 +3097,24 @@ interface(`dev_write_raw_memory',` +@@ -2573,6 +3098,24 @@ interface(`dev_write_raw_memory',` ######################################## ## @@ -7699,7 +7707,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and execute raw memory devices (e.g. /dev/mem). ## ## -@@ -2587,7 +3129,7 @@ interface(`dev_rx_raw_memory',` +@@ -2587,7 +3130,7 @@ interface(`dev_rx_raw_memory',` ') dev_read_raw_memory($1) @@ -7708,7 +7716,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -2606,7 +3148,7 @@ interface(`dev_wx_raw_memory',` +@@ -2606,7 +3149,7 @@ interface(`dev_wx_raw_memory',` ') dev_write_raw_memory($1) @@ -7717,7 +7725,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -2725,7 +3267,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3268,7 @@ interface(`dev_write_misc',` ## ## ## @@ -7726,7 +7734,7 @@ index 76f285ea6..ac044aea2 100644 ## ## # -@@ -2811,7 +3353,7 @@ interface(`dev_rw_modem',` +@@ -2811,7 +3354,7 @@ interface(`dev_rw_modem',` ######################################## ## 
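Review bot: The new `allow $1 memory_device_t:chr_file map;` lands only in dev_read_raw_memory; the dev_write_raw_memory hunk right after it is a line-number shift only, so a domain given just the write interface still cannot mmap() the device, and dev_wx_raw_memory (which stacks execute on the write interface) gets `map` only if the caller also pulled in the read interface. Since the kernel's `map` check fires on any mmap() of the file whatever PROT_ flags are requested, the symmetric line `allow $1 memory_device_t:chr_file map;` belongs in dev_write_raw_memory too, or the asymmetry deserves a comment. Note that memory_device_t also labels /dev/kmem and /dev/port in refpolicy's devices.fc, so this widens every existing caller of dev_read_raw_memory to direct mappings of those devices, not just /dev/mem; the interface summary (outside this hunk) should say so, e.g. `## Read and memory-map raw memory devices (e.g. /dev/mem).`. The outer hunk header for this change is not legible in the binary residue that precedes it.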
@@ -7735,7 +7743,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -2819,17 +3361,17 @@ interface(`dev_rw_modem',` +@@ -2819,17 +3362,17 @@ interface(`dev_rw_modem',` ## ## # @@ -7757,7 +7765,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -2837,17 +3379,17 @@ interface(`dev_getattr_mouse_dev',` +@@ -2837,17 +3380,17 @@ interface(`dev_getattr_mouse_dev',` ## ## # @@ -7779,7 +7787,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -2855,12 +3397,84 @@ interface(`dev_setattr_mouse_dev',` +@@ -2855,12 +3398,84 @@ interface(`dev_setattr_mouse_dev',` ## ## # @@ -7867,7 +7875,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -2903,20 +3517,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3518,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -7892,7 +7900,7 @@ index 76f285ea6..ac044aea2 100644 ##

## ## -@@ -2925,43 +3539,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3540,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -7948,7 +7956,7 @@ index 76f285ea6..ac044aea2 100644 ## range registers (MTRR). ## ## -@@ -2970,13 +3575,32 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3576,32 @@ interface(`dev_write_mtrr',` ## ## # @@ -7984,7 +7992,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -3144,6 +3768,80 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3769,80 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -8065,7 +8073,7 @@ index 76f285ea6..ac044aea2 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3861,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3862,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -8090,7 +8098,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3970,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3971,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -8117,7 +8125,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -3262,12 +3996,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3997,13 @@ interface(`dev_rw_printer',` ## ## # @@ -8134,7 +8142,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -3399,7 +4134,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4135,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -8143,7 +8151,7 @@ index 76f285ea6..ac044aea2 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4148,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4149,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') 
@@ -8152,7 +8160,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -3633,6 +4368,7 @@ interface(`dev_read_sound',` +@@ -3633,6 +4369,7 @@ interface(`dev_read_sound',` ') read_chr_files_pattern($1, device_t, sound_device_t) @@ -8160,7 +8168,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -3669,6 +4405,7 @@ interface(`dev_read_sound_mixer',` +@@ -3669,6 +4406,7 @@ interface(`dev_read_sound_mixer',` ') read_chr_files_pattern($1, device_t, sound_device_t) @@ -8168,7 +8176,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -3855,7 +4592,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4593,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -8177,7 +8185,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -3863,91 +4600,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4601,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -8288,7 +8296,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -3955,60 +4690,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,60 +4691,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -8525,7 +8533,7 @@ index 76f285ea6..ac044aea2 100644 read_lnk_files_pattern($1, sysfs_t, sysfs_t) list_dirs_pattern($1, sysfs_t, sysfs_t) -@@ -4016,6 +4906,81 @@ interface(`dev_rw_sysfs',` +@@ -4016,6 +4907,81 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -8607,7 +8615,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +5078,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +5079,25 @@ interface(`dev_write_urand',` ######################################## ## 
@@ -8633,7 +8641,7 @@ index 76f285ea6..ac044aea2 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +5107,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +5108,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` @@ -8642,7 +8650,7 @@ index 76f285ea6..ac044aea2 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5393,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5394,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -8654,7 +8662,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -4419,17 +5403,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5404,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -8677,7 +8685,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -4437,12 +5421,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5422,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -8693,7 +8701,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -4539,6 +5523,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5524,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -8828,7 +8836,7 @@ index 76f285ea6..ac044aea2 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5669,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5670,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -8853,7 +8861,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and write VMWare devices. ## ## -@@ -4589,7 +5719,7 @@ interface(`dev_rwx_vmware',` +@@ -4589,7 +5720,7 @@ interface(`dev_rwx_vmware',` ') dev_rw_vmware($1) @@ -8862,7 +8870,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -4630,6 +5760,24 @@ interface(`dev_write_watchdog',` +@@ -4630,6 +5761,24 @@ interface(`dev_write_watchdog',` ######################################## ## 
@@ -8887,7 +8895,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5910,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5911,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -8932,7 +8940,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4794,7 +5980,7 @@ interface(`dev_rwx_zero',` +@@ -4794,7 +5981,7 @@ interface(`dev_rwx_zero',` ') dev_rw_zero($1) @@ -8941,7 +8949,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -4851,3 +6037,1064 @@ interface(`dev_unconfined',` +@@ -4851,3 +6038,1064 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -39239,7 +39247,7 @@ index c42fbc329..bf211dbee 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e6c..91d1296b8 100644 +index be8ed1e6c..73e51f7ef 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,21 @@ role iptables_roles types iptables_t; @@ -39367,7 +39375,7 @@ index be8ed1e6c..91d1296b8 100644 ') optional_policy(` -@@ -110,7 +138,15 @@ optional_policy(` +@@ -110,7 +138,16 @@ optional_policy(` ') optional_policy(` @@ -39380,10 +39388,11 @@ index be8ed1e6c..91d1296b8 100644 +optional_policy(` modutils_run_insmod(iptables_t, iptables_roles) + modutils_list_module_config(iptables_t) ++ modutils_read_module_config(iptables_t) ') optional_policy(` -@@ -119,11 +155,25 @@ optional_policy(` +@@ -119,11 +156,25 @@ optional_policy(` ') optional_policy(` @@ -39409,7 +39418,7 @@ index be8ed1e6c..91d1296b8 100644 ') optional_policy(` -@@ -135,9 +185,9 @@ optional_policy(` +@@ -135,9 +186,9 @@ optional_policy(` ') optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9809300f..b3a8a86c 100644 
--- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -47515,15 +47515,19 @@ index dd8e01af3..9cd6b0b8e 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84b3..882160882 100644 +index be0ab84b3..9ca958706 100644 --- a/logrotate.te +++ b/logrotate.te -@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) +@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0) # Declarations # -attribute_role logrotate_roles; -roleattribute system_r logrotate_roles; ++gen_require(` ++ class passwd passwd; ++') ++ +## +##

+## Allow logrotate to manage nfs files @@ -47552,7 +47556,7 @@ index be0ab84b3..882160882 100644 type logrotate_lock_t; files_lock_file(logrotate_lock_t) -@@ -25,21 +38,31 @@ files_tmp_file(logrotate_tmp_t) +@@ -25,21 +42,33 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) @@ -47575,6 +47579,8 @@ index be0ab84b3..882160882 100644 + +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + ++allow logrotate_t self:passwd { passwd }; ++ +# Set a context other than the default one for newly created files. +allow logrotate_t self:process setfscreate; + @@ -47590,7 +47596,7 @@ index be0ab84b3..882160882 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +71,54 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +77,54 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -47650,7 +47656,7 @@ index be0ab84b3..882160882 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +136,57 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +142,58 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -47662,6 +47668,7 @@ index be0ab84b3..882160882 100644 init_all_labeled_script_domtrans(logrotate_t) +init_reload_services(logrotate_t) ++init_reload_transient_unit(logrotate_t) logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) @@ -47714,7 +47721,7 @@ index be0ab84b3..882160882 100644 ') optional_policy(` -@@ -135,16 +201,17 @@ optional_policy(` +@@ -135,16 +208,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) 
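Review bot: `allow logrotate_t self:passwd { passwd };` grants the userspace-checked passwd object class to the whole logrotate domain, but neither this hunk nor the changelog says which logrotate action performs a password-style access check (presumably a postrotate script invoking a PAM or shadow helper — that is a guess, not something the hunk shows). The rule should carry a why-comment naming the trigger and the bug it fixes, e.g. `# userspace passwd check made by a helper run from a postrotate script; see the referenced bug`, so a later reviewer can decide whether that helper should run in its own domain instead of widening logrotate_t. The `gen_require(` block declaring `class passwd passwd;` in the declarations hunk above exists only to support this rule, so the two should be kept or removed together. The logrotate_t rule block continues outside the hunk.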
@@ -47734,7 +47741,7 @@ index be0ab84b3..882160882 100644 ') optional_policy(` -@@ -170,6 +237,11 @@ optional_policy(` +@@ -170,6 +244,11 @@ optional_policy(` ') optional_policy(` @@ -47746,7 +47753,7 @@ index be0ab84b3..882160882 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +250,8 @@ optional_policy(` +@@ -178,7 +257,8 @@ optional_policy(` ') optional_policy(` @@ -47756,7 +47763,7 @@ index be0ab84b3..882160882 100644 ') optional_policy(` -@@ -198,17 +271,18 @@ optional_policy(` +@@ -198,17 +278,18 @@ optional_policy(` ') optional_policy(` @@ -47778,7 +47785,7 @@ index be0ab84b3..882160882 100644 ') optional_policy(` -@@ -216,6 +290,14 @@ optional_policy(` +@@ -216,6 +297,14 @@ optional_policy(` ') optional_policy(` @@ -47793,7 +47800,7 @@ index be0ab84b3..882160882 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +310,50 @@ optional_policy(` +@@ -228,26 +317,50 @@ optional_policy(` ') optional_policy(` @@ -73824,7 +73831,7 @@ index 000000000..9c27847b2 +') + diff --git a/plymouthd.fc b/plymouthd.fc -index 735500fd1..2ba6832cc 100644 +index 735500fd1..7f694728c 100644 --- a/plymouthd.fc +++ b/plymouthd.fc @@ -1,15 +1,14 @@ @@ -73842,7 +73849,7 @@ index 735500fd1..2ba6832cc 100644 -/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) -+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) ++/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) -/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) +/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9635f28f..56ba655f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
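Review bot: The new `/var/log/boot\.log.*` entry drops the `--` regular-file qualifier that the upstream line it replaces carried, so the pattern now also matches a directory, symlink or socket whose path begins with /var/log/boot.log and labels it plymouthd_var_log_t at mls_systemhigh. Unless a non-regular object is intended, keep the qualifier: `/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)`. Extending from the removed `/var/log/boot\.log` (live log only) to the rotated copies is the right direction; the rest of plymouthd.fc is outside this hunk.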
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 280%{?dist}
+Release: 281%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -681,6 +681,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281
+- Allow domains reading raw memory also use mmap.
+
 * Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280
 - Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
 - Fix denials during ipa-server-install process on F27+