* Tue Jul 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-263

- Add new boolean gluster_use_execmem
2017-07-11 18:01:45 +02:00 · 2017-07-11 18:01:45 +02:00 · ab9bb05673
commit ab9bb05673
parent 37cf7d764b
3 changed files with 17 additions and 3 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -33050,10 +33050,10 @@ index 0000000..4501460
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..d474c09
+index 0000000..cbcaf9a
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,313 @@
+@@ -0,0 +1,324 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@ -33079,6 +33079,13 @@ index 0000000..d474c09
 +## </desc>
 +gen_tunable(gluster_export_all_rw, true)
 +
+## <desc>
+## <p>
+## Allow glusterd_t domain to use executable memory 
+## </p>
+## </desc>
+gen_tunable(gluster_use_execmem, false)
+
 +########################################
 +#
 +# Declarations
@ -33289,6 +33296,10 @@ index 0000000..d474c09
 +    files_getattr_all_sockets(glusterd_t)
 +')
 +
+tunable_policy(`gluster_use_execmem',`
+	allow glusterd_t self:process { execmem };
+')
+
 +optional_policy(`
 +    ctdbd_domtrans(glusterd_t)
 +    ctdbd_signal(glusterd_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 262%{?dist}
+Release: 263%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -690,6 +690,9 @@ exit 0
 %endif

 %changelog
+* Tue Jul 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-263
+- Add new boolean gluster_use_execmem
+
 * Mon Jul 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-262
 - Allow cluster_t and glusterd_t domains to dbus chat with ganesha service
 - Allow iptables to read container runtime files