From 83eed32c03821c8edf45b3ada8bbb786a6c590d6 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Thu, 14 Sep 2017 09:11:13 +0200 Subject: [PATCH] * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-284 - Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files - Allow automount domain to manage mount pid files - Allow stunnel_t domain setsched - Add keepalived domain setpgid capability - Merge pull request #24 from teg/rawhide - Merge pull request #28 from lslebodn/revert_1e8403055 - Allow sysctl_irq_t associate with proc_t - Enable cgroup sec labeling - Allow sshd_t domain to send signull to xdm_t processes --- container-selinux.tgz | Bin 6999 -> 7000 bytes policy-rawhide-base.patch | 112 ++++++++++++++++++---------- policy-rawhide-contrib.patch | 141 ++++++++++++++++------------------- selinux-policy.spec | 13 +++- 4 files changed, 150 insertions(+), 116 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index 01fb911195533b3b65ece3d8fde274ca95843728..9960e8d5192dee3f82f3a0fae1b4f0908509e767 100644 GIT binary patch delta 6739 zcmV-Z8m#5lHrO_QABzY8A1k_900Zq^ZI9eGlFrxZUm@55JQLV6o^j#@JlQ=gk_GNQ z91!d-a33yr9krzH){fpHspsVe-rs&z#TQW$Nl|LGJqw6H(jKYmAz37g#bS{P@~rmb zEGjSK?KdY%?;(Bs_&xq!|KW%C>Mx`ZA3t1Qe{=oe`iGAa-{1W3{f9q%^Zxq7&GpA` zy!Vli7!%j8y&tPXn)>C_pZ>m&yu66Acagg#0UnXz9|q$qM)m4XlLi4YDS7+b>TDNf z>oWTN5SKu^Iy7=Z-V^{s^~Ew&X=yt$KM0Yw2H@SD ztK)$7I##5Aqh?g(m&6+{gklDDUdB;1qVt|cki4Hkv0Mas@0Up02$J&mzP;Abe1dv< z93TFiqQ6)0wf7H~;XPymSny6`ven~+abcW=cLtV7RO-=jN1x?BUYe>bJ zByM9LJtJ`TTCX}J))$a@wfD>DB}ttM_a{#)dI(tGp!R zj0*>+nCVSpnV`O$R9~9etLQ9O>5f-f7RjGf)BFV10WOg@{{VSc=%4VFrhr^p&GCdR z4{^Qsd>}m3AmKU=e>|#v<9mRq9qD{!&M(UN9`ixUFW8_RWL}CjmO_J%&RnWWz9p-J z2?Y(6fTT1gE5^GH62GbpS<$}R3(e^AD{#bg?#FmrwVLHz(SN+)@HH7y}&pdC_=VGG%hkY-nyp4X9Pdsr6r z)7UB8>);#3>5bg3I8@Nt>L*fLiMd7^X9$~p6=CDQqO2YxYE1o{EFvd{QDScT=P<5E4Vj$Mp% z%c#ne`%9F-EU>JlDlh~#`C~Ls^%*7_wKKxyuzpDVr}+_YW`y+XJdK480K=t(S$pk= zX`HdS2sb@V!-q{)0_jq|0JI}rKY5l3|AsU=f3WhN?}4HJ=v6hCBq_}=QT^5JXI2`t zH?Y)`qsX)iTtnoTVG-Rf$)ts}VIAZK-6`$ZSNa8Ehx3#0vU{!V!wJ@}wd4Kmm!Fz4 zR4=*r6@haPL|U}V;K$W3!yeO;YYk;31BKPR>MY?2{1Zw@l!wuIyjXR9Wb44XM0f|w ze*=`tpRfVzeZC#%kb%r-cG44yg4uUAYzWHsg>g&_@pF%4 zhaaWv0KggpxrH?^`FBq2y!sj^;V`$-H&2GWbHdMtYN6+36Au4%ktcERL_J(M1-Tc{ zhY?VVV1oahx&>Bs2UCSH>hYYnAX%<0yS z;cmdhe`6WO-sjYY$126?ytW`|<0m_1aYNFE6E;ZQ*AmGNC8K<_Nch%Lq<$!bVm0=> zq}^BsgV@`#03D&rmzGkscd$)HtDaZgXj53lV_UBMxx?hov7zXf-nO;*@uxA&M~NUe z#bxoe=V+|E%UL3F8w{KtBAQv^$ts$$D%wY8e@=vLjz-SLui~IRfeQJ$O_xO(ZR1Cc zJb$4Vlnu68gJzZ|bo>JMAXITOzO{Izm1lEmu*;{;m7uKKhKD2(c>vKl5?#ng=ov=! 
zm(r?kUHj!Oss&A&RBO;1JMN6`ybLPr`{;47LPzV<=tf6*jc zfAq4BPL+rK{Qt*~H`m|y&i{Y-VLAW*B@*+rtkXOM#da=x!&~p>^5(GIXp=e|^aOjapZ^Gy`+}t+(})D!S+tiI<33^?Vyq z_4GsTDG&VKmHDCY&beFaf@^7qQgEY;0W{?>tz@9Ov5ylCSrwoIt%i4-S{UOLkr(<= z3hJ3D?Q=~|wgb*w)mMkjKh|Kl1$$KKjndb_NhVb1jvUgVp(~!bbhf!|r5Y0IeAm3E5T!Pp2wM^x$Yd_iL*#?C-+7n6k1JgFZRBRBft8d0O;y*r{k2;gZA`J zq;%fp(xLSV$hSzkkvHcZCd=qge~X?5z(=xW;ExVsi`9yZ8>T&MwvjB+;ZHOEwlei9 z>TvyDrSGNs{gDo8*E!Y(@4M=Zd2~tpSt;8X?Oa+LWnw=i}T)Cd}8)t-3i+3gDb&{Z5VCO ze~W0&TZ4IzOOe++A{-}x@R(@`)_U)~cOI@9nDqDYZVxjrEx_A3Cv4q6TgJGIQS%&a z2{jfC=np^fm^}usn2$_1@mEo@{S^3xzloE$e)68ZV4pu^-dzj^&=&rMCoHR|jzcfK z%kt2}rlAcy`qw7TWc)one<*#hX`*@ykT~J3G5CtEfBJkoR0^kecr;V(hfC(a1J0otc$mqmI03 zwWIA)_;uvKAbJ*ntp?H$G3^_sy(<%x>36|}|8`{41$^+V)rXE~e|1pIfN}_XC}Y^0 z0eRzX$QGy$RS{*OjkBvO)vBP2hz6@uKW0kEgJF^fF%;fmL{a6AsPPf3pmO3l+6>fJ z5@&boJAOd%5Zz;Vz!4=Ah|myW?C&~I;_W0zTdCv}iXDJ7G%OOMG7i?Dz_n)9g=E2w zJCX(DKbD1hCUoaAe+uqdP!}$Vg^VTjl=_X@G_%kKDlqpJZ&a=y6_~;LogFo+RG3IiYG#W`^!At zDe_~%`u8kMMjQ-zc0|_1KnrMIXxo}t)9Jq=4j-e-B%W?E%;ng>&>YQ-8ov`l#VqeyOGir{3h z_h&avM+l$95N5X=z`Ruhre5)VW=rUHfZISZwc)qC?A_yT@BUHc*(JPuWvjrm)@9fC z0etR9Q@r;6e;kG^rZDyIqE^7qJ__!<0*M9T^&bhwy+jA|X>i>k#Rf5EyRPVPp4xf1!WDWJgRGzAbm1@x`>^JQ91n z;W09U(fY#`zwHcl(k2~fgH}1RMF-Bg9Nns}_{Rv|y$;;-amq}@vG!BuG1{UZlZVSR z)nOvbT$!J4?Ym^Q+_$Pvf9x<}byMw@Y1NTe6Eq&V38Tz*^W)Uc;($52b2wnmjW>F< z+b~^Pf0z@Gw5(ivu`J3wrkMU*?@6$mL%yekznLFjcQE}lSty6fPnQ9n17E#vXquc_ zmx0V@)D7KzH)Y^EVvbgNj<};0pCj&gqtg+1v=$t~bayTM1UGIdu{xEFaw19s># zwW+<=33IFw=?FZnn>hea>Si|FcHn|@H{g)Ee{LY_P94If8~3k~>h#?Qsb}~}UFhE! 
zgw=ignTIp*y^wZPgSIYBr~@%#xIV7EYYf@f>*qTVdX(^Rau&x$QRRAal{$-R^nbXL z(^1x^DyS1fQ3UY=B0G_S*s5S3g>ISShPpurO(^!70`C2wj_+YSg@*h&eTeT4A>G%< ze=}ikDw|M5Fkrk3_DPG&N6W_zOjxKMm0HBK(O=pg~sEA z9;}T%JmsQIRqdlBaiDYaTph73+1fA^Z1Hvi)5N?w(MSfise6a}x-J~E5G+BSrbQAx zuBlHB^R~86T_vbxa@$0nyj444uXC}SWaNkGIL1xQg)Sr}eF|T<){#>( zzt2G79fVP}Tf&m-!#dB{?X&zY8hu@=Ixo?L!ypM#-;Wq27*}@&dWsFeNi3_Xe}}jZ z_If&g|3bI>z```l9}Lj^%3N_EPESQd`2Jw15hutCJHJUC(R;CsiO z+(m)|o@$*|I|Fr#7;Gfm8Ut$6;ybPaWf)NGWc+`=`2<13&@=%%rnsgZuXPZa>aSxJ zcI_6P0D=z~7S+)yEipM!?jJ(GfA%foh-_~$=*$Ip?e(cGEoWH^FkX4fvf_PSF?}Jw zOK2Ee(V>pH?HWc~|B%$o&+=#ziORvcp9%V@!YL-?{+l(sM9?s3I5C+*@z#o~xs|4> z_RWc5E!P`8V_Bp|=jH`_%|x@YP?!M>xo%4#uZv33=e?3!+PVrL| zKn?vhc?{TDTRa}-9t-`?X9{6vwt_&-6KSWi%CY!E%f>lG$>$6T_lz=f~cfkl^yMskT z?Bd^{@8>xopUT4oq^vtS(5h`n#<=iO5w9a_%h(#McHh!M7Msmte`hqCMm;`uZ6zvX z=u*)>N?;x{C3oD0 z{0)p}I0LS`klKYVe}n%hP%qYd?RB{A`kLCC^9-%yRnLTNxgR-@xk{jFAJ4aSsV?b& zD+E+_#UpQQb&(6L^&?w&x)GC;WfngSO7#{2NFI=kf08Fc;RhHb6yxHMp#d5A z)ClGcH?+WDrQR$Qq3tSoXkM<q7Ea^N1I#$4NFC_|Mo(&a6_ z$+%qcD^R4ff8aibMkPP$mYvdWR4F{Ml%YdtsbGhah51;$!5t2}o;Z_JSY{enXUYU- zC88O8s5*@?Pi3>1@^5Scul#i5cSIh<&Y~nzr{*EbaZ)FiVX>3AhRSRd0>9FSgt3MH zZRK~knu4(BmU?Q*Ev3=Y+iNOVsQWMuE1~FV4x}W&f8j#w-F%3lkasW7tXe{5o7@*2 zrrtf7W+vv&(7o3LpR%(rZ2RrDlV>}qN(ZQ1E<`){weo?gZVjYE*rmFfTOQ49+o~0j z!P=CWB4#FBVl`Z1E@z88J(t0S>ld`WK@DWxgcXz`@>~u za37lSf9Zo?hVrs|mV{woBVrauv+aeJieXx_-eT`&h3M#05N({9+-K~jMqSR^xQrfP z#Ds$tePa|VF6SqC{||DVZ`#l>F=hd7$z-_mYP^``V)a@jY|em<%8G`<;O-J5vuxe4 z5#?Yt>L|rf9Lie`S=+=+)FQsom0p;9Ee7g@e+I7CbUSJC7;u2*+XU;DcG3Hc#l>p! 
zGUx$qE?H%46tAXGYf7GmM(tg64iiVHQoeO+jUAM;iGSOR$@nYmCz9 ze~Xy#B4q6qOmykrF^6q!HwpGWlc60gy=>&|#$)-F$Z(Ee>EZNkre;^sxNoSrfLTB2 z-E!ppR1+W%y;Ti2#-7`m!g&_jJ$v(%%DK$5v~riU$>t#P#_*7s%1aOssz>Fm>+HAA zax&u@RQ8yC9H|x7YDaD~OIv@D-ncw9I|(5BdgrW$#_=UdZLyh>e@F?q z6Zg|-!Q6rlCHZhXnk1d5@anF%d+q(iE>ujO*tHrl`+^Tl+F(wjGQPww9eNtuRemL) zDc=RZScBd9sbh>ZQo>2p^7xaVzq55E2?uPA z)-xI?-GzSLjUm>C1@o=rEN2^|olB{i*N#WP%G(k7-fYVyDk!y`n1{Wx<3G}=(T$j} z1U6XWI&ASA9ra{93Q=oLC9w*%Lw5VuL~5=T7Lpirm7|ZZ`8H`c|Gse}f9Y>+)FK#C zq1GL`(nURT6Px_K6)g1cnCCZ2bj|*h{ajG(ei3Co;sVNg#Azm7X$R=6hsA35 z3nq0#b>bDY$K8M1zr%Se8qa;xh|&_W0%+)k=HrqYBN7akJaSVf)9hJ>3wrqRP6P_1dVkf6hj_QOTcRTikU! ze8e{R;P$t}wzu1Mx2s6_IJFr+E_Xi<@s7EQdI)QT-g@)a`>pw&xEfb&I?d-QH)1BK z4WAHn#)O#`)KTSViS`cZ4D$>e5OOeR$7JeuB*;lLq`MvELbOhm;goOscP7w^NuC;G zYbM1;Zhz#np<6!TfA=+#Y?#aK$-Zr8|Nh_g_07lY-uM6BFW>+BBIydvyQ^O>*%y82 z>!8>rqQ{zl!ft)|#OI9iQ!|SB73S4@82(p>s=P|#4Nj?74Cm_dyR&!ioYBO(nSWIW zQFWl~XC7!UcpJRA0F%ey9m367cfh=wsfgq(rh)=RFk7t|f7o1TlIp+z_v(MXV|xYj zHuyXAa#!_iCFZF7Q$};cX8C=d9Mb6Bcu^?d1#F-z5^@>mvvpMJRkOpMrkJNFWgf)g zTzHiVIFA--YtPyHlaj-HBesF&D`);YO=T;e-Q(y{Ehd$7P_7sMcIJ!~h;LGm02&;w zRE~$k-gy+tf9mSqXR^cKF^1#{)Px67c?3{PRI^|K)DS;4Vb=ErwxWaW$9(} zI#1)VBS~9v1(aVhHK$n3=*Ngy!sDzok8Ba?ihC%cf3fYQZ~mi{uvJrW%o8XqfvneC zN2@J8{H)r`oW(p!OyJL~%LMG~Dy;*2yk-N_sIS>Z^=lS=CCf^H6D$k^)HEB)R4zd< zMa>us_v>X5hoj8J0XX!M170-`-aCFkY0mbzVmA2b{?ZHDQ*Up_=_qShF@kNwGQj}V4djSzh+9OpxB#UIRSS(UOp4EPw zMdf9@{pLjJEu;@0-sA7}58uC4e<8j5@b3Eho9lPi-+%uR!}|~Kf4KhU?e)8xo9l19 zw~>(;6PGW&AFD%}`sLG~|FMs}yoj5aucTQ%ltI@(+fuR;?I)@0Wv9i{oCqn7iH@*`r{CnK)X6StDg#`29l?Kt$7%M1lIMf zg)1$#6;ZsplVSly0XLJV0Wg2Q+JTB4evGK)c(jhTz|V-%I?9e5P=Aa3kmOsGId(n| zW-1VWzU>dOnMRO9CpQQiin^xaP3qMJXf0O90qu3HNdHdFsK_sgH(m(E4C=g$qiRIw zJ&hoFKZ9bq2=d-9k+cych| zrZM_C1#Qq7l5Y-m(H1u~?H3m`DF>_}6=#yTjeYctz}aiP>X2BULFU!oFQczX>Qo?i zxifMHsV8w&W8XFjodanexir}@caq&rMsRQNUUUD2Mm@TbvTFSk$cP7Fy?KQugN&$!oewKdec}YsLv4Vk80oe9$;!mI$xRd zi!#2)e30@pHfRT#mtu{j(BPvpm#UI)$?9N2K|>`VDUHdB@vei!uPQ@U^sb-RCgRzJ zWAelQzwq(`W!%$s$aGw=cw%R`7I 
zVK^G!i&B!0_~Xf*A-yjHT)aRYpTPK^g8MVNC}|k`S?GT~l(B9xnMNthTwi`rKY)zV zN#0&fOGp}Mhty-(LiQu1*%hYeb)?xImPP$Eb_(}8_(pMhBeyFK6?C@xiPR&Gg|<+| z2|T6{g2G>ode!Z zQzMeR_Fl+$m%#VpVlqyc2Y1s!D&SuCN`z0Rpn<8c;=Box7@BuF606$`C7C1}hLH!; zB-<%L#WA4!?Z959ZfHWGE-Da`$DozH=>E1MaASYhP=tv%Jwc2{&@|^nj5i6WyGrd@ zj`qLCY2EbxZM?gTvimtv_jy%Ua|641rDl7|m0ChKWY) zjBq)u9}@p*e#Dy@A^kc}W1$1Ua4BKdUi)DhXKXIQO;6MCVUv|Wx|A;f?MT;8o@K(n zA&q|yti0!YVCX-3RShOdO7lxpe{uVnl?Lq%EcN6lGVKD_5IJU8M7K*aX(4S`2f0Ca zN;~$IenHsb{3yKaUTgbsg7s_dcz^%pr=|?m*WCMxz_|w^E!t)9!ZhO&}@ z!fIZ1mhc4r5hWzb!{|I-tU5okbzog0yn}z`0ZQfZ`jH!jbXE)*!`w|i-gcPleO%^Q zI%?5!n&zT%9_y_!I^IQ#+TA<-RSVeZ`WHLxb7sysx&cJU+cPZEOOS?F#k^mDa1ZDfeI3|Ypxks|Yk5YC3V2y#?!kU--J12HteT|cFm|HmM zC&S)3;b%j&&~vg0hyS|BlQ?*y9xj}M+zaT#2&hG{!G-dEz-jnuZfEb>Kh%33=-Ko5 z(#x-t1qU*JU$4zWwI6SG_eVjI96-f78$(V;a2M0{-S`2cY0d6N6*(9;`5_A{8Zfw< zI*%@68^RL)h_L>qh?Djp)Ef4wVEQ`V?1Wj+&z>~!e9mC90Fx6YwDPIQp}NdcjjMUj z#mszkr77;zV-+^jkI}JBye22s8cMO4)2$uD-GGUI$1;q)WMRf^MjZ9&q;Pj<@U zhNKNAY>>LIC6XOVM)_!w@U5jt{ZI(SYV3JQyRi%gvA1IZIzpE(Ev0JjV4I9qJ+Hda zrm%{~wp{yjhsmE~L(wn2ZEN%6Ph*&m5GV(O7qvvqa=J7&tvdG_%B$RWxH& zw2#bxoCw<-jhu~N#X)-l74mhPE{ihS#*Z3#{z5M(8*H@(%`8vo_yz7ksN!UNYw=1e z&*s!%mrtE5L0PvA4@n~O0HSjwx{#01GmPplrB&U!_RC#V3z{^k)}S|b+!@_@8C2N! 
z(J=#=h2k+zQ9MXwUGg@;S2R0(>4Vh&qDi)Y=w%(9Di8bl{|_H-uHX00|G$5`od5qE ziFsPqX&!=NJD0uTwRdxQ^X~HP#j2w(SePgCu6Sjh*ZJL8Q+f5$`#A!fk}ej2IcG(x zER3pvhu9Q6xF*676)2APu#Z3wmTEYOPv)`k6O%VLNxXmj^ov*IWi4ZH3a%#^I##BC zK4ktzt*cy`fw}(L+xkfrU37}XOT?^tzKy7Q`XTp}2Y&C${7`u3+%0v%wX{PixKYLc znsS&{GEm*v$BBll3ebU8!@Er_jB$#{3;ies^~{v^xh5yu0cWo2tHb8^H5hKe9#wjy z^mTBO3DvnHhjeJ@if1mJZEjnshJ-qQiE+C@H`#FNuBh1}ye(q(tk){4)38tP)Gk)H z+=Wsv#X-@I6FG0a?e{V1&Tbb`33K9SB~V;?FSs^DsSPK>mc#}!nG5s~`C#pL-sSJ( z3fFxbx!Gx8<>Y@;)wOPa?bb#cQ*3uI#6$!sop-r(XuSgREs}2J&3T8(GWyehqNf4y zk!%_Gql4IDwIbt&X%CxiBujMo(~Q5ZOudRaT)$W8d#QeZq=VXZjBAWBoVBX_WXakS_wTUwse@_p8N*`>RsNMo3 zPIzk!zM|`&KHUzL0<0LZVP8fG*vAQO*bgv?HS#|p)8J4-*Qtkj+6LzU^)|$?q+v32 zGSVo>(I6P4=6j16JFRRqvdv3pX64wZBX3&mXuA}C9XT+Fo&{j5f%HR6`-W-n$^>Ql zLvZ209ocjNA3SUIp(9#<9TYR59Ks&T81`mB-gq0b1*$_;L|JI#?CMIjD(E7j!RpkH znG*6~nB+kWg?AWHRJkK+d;}|~oOq5l1ND`}+1>h%A5c6*_ZS{2Otd%i^QmmgEc5{t(kQpS+L`dWC8h)Wucx4-MNf^f_oO!h0E;Wl1<^E zqB+t_fsLS-3w}Gxs#>%YvDO{U;X!Q67w#0n$Yy@qit?%;=d< z?%Og?n~9z-JW2Bq%!HNpGK7KRiBRDFGEaAk{8+I5Jqwc&2Sc76ku@>U0-6`vwkFne zx-kM1%U^vY+?4izv?DSou=w2N)BtwQjl7svWwt`s#m!Brt{JW4BXFv#KzqizQk1^; zNuITtR@t5A!PKf+u|^Lq6Q2Gkk{g&JI2r8y$xYJ{!bdTL*)0b!Z`FXQSA3t?61pAW zHc(7$_$@Dc_qf}e->W>kgqJUD6?oRV?D{@{PyJ|$m)>80!jQ!jrv6>j3i#Pa!JYSz zmv@&y_V0NSZ4XKEgbsI*K$_o^H$L+oB5&`*AHKJVPyk+)CkOQ40@r_W0^|vE+QQuC zSPy92*DS*2AwMJ`&m8|wVR{C03D$!V09eCwxcij-0O748L*wrd9*{;PWC~~p~hzY~D<*qZnm^Pe8VvjdGMrJTtf4JheouN+JqyufxDo3{Hz&V$r zTh$f+7{R;OfqOnqnTa^oe#$&XTl8b{aG9n$Ok|lW^V6+;m&}&?R`uzR9VV=9s@*cJ zI`V3Q#v?ajl-X{6oZ49&Fh_R|2h6$gMvrzIrb`QdbK;Sfm1{4SMVZGG)1T`-33hYH z_muEA^W*Cdrk^GYguy&u%^J&dQ&kUysn@!cV$`}%l)ChSdR6N(51jCa94X>nQU#};lvk#@Wr z4i>2!?%G5Uinzg7*0I8=NY?wmfuCAuS-?u zC7N&;Bth!?5u*g->drtm-VWmWZm5ZA$8Psi_H=yo4in1=a-0h(W#D-OizsfY;Q z9}G3(1bJcSH>o3fFP4#fOO`I8z)%}YL$8{)G@bR!)WUtlA8Hh9!(-qIav2I zK|fVE#f02{vu2kF8U_s~CQ~ThT5&bE(p1&HIWer|dZlM9i`3}cykM`HXf_rKGk_u2 zEe!rVsRr7{z#JFMLY&5ppOd|RXKK+Yeu@I9p}!`N0Xu7p$HUxXq5t_zAs@w`Dg7_^2>TuAq+xq#)&RS2i)q&${4$O%G=*=B^tb 
z_55s!e)R%z2i`#A82pUQM%p;m{zjbZmW+A=j9cxkDRbDTv11OB`?vtLoNe;~2go0X zsH)dw({)dwUwGGJ_7hWpj zb!2TBTZ7f^TUy9svsvtajAqlQ$H%U%M1>4pD%wX03`U#zy;_CQy}AZ5c%l>{5FBo{ zo7`MLNzD$EtzooCl7j4&kH9gw=A)6U{aJ;7l4piT*V=U zdkrqp`BLQwhQSqjkHcjR-eZz`a-+E9j@yvGf$@3KnXoPQBL^~92~_Rl`L-_AB^_{ufXc3TVsf&~;)kIr zYkz>@m~1SNj=mT|i?h6rw@-GLO`Po`)X1R{qBKw=S<3m{Py_OOaLaquY+^}gwQ(gW zNsBstw2%nN1CmjH@`<~WAFDUG!(rDGXL1V5OatponZT?>G=mRSr!nTKY!*}gl}+H4pKkn)$b;Bf zltk*(JVZH8>clcEb`sZ6nT)B5cb?sPc6BnG+KIlO$7^eAI4!N z6g|y>lms|`Txh+U4>1(-?&X7k#M~LW_nP2ScJ_sBzuk87YzI~8 z0F}#yXa~PmK2X)IfpiGFR9AD$qnT}6wIVWDn=(_x%!Es}tuGPrR4g0?rP zfvlUbf>MOs*ylk*Zo8r}W#HdN2ZMo~rga>Cq6xPtsBG;>Bi~{Pb~AI0Q5t=J5ffg7ti6JXF8w>^u&wPT!QN*ww4EWZ*N&Jip?#`f4K)`q>j%ACj=Z000_35$s^P}ib30Qw&qBLrZ=O;) zmwA>}?vggy97Nt29uiY|2?9d(sJwNZ{nlAdW?X~H9o3xq7elIl zTzm?wQQjuKCd%1Wl9ssjN%wWDH>j}>kPKX-#_#H!aHE&XIr9E0X@(o%lmG^KSKF<6 z{fyDB5a0h8IL|Ts5fj_H!J{2B!CMbw%#?@iT*k3k*pFzqpbsC@FnmpBKbZ zQFc#10c!4LZk;pYXDyu0BuzPSVOw9!1~hmHWxo>Q+=p($;8}Gi40h9}evZ+9v)p*? z3ktp4_K=FpKQu#1IEh*wfAaHpwyq@MfUVJbMgyh0(675O#M-c6zIB}CY-6-@DK+!j z@d#LXJ0jnkZMj4RrM46Euvd2cM>;jS5fhfc21{IrEuN#Jo{UE!YR#!6R-tytZvUD{ z&9%Zp5`(UC^zk*{Chg|mH*O?<{jH5!1Vbv+x>s0G;))SnYnnq;9BAyn^<)`)~VqIFHGHR2vLDD%^JZ zMYIzxpgs2D+4(MnT!N1X?l4Q)6t+q}a&qk9;%&VD- zNX}v^C{P5m)tZ5S&4nhZ{`-Hg{^vWkS1@mbzd0Ku~Pqv_sBYfiuflTq@=14{qnnC@e2y>LS)}!7zP$s)4C(O7n*LRod*~L zqsI0l8y>$^cw{GVK)g8uvcYWRI8QfK+QqN)G#)#Wv=vuC`6W|xiq(vMjEE&X&Pwyh z7Ll&Fhawt(+g|$SKS~K(H5JD^fx;5VdcAeD+S0?%s=drv%%j8v{>-{ez|OAHI>5(k zHZYC)nr&3SX3z8ugOBbny`Vis#{#foPma(|^jR|%Xg3W ++## Send a null signal to xdm processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_signull',` ++ gen_require(` ++ type xdm_t; ++ ') ++ ++ allow $1 xdm_t:process signull; ++') ++ ++######################################## ++## + ## Kill X servers + ## + ## +@@ -1210,6 +1549,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## 
@@ -31223,7 +31254,7 @@ index 6bf0ecc2d..29db5fd25 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1584,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -31250,7 +31281,7 @@ index 6bf0ecc2d..29db5fd25 100644 ') ######################################## -@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1629,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -31259,7 +31290,7 @@ index 6bf0ecc2d..29db5fd25 100644 ## ## ## -@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1639,27 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -31288,7 +31319,7 @@ index 6bf0ecc2d..29db5fd25 100644 ') ######################################## -@@ -1284,10 +1658,662 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1676,662 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -34703,7 +34734,7 @@ index 3efd5b669..190c29841 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791dcc..2d255df93 100644 +index 09b791dcc..385cd6d79 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) 
@@ -34918,11 +34949,12 @@ index 09b791dcc..2d255df93 100644 allow updpwd_t self:process setfscreate; allow updpwd_t self:fifo_file rw_fifo_file_perms; allow updpwd_t self:unix_stream_socket create_stream_socket_perms; -@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t) +@@ -341,6 +362,12 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) files_manage_etc_files(updpwd_t) +auth_manage_passwd(updpwd_t) ++auth_filetrans_named_content(updpwd_t) + +mls_file_read_all_levels(updpwd_t) +mls_file_write_all_levels(updpwd_t) @@ -34930,7 +34962,7 @@ index 09b791dcc..2d255df93 100644 term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) -@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t) +@@ -350,9 +377,7 @@ auth_use_nsswitch(updpwd_t) logging_send_syslog_msg(updpwd_t) @@ -34941,7 +34973,7 @@ index 09b791dcc..2d255df93 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t) +@@ -380,13 +405,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) @@ -34958,7 +34990,7 @@ index 09b791dcc..2d255df93 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',` +@@ -397,19 +424,29 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -34992,7 +35024,7 @@ index 09b791dcc..2d255df93 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +454,42 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) @@ -35037,7 +35069,7 @@ index 09b791dcc..2d255df93 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +501,7 @@ optional_policy(` +@@ -438,6 +502,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') 
@@ -35045,7 +35077,7 @@ index 09b791dcc..2d255df93 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +520,159 @@ optional_policy(` +@@ -456,10 +521,159 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -58088,7 +58120,7 @@ index f4ac38dc7..1589d6065 100644 + ssh_signal(confined_admindomain) +') diff --git a/policy/policy_capabilities b/policy/policy_capabilities -index db3cbca45..0728639e8 100644 +index db3cbca45..40fd5a518 100644 --- a/policy/policy_capabilities +++ b/policy/policy_capabilities @@ -31,3 +31,21 @@ policycap network_peer_controls; @@ -58102,7 +58134,7 @@ index db3cbca45..0728639e8 100644 +# +# Added checks: +# (none) -+#policycap cgroup_seclabel; ++policycap cgroup_seclabel; + +# Enable NoNewPrivileges support. Requires libsepol 2.7+ +# and kernel 4.14 (estimated). diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 8e51ee1b..cffbeb56 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5579,7 +5579,7 @@ index f6eb4851f..fe461a3fc 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962b6..a6b4312e6 100644 +index 6649962b6..1a0189a44 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6828,7 +6828,7 @@ index 6649962b6..a6b4312e6 100644 avahi_dbus_chat(httpd_t) ') + -+ tunable_policy(`httpd_dbus_sssd', ++ tunable_policy(`httpd_dbus_sssd',` + sssd_dbus_chat(httpd_t) + ') ') @@ -9010,7 +9010,7 @@ index f24e36960..4484a98da 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 27d2f400b..1297f5bbe 100644 +index 27d2f400b..f74f75f1b 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; 
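Review bot: The new `++policycap cgroup_seclabel;` line in the policy_capabilities hunk records no kernel or libsepol requirement, while the NoNewPrivileges entry directly below it documents `Requires libsepol 2.7+ and kernel 4.14 (estimated)`. A kernel that does not know a policy capability rejects the whole policy at load time, so the minimum version is exactly what an operator debugging a load failure after this update would need. Suggest a comment line above it in the same form, `# Requires a kernel that knows the cgroup_seclabel policy capability (Linux 4.11+)`. The preceding `# Added checks:` / `# (none)` lines are context here and are left as the commit found them.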
@@ -9065,7 +9065,7 @@ index 27d2f400b..1297f5bbe 100644 fs_search_all(automount_t) fs_search_auto_mountpoints(automount_t) fs_unmount_all_fs(automount_t) -@@ -135,15 +139,18 @@ auth_use_nsswitch(automount_t) +@@ -135,15 +139,19 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -9082,13 +9082,14 @@ index 27d2f400b..1297f5bbe 100644 + mount_domtrans(automount_t) + mount_domtrans_showmount(automount_t) + mount_signal(automount_t) ++ mount_rw_pid_files(automount_t) +') + +optional_policy(` fstools_domtrans(automount_t) ') -@@ -166,3 +173,8 @@ optional_policy(` +@@ -166,3 +174,8 @@ optional_policy(` optional_policy(` udev_read_db(automount_t) ') @@ -22522,10 +22523,10 @@ index f55c42082..e9d64ab5f 100644 - -miscfiles_read_localization(dbskkd_t) diff --git a/dbus.fc b/dbus.fc -index dda905b9c..558729530 100644 +index dda905b9c..60806a524 100644 --- a/dbus.fc +++ b/dbus.fc -@@ -1,20 +1,29 @@ +@@ -1,20 +1,31 @@ -HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) +/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) @@ -22541,6 +22542,8 @@ index dda905b9c..558729530 100644 -/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/usr/bin/dbus-broker -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/usr/bin/dbus-broker-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0) -/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) @@ -23505,7 +23508,7 @@ index 62d22cb46..c0c2ed47d 100644 + manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) ') diff --git a/dbus.te b/dbus.te -index c9998c80d..d8ef03416 100644 +index c9998c80d..131d809ae 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` 
@@ -23632,7 +23635,7 @@ index c9998c80d..d8ef03416 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +124,176 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -23654,6 +23657,7 @@ index c9998c80d..d8ef03416 100644 +init_domtrans_script(system_dbusd_t) +init_rw_stream_sockets(system_dbusd_t) +init_status(system_dbusd_t) ++init_start_system(system_dbusd_t) # needed by dbus-broker logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) @@ -23823,7 +23827,7 @@ index c9998c80d..d8ef03416 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +302,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -23848,7 +23852,7 @@ index c9998c80d..d8ef03416 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +321,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -23856,7 +23860,7 @@ index c9998c80d..d8ef03416 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +330,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) 
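Review bot: `++init_start_system(system_dbusd_t) # needed by dbus-broker` grants the system bus domain the ability to start system services, a much broader privilege than the adjacent `init_status` and `init_rw_stream_sockets` calls, and the trailing comment names only the consumer, not the operation that needs it. Because the dbus.fc hunk above labels `/usr/bin/dbus-broker` and `/usr/bin/dbus-broker-launch` with the same `dbusd_exec_t` as dbus-daemon, the grant applies to both bus implementations, so a later reviewer cannot tell whether a narrower interface would do. Suggest replacing the trailing comment with a line above the call stating which dbus-broker operation requires starting units (presumably service activation via systemd — confirm), e.g. `# dbus-broker-launch: <operation that starts units>; dbus-daemon does not need this`. The rest of the dbus.te file continues outside this hunk.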
@@ -23898,7 +23902,7 @@ index c9998c80d..d8ef03416 100644 ') ######################################## -@@ -244,5 +367,9 @@ optional_policy(` +@@ -244,5 +368,9 @@ optional_policy(` # Unconfined access to this module # @@ -25814,10 +25818,10 @@ index 000000000..b3784d85d +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 000000000..86c5021d6 +index 000000000..22cafcd43 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,211 @@ +@@ -0,0 +1,207 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -25982,10 +25986,6 @@ index 000000000..86c5021d6 + systemd_manage_passwd_run(dirsrv_t) +') + -+optional_policy(` -+ rolekit_read_tmp(dirsrv_t) -+') -+ +######################################## +# +# dirsrv-snmp local policy @@ -43317,7 +43317,7 @@ index 000000000..bd7e7fa17 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 000000000..923edd01e +index 000000000..7395ac19a --- /dev/null +++ b/keepalived.te @@ -0,0 +1,100 @@ @@ -43346,7 +43346,7 @@ index 000000000..923edd01e +# keepalived local policy +# + -+allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace }; ++allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setpgid sys_ptrace }; +allow keepalived_t self:process { signal_perms }; +allow keepalived_t self:netlink_socket create_socket_perms; +allow keepalived_t self:netlink_generic_socket create_socket_perms; @@ -53630,7 +53630,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..3c24a12ef 100644 +index 11ac8e4fc..94822ad40 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) 
@@ -53911,15 +53911,15 @@ index 11ac8e4fc..3c24a12ef 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) - -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -54049,34 +54049,34 @@ index 11ac8e4fc..3c24a12ef 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) -+') -+ -+optional_policy(` -+ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ lpd_domtrans_lpr(mozilla_t) ++ java_domtrans(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ nscd_socket_use(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) ++ nscd_socket_use(mozilla_t) ++') ++ ++optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -54084,7 +54084,7 @@ index 11ac8e4fc..3c24a12ef 100644 ') optional_policy(` -@@ -300,259 +340,258 @@ optional_policy(` +@@ -300,259 +340,260 @@ optional_policy(` ######################################## # 
@@ -54168,13 +54168,15 @@ index 11ac8e4fc..3c24a12ef 100644 -fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) +fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file dir lnk_file sock_file fifo_file }) +userdom_manage_home_texlive(mozilla_plugin_t) ++allow mozilla_plugin_t mozilla_plugin_tmpfs_t:file map; - allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; +-allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- + -dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) ++allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) @@ -54489,7 +54491,7 @@ index 11ac8e4fc..3c24a12ef 100644 ') optional_policy(` -@@ -560,7 +599,11 @@ optional_policy(` +@@ -560,7 +601,11 @@ optional_policy(` ') optional_policy(` @@ -54502,7 +54504,7 @@ index 11ac8e4fc..3c24a12ef 100644 ') optional_policy(` -@@ -568,108 +611,144 @@ optional_policy(` +@@ -568,108 +613,144 @@ optional_policy(` ') optional_policy(` @@ -56308,7 +56310,7 @@ index ed81cac5a..cd52baf59 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c6a..94b1dfca7 100644 +index ff1d68c6a..3f662fbef 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -56408,7 +56410,7 @@ index ff1d68c6a..94b1dfca7 100644 procmail_exec(user_mail_domain) ') -@@ -166,57 +166,76 @@ optional_policy(` +@@ -166,57 +166,77 @@ optional_policy(` uucp_manage_spool(user_mail_domain) ') 
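Review bot: The raw rule `++allow mozilla_plugin_t mozilla_plugin_tmpfs_t:file map;` is inserted after `userdom_manage_home_texlive(mozilla_plugin_t)` rather than next to `fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, ...)`, the other rule for the same type in this hunk, which is where a reader looking for mozilla_plugin_tmpfs_t permissions will look. Moving it up one line keeps the tmpfs rules together. The `allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;` line in the same hunk is removed and re-added unchanged, which is churn that hides the one real addition.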
@@ -56461,6 +56463,7 @@ index ff1d68c6a..94b1dfca7 100644 +userdom_dontaudit_list_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) +userdom_dontaudit_list_user_tmp(system_mail_t) ++userdom_dontaudit_read_inherited_admin_home_files(system_mail_t) + +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) @@ -56504,7 +56507,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -225,17 +244,21 @@ optional_policy(` +@@ -225,17 +245,21 @@ optional_policy(` ') optional_policy(` @@ -56528,7 +56531,7 @@ index ff1d68c6a..94b1dfca7 100644 courier_stream_connect_authdaemon(system_mail_t) ') -@@ -244,9 +267,10 @@ optional_policy(` +@@ -244,9 +268,10 @@ optional_policy(` ') optional_policy(` @@ -56542,7 +56545,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -258,10 +282,17 @@ optional_policy(` +@@ -258,10 +283,17 @@ optional_policy(` ') optional_policy(` @@ -56560,7 +56563,7 @@ index ff1d68c6a..94b1dfca7 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +303,19 @@ optional_policy(` +@@ -272,6 +304,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -56580,7 +56583,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -279,6 +323,10 @@ optional_policy(` +@@ -279,6 +324,10 @@ optional_policy(` ') optional_policy(` @@ -56591,7 +56594,7 @@ index ff1d68c6a..94b1dfca7 100644 userdom_dontaudit_use_user_ptys(system_mail_t) optional_policy(` -@@ -287,42 +335,36 @@ optional_policy(` +@@ -287,42 +336,36 @@ optional_policy(` ') optional_policy(` 
@@ -56644,7 +56647,7 @@ index ff1d68c6a..94b1dfca7 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,44 +373,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,44 +374,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -56714,7 +56717,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -381,24 +427,49 @@ optional_policy(` +@@ -381,24 +428,49 @@ optional_policy(` ######################################## # @@ -92198,10 +92201,10 @@ index 000000000..504b6e13e +/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0) diff --git a/rolekit.if b/rolekit.if new file mode 100644 -index 000000000..df5e3338c +index 000000000..b11fb8f6d --- /dev/null +++ b/rolekit.if -@@ -0,0 +1,138 @@ +@@ -0,0 +1,120 @@ +## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. + +######################################## @@ -92322,24 +92325,6 @@ index 000000000..df5e3338c + systemd_read_fifo_file_passwd_run($1) + ') +') -+ -+######################################## -+## -+## Allow domain to read rolekit tmp files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rolekit_read_tmp',` -+ gen_require(` -+ type rolekit_tmp_t; -+ ') -+ -+ read_files_pattern($1, rolekit_tmp_t, rolekit_tmp_t) -+') diff --git a/rolekit.te b/rolekit.te new file mode 100644 index 000000000..da944537b @@ -107829,7 +107814,7 @@ index 49dd63ca1..ae2e798f5 100644 + +/var/log/stunnel.* -- gen_context(system_u:object_r:stunnel_log_t,s0) diff --git a/stunnel.te b/stunnel.te -index 27a8480bc..5482c7549 100644 +index 27a8480bc..fc3fca520 100644 --- a/stunnel.te +++ b/stunnel.te @@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t) 
@@ -107842,15 +107827,18 @@ index 27a8480bc..5482c7549 100644 type stunnel_tmp_t; files_tmp_file(stunnel_tmp_t) -@@ -23,7 +26,7 @@ files_pid_file(stunnel_var_run_t) +@@ -23,9 +26,9 @@ files_pid_file(stunnel_var_run_t) # Local policy # -allow stunnel_t self:capability { setgid setuid sys_chroot }; +allow stunnel_t self:capability { setgid setuid sys_chroot sys_nice }; dontaudit stunnel_t self:capability sys_tty_config; - allow stunnel_t self:process signal_perms; +-allow stunnel_t self:process signal_perms; ++allow stunnel_t self:process { setsched signal_perms }; allow stunnel_t self:fifo_file rw_fifo_file_perms; + allow stunnel_t self:tcp_socket { accept listen }; + allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms; @@ -34,6 +37,9 @@ allow stunnel_t stunnel_etc_t:dir list_dir_perms; allow stunnel_t stunnel_etc_t:file read_file_perms; allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; @@ -112168,10 +112156,10 @@ index 000000000..e5cec8fda +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 000000000..bc54338c2 +index 000000000..7726f7594 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,108 @@ +@@ -0,0 +1,109 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -112256,6 +112244,7 @@ index 000000000..bc54338c2 +corenet_tcp_connect_oracle_port(tomcat_domain) +corenet_tcp_connect_ibm_dt_2_port(tomcat_domain) +corenet_tcp_connect_unreserved_ports(tomcat_domain) ++corenet_tcp_connect_mssql_port(tomcat_domain) + +dev_read_rand(tomcat_domain) +dev_read_urand(tomcat_domain) @@ -114588,10 +114577,10 @@ index 3d11c6a3d..c5d84287e 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bcfc..9777de289 100644 +index a4f20bcfc..58d0a33f2 100644 --- a/virt.fc 
+++ b/virt.fc -@@ -1,51 +1,109 @@ +@@ -1,51 +1,111 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -114726,6 +114715,8 @@ index a4f20bcfc..9777de289 100644 + +/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) + ++/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0) ++ +/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 1bb2c757..7509df1f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 283%{?dist} +Release: 284%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,17 @@ exit 0 %endif %changelog +* Thu Sep 14 2017 Lukas Vrabec - 3.13.1-284 +- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files +- Allow automount domain to manage mount pid files +- Allow stunnel_t domain setsched +- Add keepalived domain setpgid capability +- Merge pull request #24 from teg/rawhide +- Merge pull request #28 from lslebodn/revert_1e8403055 +- Allow sysctl_irq_t assciate with proc_t +- Enable cgourp sec labeling +- Allow sshd_t domain to send signull to xdm_t processes + * Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283 - Allow passwd_t domain mmap /etc/shadow and /etc/passwd - Allow pulseaudio_t domain to map user tmp files
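Review bot: `++/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0)` labels a shell script with the entrypoint type of the libvirt daemon, so any domain that transitions on `virtd_exec_t` will run this script in `virtd_t` with the daemon's full permission set; the transition rules are not in this hunk, so which callers are affected cannot be seen here. The entry carries no comment explaining why the script needs the daemon's type rather than a dedicated one, and it sits between the `qemu-ga` entry and the systemd unit-file entries rather than with the other executables. Suggest a comment above it, `# virt-sysprep firstboot hook; deliberately runs in virtd_t — <reason>`, or a type of its own if the hook does not need libvirtd's privileges.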