* Tue Nov 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-160

- Allow apcupsd to send mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
Lukas Vrabec 2015-11-24 15:49:54 +01:00
parent 2fc3e7cbba
commit 78826f0b99
4 changed files with 26 additions and 10 deletions

Binary file not shown.

@ -45145,10 +45145,10 @@ index 0000000..c253b33
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..9afb637
index 0000000..3358b07
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,788 @@
@@ -0,0 +1,791 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -45486,6 +45486,9 @@ index 0000000..9afb637
+corenet_udp_bind_all_nodes(systemd_networkd_t)
+corenet_tcp_bind_dhcpc_port(systemd_networkd_t)
+corenet_udp_bind_dhcpc_port(systemd_networkd_t)
+corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
+corenet_udp_bind_dhcpd_port(systemd_networkd_t)
+
+
+fs_read_xenfs_files(systemd_networkd_t)
+
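Review bot: The two dhcpd binds for systemd_networkd_t are added unconditionally, while the changelog ties the need to the DHCP setting in a *.network file, and nothing in the policy records that. Add a one-line comment above them citing BZ 1280092, and confirm that the TCP variant, corenet_tcp_bind_dhcpd_port, is actually required rather than only the UDP one. The hunk also leaves two consecutive blank lines before fs_read_xenfs_files; one is enough.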
@ -45556,7 +45559,7 @@ index 0000000..9afb637
+# Local policy
+#
+
+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod sys_admin };
+allow systemd_tmpfiles_t self:process { setfscreate };
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
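Review bot: sys_admin on the systemd_tmpfiles_t capability line is a very broad grant, and the policy itself carries no comment saying why it is there. Please add a comment above the rule recording the System V IPC reason and BZ 1279269 from the changelog, so a later audit can tell whether the capability is still needed or can be dropped.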

@ -7818,7 +7818,7 @@ index f3c0aba..f6e25ed 100644
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
index 080bc4d..5db6cde 100644
index 080bc4d..5b4d973 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@ -7856,7 +7856,7 @@ index 080bc4d..5db6cde 100644
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,26 +73,38 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
@@ -67,26 +73,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
@ -7867,9 +7867,12 @@ index 080bc4d..5db6cde 100644
corenet_sendrecv_snmp_server_packets(apcupsd_t)
corenet_udp_sendrecv_snmp_port(apcupsd_t)
+corenet_tcp_connect_smtp_port(apcupsd_t)
+
+fs_getattr_xattr_fs(apcupsd_t)
+
+dev_read_sysfs(apcupsd_t)
+dev_read_urand(apcupsd_t)
+
dev_rw_generic_usb_dev(apcupsd_t)
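Review bot: corenet_tcp_connect_smtp_port(apcupsd_t) lets the daemon domain itself open outbound connections to the SMTP port, and it is added without a comment tying it to the battery-state mail case in BZ 1274018. Please add that comment. The apcupsd and snmp ports just above each have a corenet_sendrecv_*_packets line next to them, so if the same convention is expected here, add corenet_sendrecv_smtp_client_packets(apcupsd_t) alongside the connect rule.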
@ -7900,7 +7903,7 @@ index 080bc4d..5db6cde 100644
optional_policy(`
hostname_exec(apcupsd_t)
@@ -101,6 +119,11 @@ optional_policy(`
@@ -101,6 +122,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t)
')
@ -7912,7 +7915,7 @@ index 080bc4d..5db6cde 100644
########################################
#
# CGI local policy
@@ -108,20 +131,20 @@ optional_policy(`
@@ -108,20 +134,20 @@ optional_policy(`
optional_policy(`
apache_content_template(apcupsd_cgi)
@ -66690,10 +66693,10 @@ index 0000000..80246e6
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
index 0000000..65502e1
index 0000000..573632e
--- /dev/null
+++ b/pcp.te
@@ -0,0 +1,272 @@
@@ -0,0 +1,274 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@ -66838,6 +66841,8 @@ index 0000000..65502e1
+
+logging_send_syslog_msg(pcp_pmcd_t)
+
+lvm_domtrans(pcp_pmcd_t)
+
+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+
+userdom_read_user_tmp_files(pcp_pmcd_t)
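Review bot: lvm_domtrans(pcp_pmcd_t) is called at top level rather than inside an optional_policy block, unlike shutdown_domtrans(apcupsd_t) in apcupsd.te in this same commit, so pcp.te now requires the lvm module to be present. Wrapping the call in optional_policy would match that pattern, and a comment naming BZ 1277779 would document why pcp_pmcd_t needs to transition into lvm_t.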

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 159%{?dist}
Release: 160%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -664,6 +664,14 @@ exit 0
%endif
%changelog
* Tue Nov 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-160
- Allow apcupsd sending mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
* Fri Nov 20 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-159
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048)
- Allow abrt-hook-ccpp to change SELinux user identity for created objects.
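Review bot: The new 3.13.1-160 changelog entry repeats the antivirus_t line that is already listed under 3.13.1-159 directly below it, and it also carries the "Merge pull request #68 from rhatdan/rawhide-contrib" line, which describes no policy change. Consider dropping both from the -160 entry so each release lists only the rules it actually changed.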