From be2df80e69342d4fe5df5248612080a21e58cfe5 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Mon, 14 Aug 2017 16:11:30 +0200
Subject: [PATCH] * Mon Aug 14 2017 Lukas Vrabec - 3.13.1-271 - Allow tomcat_t domain couple capabilities to make working tomcat-jsvc - Label /usr/libexec/sudo/sesh as shell_exec_t
---
container-selinux.tgz | Bin 6902 -> 6903 bytes
policy-rawhide-base.patch | 15 ++++++++-------
policy-rawhide-contrib.patch | 8 +++++---
selinux-policy.spec | 6 +++++-
4 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index 7e7df53a0ef31f912c617ce4e38cfda0b7440018..205a2b583a4c686dabb9ffa06f165570ce01adbf 100644 GIT binary patch delta 6231 zcmV-d7^vs=HTN}tABzY8SgDa&00Zq^ZExf@lFnE6uMlPej2(>av1gJ6#@RhAk^}BO z91!d-a33yr9krzH)>?0o)P6Z*_P1YE@kJCxQj}Vr@gBxN;;~fqkSvnLVzF3?%AyU^ zBB?LZ?KjW#^A3J~_~8TozWT%W@6_M$^ZtkTS6AO$y}$Z@@ZtUShwtCR^Q-sQ@7{kC zynC(+sXvFN4eKEICcCS{O%hq@#@_#v{;XcV4t{J7c^=k}fBM@#3Cb!d&YSX3M@bM? zRhC9!o0dfoiGdO%#SVU7{CFwYRsiDn(<=@BIQiFyBs#Q-f}R#ZyH_8?We)$iAl6HT zH~6s%>o5<0iZD<9_=-`z`qQ9Tvth*H^8_}v!oFP zb7~so3$F$*P1H0;Kc}EAIz#d;p)UI3rmp?sf+ppFEu`wq61R1Xo)9>DZB`u;>odr_ z*@t!VlB7-*@|Qa!_mFy)HZ6{Ao6tFs;gL_5jdN$k?Q8`94j**)pJ~?PlH62Dlx|b# ze<0S8Xs#p!l}Ba9Y(OCYk@nIv>cQg%ibb={5V=9<{}C49PG3k~#vIG3YR{(IIQ%i% zO<;^om}k|JgC2ZQz31I?On$Q8JbH(77#{iej02=2=vfQWbJ_v#E(1L{9GzzHo zo$mpbcBBiHHNUFUJ1hq&KVye#$h;P7tc3v|ow?MMa!XbR6ABtC5lLxEQH*yTWnt4; zilTSJvNj1XE}l{z{{K}_Rw(~4`{S#&KG>Rwq*}3?BrSGc#hRyxSkJv3yv7OQfAYpE zli=HH`0qXZ_hH$+$S?o?^9xyL$zre4c$$q=9}0`Y0jOre=8u4k4;OcFG)aB8$Pvau zer}78>9J{(JZiJ4zB>Kgp-5X2f7ekAJLa1TQ4s5`6v^u(D{*5Al1gDb(VKw(2xi`` z+meA-pjhr>tO>(0_+FHne8gXYe;gUo`!d4CD-`erjQ=UPKckD1rg2!r!F`>YHj{ah z!^-vLC-ptZD4*r+HS~m}fquvXhAm`2L7KWSgFusJe_B@Uim35tSdv5J#4t(h-9nA!$7^0o>;?aBP?moSh4h!;JAHy=<<7yXtc4beeVHfv z7~qQ{Uv$Mmp=D`AlDEMt`R)SvUY*UxiOcAAK1c)H>p_k1>5~}+sUN-ov?Ez84VY0I^Sx{`syTHa_|cmn^3lRO4Pe-}IBb7szXx&cJU+Y@Zk zYmi3Jq`M-_*n|x}-Ar@HKw-2xnF&S3+$S3@1m*a`Iw!{XxkpmtM=5&%u+BhkVa-ea zofkWAzQIX2&aI4-aqpb)v!PlTIN5~5e_fSX8a>ho7fwO$1q@*Zv?AExOnE=zG<>tP zvv(aH+C2~Se;jyx>E#Oxh^6{Y30o(Ip0-e$d}KJff;4!1T#SynqmB(#ekQ#xq~P5h zM@1(q2*;kY8jNiw=a*~qQ0u3g-NRW>Wd~5P-o}uZ5v*hSzMDQ_485rzRFQ*mQyz-A zp$UVhsmtgxb|5U_j|l7UsyOQmLT%xY3YM?q%}!Vaf5YO@0MFM9CJQh*VL_`Os}h>a zEY-AG_Fl}wS68~~&b?OQGW{4GJH+csV!feMi#gr;G29)Pcr3%%hn&XnSfx7JYX_1s zep0K8ACfVgutU;cOC&dxjPfxe;af+QhM^FO)j05y>ah$KvG-#EG@;9vj#~9kux&=G znO8k%e^Xe+V^^uewZrDmaiN&E-mbm*@wYMTSBaoB#bxoO*Jy0J&s`#N8;sl@BAP|w z$r@U*8ahX2PK0fVM$RT|(x|_H3iK00Qguvk3CC5i`$tZUvU_=;ACFMW~vpY%ue=tY}6R~hd6|3Ccj?)&$H`~TNp 
z@Be?6ALeOU=Vc6v?NpA2x54$r_0`3@vz4YVSePgCt^{>iw&m?qQ+f3|_&EWbni31Z zf10x*RTd{r#6xT<9$b@Phze9ExZfwB2WvH)BqZ}#_=(Azn`Ob@e)=V-%DR;?I2G5E z3>_QO9*S_IwpDJ;z+8VDY{RTc&a^7=8ZoP$A0w)sekeWXf#18jJXFCccT1gdE$vYY zZj>>At{%3X3^X?laiJlr0(79$@a|I!e`A~?^5QVbK|M32eQGGlb-|gd`sT3t`x*?l zXpbtrQ~D-2$%N|MlS4W*Ox3g3&b79!R6{~t#JJsHT5LGAE^4+3?~9l{8}y3mG#t`< z^^4Ojcc!#UaZvQ*L{58ehht2-v-?$4!kqYB2^5#v3vLWi>cfe!C2@dE<^nxLe?Hjz zo$CBUT;aO!BX=hate*UDYP!+wZ#>%QV~XPrhM0*UrBj{Dgf^%kKO)g1Z%#EP$L!Cm zfd;@wvS;8A4Y9}SM8*Tt0X92Gmgw-O9e>-{MimXX;ixi?QuFzUhN?Tq`rt!XowW>| zbXb&fjL|QpcTgtIBjm$VBf=0~D#U2^vAYmY7OvSoo(@@tU_4@@k0qlJnGo_4x{TZ_ zrvpZVpkY-Vh?ky|q6$$9ykb5w)56~*+4f_T{t7OCpbo*NN!l$y;)1uv;44c1^yy}- z7GTAQ1N%D3z&_6KzFLrsJAhOC5@AzlaXdYi3Y(aH9uR# z*lFdUksV%oGb`6dJ$dtHN5`e`+mi!>=ve@^8c09JwC|YqzD!W3-vt-`+mp={@WG2# zA9|vHwNbSI${`-0OkwXPhAl1AsI% zY!Z_?jn<&Rjb_%FWWj+ukp<*Gm4!wo4Cgw3iSAfX7jCo1Yc_|6s^&>A1vY_RZus3S zD{YIVdF9PKT)%HJ{aXKsWx>qC;gd6gC@)4V0O_NVc)$)OGkW5S`?fCgZlR}yCwUoz znXob@Ll~)^2n8N)^GvtMj|Cg%S(uGD8uILkY>0st(7e*FJ+WcXO%a&b{+c7<=Jcn3 z8<9bQ#pf@l4p6%{@@ig_*$&+lH#eubb~MdL;MG=v_JnPvDE;7*ylXSBu{*e4p4Bx*y;+QcYv{Ew8(N-R=DE zO<7#P%U7-jJQ-bfLm$AWVKl|-;LmY?%wh`j@HXiM{OptHHn=bA+Y2E3x3WsMhb((U zhdW3hFYm}3Uj+9_un*ynFxVt0fS@U}1A1_Q>pwXG^28+_VQx!o2XyXR7U6PV9-;&( zm~3!QDZ^(K(U{0^R+f(&_aT<6^sVZ0pE^xg+f=h+UUOvTfX-nyW0tuRGtM0>9+;B{ zhX>};c#~(l3)82EIq^ip$9EKe%c?A6DVeX`J_~kt2lqMQub0O+-5Yh6h~KvTvD z|0*wNz>eiQn>%{FFsB-kp1|{lnFsK!Vdlc^#}#-F0}g2#2D0rmAbf^@@i5DiHg@l& zp5Yg1VSHnZl>Yb=k2c^(75$(CV_UjN1Y*Q!dfXbf7*TK5&$l4-B;(QEEX<06zRlz+ zb&<5_p7157o2HLV)Ml2d2;zH0_96wbHPJqa{R+qPZi^7QNa;1j!-r9u-obo|E#-6i z7~dUYN~gyQVQ(6jP(-YMUb>6+S&z#}Keci*s~&Wb!-Xoqduz<0yITWRxv;G}XDfV-e(k7J7v|>Vh$y#GQ`o zX$QQnHkoU*Fn*HhN6c^dhPHXEH1^QorL-K6|9v1?wg<1~9SZWpXnt#3ccBZ3NuQ$2 zoo(cl%I+iZQpPY0DZ-IE-N+_5FZBd}(uQp{JvJT*Qi| zxlh|@Z>Hnv5%l4I0~^!0ythE}jJD#wnwg4-@cqHkB2G|NZho6OqW5AO$xlovPXtE7 zI68XOr3%3bPp!_IorStb3^o#;TmiLh^PM)4G7TuSG5z1r9^l_GbX~x15w7V#Y8@rE z_M2FRUAu)RfDi(PLv?7iB_=P*{e2v^p<^DA?JXvqy#lX)gCVt}=Nx+h#w(K`E8gc7 
z(--oyftJaY9NLuIu5q#r4_V9nEDtu3s2ptg*`OaATw-GGzge>!f0jwZiOCd7w@zF` z(wL^%cNcn%TyM;bb(LG4n`i7b6V1j!VF$33x`oMKX3a?7SeVm_S%~wv@oTSlOf7na zH&J{ujMwacA!1iy@%EN~sPaFaD8iW83Lf#rYEUKc=3%r(_i3HR3H`yMn!Ru+mZoUt zRN-3TwO7G6?D;8xwS{7>XT|9i&ZT9UjE_ z9?7T|w7AvYTQbLe8aw77xl1ch%f+@Fae(}ONSby{Hl2RK)IiVMv(90bfHC8C!3biv zgT+AXR*>LorRr`>Pap9#RUQgDZu{GN4p{0c^E}O;8Xg7@pd@QRZ zDr6XcQprBaU^2SQ@6{?!?$kYq#S^6vf#C44-R9;3O6qo4Y%Q}zk{mo}vO8LH+q!gA z4L^y1wQ^EqWm$Pa`4x$k1Cye5x&VaC(k6{58f$cm&bKN@FpTcd2OK_o@Bx!NlbggP zPu#}*4UA{J0Is``+J~-y|0s?wHGAz%xc&Bj+WMRGjP2u9&xC8cpLme@N}%cAo_7r? zopi(%0xG-VkvFck$c@(efo(kfh{?&ah#!WQto;F|W43WXdir7rEiKA6-9EZqHfga> zP$S1mh|)-lWG$C>LygGu-mmOccZemO)z+P)B(2)~!9gM<4@g$Y6QS?}j1r1@aVXG# zfQ&-w1p9#-T41nK?>36icMUwWZ`bJ_GxJ>0fRWdiZLWZhrEb^qFY&1-Cr`XNp!E@= zxwuPhi>ACE;j>qjv}|m6-lY&+(z3$`&O@w@gLPb2kV95RCJ_odmB+5`l;jG^RAr2m zTP3s^mn)v3L^=!ZQs`9jqi)$H>Q0q^!V^awG(txMHA)udAQkj5H5Y65x2H&2B!#P{{S%mQ7E8$n22& zOk*0Pv9vQWcZTV`A^4PCO<~7xH(HtfpehrflKY2F@LT2kQF;rcL)fReh9r!3wr$gk z$Y6cSOc6U1Zm~Kpv6izNMr5pv^R2Q8)Ts?L;we_I_47Is?Z zdAJX)`1Cz4OMO`yBw-l1h?vEH(H(oCrD9puoJr>WtPm4@4x&v9oBNCo%DNV2q89OuzVyQ6>oL$Ev~azqOiD>&EgH@4(Kl4skgkTEjh^&~yX$@K z5pvk9LB6NXY9MKhWah8jJkhsKN6!{ahEZ2q)TJ*JX3>mf2P#`X(kOITf_h=TF-nv3 zBw?OnV}>Nk$#=|MSXZKdzrj~5jI(7>j7&Z}m0yVr=Ln7wPM=QdP8F@^hKBse=1K2Y zA|I!Q0C^a#YPd0uTx|*GMHtWQ?Mo`>vaixgs%M+cLFAp`Au*MgARtta%3I&nZ(WpR z#&xLdG5dB=FRay#+-a7+{vy43Hm1tOm%2LTZPRO_p1P8B#I4VNN~f(RIAh-j8Od_S zQ)$jfxTSJVOfMzPa0{Fgz#vnp-Kg1NtagR?Jjcj=j`44dxZaIk?N|ujc^PA&GF zFu$NfNj@HrCP`;7D!f+LcCUk{1lyDODJpSb8*N(0v;fSr#dqxvQ-{`k`46!jRm>(S%B|8|^ zaz-<+9gl#O$qV_}Y|kYsD2;=dhrP1vKhmk8M@%>Z8ys;Ru6PbjJz1|pw1!(rtU>*d z-C-6-L)Kp*iBVTM`uMs}hw9}IjT=dSOdf03KmiT2~=uNUl#KJ;}^91_Vx z%RgbaK78bhQvI=06Fh}^^A7aO<)NuBvvh-N_9er)y!h_q{M;K&Y|Qyrbr97A%6=^a z4Hk8Ww-jLZ5S=63l5Gdf%LS_lfA6AYDu`&3>c9Ty^1r`hCkM;+&N=$Ln|84pb5#D_ zp`~Gq@~+Gdd2&8o6v{{ZI_QRkT&Lwyqv|>E$|#MO!fRB(WoA)ddo12XN(swNf)1K* zP5JM6Dogq797j)Dp;S*nxt#sWi8odxzR5rW=y3QvJsu86=TRuD%e#=te-5Lw7?Lkg z7k@+b5kNgrErJD5m#o&mVxm@WP!V8cf|OJZqF;RXD}F)1Ux@5m1mnOW_p3j$f2Aqy 
z>oUL?c{Ft#x$t<}-id?21M&I@$PTlU<1)ik>6frA^K|M=GB#WRI1-xb%ymNlbW*HIk)r;A= z%~a4qu=;XlFwK7Um?r{7&{o-V^1EyIJ<{Ma=_h( z1A^TJ?!)D-qn6a&iuH=5_T!A%zx}F;4^b3JQEGX{dzi*%d)%t}kt~wMVzF3?%AyU^ zBB?LZ?N`tAc?X~GzyB7$uYUOMo%#)*_us$2y87zs{nfXB@V_74zx&~&HL;eV+tnl@#Yqd8nf#2&*bf zqp(fOB8bF536f$5-xoh#3bqx1_DO0hs}oV7brrTzP;dOzUYzMkd$z&?7VJuntaRy4 zd%}9nziUq>b?u3*YqbLEGD{5be}$hVco;=V(~O}aQWRE~qr(TjCyku0_r)X8->mns zVCeTc-C!4deUs1u9|5nE@Bu3V->8!v0wV@rUzun=K$AuS9wnuqEjmN;Euk*@;-;?s z?1CocfGwoz%o4YCjGhoUdu&!666+I_i2@scC!a1G=gx}T*$Dm}KIrbh(5%NLxv7#U z-KNk%tRvA}Nd_v9%8c27K>j1`rDxQG#|;#VW}6{$gV6sYEW(|>ki3jJmQ&T9O}BCQ zW3-#V7@IK9swD?K_@a8xyXTnvWWRaz4(BlZfrD zrm+-7&xU1f5?)+9r9AxqS3y~!{KM>jPp{hgU~3|hYQ=7nwAgtSYn~!vJ@>u$udm_1_we7h%kD*f`S+h+$T~|FdzHr1Y^3^7SQHLGH4`>}1Z4biaTiCE)OU*< zVJzh5w)mJHn>NX#Hk<0J)1MuRv?cL(9mTL?zNruevEE9NyiT$bH>Mz|6vh*OJqh?n zF!OHRmJGZC#d05GO&E^B_oCF~1AYZ^WJvGJ2p6wVz!xz7r{MmCE=rolVG#%Sb!ys7 z=1C4K*XN(q_aLKumbcf?6Osn{ArBa~ko^Q{>cR{HO`82_S+$Q-m+(Ntw~8~EcwBL4 zV6e51q#kiD^o1&Bh$h-NxvN@#vU~9%3JSjs@)d+1qCGQoQN~bq@iQ#RA#!4vB=&Bh#`5DeuO;?^e>W)0zlB2jOYoUKL9%k^U{%&a3&p<7 z6MYQuMUgMM;-Jv7G$P5{;FWxK0er8{X5++VbUPoU0q*snM)>O-G%)p(9|ff!J^-{M zT|Z?}2>*sOI_PANaEA5k9C&~G z<)^L=%}XAARpdPakrwST`11A3u%BtmwT8Nqfx=qeXj^y!|A3P|219=bJLB)nobhx6 zh>*7@*reAWji5<)MVPS(8+^Q(=8%EHXmv6Zii){UHe3kG@r89xjPY}iq{fd@_5fg= zf!xBHm;5^~cHVr0lW?3{87Jf3IpJqRwJ>n935Wl>Dzh|tq!BKhg4_!j!VG9du)&$~ ze8g$^W@%^dIy|&{9_W8L@c7ch7Zwmp^_>#7P7FP5p)~o(aC8M}@bhsoI_8c#HdOhU z^tzCOcXu2Wova`nd(LVwwwat?uFXTOpKf*!XF-)6K*f3+LtaL(j_Lbs`h+p`rhZUG z4#rJ+DB^}D44$Sgqs!QVu!KJ%tiP+`tTPC;g+nS>zK%CLVHJN2i$?=IUo)62z~qDl zt$wUZXfCr<(`MOwF$-T^>8d;TT7}E>V|45guPcf5hEgr&bnC}(cVOaY8OA>3G=|42 z)zKb1kc{z@T3!5*jNybGlKxmCxuIl~j}ZxOp^-!YY1tl{#EIZ2lYpn)Zo}h#|#t}i=T0c;z1(on)eAlqSfJZU!?vg{m34@Xp`qE!+rn%`|sa< z_kM8y|N6`Q|4;H^o|bi9#-P|vtTwh#YUA#M6Y5IbNc{1-xP?u#}-cB`@SFeMg z6Tqn{u>gOpIV)0SaneLQ#HQlGH3^2OKy`xqeFA#0R>Mg`GLMCyn7p}J7X1CEUxKQv zTN#5>aXrb(9<|^`83X9*VcW?-bJGwP8nP-t2RaS!KDB=^#wj8%4wD?zGgI29hLT(toVluR 
z4x8WCV7NtlROy}4H^E6JROg-?(xG9hp1pRiwQZ#u66zwx?FQ3g!>M&qvrTwk#O$|0 zuc%JLA-z|>INfq*O1l&XML$mDwD)v4#-uyDUqvO%iQkn#ahbi~#t@}GoCsSI2gqbD z(2sw}2YbI$oqvccT=#wC?xca$lmAUkH@f|eM;m=iaooWWGZCb8s&kpp1{LH-Bzok{ zsmA1({dqOe0Qi&a8Tdm(?6EqL@xXL|%?^?!I{azJ-!`^UMFVa)s?4L*d_JO~>dvt~ z_|R2nEkh?A7Ns0x^h@a-l!@~Q`Qxb(VF)WPVl?~MU5Fm{!rvs>_Cu5Z3NC*`9fD1hv|E701#gYP zSCszgezu6Q)5<|3JG}H}R<4bD^5)Hsj!WU&lLLe3Spc>gNI%B3@0j+!Oi-sk1Q-6> zlg$+H!HZUZ^hAGaqiO+^Lp(s4!ro2D>tI8+KyzrSq=;Rdx~^24f-WMOtX|`oDWL$S zNg1V3d5;-IjXR>nN3ep*Ntfs|P+wVE+^%o=1;s;hhv5N7)Jz~kN5pBk)1buDS&*(; z$t4sA0BLC0BqntltwDhs&8#!Yf&+IV3&?*e3yn+|&UJqh-Lar9+-8s0Yz_}q&68dV zYy!R9@Vi-7+7?Um%A0w(e&1yJwf+&yf|-TGU(N)gycn?nq>o180Xvw?=!q}x+q%rV zg`N_gMm1x&Nz`^dJ?{Q$R-Y8u0D zdENEvZs)%@WpM!yU%49aWOUgLeE=Va(G;(Pzr=qriz&>*+oTupvrnSi;J&PHFM#ad z$|~6&vg{EZ?jV7@yd!UX5!@%iK7>EQV3VK#f~L$4=)nc9|KtS76PI*^xh=6B(7A6} zgv)(-$YNeN{++|}4CWH-2NM8rhUakiDfF~F@pDR19wb3 zXCdO&`E!;r+2Ed1hR-UZF_Gb{EFU-SLo8S6Th--0b(*lYsbKJy?WizbS3q2bu4FdjisiWGx0q!Co4Tq+{ud16L-2Z$`g39797L%(S*I! z-4i!~ri>B(RbJ459m{n#cl3H;PBkJuf#(e~58zqD%!S*JEASo$9MUulWZP*#_zZvJ zVU{Ot?A}W~!!Odp_{JD1{pXK7+JGNb^n(tJZRsKrh!LadackUSM7>!*--6JSj7NL3 zFe?iBHj}H=Mbe^s!k3(Gnm#sBn^~$Ni0={EixkAxMEfN6D;&?eEkfubrPmY>A4Y9@ z2lFYml+Wp7e0GQ_ogOcQJ!xD*5wU-I=`Px5JuWBx)XL4M(vAy7&u%D9=w`&D98_^`K@i; zg)Sr}eTpu3wvkgZzt2eJJ%rKpd%{ub{kkkza#)@!#@v>sEo(I4FouED_X7s;rOmB{ zo{sKu5i6SJK5e7DnU1GN(1(8yY)s?w-U7`t+KT&XW-21W=LbuRI6+yt`EBZmo{McH zKQW~|5f};M=;&3KDg-AywK{Kh7U~``*hqMC1=P09ciKeCG@#JN^nXKpfPcr(bpg9Y zxTXWCb(GlJZ(bS5#x%{oyU=UodShm+tK90`JY$cUXf_TCJAkFsElmD0YexFU!kkvjLY&8q zZ+pFCYSAmaiQ=1Kyk>t75xWYDx3~O5mH+WX5ys3`@Q5!~gDQbH52H1@PwO;J=nodv z?1e+IG(|I~3fBs+y$Zfz&rboYEfi}lzi`ChceP97Kx{4tDX)Cv3_%6R_`-ngYKK9K z-cgGW+ggv&Jt_*4E9m0^DTX-S)m;ejlPR_`z!i(R>!t@KKRJJbQ-esPs2k}Vi=VMO zNSnqwJc#o>l2I>cajU(zWRCkZcFaL?msX&bi)}gL0QuvPH0_#fI{kvFfu6T#ox>~v zW5(@*5yWl>i-Fk3zeBIL^Fn?u4-=5G;pjoD_8}SL!b?TGo~%7%YqZ%zOAA?CHjA6l zZW;~vSXN0?$S{ATl6{iFWOSL|t5uxbse2HMCrTj#!Qo-M&CLar)a|g?T4swRIe5@y 
zceLiVb?K-Yz7hdz<)p~UvhsrRD-tUQCPnRZ0SK9;O&U`)*60?UZ&i+97~P={IDGct z115PUH;GH0xQ+Q67|(bCTz4V04_yKOQ5;=r_S&0p`|W?V^*84k+sCV(3D4+-?RCdE7Z(MDW8?E&N+j#mBlapl;KMXBd`vXkJY~z6R^u-WbT9j?N zeRR8Q(qf;WMvj#brI8lNS}yN~8jgA5cX-V zAqk_MZQJxBGFYE7Q^d}MTda;ttmSNzXXdiFaKnm@H>iW0hp>WDgxt8-K}%`7sxxKa z-&O~Mg`Jjp9_~XcKE032QeTz^Nf-t$B4&SabjMz3saTdZXOek8E5t;fgJ{#j=00PI z6ip>>(>l3_8555-^o>=hxSgNn{XfWkzU@H6##lsnBvatYt2J-R+3K}Q*j>?@R1{5x z(bFYH<~X`xGs?qiG*ODFI99ftvaW@hs6~9EFTF7NdJHrOEnKfDd1&?!ae(gC0qcLB zb}{>mMcy-+t9eA5OI8^h#hWSAno@1sP$34;DuAdD8op$j7N6KpsY`8g7guS6jk)5ymrn`;yAJ?5nhr>e*&<5P4^KNKEA+2nf}q z^3-?rTNfpnaUClAnZ3KH7uM=V?lenZf05oi8&l=tOrPEdu zoU!+VjAS|EsWfLK+)_Cwrk9dtxCKrLV34WQZq)2BR=YyHo@3-b$M`!&T+c?Yb}R(% zyo|9>8LoR7#}?tfqTz!+eoe#jvX>FHf9%^|$X!3>uFy2W`P~GNV_mzeVQ_p&QdexI zBvJzIMEV#bm|xJLBp;7QlcX^-6<(`ryVt=_EZ<@F$g*Cf>;*fpXoES8%J>3bL>L%s zSDD1WtKS*Vd%;q2s>QNjlg1WDe}5RJlyDODJpSb8*N(0v;fSr#`;8`wzR_>>7-C~s zFh4pjN_H@+<&0)tJ01ZmlNa){*`7;OP#Om@4|`?Tf231GkC<=-HaOxsT=5*5da_=H zXbrcLScCc@yTdGwhOECr5~Hqi^zn7C4%N#a8aI;u#zifHAr)%Vr7Kg^ergOXTTR)tJcFO}V?lRNw*N2lkUF7=r=p zldKpjitG z54{}}heYzw@>kfc4vh9F*xnLFHe_6Cl1rbeB{n!6o{`WWR_LVv@~o{-j&%QPtK={LV1Z_2i=g6>$F^IR6Pe?8Kv=3c#R6U%q;3_kHx!4 zDPg%u&_VO9DgU0QvXs}(arC4WO7#?!%h|u2cw@YhyE;CG(ehJ$$Pp8f#W5X3tp2cZN zvD(p(5wV2FRcRU7BGM&y0VGrV%iR4(e<@+7rs9~-ps)n8S#KS!w#@L0YA<^c%P28{ zzpyS7u#2lS4fuG?2By(WJEaS4lJ!I|Nib(B8}L}=e!ZyDc#=sr0*9_%z-yMlJLk7- zmJuOey_lWbOa&c8o+)|^fEAlhXQ@EDc{oCod~T=Am(Q2am(Q2aC;0py2)Z>D IzW~Sp0Offl{{R30 diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 9f3f960b..4bbdffa6 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3839,7 +3839,7 @@ index 759016583..f50f79935 100644 + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8dad..1b078065a 100644 +index 33e0f8dad..1eb3faaa3 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
@@ -4063,7 +4063,7 @@ index 33e0f8dad..1b078065a 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -245,26 +298,40 @@ ifdef(`distro_gentoo',` +@@ -245,26 +298,41 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -4089,6 +4089,7 @@ index 33e0f8dad..1b078065a 100644 +/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/cockpit-bridge -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/libexec/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -4109,7 +4110,7 @@ index 33e0f8dad..1b078065a 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -280,10 +347,14 @@ ifdef(`distro_gentoo',` +@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
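Review bot: The added `/usr/libexec/sudo/sesh` entry in the `@@ -4089,6 +4089,7 @@` hunk has no comment explaining why a sudo helper is typed `shell_exec_t` instead of the `bin_t` used for most of its neighbours. The file now lists the same helper under three paths (`/usr/libexec/sesh`, `/usr/libexec/sudo/sesh`, `/usr/sbin/sesh`). A one-line comment above the group, for example `# sesh is sudo's SELinux helper; every install path keeps shell_exec_t`, would stop a later cleanup from dropping or retyping one of them. The label only reaches a file already on disk once it is relabelled, and whether the package scriptlets do that is not visible in this diff.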
@@ -4124,7 +4125,7 @@ index 33e0f8dad..1b078065a 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -298,16 +369,22 @@ ifdef(`distro_gentoo',` +@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -4149,7 +4150,7 @@ index 33e0f8dad..1b078065a 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,20 +402,27 @@ ifdef(`distro_redhat', ` +@@ -325,20 +403,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -4178,7 +4179,7 @@ index 33e0f8dad..1b078065a 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -346,6 +430,7 @@ ifdef(`distro_redhat', ` +@@ -346,6 +431,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -4186,7 +4187,7 @@ index 33e0f8dad..1b078065a 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,17 +472,36 @@ ifdef(`distro_suse', ` +@@ -387,17 +473,36 @@ ifdef(`distro_suse', ` # # /var # diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 97d1a04c..5fbe0bc6 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -111868,10 +111868,10 @@ index 000000000..e5cec8fda +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 000000000..1d0e69bf8 +index 000000000..bc54338c2 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,106 @@ +@@ -0,0 +1,108 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -111922,8 +111922,10 @@ index 000000000..1d0e69bf8 +# tomcat domain local policy +# + ++allow tomcat_t self:capability { dac_override setuid kill }; ++ +allow tomcat_t self:process execmem; -+allow tomcat_t self:process { signal signull }; ++allow tomcat_t self:process { setcap signal signull }; + +allow tomcat_t self:tcp_socket { accept listen }; +allow tomcat_domain self:fifo_file rw_fifo_file_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 1b4e09cd..91e6e4e2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 270%{?dist} +Release: 271%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -683,6 +683,10 @@ exit 0 %endif %changelog +* Mon Aug 14 2017 Lukas Vrabec - 3.13.1-271 +- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc +- Label /usr/libexec/sudo/sesh as shell_exec_t + * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-270 - refpolicy: Infiniband pkeys and endport
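Review bot: `dac_override` in the added `allow tomcat_t self:capability { dac_override setuid kill };` is much broader than the other two capabilities. It lets a tomcat_t process running as root pass discretionary permission checks on every file its type rules already reach, and the rule covers all tomcat_t processes, not only those started through jsvc. If the denials behind this change were for reading or traversing files, `allow tomcat_t self:capability { dac_read_search setuid kill };` would cover them without the write bypass; otherwise fixing ownership of the affected files avoids the capability altogether. A comment above the rule, such as `# tomcat-jsvc: capabilities the launcher needs to switch to the service user and signal its child`, would record why each permission is there (wording to be confirmed against the actual AVC denials). The rest of the tomcat_t local policy lies outside this hunk, so whether `setgid` is granted elsewhere cannot be checked from here.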