* Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-260

- Allow sssd_t to read realmd lib files. - Fix init interface file. init_var_run_t is type not attribute
2017-06-19 16:52:54 +02:00 · 2017-06-19 16:52:54 +02:00 · 8c093f225c
commit 8c093f225c
parent fa95f253bf
4 changed files with 16 additions and 8 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -34324,7 +34324,7 @@ index bc0ffc8..37b8ea5 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..2dad865 100644
+index 79a45f6..054b9f7 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -35160,7 +35160,7 @@ index 79a45f6..2dad865 100644
 +#
 +interface(`init_config_transient_files',`
 +	gen_require(`
-+		attribute init_var_run_t;
+		type init_var_run_t;
 +	')
 +
 +	allow $1 init_var_run_t:service all_service_perms;
@ -35179,7 +35179,7 @@ index 79a45f6..2dad865 100644
 +#
 +interface(`init_manage_config_transient_files',`
 +	gen_require(`
-+		attribute init_var_run_t;
+		type init_var_run_t;
 +	')
 +
 +	allow $1 init_var_run_t:service manage_service_perms;
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -106450,7 +106450,7 @@ index a240455..aac2584 100644
 -	admin_pattern($1, sssd_log_t)
 ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..07606ba 100644
+index 2d8db1f..9b13b30 100644
 --- a/sssd.te
 +++ b/sssd.te
@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t)
@ -106571,7 +106571,7 @@ index 2d8db1f..07606ba 100644
 
 init_read_utmp(sssd_t)
 
-@@ -112,18 +132,67 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +132,71 @@ logging_send_syslog_msg(sssd_t)
 logging_send_audit_msgs(sssd_t)
 
 miscfiles_read_generic_certs(sssd_t)
@ -106599,7 +106599,7 @@ index 2d8db1f..07606ba 100644
 +	kerberos_read_home_content(sssd_t)
 +    kerberos_rw_config(sssd_t)
 +    kerberos_rw_keytab(sssd_t)
-+')
+ ')
 +
 +optional_policy(`
 +	dirsrv_stream_connect(sssd_t)
@ -106617,7 +106617,11 @@ index 2d8db1f..07606ba 100644
 +
 +optional_policy(`
 +	systemd_login_read_pid_files(sssd_t)
- ')
+')
+
+optional_policy(`
+    realmd_read_var_lib(sssd_t)
+')
 +
 +########################################
 +#
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 259%{?dist}
+Release: 260%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -689,6 +689,10 @@ exit 0
 %endif

 %changelog
+* Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-260
+- Allow sssd_t to read realmd lib files.
+- Fix init interface file. init_var_run_t is type not attribute
+
 * Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258
 - Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.
 - Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide