rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

* Fri Apr 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-186

Browse Source 
- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
- Revert "Add new permissions stop/start to class system. rhbz#1324453"
- Fix typo in module compilation message
This commit is contained in:
Lukas Vrabec 2016-04-29 16:08:26 +02:00
parent 02b9e47960
commit 7a1df1e370
4 changed files with 30 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docker-selinux.tgz
View File

Binary file not shown.

25
policy-rawhide-base.patch
View File

@ -46,9 +46,18 @@ index ec7b5cb..a027110 100644
ifndef LOCAL_ROOT ifndef LOCAL_ROOT
rm -f $(fcsort) rm -f $(fcsort)
diff --git a/Rules.modular b/Rules.modular diff --git a/Rules.modular b/Rules.modular
index 313d837..ef3c532 100644 index 313d837..4f261a9 100644
--- a/Rules.modular --- a/Rules.modular
+++ b/Rules.modular +++ b/Rules.modular
@@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp
# Build module packages
#
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- @echo "Compliling $(NAME) $(@F) module"
+ @echo "Compiling $(NAME) $(@F) module"
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
@@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs) @@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs)
@echo "Validating policy linking." @echo "Validating policy linking."
$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
@ -868,7 +877,7 @@ index 3a45f23..ee7d7b3 100644
constrain socket_class_set { create relabelto relabelfrom } constrain socket_class_set { create relabelto relabelfrom }
( (
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a94b169..d0a8a5b 100644 index a94b169..2e137e6 100644
--- a/policy/flask/access_vectors --- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors +++ b/policy/flask/access_vectors
@@ -329,6 +329,7 @@ class process @@ -329,6 +329,7 @@ class process
@ -879,7 +888,7 @@ index a94b169..d0a8a5b 100644
} }
@@ -393,6 +394,15 @@ class system @@ -393,6 +394,13 @@ class system
syslog_mod syslog_mod
syslog_console syslog_console
module_request module_request
@ -890,12 +899,10 @@ index a94b169..d0a8a5b 100644
+ enable + enable
+ disable + disable
+ reload + reload
+ stop
+ start
} }
# #
@@ -443,10 +453,13 @@ class capability @@ -443,10 +451,13 @@ class capability
class capability2 class capability2
{ {
mac_override # unused by SELinux mac_override # unused by SELinux
@ -910,7 +917,7 @@ index a94b169..d0a8a5b 100644
} }
# #
@@ -690,6 +703,8 @@ class nscd @@ -690,6 +701,8 @@ class nscd
shmemhost shmemhost
getserv getserv
shmemserv shmemserv
@ -919,7 +926,7 @@ index a94b169..d0a8a5b 100644
} }
# Define the access vector interpretation for controlling # Define the access vector interpretation for controlling
@@ -831,6 +846,38 @@ inherits socket @@ -831,6 +844,38 @@ inherits socket
attach_queue attach_queue
} }
@ -958,7 +965,7 @@ index a94b169..d0a8a5b 100644
class x_pointer class x_pointer
inherits x_device inherits x_device
@@ -865,3 +912,18 @@ inherits database @@ -865,3 +910,18 @@ inherits database
implement implement
execute execute
} }

12
policy-rawhide-contrib.patch
View File

@ -9425,10 +9425,10 @@ index c3fd7b1..e189593 100644
- -
-miscfiles_read_localization(bcfg2_t) -miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc diff --git a/bind.fc b/bind.fc
index 2b9a3a1..750788c 100644 index 2b9a3a1..49accb6 100644
--- a/bind.fc --- a/bind.fc
+++ b/bind.fc +++ b/bind.fc
@@ -1,54 +1,76 @@ @@ -1,54 +1,77 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@ -9463,6 +9463,7 @@ index 2b9a3a1..750788c 100644
-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-pkcs11 -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) +/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
@ -99864,10 +99865,10 @@ index 0000000..88490d5
+ +
diff --git a/snapper.te b/snapper.te diff --git a/snapper.te b/snapper.te
new file mode 100644 new file mode 100644
index 0000000..3984dba index 0000000..939b8be
--- /dev/null --- /dev/null
+++ b/snapper.te +++ b/snapper.te
@@ -0,0 +1,82 @@ @@ -0,0 +1,83 @@
+policy_module(snapper, 1.0.0) +policy_module(snapper, 1.0.0)
+ +
+######################################## +########################################
@ -99893,7 +99894,8 @@ index 0000000..3984dba
+# snapperd local policy +# snapperd local policy
+# +#
+ +
+allow snapperd_t self:capability dac_override; +allow snapperd_t self:capability { dac_override sys_admin };
+allow snapperd_t self:process setsched;
+ +
+allow snapperd_t self:fifo_file rw_fifo_file_perms; +allow snapperd_t self:fifo_file rw_fifo_file_perms;
+allow snapperd_t self:unix_stream_socket create_stream_socket_perms; +allow snapperd_t self:unix_stream_socket create_stream_socket_perms;

8
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 185%{?dist} Release: 186%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -653,6 +653,12 @@ exit 0
%endif %endif
%changelog %changelog
* Fri Apr 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-186
- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
- Revert "Add new permissions stop/start to class system. rhbz#1324453"
- Fix typo in module compilation message
* Wed Apr 27 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-185 * Wed Apr 27 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-185
- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs. - Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895) - Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)