* Tue Nov 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-160

- Allow apcupsd sending mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
-  Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
Lukas Vrabec 2015-11-24 15:49:54 +01:00
parent 2fc3e7cbba
commit 78826f0b99
4 changed files with 26 additions and 10 deletions

Binary file not shown.


@ -45145,10 +45145,10 @@ index 0000000..c253b33
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..9afb637 index 0000000..3358b07
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,788 @@ @@ -0,0 +1,791 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -45486,6 +45486,9 @@ index 0000000..9afb637
+corenet_udp_bind_all_nodes(systemd_networkd_t) +corenet_udp_bind_all_nodes(systemd_networkd_t)
+corenet_tcp_bind_dhcpc_port(systemd_networkd_t) +corenet_tcp_bind_dhcpc_port(systemd_networkd_t)
+corenet_udp_bind_dhcpc_port(systemd_networkd_t) +corenet_udp_bind_dhcpc_port(systemd_networkd_t)
+corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
+corenet_udp_bind_dhcpd_port(systemd_networkd_t)
+
+ +
+fs_read_xenfs_files(systemd_networkd_t) +fs_read_xenfs_files(systemd_networkd_t)
+ +
@ -45556,7 +45559,7 @@ index 0000000..9afb637
+# Local policy +# Local policy
+# +#
+ +
+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod }; +allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod sys_admin };
+allow systemd_tmpfiles_t self:process { setfscreate }; +allow systemd_tmpfiles_t self:process { setfscreate };
+ +
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
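Review bot: The `sys_admin` added to the `systemd_tmpfiles_t self:capability` set in the last hunk is the broadest Linux capability, and the rule has no comment saying why it is needed. The commit message ties it to System V IPC operations, so I would record that next to the rule, for example `# sys_admin: systemd-tmpfiles operates on System V IPC objects, BZ(#1279269)`, so a later audit can see the scope that was intended. Before shipping it, check the denials from that bug to see whether a narrower capability such as `ipc_owner` would cover them; the hunk alone does not show this. The local policy block for systemd_tmpfiles_t continues outside the hunk, so any other rules that already justify sys_admin are not visible here.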


@ -7818,7 +7818,7 @@ index f3c0aba..f6e25ed 100644
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
') ')
diff --git a/apcupsd.te b/apcupsd.te diff --git a/apcupsd.te b/apcupsd.te
index 080bc4d..5db6cde 100644 index 080bc4d..5b4d973 100644
--- a/apcupsd.te --- a/apcupsd.te
+++ b/apcupsd.te +++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) @@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@ -7856,7 +7856,7 @@ index 080bc4d..5db6cde 100644
corenet_all_recvfrom_netlabel(apcupsd_t) corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,26 +73,38 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) @@ -67,26 +73,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t)
@ -7867,9 +7867,12 @@ index 080bc4d..5db6cde 100644
corenet_sendrecv_snmp_server_packets(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t)
corenet_udp_sendrecv_snmp_port(apcupsd_t) corenet_udp_sendrecv_snmp_port(apcupsd_t)
+corenet_tcp_connect_smtp_port(apcupsd_t)
+
+fs_getattr_xattr_fs(apcupsd_t) +fs_getattr_xattr_fs(apcupsd_t)
+ +
+dev_read_sysfs(apcupsd_t) +dev_read_sysfs(apcupsd_t)
+dev_read_urand(apcupsd_t)
+ +
dev_rw_generic_usb_dev(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t)
@ -7900,7 +7903,7 @@ index 080bc4d..5db6cde 100644
optional_policy(` optional_policy(`
hostname_exec(apcupsd_t) hostname_exec(apcupsd_t)
@@ -101,6 +119,11 @@ optional_policy(` @@ -101,6 +122,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t) shutdown_domtrans(apcupsd_t)
') ')
@ -7912,7 +7915,7 @@ index 080bc4d..5db6cde 100644
######################################## ########################################
# #
# CGI local policy # CGI local policy
@@ -108,20 +131,20 @@ optional_policy(` @@ -108,20 +134,20 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_content_template(apcupsd_cgi) apache_content_template(apcupsd_cgi)
@ -66690,10 +66693,10 @@ index 0000000..80246e6
+ +
diff --git a/pcp.te b/pcp.te diff --git a/pcp.te b/pcp.te
new file mode 100644 new file mode 100644
index 0000000..65502e1 index 0000000..573632e
--- /dev/null --- /dev/null
+++ b/pcp.te +++ b/pcp.te
@@ -0,0 +1,272 @@ @@ -0,0 +1,274 @@
+policy_module(pcp, 1.0.0) +policy_module(pcp, 1.0.0)
+ +
+######################################## +########################################
@ -66838,6 +66841,8 @@ index 0000000..65502e1
+ +
+logging_send_syslog_msg(pcp_pmcd_t) +logging_send_syslog_msg(pcp_pmcd_t)
+ +
+lvm_domtrans(pcp_pmcd_t)
+
+storage_getattr_fixed_disk_dev(pcp_pmcd_t) +storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+ +
+userdom_read_user_tmp_files(pcp_pmcd_t) +userdom_read_user_tmp_files(pcp_pmcd_t)
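Review bot: `lvm_domtrans(pcp_pmcd_t)` in the pcp.te hunk is added unconditionally and without a comment, so the metrics daemon can now transition into lvm_t, a storage-administration domain, with nothing in the policy saying why. I would add a line such as `# pmcd executes LVM tools to collect metrics, BZ(1277779)` above it, with the wording confirmed against the bug. In the apcupsd.te part of this section `shutdown_domtrans(apcupsd_t)` sits inside an `optional_policy` block; wrapping the lvm call the same way would keep pcp.te building when the lvm module is not present. If pmcd only needs to read LVM state, an interface narrower than a full domain transition may be enough. The hunk shows only part of the pcp_pmcd_t rules, so I cannot confirm that from here.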


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 159%{?dist} Release: 160%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -664,6 +664,14 @@ exit 0
%endif %endif
%changelog %changelog
* Tue Nov 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-160
- Allow apcupsd sending mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
* Fri Nov 20 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-159 * Fri Nov 20 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-159
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048) - Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048)
- Allow abrt-hook-ccpp to change SELinux user identity for created objects. - Allow abrt-hook-ccpp to change SELinux user identity for created objects.