From c1300100ed07f8f804713fb85f0bc701a634f861 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 1 Apr 2016 18:15:00 +0200 Subject: [PATCH] * Fri Apr 01 2016 Lukas Vrabec 3.13.1-181 - Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075) - /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224) - Label all run tgtd files, not just socket files. - Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody. - Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815) - Allow targetd to read/write to /dev/mapper/control device. BZ(1241415) - Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t. - Allow systemd_resolved to read systemd_networkd run files. BZ(1322921) - New cgroup2 file system in Rawhide --- docker-selinux.tgz | Bin 4316 -> 4316 bytes policy-rawhide-base.patch | 41 ++++++++++++++++++++--------------- policy-rawhide-contrib.patch | 31 +++++++++++++++----------- selinux-policy.spec | 13 ++++++++++- 4 files changed, 54 insertions(+), 31 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 07d72384b4842da52d1552b9b6cad807bb294d90..9c9c4d47815a65f8713442c5e82940cddf6951a0 100644 GIT binary patch
3.13.1-181 +- Label /usr/libexec/rpm-ostreed as rpm_exec_t.
BZ(1309075) +- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224) +- Label all run tgtd files, not just socket files. +- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody. +- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815) +- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415) +- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t. +- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921) +- New cgroup2 file system in Rawhide + * Wed Mar 30 2016 Lukas Vrabec 3.13.1-180 - Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415) - Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
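Review bot: The docker-selinux.tgz change (Bin 4316 -> 4316 bytes in the diffstat) is not explained by any line of the commit message or of the new 3.13.1-181 changelog entry, so nothing in this patch tells a reviewer what differs inside the tarball. Say in the message what was regenerated or updated in it, and record the source commit or a checksum it was built from, so the binary can be checked independently of the blob in the mail.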
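Review bot: In the /bin/mailx entry of the added 3.13.1-181 changelog block, "In this case we need to label /bin/mailx as bin_t" reads as conditional, but a file label applies on every install, including systems where the transition to sendmail_t was working. State plainly that mailx will no longer enter sendmail_t on execution and say what that means for confined callers that relied on the transition. Separately, the entries for the tgtd run files, semanage_store_t and "New cgroup2 file system in Rawhide" carry no BZ reference, and the cgroup2 line does not say what the policy now does with that file system; one clause naming the rule or label added would make each entry reviewable on its own.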