From 681ffa2e20ebb9c8c6e903fcea0643bc04d7b521 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 22 Aug 2017 14:47:56 +0200 Subject: [PATCH] * Tue Aug 22 2017 Lukas Vrabec - 3.13.1-273 - Allow dirsrv_t domain to use mmap on files labeled as dirsrv_var_run_t BZ(1483170) - Allow just map permission instead of using mmap_file_pattern because mmap_files_pattern allows also executing objects. - Label /var/run/agetty.reload as getty_var_run_t - Add missing filecontext for sln binary - Allow systemd to read/write to event_device_t BZ(1471401) --- container-selinux.tgz | Bin 6902 -> 6905 bytes policy-rawhide-base.patch | 107 +++++++++++++++++++---------- policy-rawhide-contrib.patch | 23 ++++---- selinux-policy.spec | 9 ++- 4 files changed, 77 insertions(+), 62 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index 0b63ac3ad988ee774e5dd85e37379250636570dd..b205649697fa72d60fd886f9c0f3af602092ecea 100644 GIT binary patch delta 5656 zcmV+z7U${qHTgAvABzY8YbTsp00Zq^>yO+vlF!%aze2DBcqZ^XJdPc}likB2IpFTY z0m1G9_u+EaQA_G>W%P=qp2r#9zx}F;4^b3JQEH7nd+-3sc%-Ty$s$=S7K^2*EZQ(F zlKLXue)B{>SMc-x{rC9$%@6Oc)Zg&)_Wj#8Z@zi+_RaS=KU`hEefRGAo2xf(udm*J z6I?x2h18!z(}r~re3RYP;Uq8P9+C)K5 zi=f@B58^V1e_RmjrNSHhScP?%2Su1Ce|o{FUi^7b!q4;~2(zrbPvW30gSHNfCdEdX zKraau{=G_zHmSE^l$`!1YqPEoMVscy8pW2m)wUsjidSc=)k##=NtDOyCJF0kzuu(9>9=prRwtrD>nd!a-uTpB zoas$_w!#7y>`IQTbm>le!+OoXYfmP1?TM{xwF2rgOAPRTg~t*+jH0Az#!wL{3aiV} z;RC-XjhwFc#VgU@toN~C==VC^U>AIQZN@-|r!Ha!zs4V4DuM{7GXnG*Hpb(qq+jE#o9Qcy^a;>->4fE z`DN)Qh@qNMTh?jPOc=aRBS=2ZpjtkHybEh2?F32X2j9Li(R_e*1{@#$xvr8rZ-8-| zW=SIo=F~LE7hVm2o|~v?j($!-TXcrxTS8s*#Z6uN#RW~u0b5AbnI&%P7(F3y_S&pE zB-Uq;d9x4eU)BkiRp)Pu(j6pLn?A##IW(ElSW!kxa5JdZh+Q`MeK zw{iGmw41;fn=ntRB?mqDta{J8=a~Ftzj^cy=P*3-?->`yvc2-0j597ATw>;TjbnlO zd{TXGX0M{Ne5E^GWjQ4Oq?+a@unusGy!n$m17Hb7P*y1aF#FSslcWP83@!Zk{jz(J zU;h2)XOq$cX90kdIs|e7qLZxzRtc|z7xLW&@Vz*b3(@E({`SjH zT^*X|lO6^i0RfXf1}*_KlWhhde~++9uR$6?lkSQzV-q&`bTiE%1BKD*WF{09bDwOu z5R~H!>zo+l=N?IoAEoR8z&ZoDg*7kvcV6tg`35K9IJYuR#=UdG&xUGY;A9gH|8-Sn zY4k`VTsQ@}7chhw(28J#Gv)n=)9}^O&fax+X!ktObKvo%m(MI9mg+kte{7u?dfGy1 z@{!@_3ew>5aWOjPjyg6}`HA$pkb-x292K3cARK$nYB08$oS(1FL#>}~b`NJkl^sCE zdK*JtMzD_Q`)>M#G4!T>P(=>LO?fEdh9(T2rY@t)*nzNwKO(HZtKzIP2(^VnDp=3UjiS>q3 zE#`FV$8dLG;;{^4A95PQW0mS?uN_Fn_(`oUen`e}!VXD)Es@+%GRnt@gl`>H8iqnB zR^z}+s>d=|#NLku(1b2uI%?HF!L}K#W?uE6O<@&}U8N4!4x2y6e}!V+db{@K$KS@V zUnPRl6qm)9UZb(?K6i=8Z7_0sh-emxCu?ZMYUmu9IT5xc8abP=Nu&M(D&*_8Tvm0m zO&<*M{DodnG1zMznq8hS@GCrnP{qmk*5Z{>p53iMoljjWL0R_=4@n}*0HRYQI+Ksk zGmPplr(NB;4eMRfe+rsBYu2DQcH9}Qy^IqZe)RRAspD|G$5K_3rK9{{QvY`~RQihk07oc^QLZJC&p1b#Q%g{pRB8Y^CW7 z7Us#kD?weBZFxJ@R9?Ldeog?Vro;lU=B!AS#Yq$K5Sxkzf7c`!q5{kL&wInha%jlZIxRyFxOuP+c0aAGp$OzM$D?` z$B3$@A4<=8;Pxz@IoYDlPy z7`Gctiw&pNMa?$heG#)~gI-achC_OR)07|lL*7vjmn 
zHQUG2e<8~dj7Mzrv1Ak?6GC1>myvtrbiim3G_0xv@zS%K75brzq@}-4brxJp(`}q= zPk&2j&0B+ck6V$KJR%$yfcThY2=;nc!FhnY1}6P|y4%CbOB?Wh$r;=CFIF&aW7IMy zTSA>h1NtM(0%niFE9N6JE&NTAZ9ha|6>icje{COwk3qCA?~C9z1p{ac|H2!VP12@u zklz+%9AMYb0UrHplNK`mo*vX8*fdGI1xQ@*));(6>7PE`jMW0H7;#`BpG%9n;>I3F`ER;KF}1R``qoQ69MXiB`D1?j4lTtaaGkcNg$Vp6Bk8WgzE%sP`S zIB+Mjfc&Sj(8z@0Tqn^T3+lpc_IS7~FX(8~?Kn`NbKu{5u|nTPB5O{QP# zAF(W$SvY)hCJ^Pthy@^hG!hTk!DL1s`IBl4O@ElzWVS;$#m&uWt{qMD5qPy#pnb%) zQj~u1N#3=Y*Vvum!Q7@gu_jL~8=mw_3n7E51)` z3*8TJ8>yx-{Fc{UzwUPads7w{@bZPL0UwPnyP*%@(=eLiW$>3cW-*0%c$@SBe)dUp z8-LuF_3Z_a{aaZj+e4N;qQe~|ke7GljW2@xB-n@WM;L4p6hP3F*#SMc!1bS;0D0n) zjxe_+wgWo%HH&b$FArJF3&+26Sf0ULg8g6u0M76n?mlI|fbhnXq4ReL4@f5xG6jqd z5zU0aa665S<^4kcg3XSYF@1aPI_ryh(|>s)_T=g9i{JNEdQEl>+A`^n6!^$Bl%s|2 zi+_yZ{oBAD6Hi%)xOM)NWlT1>rN2O%ckS@24vOuW7Gdb~If{y<8p3*<53(>E=v)Pt3_m&l7jD;`79v?u_yT zo~#AOaD6mkFLn3CO`s`bgnyM6G+@Vaoy{G+UYJvjNKfE-!^{JC)-ZG7_Tvh?hXIE) z4FlPB8W29ic$no$8@u;X&+v=1Fn_)=MoNGDiANjoql$jefw3)JBmyyFG(B#OTa2hT z>*re#dXn*IZx&`nLEmO_mAXh;bWiw_(@oRICTcTFRRr-pB72d7*qUgc#D0b2dACIf zU8MAy;^D)nP48en#g_6peT?r8F{RVvg|Ih`ODG~%FWp7^tjFb~pIW&YRe##?VK`bP zJsPzO@DpKuubgv*QO!Qe7wkN|pmPYJgK1-q9y#k%HTxvXJm~x!OGlg<_RjMJTe_XW zG_x!%SZLv+y?xtOo<#_jsLb;!OCHuVCdYYur<=YKG&1>}@yrb~4JAJDTcT z-LVLA3%x=fb-|cU;!el)w0{F$SDVZ=S{Ogc^dsgsd_&tjRvLR~@KRci$NxT%EZc)u z^9}|1VKl$Bt-H{L#H3Hr<<2&8O6K<&sl10Unto3>O1)o~1xpUgQ^lCu(zIobCLG2v zkotbWAilJ@wb0YiJuYHJ)7+uJQ9npKSjpQe$lqUisVH_R3>QaT^gr`>L&CWvIBL*7@Pp*L4w)sw*NSOu{+L-=t zXb+7!=XB~+7go&<^Dbn+t4wO$o3YK&R&6+ z!I0X~bB?_LN&i6=0y`aUd_TG{??$g*Y2gzMpfm$xM<%k31k3-V5YqII| z3#JBo-kx<1vjmJ8w+luPyB#bBVjuqwecsLs`KdfiK+1-r2d&zNWQ+?h74dqq_KdC3 zW)CebWO3OnZbrLlG~i=dB~c;6kV^JR29wccey>(>a(}1pK`fpqg$M+PhwU~u7f@2S z!(wZhEt2HmL6hCln%mZ;qiXm`1gw>lA}hGbg9{EZ^G@j*Vf;hXKWv@ zdL~@k{eQ%R%vS^_t`Jb!4UfEWwMA~U)(>ps=|@aXmPPz9v}ElMFdegv z1JctMLuhGHw(0iK?XpRWeS#V}Rzj3US|n?^yc=pnp7(xbuew7l>8!TyBqeFp<_``M zA$dTuN}dRXA7GSF%!@;T24oacC)f|%&;o;k{C5Y5G1YFjkr{Rp4Es-$IO!}BhM;F6XdK5!mlbsVhYx`G_C 
zGBSx!*r_~rb*Cg(P^Kzlq}(c@&A43g3?U-?6rMQhpbusCd@aXCh{ot7A28-bq`Ta zlRB}Ci=D(ZR%fdac*Y$P#uom!m7mG#D#D&S+G!+r)W%5fZmD3Q;lntbgkq$5kdgq$ zD{Xf3A%;S(=eBHmLS~2DXByKWjisH5xqmZE?+wAH>}m=-e!J1i><3ku0F~T7bb{Y1 z-;dH;ARWR!%{3%pw6krSUPK1#Q)Y_TnQ)8Maf!8@ZSu@q78h<<(eVa#kn<2$P>PTn z_c~}PZC7=s4E)>bV6d>$GS9<(XvL@Raaroi(jW=Lz(vF?j_%kCEfveM=1em0XMcs5 z=yMQlTG-rYERmwA(=KM8vB-NSb2X1>bAQPyW21O8g<4apZ5t}Y0D2|FqbN>~`DIc{5^K?D zc8|WH!iID;>}>R;N8DZSbB~b2W)1Q^byfpOVn)O>vZ&N!DJY9rA1x(LSYuo zNOqvI^&^c!hb5>N<{P6lIZqPiDK=(EqMUrk+=X=|`Wt-3!Z=$7#mMBtQ-ArD$Z(F} z7~%Bkr0!JFdTwaQk8GawekJm8Y6y^r(W-_UD0>FY1jn`dLHTzsjkQ{FbcChDmx zNk`oJtaRFHf;0AgkdZ8BJb#tujD%Y%=fw0<(hRr2DFF;JmD-J(9mZ-`h|hD3+~*ko z#)#|P=+%ye;GLH-7AnJaFXPxE+*dSw(8sT7SU&bLqV|vd`U|=1r`#2qCOE&F0CKEr zcQp)-FG=c(&6Gq+z@11RV+8XHI+Wz&@o18CrowA=ZTB+xiRC-Y9)DTZiX?<9RPwN=~&{_Jl1CXnT@%cB5aO&=P#IH2MT+NSoZdXTsM zdDttv{v(|ldc=eyu)z`6;fm+b)RXlpL~FQ}#2VBO*&SwaG-Ul1k{ETBqmQrqbf{kb z(72KGH!f-s45?6?E?t?T9=VB4{@w;Q`nSyUo8+eGykUv45`TMn!w0YoQWnifb-^2^ zw#gIKsbW-hm1FZGG7u5RaiEJn2hioU@ zW-`@wgwA+hHu=;XlFwK7Um?r{7&{n0#*@qeEX)SpAshIJ5plik(fCW)+cWAFb-e^#$w2R}B4JP+%~KmKizw<~}7A&CxcqM)Zm z(C*a-ahbzEE{OF~;SGMQ!aB@@BFvLNykb*xz2@JwCzHDN#MZT10d<)r2Kc|gV+kHcQPMPHsE8DW)#d2$ zf!~uxPS^Y5mFREQ`&cmad!25u3%UEzD4nzH z$O-kAB#cSERbArX3t*)J@t51-6kBKpc?@!ku%W7Js@|+oU4hnOZ5+{F$BOi?)QyV# zvUC%~P|c_<>ojR54BqDvBp+u`EgwPNg*B3Pf~4|;Z{L|{K0-SKjt~D_S4o{Wz_?Ab zq!9&kY8vDVuLgfFP1H0;Kc}EAIz#d;p)UI3rmp?sf+ppFEu`wq61R1Xo)9>DZB`u; z>odr_*@t!VlB7-*@|Qa!_mFy)HZ6{Ao6tFs;gL_5jdN$k?Q8`94j**)pJ>+OlH62D zlx|b#Al8v+t|SAMM`gxrKp_8-_R=%z!Q%#sMYGKixj|m&{}C49PG3k~#vIG3YR{(I zIQ%i%O<;^om}k|JgC2ZQz31I?On$Q8JbH(77#{iej0`31abkRldc3-32%c}^4$gSy*iT(1^yIKc-e#A@!<^X*E#V1`pZvU z9h#Su9|j)*5tBa#E&)7~ZU!KKC)lLdAdR3&cSV@72^)O6ndXpz!f16e6N-wtPc~c# z%JGGDPK@z$kEF(rQuY8~oq^oKnwR`LFLvI1gOhNaTNx+g-Z|lCL$xq)vI&R(x+=3Y zdZZC9oPyj77{Ux_MXaoRdmiXH@c7cp7Zwmp^_>!bwoVK^ZJ{*z z$Z&K8Y4G^C7#(v*9UH3rOnO~N!Mi(-icVG#jy-2J7~4$FFW2Uw)=xLPhqIu{4xnPa zjUg{1SjY5zH+{kwdQ(5BA_wE9JQQ(569!LHm(gYHKv=>b5!T;Tan>1x+QK0fEMLc) 
zov;dq#iIe9uNh1hU~u9PB{Y{=s%f+Ay_kisu5{I%d#%D{`Y}3oh}V_GdPAue zbGr3oxH~ZMScb6=IgR15N_Di?4kTmzq*fO{Bx5*XhorxjNNy+@+l*E-uX@m?u!_g7Qip4Y&7b3cLNRZ>U3>H6Z)4c6 z5F~(b#sMyF}zR7`Z(}G>gQOHMC+ibdJoN2-^~koK4uIQGWpy^7UITt2)`H z4+eSuLNBNo?6nTfE>9Tv6`nz;;$(bl@yaOA?$)5rr>>Qttow$CBoSo*(J2z0$w%lJ zM)jA|u5R6i^)6|D1x=ncYtS1z?u^!6Mh%XAbj(0uv3QJ26b}+v*St^g6|D|m`Xco| z>5uHui#B<#GTit7KYY0Q;r-zL|NF1^|3AwQ^R%qlP2OJHWd$lu1PRN1*#L=?-S62wHi(m zl6frr#N^G*vfyt&{Ss7V-O3o8it9;+j*V##MYvJhDz|1}uD=boVb&yPT9tT>m{re@ z5miq=l%Dgz?_FIUs^FBnrOvpP_NWCn${0Xb58F-#nwy5W(2!LDI?!o&_o;<3P7!%= znB<_InbJOgHI(GK;LKHhbJ+ZS4Tf8^N0r_weG{ByLUr!RAsrf~>e*}OTH98tA)zi} z+-@)}Hk?`)HQR*uMa-TJdPQ{_4(Yx6#p#wiQ`)6CDEe_Cr@gnsF(%#F{VFP9PW-L} zip%T;H-;$n;Y8SyI6x+IfgU0s?EOx4{vob#-S?4yyORc1PyRPG-RSl=9&Pk7#c>Bi z%tVmVsm^6W8&r@Vk?4^(ry7%E_UF|=1K=asGw_Fo*kg4fZbe@6h;Up0;$xN}*y~*d=K<~-nDqDQZVxLjZNU2_XKdfUSi!iBQOlfc z33V0?=#MZ9m^}usn2*e~@Ha`e{TPK+xJk2rw0#Vof@ojf7r|``2GAD%g*Pmlq)p=> zzb(o*z^VM*g;=wzf>P@+LFO3lv}F?L!xXk>?%-ptCiQBU4~ zyxGxlDg5^2z#w`SfUO47k1_2#roAr{)aiG@h5zpz%(hN6e{mAqo{F5wD<^CP&w%meFo|) zON-m}Ex(|6NbWE^;E0+DMCgb(4R;!7lz2M}(p4+DgyH}o4Go*bq)wwXC~%{hbtYMG z;7()#`A=n`kqN`OPNF*&)P>vZ@tV!yp{jY(OMy+Gmm7XJ%Szi~XRRcRT-kQx+HS@|CLrPezyB&_hk?3^oZ0AZW_$fF4}n`cF=PJaI`! 
znA;ND0iFAnMY!CThb-oW@R;^7Qt_@B1pfCc6f0ne;~reB>I+(L(pd zKSuEWZQzcH=PX3rI)BbGCL7#S%J5l5G$t~fmF45ceTd~MeXF|Mr%n^rHr1?{*BqHS zpmUhbm}RcSjB^Kz2j=9#;eoj{-sIWt!u083PCU`@@g2poD$7_(=4-dlg5BN0e|=8) z>*euH_r{;62<6WA^A&*Cv{$b?ny#c?u8!qwuCdf~b0)qg=47Ski91>GdE!oYMtK5H z)`DZWKANzXx_ja#(3CO4zsd_5uw%K-=8j%3%&A7CC-A&s<^eown7MHKaRuJPfJ2&w zfowYs2%lj*%<`m--FvBL_(fV6f8Q7*r9b|}qYd~`ML+1k*p@C5ffzBG9=FCVM%0`2 z^DPKH$#}Fk3$vo2Z!@_{T_i2KCw$52rs-o7wV9B6cMYJ?xKCx<8snZt=x<%f9?1%9IcWb zjoJnHiLkym&bh*0bI7%Kn8D+~IO?9sB zSOmF+ULlXVU`!`*r{j9se*v$nP39UcjGtus5%U|qp=};3jXgAYDJ{q2e;-Je?ZK;g zhl2btn%~;iUFbq$(x>QhXB#;s^ZSfc-a{Bozb71}-mlAoC5PpyV$5x6+OkFy4r3Td zeLr9jU)tPS=;`Pl7qOyg?$b8fo9TFZ1bz6x#xySPEzmrpt+=mdf2JZLe1EXCh!d2R zo8P96=)KrR@)J|a6M>O1j*eb+sX}nVQ>*i4XQA#9gN=kIS3qsse5XyMOalsSO#e5u z2l#gkT^F!hgljsGT1Sbk{U%mn*KXknAcTP7P#s!riOGv{e;F*a0l1ZejA5Su@f% z7Ur~K7UDc^{MzdsQ;S~VO%&e@<28GT*i~4(z2zUO{EsJ!e=ugYf=7I@8dM3qc^IwH zeOjk+LVvKRW-lCyr74;@Rk&7o?N#s%dwvRFZJ}6e`3px3{;qau9Ei>3Amx>BoFS+H z8DAK%UF|Sv(K~AKVO#4lx<^Gpas_=nAjJ^JySfV@elo>Y2DoA|cir@$6UKEpD~ahU1 zXlWsf%Vu#i+D)SYAImC<3K@n}vQILYj4tzgwThEFe{~OH@kA*^AUHg1x4F51lDZuh zTgz;bBnJ+6Spyc1LGMlfa@-#_Mt1_KZ>JE&0c#GZoj>@{^mSm`*_te z;o9yee;#DM5@`Cj=UqceCmnHxfXZ%oa-+3=U>i?AVsf%9;)kInYkz?0m~9-8 zp1v4DON+8iw~ua@O|)X1?CqBPPXS}s8+jY9f%sf{#VC3~>n=7DW zsoS;uOML3d$rEo5XnlleF78s>qABl3`0Q0BEgKu2cPRvywCwPK^AM}!U>(;LKd_#8C&0(9uARl7;y= zf4#vPhg(ma$R(_>O{^1T0do@33O?4H&X}jVIZXLCE`c{;z6mvvN2#|ciPWomh;o|L ziDg{uB(AYKTZOgA5cX-VAqk_MZQJxBGFYE7Q^d}MTda;ttmSNzXXdiFaKnm@H>iW0hp>WDgxt8- zK}%`7sxxKa-&O~Mg`Jjp9_~XcK7EhNQeTz^Nf-t$B4%-P$6jcuSe7+sl6gNXf5b$e zgJ{#j=00PI6ip>>(>l3_8555-^o>=hxSgNn{XfWkzU@H6##lsnBvatYt2J-R+3K}Q z*j>?@R1{5x(bFYH<~X`xGs?qiG*ODFI99ftvaW@hs6~9EFTF7NdJHrOEnKfDd1&?! 
zae(gA0qdT2G5d@~-ZPo2c|@B_e^wbA#hWSAno@1sP$34;DPxP(R(X$1UVbqltb?FO*Su`Wr zfy&m8GzuM-pkA17jMC&hNtmbDm?4RB@*Q&*)|KdQ@D&T=Y#9_IlMheje^(;IIf7$^ z)2EZVQ$_2!p&>uAdD8op$j7N6KpsY`8g7guS6jk)5ymrn`;yAJ?5nhr>e*&<5P4^K zNKEA=2nf}q^453tTNfpnaUCjq%)VXJ3u|>FcbcWIzesPMjj3|+rLInS+w_{Kr>-O& zaqF|vX{!m&*!Mw3vYhc$f0{EAZmFCT(@RM++ybWrFvwJDH)?hmt6d>J&oOeJWBeN< zu6LtXI~Ia>UdC9c4A;GkV~cQK(eObZzoudN*vp98KlbY{sVg>95-9<9B7KYz%rEFrl8?uuNz$1Luhq5P>)ELjC|U-E^W|BweJnE*8g5m>z^mGosb{0op77U zRNE0c=Vh_hKmVg?s?N+1dt7?jVT$D`g&Ko_CxzS2&l5W%KkTu2VVBDXyHxn|P<@F! z-KrWB`MN20e>a#4JOKQ_epMJBZqM0`M>u;-iOutTD*=)+p|_Hp)0JbQw*wGIX~QMQ zBddfb(okGFjk+K{v0&$bAFffWjQ2j8*uELJyInkve=Nt-9YHUuOh2qQMx|*7=~gBG z49DWW$Kex>!AFn3J&wKoj=OzD!sn^W`0+{2JjOdEe^c}r)&#xv=56p>_qlI1uG)5+ z&sT25Oi~-aA?S?>D=ny_#?ulVT+$im8Mz?jVbD$~)bC1=muN_Ld&-4qy&A(Q-wbmm z(2hyo8e@AV#YXObgR`Ui`h~s!mp`)SFSgJ2Z9Dh(|K44FfBnPY`+rwozyJ4HelF2| zy!`co6@Af%z7C2*B6(=}C+yaTk9<+8KX#Kg8Fm2!ldTyn0iKiE8Jz*olXx0=2mp$A I1pvqZ02+K6jsO4v diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a46284e6..eb3682f9 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -34251,10 +34251,10 @@ index 3f48d300a..cb4f966c0 100644 xen_rw_image_files(fsadm_t) ') diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc -index e1a1848a2..492763873 100644 +index e1a1848a2..130688b95 100644 --- a/policy/modules/system/getty.fc +++ b/policy/modules/system/getty.fc -@@ -3,8 +3,12 @@ +@@ -3,10 +3,15 @@ /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) @@ -34268,7 +34268,10 @@ index e1a1848a2..492763873 100644 +/var/log/vgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) ++/var/run/agetty\.reload.* -- gen_context(system_u:object_r:getty_var_run_t,s0) + /var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0) + /var/spool/voice(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0) 
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if index e4376aa98..2c98c5647 100644 --- a/policy/modules/system/getty.if @@ -36480,7 +36483,7 @@ index 79a45f62e..6ed0c399a 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..055193c5d 100644 +index 17eda2480..c9e91f8e1 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -36661,7 +36664,7 @@ index 17eda2480..055193c5d 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +213,26 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +213,27 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -36686,10 +36689,11 @@ index 17eda2480..055193c5d 100644 dev_rw_generic_chr_files(init_t) +dev_filetrans_all_named_dev(init_t) +dev_write_watchdog(init_t) ++dev_rw_inherited_input_dev(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,45 +240,102 @@ domain_signal_all_domains(init_t) +@@ -139,45 +241,102 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -36799,7 +36803,7 @@ index 17eda2480..055193c5d 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +344,283 @@ ifdef(`distro_gentoo',` +@@ -186,29 +345,283 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37092,7 +37096,7 @@ index 17eda2480..055193c5d 100644 ') optional_policy(` -@@ -216,7 +628,30 @@ optional_policy(` +@@ -216,7 +629,30 @@ optional_policy(` ') optional_policy(` 
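Review bot: The new getty.fc entry `++/var/run/agetty\.reload.* -- gen_context(system_u:object_r:getty_var_run_t,s0)` carries a trailing `.*`, so it labels any path that merely begins with `/var/run/agetty.reload`, not only the reload flag file. The neighbouring `/var/run/mgetty\.pid.*` line presumably needs the wildcard for per-line pid files; if agetty only ever writes the single `agetty.reload` file, the tighter anchor is `/var/run/agetty\.reload -- gen_context(system_u:object_r:getty_var_run_t,s0)`. Either way, a file-context entry only takes effect once getty_t can create the file with that type in /var/run, which this hunk does not show and is worth confirming against getty.te.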
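Review bot: `++dev_rw_inherited_input_dev(init_t)` is added to init.te without the rationale comment that other rules in this file carry (for example `# for lsof which is used by alsa shutdown:` further down); the Bugzilla reference exists only in the spec changelog. A one-line comment above the call, `# BZ(1471401)`, keeps the reason next to the rule. The changelog describes the change as letting systemd read/write event_device_t, whereas the interface name suggests it covers only already-open, inherited descriptors rather than granting open; if that narrowing is intentional, saying so in the comment prevents a later request to widen it. The init_t rule block continues beyond this hunk.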
@@ -37124,7 +37128,7 @@ index 17eda2480..055193c5d 100644 ') ######################################## -@@ -225,9 +660,9 @@ optional_policy(` +@@ -225,9 +661,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37136,7 +37140,7 @@ index 17eda2480..055193c5d 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +693,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +694,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37153,7 +37157,7 @@ index 17eda2480..055193c5d 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +718,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +719,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37196,7 +37200,7 @@ index 17eda2480..055193c5d 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +755,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +756,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37208,7 +37212,7 @@ index 17eda2480..055193c5d 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +767,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +768,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -37219,7 +37223,7 @@ index 17eda2480..055193c5d 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +778,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +779,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37229,7 +37233,7 @@ index 17eda2480..055193c5d 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +787,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +788,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37237,7 +37241,7 @@ index 17eda2480..055193c5d 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +794,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +795,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37245,7 +37249,7 @@ index 17eda2480..055193c5d 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +802,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +803,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37263,7 +37267,7 @@ index 17eda2480..055193c5d 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +820,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +821,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -37277,7 +37281,7 @@ index 17eda2480..055193c5d 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +835,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +836,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37291,7 +37295,7 @@ index 17eda2480..055193c5d 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +848,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +849,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37302,7 +37306,7 @@ index 17eda2480..055193c5d 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +861,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +862,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37310,7 +37314,7 @@ index 17eda2480..055193c5d 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +880,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +881,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37334,7 +37338,7 @@ index 17eda2480..055193c5d 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +913,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +914,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37342,7 +37346,7 @@ index 17eda2480..055193c5d 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +947,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +948,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -37353,7 +37357,7 @@ index 17eda2480..055193c5d 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +971,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +972,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37362,7 +37366,7 @@ index 17eda2480..055193c5d 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +986,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +987,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37370,7 +37374,7 @@ index 17eda2480..055193c5d 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1007,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1008,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37378,7 +37382,7 @@ index 17eda2480..055193c5d 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1017,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1018,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37423,7 +37427,7 @@ index 17eda2480..055193c5d 100644 ') optional_policy(` -@@ -559,14 +1062,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1063,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37455,7 +37459,7 @@ index 17eda2480..055193c5d 100644 ') ') -@@ -577,6 +1097,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1098,39 @@ ifdef(`distro_suse',` ') ') @@ -37495,7 +37499,7 @@ index 17eda2480..055193c5d 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1142,8 @@ optional_policy(` +@@ -589,6 +1143,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -37504,7 +37508,7 @@ index 17eda2480..055193c5d 100644 ') optional_policy(` -@@ -610,6 +1165,7 @@ optional_policy(` +@@ -610,6 +1166,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37512,7 +37516,7 @@ index 17eda2480..055193c5d 100644 ') optional_policy(` -@@ -626,6 +1182,17 @@ optional_policy(` +@@ -626,6 +1183,17 @@ optional_policy(` ') optional_policy(` @@ -37530,7 +37534,7 @@ index 17eda2480..055193c5d 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1209,13 @@ optional_policy(` +@@ -642,9 +1210,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37544,7 +37548,7 @@ index 17eda2480..055193c5d 100644 ') optional_policy(` -@@ -657,15 +1228,11 @@ optional_policy(` +@@ -657,15 +1229,11 @@ optional_policy(` ') optional_policy(` @@ -37562,7 +37566,7 @@ index 17eda2480..055193c5d 100644 ') optional_policy(` -@@ -686,6 +1253,15 @@ optional_policy(` +@@ -686,6 +1254,15 @@ optional_policy(` ') optional_policy(` @@ -37578,7 +37582,7 @@ index 17eda2480..055193c5d 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1302,7 @@ optional_policy(` +@@ -726,6 +1303,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37586,7 +37590,7 @@ index 17eda2480..055193c5d 100644 ') optional_policy(` -@@ -743,7 +1320,13 @@ optional_policy(` +@@ -743,7 +1321,13 @@ optional_policy(` ') optional_policy(` @@ -37601,7 +37605,7 @@ index 17eda2480..055193c5d 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1349,10 @@ optional_policy(` +@@ -766,6 +1350,10 @@ optional_policy(` ') optional_policy(` @@ -37612,7 +37616,7 @@ index 17eda2480..055193c5d 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1362,20 @@ optional_policy(` +@@ -775,10 +1363,20 @@ optional_policy(` ') optional_policy(` 
@@ -37633,7 +37637,7 @@ index 17eda2480..055193c5d 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1384,10 @@ optional_policy(` +@@ -787,6 +1385,10 @@ optional_policy(` ') optional_policy(` @@ -37644,7 +37648,7 @@ index 17eda2480..055193c5d 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1409,6 @@ optional_policy(` +@@ -808,8 +1410,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -37653,7 +37657,7 @@ index 17eda2480..055193c5d 100644 ') optional_policy(` -@@ -818,6 +1417,10 @@ optional_policy(` +@@ -818,6 +1418,10 @@ optional_policy(` ') optional_policy(` @@ -37664,7 +37668,7 @@ index 17eda2480..055193c5d 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1430,12 @@ optional_policy(` +@@ -827,10 +1431,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37677,7 +37681,7 @@ index 17eda2480..055193c5d 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1462,62 @@ optional_policy(` +@@ -857,21 +1463,62 @@ optional_policy(` ') optional_policy(` @@ -37741,7 +37745,7 @@ index 17eda2480..055193c5d 100644 ') optional_policy(` -@@ -887,6 +1533,10 @@ optional_policy(` +@@ -887,6 +1534,10 @@ optional_policy(` ') optional_policy(` @@ -37752,7 +37756,7 @@ index 17eda2480..055193c5d 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1547,218 @@ optional_policy(` +@@ -897,3 +1548,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -38970,7 +38974,7 @@ index 000000000..c8147952a +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c00c..a70bee5b0 100644 +index 73bb3c00c..4ddc8145a 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ 
@@ -39008,10 +39012,12 @@ index 73bb3c00c..a70bee5b0 100644 /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -99,10 +102,17 @@ ifdef(`distro_redhat',` +@@ -98,11 +101,18 @@ ifdef(`distro_redhat',` + # # /sbin # - /sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) +-/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) ++/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) +/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0) # @@ -39148,7 +39154,7 @@ index 73bb3c00c..a70bee5b0 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +315,158 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +315,159 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -39313,6 +39319,7 @@ index 73bb3c00c..a70bee5b0 100644 +/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) ++/usr/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index 808ba93eb..b717d9709 100644 --- a/policy/modules/system/libraries.if diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 6b4ae60e..91888eb7 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f070f..53dd1ab4d 100644 +index eb50f070f..3c19e28fc 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) 
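Review bot: The new libraries.fc entry `++/usr/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0)` in the hunk at -39313 gives sln the same label as ldconfig, matching the existing `/sbin/sln` context line in the first hunk, so whatever domain transition ldconfig_exec_t carries now also applies to sln; that is presumably intended, since sln is glibc's statically linked ln used alongside ldconfig for library symlinks, but nothing in the file says so. A short comment above the entries, `# sln (glibc static ln) shares the ldconfig label`, would record the choice. In the first hunk the `/sbin/ldconfig` line is removed and re-added with no visible difference in its text, which looks like whitespace realignment and adds diff noise around the real change; leaving that line untouched keeps the patch minimal.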
@@ -748,10 +748,10 @@ index eb50f070f..53dd1ab4d 100644 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -+mmap_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) +files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt") ++allow abrt_t abrt_var_cache_t:file map; +# abrt pid files manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -10666,7 +10666,7 @@ index c723a0ae0..1c29d21e7 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 851769e55..4bb326132 100644 +index 851769e55..9db73ae8a 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t) @@ -10696,7 +10696,7 @@ index 851769e55..4bb326132 100644 manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) -+mmap_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) ++allow bluetooth_t bluetooth_var_lib_t:file map; files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } ) manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) @@ -25747,10 +25747,10 @@ index 000000000..b3784d85d +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 000000000..03988c910 +index 000000000..cb6af79d7 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,204 @@ +@@ -0,0 +1,205 @@ +policy_module(dirsrv,1.0.0) + +######################################## 
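Review bot: The replacement `++allow abrt_t abrt_var_cache_t:file map;` is a raw allow rule placed among interface and pattern calls, and the same raw form recurs in bluetooth.te (`++allow bluetooth_t bluetooth_var_lib_t:file map;`), dirsrv.te, sssd.if and sssd.te in the following hunks. The changelog's reasoning (mmap_files_pattern also grants execute, so map alone is the narrower grant) is sound, but it lives only in the spec; nothing in the .te files explains why a bare allow sits where everything around it is a pattern macro. If the base policy offers a map-only pattern macro it would keep these files uniform; otherwise a comment such as `# map only: mmap_files_pattern would also grant execute` above each rule records the intent. In abrt.te the rule has also moved: it now follows `files_tmp_filetrans`, separating it from the manage_*_pattern lines for abrt_var_cache_t that it complements.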
@@ -25829,6 +25829,7 @@ index 000000000..03988c910 +manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) +manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) +files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file }) ++allow dirsrv_t dirsrv_var_run_t:file map; + +manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) @@ -106587,7 +106588,7 @@ index dbb005aca..2655c75ab 100644 +/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a24045518..8e00992e4 100644 +index a24045518..47530e258 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -106775,7 +106776,7 @@ index a24045518..8e00992e4 100644 - allow $1 sssd_public_t:dir list_dir_perms; + list_dirs_pattern($1, sssd_public_t, sssd_public_t) read_files_pattern($1, sssd_public_t, sssd_public_t) -+ mmap_files_pattern($1, sssd_public_t, sssd_public_t) ++ allow $1 sssd_public_t:file map; ') -####################################### @@ -107085,7 +107086,7 @@ index a24045518..8e00992e4 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1fa3..b4eaeb4cc 100644 +index 2d8db1fa3..a9de15cf6 100644 --- a/sssd.te +++ b/sssd.te @@ -28,51 +28,65 @@ logging_log_file(sssd_var_log_t) 
@@ -107124,13 +107125,13 @@ index 2d8db1fa3..b4eaeb4cc 100644 manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) -+mmap_files_pattern(sssd_t, sssd_public_t, sssd_public_t) ++allow sssd_t sssd_public_t:file map; manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -+mmap_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++allow sssd_t sssd_var_lib_t:file map; files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) -append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 02daddf0..73ff7051 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 272%{?dist} +Release: 273%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,13 @@ exit 0 %endif %changelog +* Tue Aug 22 2017 Lukas Vrabec - 3.13.1-273 +- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170) +- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects. +- Label /var/run/agetty.reload as getty_var_run_t +- Add missing filecontext for sln binary +- Allow systemd to read/write to event_device_t BZ(1471401) + * Tue Aug 15 2017 Lukas Vrabec - 3.13.1-272 - Allow sssd_t domain to map sssd_var_lib_t files - allow map permission where needed