From 7c73871fb5e98d04a75f9eaaf46db371fec2602f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 18 Sep 2017 15:03:29 +0200 Subject: [PATCH] * Mon Sep 18 2017 Lukas Vrabec - 3.13.1-286 - Add new boolean tomcat_read_rpm_db() - Allow tomcat to connect on mysqld tcp ports - Add new interface apache_delete_tmp() - Add interface fprintd_exec() - Add interface fprintd_mounton_var_lib() - Allow mozilla plugin to mmap video devices BZ(1492580) - Add ctdbd_t domain sys_resource capability and allow setrlimit - Allow systemd-logind to use ypbind - Allow systemd to remove apache tmp files - Allow ldconfig domain to mmap ldconfig cache files - Allow systemd to exec fprintd BZ(1491808) - Allow systemd to mounton fprintd lib dir --- container-selinux.tgz | Bin 6999 -> 6998 bytes policy-rawhide-base.patch | 158 ++++++++++++++++-------------- policy-rawhide-contrib.patch | 181 +++++++++++++++++++++++++---------- selinux-policy.spec | 16 +++- 4 files changed, 232 insertions(+), 123 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 5bac115b0f6460c86914aac68953313ae095b716..f68e7840dfa1a7abaaf2efdb0e7f10d57dbc9971 100644 GIT binary patch literal 6998 zcmb8s<3k*d!vOGX+ge_>v1-}1Y?~JsmhIMsZ?@g#TDD!+GB4e-e$T(~y!*WWP{*Ud zAPw{zz`#RHT#~m1(q`Ar%xKqP#qig8^F3B!#Wuv*(h#pCC~z)0+^IQyDcee~R+GSV zRVPPC;N4)|5n@d|MNP*xar79eMXIWES_As{5zADxyV{2XHdf99h#-^FHEqz_llX_} z=S}qEIcF(0wWP6Gh}Zkx3%2Cjjks1Y^y6h{=9Rkd7F)Z=(1@Ln2Nag(fU*{kK(OO4+DPn#3Ebeh~ivQi^?@A;H% z>KB}Lh^=|L(y5mf{9{C)h4PfJ=uf|%#}E0VRqSHuuC>GJ5pB%@pP@`}1oRlGaE=IeHV;0;)#3MYewhrMPYLH^}$dc zih6$L@$>1VD`v74Zqy}DHgg=Pt<6;6FW~1;T+aQ%fao$$n&yTDSRfMQhv*UWu^`vd z656GK5`+FF3~V^{o~P)WNgc0%IZLwW0jw$A+oYZ0%jux%Cb!&(*XuH&XJ^p1QlV z1YQn`Jj-&yM4PY|Ppu#a+lJy6<1$fG8w2_fEmbJKJ~Bua{04t$QWWw>F9*)kfqx9Y zS#01pN5hm5@v35d{#}d3 zNWiB9m$nG3CAk(+c&p~Imb-rOccIHS5n_~l`~1qusqqnfH>L;h=hDSh6y0zw7TOZF zsiCH`l<@VraYT-pA+N#szw*ER*f+b6(0aMx=i~yjaWQ40K-}m9=hC|rQUWX~-7iET z2&F+n-SH)HldlHtT();!M$iv$Q4>B{K>daB zX;DoDkzg6p3!-#~j6c)&_sI9~c z@-QBgIpongKj=mze#SKiBvf+Wdo{=8k$jKs&93DBbe~acQf@ArfY}~~LC?Ams3`Q27Eu@XQ++*~Z zZu=h}CbfV8YN_%w+9NBs*l|*$_Ykay zFe{GZu)q;ct=EqcsG?lYpOJ|{@B>=i62Ww%&P=OG_5I}5a^*R-4*mjfkCF{rgEe_A zd7HVk#d4hF*!AwVeaQIwfM;$|GyeAyA8{sB-z{ovN7 zN%IYyZ;@&m#@E9Nwh8`&RQveslP813Q?j9`&WvWeyU|F?yhS|9%{@FPo<=5a~+(OYOmbfSwK1mcjyYhriExgVwN&Oe*$A z+Nm;t>@qSvXnuV5^Qn^dcGVcGb2)X1Rj!|^S}lKuC3l69XjC^WezFZoV1YI{RSiJ} zbTh0pvEVXe1XGb*ZJh>Src5uIk#M&_w`ZiB`ci}wx3UgR^RXhuuyh-P^N!#!GgMju z4+@ah1(*U#R4oXTT{<65u+k;RqKeG|wpNeF3P!o88N#*+vPRbOOPa1Y>|)1VxZDF` z>}_M2YV1d=?WwbcaodH-gvtBk!XFS=4=)5vh-_LDsrm2TB26^})*Uf(4D#o1(YM1j zMkbzC_cMRw&r}U^6o}}BHM^2irO6(`%AP2A(^41Nk*t_0)pP+MS>2UHd=6T5(r%X^ z-YzIlW#e^;6%r5nh*e&(U&?sbp-WhUz0cDoa@D6?y7R)6h=?xL1N4(x5^Nl@EBYA% z^$`C2WWa;A)-H)5jQDT_4jEk^-yIJfy~gXxn>BK&ADi4xiZwvHo67Ib+aA3TgcwZN zV7zAIbPPyzVX>Q7{M=O|XjwHVt}Up4QL(MK;}uL>?J+UBxu*Gre4Y_Ej87Sk{v|M0 z=kcyp2^xP(G}P$p#6?K&lh&5AL&|4FWS|4-(M1^W%0`CN1}+i7$j=Hw8q zjqcx`T!JlmH|nkRUe5iJe?b}c=of)aeIB$_RN9%MiSb@f 
zu+=gOne9rx-`NHP?S0-rXKDAugeXt>z=gzRE+pQ5)+pRRSvhr0jE;gS^akjFvKnyR z>q}Kn2K@JU>x#|G$v&_p%;dZyX*3E-(1cRBpz;%8o?=Vh0>zOUfXOO?w|bh*?*vbg z{juqw;Jf@@^8!h0un7jzJkdua6I)GXk_>0>)ZP40c@d`A%NpaX^_#djb5Ns0aR7RX z&|V$)Q(S$>%TG}qv_{L}s31}Xb804#h2#MJ>iB1bO1KQFNd?uh19=|&@)pieTGYh+ zghC08e7Jc^&NaK`Woz@oxB%yW*_l=)Nj(m2B@nGAz~KN*08wZi(jqoDguJ}>D}KhA z?_lJokM$Db&zstn=p=i9#&oDBN+7eR0fy+2iC6+F(O;KV?&DWLc!uS}Z8f{5i zrSWi!G-Pf9u!XGVQBvhCZf&9GzVIf-vL2qD?}ccv)Gf}AmEQm^1Afdrj>YA*h{isI zUcsp9kRXmSl#h=MuY?C{wQ!)#b~Vy^FiA8G@lf)2WB{Z02@l$pfd(;0OSG~;WOUrI z0wruJJo`b%e{ zC@O3r_o?pMn@dUKg#-IuS=#XH!h&~>hM5~^Cd7h*WnH$dNy!6M^>7f<3nk4Lu$}*^ zt)Y!?4zhNQ;|Q5}tBT)CiGr(n++XX)M>|1Pd6a@-9NP|xfgWA>a?{%&Tjf)q&@CzM zw!My?%bf$)>krMN4ThedHZ=n+t2S$ous^TlwR;{uD5BWPx$duve+6Q^+XpJ7F?oZ+5fh%q zJ{w#P>}Oh3|KlfLv?X4kawAm&%m7*b&`!lAGKw1|DOpJLO(-87t+vz!&KVGg#C6TW z>M^(|WYAh(g`|(&_rKeb);%%2z@9yBp74d2A;NwL24Inq(mwo$aI+lpY$wG|b^X&A z3b+?*8|pEsGTii_eayXCOr0J*#kXQXH)Wh%;0o!sZr|>xRu8%4vH)m9emktB>f!TI zb)uF``#=wtXZJ&eyS#+VXA=bjTDQ1N41xH`t+mF1O>C25<-iZ)YsJP~nZAmM{%mS9 zU#@pP1Lo*S^(@$Yc(Yzt`c@*H8DH8AaF9ejfq`6wbT8S^CiEs-~Cz=|zUTsbt>6(2I)g_Ih%KVT6 zclBPFbZsFP8TBR{6myM5yR$aNYvIP4t0Bu}-h=+27(b;X+3t=X*Ltwy-l(wSzQ!1) zF^t*QltlQQU-*YqBlIb9^dN$&Hc>+Cs904OQbO-h=mj;VY+~Qo#Uyidr-T*k5F-`tmJzc3IJ$ zBLzf?*%yn~4JRf!IUtK+3+6a+@%HJSf1ggqc`f&-)p^j^tLh*)KsTn@0N|;uh*}>; zp9zhs&O~z1GX|lVb*!dp^YqV2?NLT(wi*3NyBHFgTZgo~agYU>REuyfL=4fOYV9VI zFp%i^A_c@@4k)tKR7Zob9s)#yKfiUn4*cPprpB0mn>6;IQB#+beflu3#AO;s7wuQ1 zTnKDRI5cYZ#zla4U*#N-FK5wuh^nnoN!-Qdz5Unh*uyYG*UQvJRe_%g|adzWAoksM7+*h%) z+Zmv9nfgyP?+2N32hsK`+mjeC6eV>+$i5qWrYuj--Pz;CP7ZbzpuSZ7VPQP{$mQ>r zo#(O_;?DkdyBb&1nOR=_FcWLRzD6!?Wl;M41uIvqR2llfOHHp zC)($8eapKP*N#`a)h3X_eCPMaST`^dqdKNSf1k5Mv#@OslYwa=YeVg+qOM&CG90y# z4QXt2V4^@6NlQhFE#zoQo|a6)Y*M+sl|+9~h=9Gk4LV zW|0xfZRICxc z#?p>2_q(`+j|&5<^{Li^gpxVe=JfRnYr@qEf6O3$8P2c2?kziq$8buHK0s&861g-A z3j4Ic9Ip$W4g$>n&d{=EEqZ@bA?Z$=*hu*F;?^#hi0OS+ES7C2_t@DiR(URr`uRW# z4yPNc^zC%=5eDDws5i_6J0bY`?v%|)j_^-r4bIg-2ml0m$=S?>V$>bz&PBL%QVXYa 
zDiu0X&vgK*IL<=9BIx*xd~tIIq@vf|e=+jw!c9-NA(F&UHF$-`7_+we<^692$1v{* z&=b_$?Y!?yUGyC*6Q}GK*@V{Ybrf03Nw^WX#ui^$q$csJqN3sQSxKa<0#!;v8q>Eu zWD&u*ct}!g8vO&X<*}jq1 zk9>D8sf!_bFAw5eMpb{9A)7i@2ZLRAv07SCsZBI?ZLU5hvJ;5$OMGps3LSwDTe86p zONSt{OeXi@5qsYR$oTfFMrq4miKy=klIOqwTXfZ75o^jQlCiHck4}qx*6$sp#Olr$ zO4ru6CDXT?M6hKjCjD6{lE|%Y(*nG6bB1ep^FHvEr5c_srq`-Crk(WAV)|{-ln#oT zbS8l7UyP1uiu`mr@&)CDHJ8bU#H3#aodq&?kEv{DJV(wIY5^r`LcSG6lBwu_cFHyqI{_VB`gHYp*n>^-cs~2HoMP1U8xH7GWX_ z{HK5j3C1Pg4Ah-E=k_ezEb6W~@OOlT`4>wf`4&jz?>Gy?7O>^DZRF{xHjYbP_O{(+ z`FE4qEl>iL`EW!yVUQI8E5`|w|0lNRe{P%eT->&>t`pWEsACWC$nxHh!Fe_`aWXFI z&)+M&FD=eHjkrhV{O8Og8WfX8SO#0eD$8_z3z??CpX^BI5lHoG-l7h7B<`WdTL>4w zeHLC5Mn)X(curwmI1Fr@2^z{ZoRpeWO(IF88lFIeBWJg8xj@$eya_qmVaLI;7DTEbRcRY1d9r6B z<;L7>r-a4Rc;F44HH1*b`)rpx+Qmf>^+6)Nh?2e6`4BQ{^_)5Go@9Qu_s^x=R&N31 zR@oV9AbGmudHAk_PlMg7izzsozm@&RpJ-D&5SlUBIo;CgnbkUROmjDSlLDMn#=)tU zKdQU9?3nfBIUv({00vQ15w1GQyYeX;g`|ReNVJajwapXn1kU(1XY12ihwIe48jO0S z6N5sn|B~?s>zzc9_v*~1KI$p*Zo^a{aE*6wx~^QeT)tGC+#Hz*TI-n5Fjcz zfW)d?%=v^TY35I`>=0tm6EJGei3i^CbA4_qr8{`qpvWW4OB9vnHQ=N+YV?*t(WNOn zO#u~z|F~p7xE+SY@a!&@L;qjp&3S!$Amn|RLq{cly^W0fH4Iy2(_F2Dr*D{(GJtGL zH<+Q2Wf!quKYZu8%62NhaRSywy?NHPJDN#EFs3>11y#d~)9WG+SJG+Eo6%u17Jci* zQlM~9nfWyn=S0FAA8D>y)S@w0;@&GE|7g_7OyhK?JzB^3qn=djkK*#(Q+h#v3xEL? 
z**S5QmyCHQGI%GEb~OqST6e%^M_%%ua#i+PlKjBr7Vb0Hd5VFRx$Qq-bZ_&4Pz(Me{&*RIPo69mC ziB{1nW!IvdxF>$@TQ4EoziZ%$pb}ug|D8gH;oh`LVQsA=Zu z2PCm6Kq#%oRX)n$+lFJuP{Pmkbu5>8wYCe?#?5zQ4M;Gqjrcy?WWcZkqlp9ZX>Ig~ z<0CpFKnAc+*gCcoveiH2uTs8g{#SFaeTlR9KX+J26Y<=v@7|^H-dxZ<0|%Vm3J`>o z$AOHj{R=sidR_h3?cTBSpa;5Lvac&NemE0G(ccQ>`C0)_n~8`y<^L#qekILsEt&T!&egfHmNf%0L3W+8~|N?t$WS~k?FaJ%$%?aS~6B) z7T|b~Mr0E$YaZFhK46_;KrtwAJh|-0tj~Su#})ZXyD5*pwW?+AWw^cgGS0^-=95`D zF^+t94LNKnGLqPP=1U?XJPXC9weB&uXmV zbE%Cvv3c_w0Y5KT#^gcKh}@Q|P=9`H+zA5}M8r7rc0=CA&UyNkkk9Lt&!1xtXvZ!$ zzNbg^=Nn4Xn$Hyp$5AtPuVTWb3*EQH8hz;NQhM}Y9^cF+-g< ztc31V?2D`UEssnL(a+zV;b-(_-+Xf>e@JwXEtD9lu$~kebACXkNx$OkmeRoT2^m*W zU`O{tnKM>adgrX82dywB2rE&si|gZ7 zcrs|q5{~!J01gxwWTCEa=o%tF`OP4eYnrtrp0BaJDE-caVbUi-s&o*@s4@;SkIUgE zx>}o}!;;UAhj%|^K<;s*>hXOGUCe`cj5yycyq6KTR-Ed?{J5OJ-HerRDu;uV@1d|i iwo%$D8!o2(ZY^bCcToI)QcvX*`}M07Cd>^C%>MvPMb-}h literal 6999 zcmV-d8>r+TiwFRZak^Om1MOXHkK8tr_SflOA=m*t6WBAJapC};>>d`$0(Tz{2zD2^ z50|@+T2gl_qqj)vdAWi2w_jE9MU+HRlv-_j0TD>rBUL>li)67_EK)(9)qb2s8m zaia7N(uWV<;qUbi-@j9TA-(_b{`&gG_517ZKYaJYyARhtym)v0{^t6_3-8^j3Z$k( zRr{sqy-4m$e-i~px}o>~qG|Q&mG@(HNK?Oj`tv{bk(U=y_O{9oWe|COQ6zET*KwYC zf#@h+l-|{xrJs74 zpGJRr$*5lbxtGJw^uqI#B!7rPug<-?^s_3)O6fqa2o?UlinBT@w|)?v|0YYbE)Q89 zr_mbnBb?W7ep{XGqHJA8e;ncxXjf-v^;4nLK=RaYG!G+?z`DM*aHYkzB8t}+tJPVM zmr;<0>nifgV87nP+4(ou7ppT-pmpKbP;Pu`&QABHzF1)fGd3khR+@CzdBa-Gy=l)z zHSL+HX*(H|c@k;h{|1jGxE};jRSlscQs5U?gWU&yNA;Yh^~EdE-mLX8V`%p>-e41a zbEC&Vh*OMJ5YksWP_e_05w#qT*3lOD8BtnC*^vY4Z;>C8e2X&2&ga2Q1>(=Q{UJ8f z2y*D;24O={*HpYoy}AIc#p*bqy^a;>->DfD`6cnj3!#`notJS`jp)3m5hU+tP%IZg z-uoqzHiD%5y>G5{G#{a!9><4&u8XKlD`4ElNmPl9IW=|inP-EqP1H0-Kc}D#Iz#f! 
zp)T6url$Skf+ppFHKgK961TCBo)I{Etydiq>odr_+WTenHA$Tc1Y0~JCS@HV=SejolLiJ_+zx2z!(}ZC)JX@7W}GO&$;E8{A9a1 zv<~OcJaTUt8^*k?@--P}TsSzzOm7;?1oio(`n8$8iq3MC?s%1Dk^D(D%}-z*;1YTB zJIK32|AenJ1?19djwfV!i0i%Q1L2_t3DAC-gS`pRb|ME-u3g^L_E82On&(PmtJ0={Qcxl zFYEGPsv?qhvfV^+wsXo>KSacQ?(E>z4iK9+Rv84}+`xbD;lJn#A8U z6vGbrqC#ZES}R8KGD>n>n1ZBY=uh;<<4G{{X5Hotya2`W5MoIfj>h+*l;k7+c(P|m z@5=xeFObJ4F#f0D{){e48peJWdJko+TTG@=3NzQ2AJh*ZqjZwDSJM)b2HGL@7`Bl8 z2x)eO>3JP#wufa=KaHKjy$-%noZiUoibDmRt$rf)h-0BGR53z2q79?_q9(f+U!tJ! zS0i6R_%YZsLl*qQ?BgH7_N$ zf_pP4)4zd2`b+R#cYq}M&cdq9g$9a!o<`k1z$ZmM>57d)!_PIVLrEsdhGFEvG|6^KP;m_Cemk(2sT-P5 zsEZ1O%Rn-Q~&syw;BLju{rw?UGDdNE_BcZqS|5j(w$H5Oz2}3NO3Y+CH3M z{aQQT-+%e3DMR%&_r4-PWzmhGmdTm5%Ts7i}Vtt;Z^Z2^Ak2;y-&B}95Rp@%}#nkQ84??h7Cd4 zzA%o7A%5|WEIU=740K4C&D&IBWL4RanPPXg?!zn%c6|7@uNnb zzt9WH23xH`Gs_b?et~-ssyG?nTD;QAvpF@` zX;rtb{c;!8f+kI>HRz2UcSd(!1{L;wbj(0zp?Hi_6b}+vm%L5z70nJ``XKecXp${@ zSx2YJ!+!q%!-t#e?|SF|-+#ZH|Nk6`d0N(K9)e;!m%ZVQcXN63{_@?$s-rJhm?!hD zcx9f~`Q2DkdG*TsIRc!LE*5|}XGN+kjH-Z#*c3dtCc+RED315Ak3bKWYB-5c=CSY- zlQ%a>ynp=ki&x}jEn{#Bt|u8fR;E5={zk2Iz-Nfljmio{FAta`qUsCxP# z_ml^I@5=m8c<0kXy}S(E}d;|Td9VGI*D<+K{wfO z>aM8SBD^hP_N><`s?)Gf@6;|wNFU3L8juSa=z3ulg>CSE!Q3-S6XC+WvdM~&( zM5zrY!j{AaGMNkX5cy#3ci!di;|kY(8@btOVCCe0Q`NO@f9=*r8&hm|FvLUzDV=w@ zbZET-@-32Xz_W|4wV9|7_nhrMhV!*32xXAFo`wtKOxiL zP(s(Khk4ot=K%FK#IU4cGITQ1D9F(u7^LQVix@ktY&5dXOJ`=~*r+3KTJ31N6n-5! zFo>Q7V5@=jLrnXIY46GeW%@&K;lCZ(bO9ecYxSWcS{)QKpd7*;${6-$K;C#8vIVL` zRYX~6#>%YvDO{U;X! 
zQ67w#0n$Yy@qit?%;=dU0-6`vwkFnex-kM1%U^vY+?4jTBQhwk_}t~x0Cvueyqs2LwnEp%%}uGU z8Li_ZaH^|7d&as_l)m>#p0$})*`4OW)T&ysMh`6$p8hD38<-+E8SMSZP16y=M=^xi zEe9}f)qts2e4p47x*gy)P)u$3EiZfbxZB&`t311emoIGh_mG!&mq7OKc@b?7N%DjacaT7u-;*~!^By8^@53Lyw~0^yUX>>Y z^xy*5e{llj33J-Q+~!yhXxuj}!sQ`9Bq7fn|4w0g26GA4gAo8&!*jU%l>GqVts_I@ z?+_l4MkHhkXdNOQ69U8SI&AFTFZ3^%?1%}&x8<%gzL++gM`DjRJVs_PT7S6Wx1FI* z+N1+*&?-l^=)gIbqg&M#{}{o$*MWOJPML`~)_%%7MqBh_@^G1^I!t7lEA!K>eV5FZ z`&RYoj~yngZmQiftvd2*g2p2^VU*c!ew^A_956?B4hPJ+@kWn!8>UMObK;Sfm1{4S zMVZGG)1T`-33hYH_muEA^W*Cdrk^GY zr3rN)Mhw@-wRepn`+EI+2SSe$9!}2UxG1VzPp(pDQH}l&S8_Va`cwsVVkn9ren4a= zQV?4e?4!^vbKFoj2%!nZUQ@umAJp+ZjHl3$Kc^4z-65p=`gkVnO=S~`2nLLI!9Hnm zS?R|XZbFfEyc-S{sT=OvL=cL&!PnNY!l)+43J7){ztDJ`(1W$nho@Y$sj7XHBo1_L zo~t9aC0iSYf-T-oV49d$CmPAXHg)fCU)P0W7J?{SnKy|U?!hB{YwEJWQvuaE~#w5OH0(Qz&9fal>xa}8$3w@TfJ`4M8@G>(gD|RgOIUJ!SmznL zeU{%vqpwR<=OvnO7$iaJ`w^oAo3fFP4#fOO`I8z)%}YL$8{z0gq0*qVjttoTZr?F!WlKZ#-wVZA9 z0SCw*hp4L8WYcv|uxjXeebyOVzXK7jAqlQ$H%U%M1>4pD%wX03`U#zy;_CQy}AZ5c%l>{ z5FBo{o7`MLNzD$EtzooCl7j4&kH9gw=A)6U{aJ;7l4pi zT*V=Udkrqp`BLQwhQSqjkHcjR-eZz`a-+E9j@yvGf$ zw_RUTdvl(lb-e1Cur2o^2QpU)RPE#Wwl38r9dLz!%C30ijjb+np|yTw3r{yj>v=9 zS(HTT)I3BvPU^%mEOrvtP??QF;8*&PFt+f&t^5vGQxNvtQco?pr8HW4drbukbsxrI zB@{i)fs_O|Txh+U4>1(-?&X7k#M~LW_nP2ScJ_sBzuk87YzI~8 z0F}#yXa~PmK2X)IfpiGFR9AD$qnT}6wIVWDn=(_x%!Es}tuGPrR4g0?rP zfvlUbf>MOs*ylk*Zo8r}W#HdN2ZMo~rg zYt~!r-K-EDeF~zDGn4y_-PEYdc^j9}1B{q(u%fSxLdE6$B=7%0uJcVB8Yadpz%7{! 
zcV3Mbvs|oRsf5iLuu)mjP#D}@Vq})B8#baGtVSKB7>YxA%OPu^0e4Ak1(k^w<)M>?MNfvVhMILbB$3NeGwC0gsi=Si7x#+=CG~pCc)lkGPI+mmyNvL zcr3pX8O{+bJ)FMH)a)u6_YE}{FzW}sTaLV+Y69e;x2oaB*mFBmIL|`6XK$WTIhT2s zR_>BE*&IaP7#?Z}O0Y3nc2n-@c>Tzm?w zQQjuKCd%1Wl9ssjN%wWDH>j}>kPKX-#_#H!aHE&XIr9E0X@(o%lmG^KSKF<6{fyDB z5a0h8IL|Ts5fj_H!J{2B!CMbw%#?@iT*k3k*pFzqpbsC@FnmpBK82cGIVRj?uH+csU%jRcF1o3nn=yH!a@>* zu5$G8HQy%f=HEANB>k<8S_DHX)Vf1gx~NBPVw1nOf`$Ga^ZZ7sE;_HDW2nSl-trDC zgOo)z;;!H|LtE#Gs@2%565YSOF;)*pa@Fm~Fij|1?RJ=v4;$N|4ce)8Jpop`p9`wp zFQTkRTtHcmIL)Lh?EsziuvqPW!K7}ePP~HlxchJWcQ}v9R2vLDD%^JZMYIzxpgs2D z+4(Moag3g#Q(}Fsx94*n_A)R5KfdfJg2JM(k-Hrq~iH3By zqg;sAsWP1Mb^p!;S~1B}V{FZ&*vRdVd^U8;C;Yxdk_~gYJ=wSI?BD;pzP|Zz-TVIE zyXE_TpCw(Pd3W{eCHtZeeH|3LMD$qmPuQ&wANib7er!fDzrwtF2gCpBP?c9nyum5; zis4*cetY)ztuvZfH}kLRAgT_O{mcUm25*Bm7hv)jyhXS<>kgP#GZm4X#Z*wB2xhA_ z1Dgv?QvLV;Uj5IvY_DM627ilQ?y8=x#2l4>%4lxbEWgi_LmIsuFAC+mfDLp-LN4Qc zwvI}@YIfMu6!R3N%!4?b3$IcE=g}ffx`+o*ocqOW9G z32=giVSt)uLz&7Y2&SkRW8r?iEaGsKxi|oaUUI;z=D~Z*4=Byq9#_l;AKhPiL3@gh z1z^RV9HE`)vt}yLZW@lza$nkEwxlI3X-P|3(vp_6q$MqBNlRMNl9sfjB`s-5OIp&B pmb9cLEon(hTGEo1w4^01X-P|3(vp_6q$Pd9^#7?f;AQ~u000-e$cF#` diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 51ae2285..61241e12 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -37845,7 +37845,7 @@ index 79a45f62e..6ed0c399a 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..4593a868a 100644 +index 17eda2480..6c22a0a1f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -38167,7 +38167,7 @@ index 17eda2480..4593a868a 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +347,283 @@ ifdef(`distro_gentoo',` +@@ -186,29 +347,292 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
@@ -38202,22 +38202,30 @@ index 17eda2480..4593a868a 100644 +') + +optional_policy(` ++ fprintd_exec(init_t) ++ fprintd_mounton_var_lib(init_t) ++') ++ ++optional_policy(` ++ apache_delete_tmp(init_t) ++') ++ ++optional_policy(` + journalctl_exec(init_t) +') + +optional_policy(` + kdump_read_crash(init_t) + kdump_read_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + gnome_filetrans_home_content(init_t) + gnome_manage_data(init_t) + gnome_manage_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + gssproxy_noatsecure(init_t) +') + @@ -38245,16 +38253,17 @@ index 17eda2480..4593a868a 100644 +optional_policy(` + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_config(init_t) + mta_manage_aliases(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + systemd_allow_mount_dir(init_t) +') + @@ -38433,18 +38442,18 @@ index 17eda2480..4593a868a 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) +') @@ -38460,7 +38469,7 @@ index 17eda2480..4593a868a 100644 ') optional_policy(` -@@ -216,7 +631,30 @@ optional_policy(` +@@ -216,7 +640,30 @@ optional_policy(` ') optional_policy(` 
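Review bot: `fprintd_exec(init_t)` lets the init domain execute the fprintd binary in init_t itself (can_exec grants execute_no_trans, not a transition to fprintd_t), and nothing in the new optional_policy block says when systemd does that or why. A comment such as `# systemd execs fprintd directly (BZ 1491808); service start still transitions to fprintd_t` would record the intent the commit message only hints at, provided the automatic transition from init_t is indeed unaffected, which should be confirmed. The same block adds `fprintd_mounton_var_lib(init_t)` and the following one adds `apache_delete_tmp(init_t)`, both without rationale; the `# /var/run/dovecot/login/ssl-parameters.dat is a hard link ...` comment further down in this file is the style to follow. The init_t section of init.te continues outside the hunk.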
@@ -38492,7 +38501,7 @@ index 17eda2480..4593a868a 100644 ') ######################################## -@@ -225,9 +663,9 @@ optional_policy(` +@@ -225,9 +672,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38504,7 +38513,7 @@ index 17eda2480..4593a868a 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +696,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +705,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38521,7 +38530,7 @@ index 17eda2480..4593a868a 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +721,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +730,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38564,7 +38573,7 @@ index 17eda2480..4593a868a 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +758,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +767,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38576,7 +38585,7 @@ index 17eda2480..4593a868a 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +770,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +779,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -38587,7 +38596,7 @@ index 17eda2480..4593a868a 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +781,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +790,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38597,7 +38606,7 @@ index 17eda2480..4593a868a 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +790,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +799,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38605,7 +38614,7 @@ index 17eda2480..4593a868a 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +797,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +806,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38613,7 +38622,7 @@ index 17eda2480..4593a868a 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +805,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +814,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38631,7 +38640,7 @@ index 17eda2480..4593a868a 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +823,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +832,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -38645,7 +38654,7 @@ index 17eda2480..4593a868a 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +838,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +847,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38659,7 +38668,7 @@ index 17eda2480..4593a868a 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +851,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +860,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38670,7 +38679,7 @@ index 17eda2480..4593a868a 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +864,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +873,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38678,7 +38687,7 @@ index 17eda2480..4593a868a 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +883,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +892,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38702,7 +38711,7 @@ index 17eda2480..4593a868a 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +916,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +925,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38710,7 +38719,7 @@ index 17eda2480..4593a868a 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +950,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +959,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -38721,7 +38730,7 @@ index 17eda2480..4593a868a 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +974,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +983,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38730,7 +38739,7 @@ index 17eda2480..4593a868a 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +989,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +998,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38738,7 +38747,7 @@ index 17eda2480..4593a868a 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1010,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1019,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38746,7 +38755,7 @@ index 17eda2480..4593a868a 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1020,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1029,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38791,7 +38800,7 @@ index 17eda2480..4593a868a 100644 ') optional_policy(` -@@ -559,14 +1065,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1074,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38823,7 +38832,7 @@ index 17eda2480..4593a868a 100644 ') ') -@@ -577,6 +1100,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1109,39 @@ ifdef(`distro_suse',` ') ') @@ -38863,7 +38872,7 @@ index 17eda2480..4593a868a 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1145,8 @@ optional_policy(` +@@ -589,6 +1154,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -38872,7 +38881,7 @@ index 17eda2480..4593a868a 100644 ') optional_policy(` -@@ -610,6 +1168,7 @@ optional_policy(` +@@ -610,6 +1177,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38880,7 +38889,7 @@ index 17eda2480..4593a868a 100644 ') optional_policy(` -@@ -626,6 +1185,17 @@ optional_policy(` +@@ -626,6 +1194,17 @@ optional_policy(` ') optional_policy(` @@ -38898,7 +38907,7 @@ index 17eda2480..4593a868a 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1212,13 @@ optional_policy(` +@@ -642,9 +1221,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38912,7 +38921,7 @@ index 17eda2480..4593a868a 100644 ') optional_policy(` -@@ -657,15 +1231,11 @@ optional_policy(` +@@ -657,15 +1240,11 @@ optional_policy(` ') optional_policy(` @@ -38930,7 +38939,7 @@ index 17eda2480..4593a868a 100644 ') optional_policy(` -@@ -686,6 +1256,15 @@ optional_policy(` +@@ -686,6 +1265,15 @@ optional_policy(` ') optional_policy(` @@ -38946,7 +38955,7 @@ index 17eda2480..4593a868a 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1305,7 @@ optional_policy(` +@@ -726,6 +1314,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38954,7 +38963,7 @@ index 17eda2480..4593a868a 100644 ') optional_policy(` -@@ -743,7 +1323,13 @@ optional_policy(` +@@ -743,7 +1332,13 @@ optional_policy(` ') optional_policy(` @@ -38969,7 +38978,7 @@ index 17eda2480..4593a868a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1352,10 @@ optional_policy(` +@@ -766,6 +1361,10 @@ optional_policy(` ') optional_policy(` @@ -38980,7 +38989,7 @@ index 17eda2480..4593a868a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1365,20 @@ optional_policy(` +@@ -775,10 +1374,20 @@ optional_policy(` ') optional_policy(` 
@@ -39001,7 +39010,7 @@ index 17eda2480..4593a868a 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1387,10 @@ optional_policy(` +@@ -787,6 +1396,10 @@ optional_policy(` ') optional_policy(` @@ -39012,7 +39021,7 @@ index 17eda2480..4593a868a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1412,6 @@ optional_policy(` +@@ -808,8 +1421,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39021,7 +39030,7 @@ index 17eda2480..4593a868a 100644 ') optional_policy(` -@@ -818,6 +1420,10 @@ optional_policy(` +@@ -818,6 +1429,10 @@ optional_policy(` ') optional_policy(` @@ -39032,7 +39041,7 @@ index 17eda2480..4593a868a 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1433,12 @@ optional_policy(` +@@ -827,10 +1442,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -39045,7 +39054,7 @@ index 17eda2480..4593a868a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1465,62 @@ optional_policy(` +@@ -857,21 +1474,62 @@ optional_policy(` ') optional_policy(` @@ -39109,7 +39118,7 @@ index 17eda2480..4593a868a 100644 ') optional_policy(` -@@ -887,6 +1536,10 @@ optional_policy(` +@@ -887,6 +1545,10 @@ optional_policy(` ') optional_policy(` @@ -39120,7 +39129,7 @@ index 17eda2480..4593a868a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1550,218 @@ optional_policy(` +@@ -897,3 +1559,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -40917,7 +40926,7 @@ index 808ba93eb..b717d9709 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 54f8fa5c8..b9dbbe005 100644 +index 54f8fa5c8..e14ec857c 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) 
@@ -40937,7 +40946,7 @@ index 54f8fa5c8..b9dbbe005 100644 ifdef(`distro_gentoo',` # openrc unfortunately mounts a tmpfs -@@ -57,11 +57,13 @@ optional_policy(` +@@ -57,11 +57,14 @@ optional_policy(` # ldconfig local policy # @@ -40947,13 +40956,14 @@ index 54f8fa5c8..b9dbbe005 100644 +manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) +files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig") ++allow ldconfig_t ldconfig_cache_t:file map; -allow ldconfig_t ld_so_cache_t:file manage_file_perms; +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -@@ -72,14 +74,19 @@ files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file }) +@@ -72,14 +75,19 @@ files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file }) manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t) kernel_read_system_state(ldconfig_t) @@ -40974,7 +40984,7 @@ index 54f8fa5c8..b9dbbe005 100644 files_read_etc_files(ldconfig_t) files_read_usr_files(ldconfig_t) files_search_tmp(ldconfig_t) -@@ -90,11 +97,11 @@ files_delete_etc_files(ldconfig_t) +@@ -90,11 +98,11 @@ files_delete_etc_files(ldconfig_t) init_use_script_ptys(ldconfig_t) init_read_script_tmp_files(ldconfig_t) @@ -40988,7 +40998,7 @@ index 54f8fa5c8..b9dbbe005 100644 userdom_use_all_users_fds(ldconfig_t) ifdef(`distro_ubuntu',` -@@ -103,6 +110,13 @@ ifdef(`distro_ubuntu',` +@@ -103,6 +111,13 @@ ifdef(`distro_ubuntu',` ') ') @@ -41002,7 +41012,7 @@ index 54f8fa5c8..b9dbbe005 100644 ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -114,6 +128,11 @@ ifdef(`hide_broken_symptoms',` +@@ -114,6 +129,11 @@ ifdef(`hide_broken_symptoms',` ') ') 
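Review bot: The new `allow ldconfig_t ldconfig_cache_t:file map;` sits between pattern macros with no explanation, and a bare allow in that position reads like a leftover from debugging rather than the deliberate "mmap ldconfig cache files" item in the changelog. A one-line comment above it, `# ldconfig mmap()s the cache files it rebuilds in the ldconfig dir created by files_var_filetrans above`, would tie the rule to the filetrans line it depends on. Because the domain already holds write on the same type through manage_files_pattern, adding map permits writable shared mappings of the cache; that is acceptable for a non-executable cache, but the comment should say so rather than leave the next reviewer to work it out. The ldconfig_t block continues outside the hunk.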
@@ -41014,7 +41024,7 @@ index 54f8fa5c8..b9dbbe005 100644 optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') -@@ -131,6 +150,18 @@ optional_policy(` +@@ -131,6 +151,18 @@ optional_policy(` ') optional_policy(` @@ -41033,7 +41043,7 @@ index 54f8fa5c8..b9dbbe005 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +172,3 @@ optional_policy(` +@@ -141,6 +173,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -50022,10 +50032,10 @@ index 000000000..634d9596a +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..e7c2cc70b +index 000000000..1927b4fc0 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1021 @@ +@@ -0,0 +1,1025 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -50334,6 +50344,10 @@ index 000000000..e7c2cc70b +') + +optional_policy(` ++ nis_use_ypbind(systemd_logind_t) ++') ++ ++optional_policy(` + rpm_dbus_chat(systemd_logind_t) +') + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 859d32f7..902c1f0a 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3925,7 +3925,7 @@ index 7caefc353..966c2f3e6 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb4851f..fe461a3fc 100644 +index f6eb4851f..422f408d4 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ 
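Review bot: The added `nis_use_ypbind(systemd_logind_t)` block in systemd.te gives a login-management daemon network access to ypbind without a comment stating what logind needs NIS for. A note such as `# user/group lookups through NIS; conditional on the nis_enabled boolean` would document both the purpose and, assuming nis_use_ypbind is the tunable-gated refpolicy interface rather than nis_use_ypbind_uncond, the fact that the access is off by default; confirm which variant this policy tree carries. The systemd_logind_t section continues outside the hunk.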
@@ -4218,11 +4218,11 @@ index f6eb4851f..fe461a3fc 100644 - ') + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) -+ -+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) ++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; ++ + # apache runs the script: + domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) + allow httpd_t $1_script_t:unix_dgram_socket sendto; @@ -4499,10 +4499,12 @@ index f6eb4851f..fe461a3fc 100644 - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd unix domain stream sockets. +## Allow attempts to read and write Apache +## unix domain stream sockets. +## @@ -4518,12 +4520,10 @@ index f6eb4851f..fe461a3fc 100644 + ') + + allow $1 httpd_t:unix_stream_socket { getattr read write }; - ') - - ######################################## - ## --## Do not audit attempts to read and --## write httpd unix domain stream sockets. ++') ++ ++######################################## ++## +## Do not audit attempts to read and write Apache +## unix domain stream sockets. ## 
@@ -5016,32 +5016,12 @@ index f6eb4851f..fe461a3fc 100644 + read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + -+###################################### -+## -+## Allow the specified domain to read -+## apache system content rw dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_dirs',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ -+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ +###################################### ## -## Create, read, write, and delete -## httpd system rw content. -+## Allow the specified domain to manage -+## apache system content rw files. ++## Allow the specified domain to read ++## apache system content rw dirs. ## ## ## @@ -5051,12 +5031,32 @@ index f6eb4851f..fe461a3fc 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_manage_sys_content_rw',` ++interface(`apache_read_sys_content_rw_dirs',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) ++ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to manage ++## apache system content rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_manage_sys_content_rw',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ + files_search_var($1) manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) @@ -5390,7 +5390,7 @@ index f6eb4851f..fe461a3fc 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1625,183 @@ interface(`apache_admin',` +@@ -1224,9 +1625,201 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) 
@@ -5554,9 +5554,7 @@ index f6eb4851f..fe461a3fc 100644 + files_search_pids($1) + read_files_pattern($1, httpd_var_run_t, httpd_var_run_t) +') - -- apache_run_all_scripts($1, $2) -- apache_run_helper($1, $2) ++ +######################################## +## +## Send and receive messages from @@ -5577,6 +5575,26 @@ index f6eb4851f..fe461a3fc 100644 + allow $1 httpd_t:dbus send_msg; + allow httpd_t $1:dbus send_msg; + ps_process_pattern(httpd_t, $1) ++') ++ ++######################################## ++## ++## Delete the httpd tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_delete_tmp',` ++ gen_require(` ++ type httpd_tmp_t; ++ ') + +- apache_run_all_scripts($1, $2) +- apache_run_helper($1, $2) ++ allow $1 httpd_tmp_t:file unlink; ') diff --git a/apache.te b/apache.te index 6649962b6..1a0189a44 100644 @@ -20908,7 +20926,7 @@ index b25b01d12..06895f39a 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502e6..73da04ae1 100644 +index 001b502e6..b264e198a 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -20926,9 +20944,10 @@ index 001b502e6..73da04ae1 100644 # -allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; -+allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice }; +-allow ctdbd_t self:process { setpgid signal_perms setsched }; ++allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource }; +allow ctdbd_t self:capability2 block_suspend; - allow ctdbd_t self:process { setpgid signal_perms setsched }; ++allow ctdbd_t self:process { setpgid setrlimit signal_perms setsched }; allow ctdbd_t self:fifo_file rw_fifo_file_perms; allow ctdbd_t self:unix_stream_socket { accept connectto listen }; allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; 
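Review bot: `apache_delete_tmp` grants only `allow $1 httpd_tmp_t:file unlink;`, which is not enough on its own to remove a file that lives inside an httpd_tmp_t directory — the caller also needs `search` and `remove_name` on that directory, and the interface says nothing about sockets, symlinks or the tmp directories themselves even though its summary is "Delete the httpd tmp". The caller added by this commit (systemd, per the changelog) probably has the directory permissions from elsewhere, so the gap would only show for a future, less privileged caller. I would write the body with the reference-policy pattern so the interface is self-contained and consistent with the rest of apache.if: `files_search_tmp($1)` followed by `delete_files_pattern($1, httpd_tmp_t, httpd_tmp_t)`. The summary could also say "Delete httpd tmp files" to match what is actually granted.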
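Review bot: In the ctdb.te hunk, `sys_resource` is added to `ctdbd_t self:capability` together with `setrlimit` on `self:process`; the `setrlimit` permission is what is checked when a process changes its own limits, while CAP_SYS_RESOURCE is only consulted when a hard limit is raised. If ctdbd is only lifting a soft limit (commonly RLIMIT_NOFILE up to the hard limit), the capability is unnecessary and widens the domain — worth confirming against the original denial before keeping both. The `dac_override dac_read_search` part of the line is pre-existing in the patch and not introduced here. A short comment above the rule, such as `# setrlimit/sys_resource: ctdbd raises its own rlimits at startup`, would record why the capability is granted.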
@@ -30088,6 +30107,59 @@ index 5010f04e1..0341ae121 100644 ') optional_policy(` +diff --git a/fprintd.if b/fprintd.if +index 8081132cd..4fb5a13bc 100644 +--- a/fprintd.if ++++ b/fprintd.if +@@ -19,6 +19,25 @@ interface(`fprintd_domtrans',` + domtrans_pattern($1, fprintd_exec_t, fprintd_t) + ') + ++###################################### ++## ++## Execute fprintd in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fprintd_exec',` ++ gen_require(` ++ type fprintd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, fprintd_exec_t) ++') ++ + ######################################## + ## + ## Send and receive messages from +@@ -39,3 +58,22 @@ interface(`fprintd_dbus_chat',` + allow $1 fprintd_t:dbus send_msg; + allow fprintd_t $1:dbus send_msg; + ') ++ ++######################################## ++ ++## ++## Mounton fprintd lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fprintd_mounton_var_lib',` ++ gen_require(` ++ type fprintd_var_lib_t; ++ ') ++ ++ allow $1 fprintd_var_lib_t:dir mounton; ++') diff --git a/fprintd.te b/fprintd.te index 92a6479a2..f064c940d 100644 --- a/fprintd.te @@ -53630,7 +53702,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..94822ad40 100644 +index 11ac8e4fc..7cba596af 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -54084,7 +54156,7 @@ index 11ac8e4fc..94822ad40 100644 ') optional_policy(` -@@ -300,259 +340,260 @@ optional_policy(` +@@ -300,259 +340,261 @@ optional_policy(` ######################################## # @@ -54299,6 +54371,7 @@ index 11ac8e4fc..94822ad40 100644 dev_rw_xserver_misc(mozilla_plugin_t) +dev_rwx_zero(mozilla_plugin_t) +dev_dontaudit_read_mtrr(mozilla_plugin_t) ++dev_map_video_dev(mozilla_plugin_t) +xserver_dri_domain(mozilla_plugin_t) -dev_dontaudit_getattr_generic_files(mozilla_plugin_t) 
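Review bot: In the new `fprintd_mounton_var_lib` interface there is an empty `++` line between the `########` banner and the `## <summary>` comment block, unlike `fprintd_exec` directly above it, where the banner and the documentation comment are adjacent. The interface documentation is extracted from that comment block, so the stray blank line is at least a consistency issue and may separate the doc comment from the banner in generated docs; drop the empty line so the header reads `########################################` immediately followed by `##`. Both interfaces are otherwise self-contained (`gen_require` plus a single rule), and `fprintd_exec` correctly pairs `corecmd_search_bin($1)` with `can_exec`.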
@@ -54491,7 +54564,7 @@ index 11ac8e4fc..94822ad40 100644 ') optional_policy(` -@@ -560,7 +601,11 @@ optional_policy(` +@@ -560,7 +602,11 @@ optional_policy(` ') optional_policy(` @@ -54504,7 +54577,7 @@ index 11ac8e4fc..94822ad40 100644 ') optional_policy(` -@@ -568,108 +613,144 @@ optional_policy(` +@@ -568,108 +614,144 @@ optional_policy(` ') optional_policy(` @@ -112156,10 +112229,10 @@ index 000000000..e5cec8fda +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 000000000..7726f7594 +index 000000000..9c3b00220 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,109 @@ +@@ -0,0 +1,117 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -112167,6 +112240,13 @@ index 000000000..7726f7594 +# Declarations +# + ++## ++##

++## Allow tomcat to read rpm database. ++##

++##
++gen_tunable(tomcat_read_rpm_db, false) ++ +attribute tomcat_domain; + +tomcat_domain_template(tomcat) @@ -112245,6 +112325,7 @@ index 000000000..7726f7594 +corenet_tcp_connect_ibm_dt_2_port(tomcat_domain) +corenet_tcp_connect_unreserved_ports(tomcat_domain) +corenet_tcp_connect_mssql_port(tomcat_domain) ++corenet_tcp_connect_mysqld_port(tomcat_domain) + +dev_read_rand(tomcat_domain) +dev_read_urand(tomcat_domain) @@ -112265,7 +112346,7 @@ index 000000000..7726f7594 + tomcat_search_lib(tomcat_domain) +') + -+optional_policy(` ++tunable_policy(`tomcat_read_rpm_db',` + rpm_exec(tomcat_domain) + rpm_read_db(tomcat_domain) +') diff --git a/selinux-policy.spec b/selinux-policy.spec index 4abaa6d8..290d0690 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 285%{?dist} +Release: 286%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,20 @@ exit 0 %endif %changelog +* Mon Sep 18 2017 Lukas Vrabec - 3.13.1-286 +- Add new boolean tomcat_read_rpm_db() +- Allow tomcat to connect on mysqld tcp ports +- Add new interface apache_delete_tmp() +- Add interface fprintd_exec() +- Add interface fprintd_mounton_var_lib() +- Allow mozilla plugin to mmap video devices BZ(1492580) +- Add ctdbd_t domain sys_source capability and allow setrlimit +- Allow systemd-logind to use ypbind +- Allow systemd to remove apache tmp files +- Allow ldconfig domain to mmap ldconfig cache files +- Allow systemd to exec fprintd BZ(1491808) +- Allow systemd to mounton fprintd lib dir + * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-285 - Allow svirt_t read userdomain state
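Review bot: The last tomcat.te hunk turns `optional_policy(` into `tunable_policy(\`tomcat_read_rpm_db',`, dropping the optional_policy wrapper around `rpm_exec(tomcat_domain)` and `rpm_read_db(tomcat_domain)`. Those interfaces belong to the rpm module, so without `optional_policy` the tomcat module now requires rpm to be present at link time rather than degrading gracefully; the usual form nests the tunable inside the optional block. The `gen_tunable(tomcat_read_rpm_db, false)` declaration in the earlier hunk on the same lines is fine, and defaulting the boolean to off is the right choice since it lets the tomcat domain execute rpm. The `<summary>` text of that boolean should also be checked in the source, as the markup did not survive extraction here.
```m4
optional_policy(`
	tunable_policy(`tomcat_read_rpm_db',`
		rpm_exec(tomcat_domain)
		rpm_read_db(tomcat_domain)
	')
')
```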