* Sat Mar 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-246

- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
Lukas Vrabec 2017-03-18 16:12:18 +01:00
parent 301836b163
commit b3dccbc4b2
3 changed files with 9 additions and 7 deletions

Binary file not shown.


@ -45289,14 +45289,14 @@ index a392fc4..b7497fc 100644
+') +')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644 new file mode 100644
index 0000000..db8e9dc index 0000000..121b422
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,81 @@ @@ -0,0 +1,81 @@
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+ +
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0) +/etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0)
+ +
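Review bot: the new pattern `/etc/.*hostname.*` in systemd.fc is not limited to the /etc directory itself. `.*` also matches `/`, so with `--` every regular file at any depth under /etc whose path contains "hostname" is labelled hostname_etc_t on relabel, whichever process created it. Because systemd.te grants systemd_hostnamed_t `manage_files_pattern` on hostname_etc_t, this widens the set of files that domain may write. If the intent is only files placed directly in /etc, consider `/etc/[^/]*hostname[^/]*`, and add a comment naming the file from BZ(1433555) that the wider match is meant to cover.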
@ -47185,10 +47185,10 @@ index 0000000..86e3d01
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..0100a56 index 0000000..c9d14fd
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,1018 @@ @@ -0,0 +1,1017 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -47888,8 +47888,7 @@ index 0000000..0100a56
+ +
+manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) +manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
+manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) +manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" ) +files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
+ +
+kernel_dgram_send(systemd_hostnamed_t) +kernel_dgram_send(systemd_hostnamed_t)
+kernel_read_xen_state(systemd_hostnamed_t) +kernel_read_xen_state(systemd_hostnamed_t)
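Review bot: the replacement `files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)` drops the name argument, so the transition now applies to every regular file systemd_hostnamed_t creates in an etc_t directory, not only to names containing "hostname" as the commit message states. It also diverges from the systemd.fc pattern: a file created without "hostname" in its name gets hostname_etc_t at creation time and may get a different label after restorecon. The "machine-info" case now depends on the unnamed rule as well. If named transitions cannot cover the file from BZ(1433555), add a comment here explaining why the unnamed transition is needed; otherwise keep the two named rules and add one for the extra name.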


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 245%{?dist} Release: 246%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -682,6 +682,9 @@ exit 0
%endif %endif
%changelog %changelog
* Sat Mar 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-246
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
* Fri Mar 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-245 * Fri Mar 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-245
- Allow vdagent domain to getattr cgroup filesystem - Allow vdagent domain to getattr cgroup filesystem
- Allow abrt_dump_oops_t stream connect to sssd_t domain - Allow abrt_dump_oops_t stream connect to sssd_t domain