* Thu Feb 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-110

- Allow cockpit_session_t to create tmp files - apmd needs sys_resource when shutting down the machine - Fix path label to resolv.conf under NetworkManager
2015-02-05 12:12:00 +01:00 · 2015-02-05 12:12:00 +01:00 · ae5733a49e
commit ae5733a49e
parent 1fd39e9da1
2 changed files with 21 additions and 5 deletions
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -7799,10 +7799,10 @@ index 1a7a97e..2c7252a 100644
 	domain_system_change_exemption($1)
 	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 7fd431b..e05b2d4 100644
+index 7fd431b..5ce1846 100644
 --- a/apm.te
 +++ b/apm.te
-@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
+@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
 type apmd_var_run_t;
 files_pid_file(apmd_var_run_t)
 
@ -7812,6 +7812,13 @@ index 7fd431b..e05b2d4 100644
 ########################################
 #
 # Client local policy
+ #
+ 
+-allow apm_t self:capability { dac_override sys_admin };
+allow apm_t self:capability { dac_override sys_admin sys_resource };
+ 
+ kernel_read_system_state(apm_t)
+ 
@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
 
 fs_getattr_xattr_fs(apm_t)
@ -14201,10 +14208,10 @@ index 0000000..a8a678a
 +')
 diff --git a/cockpit.te b/cockpit.te
 new file mode 100644
-index 0000000..4d89495
+index 0000000..4ae76c5
 --- /dev/null
 +++ b/cockpit.te
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,102 @@
 +policy_module(cockpit, 1.0.0)
 +
 +########################################
@ -14289,6 +14296,10 @@ index 0000000..4d89495
 +allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid };
 +allow cockpit_session_t self:process { setexec setsched signal_perms };
 +
+manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file })
+
 +# cockpit-session runs a full pam stack, including pam_selinux.so
 +auth_login_pgm_domain(cockpit_session_t)
 +auth_write_login_records(cockpit_session_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 109%{?dist}
+Release: 110%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -605,6 +605,11 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Thu Feb 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-110
+- Allow cockpit_session_t to create tmp files
+- apmd needs sys_resource when shutting down the machine
+- Fix path label to resolv.conf under NetworkManager
+
 * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-109
 - Allow search all pid dirs when managing net_conf_t files.