Allow localectl to read /etc/X11/xorg.conf.d directory

- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors"" - Allow mount to transition to systemd_passwd_agent - Make sure abrt directories are labeled correctly - Allow commands that are going to read mount pid files to search mount_var_run_t - label /usr/bin/repoquery as rpm_exec_t - Allow automount to block suspend - Add abrt_filetrans_named_content so that abrt directories get labeled correctly - Allow virt domains to setrlimit and read file_context
2013-03-24 06:39:58 -04:00 · 2013-03-24 06:39:58 -04:00 · 6c034c693d
commit 6c034c693d
parent 07ce8fa723
3 changed files with 5001 additions and 1595 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -15,11 +15,11 @@
 %endif
 %define POLICYVER 29
 %define POLICYCOREUTILSVER 2.1.14-12
-%define CHECKPOLICYVER 2.1.12-1
+%define CHECKPOLICYVER 2.1.12-3
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 20%{?dist}
+Release: 23%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -253,7 +253,7 @@ fi;
 . %{_sysconfdir}/selinux/config; \
 if [ -e /etc/selinux/%2/.rebuild ]; then \
   rm /etc/selinux/%2/.rebuild; \
-   (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
+   (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
   /usr/sbin/semodule -B -n -s %2; \
 else \
    touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
@ -526,6 +526,58 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Wed Mar 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-23
 - Allow localectl to read /etc/X11/xorg.conf.d directory
 - Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""
 - Allow mount to transition to systemd_passwd_agent
 - Make sure abrt directories are labeled correctly
 - Allow commands that are going to read mount pid files to search mount_var_run_t
 - label /usr/bin/repoquery as rpm_exec_t
 - Allow automount to block suspend
 - Add abrt_filetrans_named_content so that abrt directories get labeled correctly
 - Allow virt domains to setrlimit and read file_context
 * Mon Mar 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-22
 - Allow nagios to manage nagios spool files
 - /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6
 - Add swift_alias.* policy files which contain typealiases for swift types
 - Add support for /run/lock/opencryptoki
 - Allow pkcsslotd chown capability
 - Allow pkcsslotd to read passwd
 - Add rsync_stub() interface
 - Allow systemd_timedate also manage gnome config homedirs
 - Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t
 - Fix filetrans rules for kdm creates .xsession-errors
 - Allow sytemd_tmpfiles to create wtmp file
 - Really should not label content  under /var/lock, since it could have labels on it different from var_lock_t
 - Allow systemd to list all file system directories
 - Add some basic stub interfaces which will be used in PRODUCT policies
 * Wed Mar 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-21
 - Fix log transition rule for cluster domains
 - Start to group all cluster log together
 - Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update
 - cups uses usbtty_device_t devices
 - These fixes were all required to build a MLS virtual Machine with single level desktops
 - Allow domains to transiton using httpd_exec_t
 - Allow svirt domains to manage kernel key rings
 - Allow setroubleshoot to execute ldconfig
 - Allow firewalld to read generate gnome data
 - Allow bluetooth to read machine-info
 - Allow boinc domain to send signal to itself
 - Fix gnome_filetrans_home_content() interface
 - Allow mozilla_plugins to list apache modules, for use with gxine
 - Fix labels for POkemon in the users homedir
 - Allow xguest to read mdstat
 - Dontaudit virt_domains getattr on /dev/*
 - These fixes were all required to build a MLS virtual Machine with single level desktops
 - Need to back port this to RHEL6 for openshift
 - Add tcp/8891 as milter port
 - Allow nsswitch domains to read sssd_var_lib_t files
 - Allow ping to read network state.
 - Fix typo
 - Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
 * Fri Mar 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-20
 - Adopt swift changes from lhh@redhat.com
 - Add rhcs_manage_cluster_pid_files() interface