From ca25751cfd8a2a75e319b052e9f50f03fa14c672 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 26 Feb 2016 17:44:00 +0100 Subject: [PATCH] * Fri Feb 26 2016 Lukas Vrabec 3.13.1-175 - Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file) - Add policy for rkt services --- docker-selinux.tgz | Bin 4361 -> 4355 bytes policy-rawhide-contrib.patch | 244 +++++++++++++++++++++++++++++++++++ selinux-policy.spec | 6 +- 3 files changed, 249 insertions(+), 1 deletion(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 584c3fa7ad768bf438f3dd97b7d4d6f84844b731..5cb9828d90c1117d7bb1d2ae8e84d2fa6b629258 100644 GIT binary patch literal 4355 zcmV+e5&Z5SiwFRyfY4R|1MOT{kK;BHo>%)<5HkU$dok0;TmgELEEdT=?85@VCXWFW zS)y&Fbw#Aw?H$a2-zr|BDC%mv)4hO&>9HkNeI$!iv8q^fTtv6Dx=7Y99`Cw>>(i$X z_<8;9$1D32u6G}+C<)6lO`?z|MNXn3=V6l5iqL!mpBLXB*_Win!C8jpvDWqbZK#s@5-Tx@6_RP@g}seoX) zSnz$R+Z^yW`WuC=1^n}J@%ntZTtr1hqbv>>4XbDytdjifo9pxCLIVe7$e~hv>L8d~ ze!fJgBg;Ah`8+RKW4A};JWaY$mA?+B7P}yRbsKMvkIp^38RJ;0C%!6f%4bN?K(MxYkKZnXXb%3(+5Qramk2 zis|#$2-i1z4by=l{tpdfTfSl-pH{LJG)eSLv}L}0d*|XpAj@Kpnl(U=DrB||EBb82 zELt;B(2{n7nA3!DoWNcwD-`#BbaY1e(){)TywgXuGp7F#Z!xZ%tfW!0PH3zaPh9nA zTXTsDV>#-`eBhe<%%9!E3oWHqR>>V!f|P&Z2s+5B6#=%wgO47o=t{8`npH{!HE|?FG^Z-b8$@Zy zSWi`=tXtQLs_No7_2K_7!QV#thw1k(c~$py5lNkDS2W2tldAQ+6Iy>w^J%?rM6cIs z&H8WN!QXrM`*1`<>gRv`^c+?KVSSWIJYyZG>bys*01lgKstT0uljFKvj8=Dt$72S? z-iZ;+a&q^K(=6iYctGZ}^PtWXE+pKHg+z;$F{Gj8fFwv>(X>FT8KjcHWDzAqU7A^q z+`5q9C1{FWjAJ8lT<_0n#tnWDGxEm&8)8vSA!-Ryx0-diC}I9o1x{?=JUWVF6Xr45 zRY}L%&1eS8&J(|#I}k}WX>xdda};n!B#IX542ih{BgB!I^;VU9KX;8K4tTG~$eg%a z&0zlUz0hSivD<>v)7=(dOz%q0P>NWB^1)A6mYV7&+E#&_>bn3cKaODWl0I4Eg~?S> z3m7BUH0N`~i&wXr0Wk}P>7s5HP^>%-R1;D16Gd;W$-ZLarC~v9%BRIfOnV=oTA+M@ z+ajaxK&xd+t%0IHJ&P5VzacMW!3A)H6FkG{A08E$)4@Fl+om| zL0VL)@G*5%XW8Mnz8x)UjkEA22S-hCF;ClnG+7+&9XcbZY6CQUp~9K9tMKkcF)L z3-Sd_*b2HxShC5(R9bc9>*onh2*3)B>nYXs4@cm7*{w)h@1!1NR!+6Ui~=0vmO@5W zZBiKK%{Z^>vg_xL@L6L%;%jQh5#QpD*QkS0L0P0pv=`G-`?t!W1#dIwI^=(Dm5=zp zuaDt!;!Cfm9pfSdx<-v-Dd;EH!g7BN8#khX^_$i6mI#`oMs7ery|B%J!KWY@**Y zt!ZbTmuU^l%MmSW7jV45dLN!Tlks#t*oJ{y!vp;|NSd2 zY3K!65rZ#vCTGJNa(!`iaWzX9FJFNfrW)C8 zDJ*)G3DbtTAcz_@4jPvH`s2@}EGll|*`?C05*pPduk&zaT5l9wnD5_^b(k^=J#m~X zUn;5C>4`&{6?q_azeaSEde4`#JYekzZ{!1(k@*GEKegE)k!*&&GS%Z$;V7vsRmS)b*@Y>WJJ5S4%F@H;=F8i#hA) z9Dd4&DqeopB6PSL2Ugao?nP6(KBmu0mVBv>JfF3SJ3OK)H;8;@7rWCiD=m4zjm;nm zy9{gAVu4$S2?;#1_m7yz-L)CJ_JyC{rE_3f@d)iLnuljyDu=(>Ws;jle1GPYI1Fa< zqdV11YT7*2rc@M+e3%lcGU0iswwCZNXF@C^{w 
zjPfKV*==6LB&S@4gTyzmlFbgYcu<8qz~pOy#Au4IHqd-JyjIZ^)~6K1Yd*>*ShJzv zoARn1t$})~G|3V!YGi5yt*2Jwb$nPoG1yP1Gf0Y-O2`hlE1k!k(VYS4ORq?(-$FS|M++F7@a}inK!BNs?gPPAAePzta3&y zhqh_2<=Vn+PE)n7C?h~(d(qMbHVL?nyP~=sq!F9HdlvDOc_?;>(O(X|V$qhy1K8+o z+Nw$gv@pX|?1Y37Pwrq6#x}enig7Eqjz!kBf|Dhz)1{@}XcA$nl@+i%Zx^vGO;eW< zJBePUaJ)BgTP0BdemQkeG#vx)4>0cxZL*$9IR_PkojtUor9!?K5bYt-;mGv=Q7kX0vy_7xuZ_y6*3kjzTlcDp0DMcY>l@$!MNhC!x168afIw76uoo2sbGZndgd+EHwurAdD45UB0Eur-h2d8^)5rHmI9>enjV1tL&$4|YVH zuv?o*1TpZv%o*DyJla}?Y7^e=A=oN$v9m$c83~>DU=@iHd|0=d)+EN@SPAruZETVj z1*jr)-hiZK|0FE3hExRSlK+NoU|ravCYPWkAX@W8X|0&9!#d^C&bn{S8=Fkdn-<8P z;mnJbr54C6Ra*v%LMWnS-9_*u-Be}PHWbh0GuhOY``96U?FU`MgeX$x6Gab4QgYl_ znZtrVA9E*XQh#hrZ1XQ)k@P;2IefTXG#X8f!zjSb{3?klF0Gp+#*Y%?qwrbd?VhQK zDt=oP1s7jn{ncMpsv273qhV47tUgf4qCQoxSOYsbZ(dXwete??c==86k;r9MJa2^~ z{qaamDqog%G}8;yABT-MRTGB&;tPoqeCwp~Ix(92WgsZqWPbVtv8t` zSoSuPGFTer)^F5oq%Cxpl<@lI>%wRD{8>}R193*IwUcTQsRjlaOfS&N9=l3Ycnl~H zMXz~Q=fWffT@U_ZwQubrc1Suew#hqNf(2?XF1Dd&l|VBvkieW`p{Qy=j(r8`ozM!r zDqL7RafOK8$7xZN{Y-vDwMgr>CJcN86o-E;SMJDMD!&cUA@i;3eoEtxkCPggyF)5h z8>Y{vcA?Z%LXzIX9R3)M>MF5Z6dyvn;g01a7vPS40ws0cUsln+vcdKnAt_VK9YeR= zYl<14F1QyHr`xuMLfC9GZ8`BnDcc(6Wx8tHY{D-@bIf=Hd~Xw&@{(uw?sGlQfv4SM zQK}lx`z=csZcJX9X=cHK)%f~Fa**ZDB&|h2rYQQD*GWZp zFetIVRj+&dTAPKXWg7QT-z63AG3I5NYj}%?y|d3(957h;R>i#+S{HVvh$PX$wLv01 zi&|7d_BQD&vMwq#vK3d8jvX-BYNwfROoowZjZzDCMOGEBBo)le5bb?MgjorRNOrXv z;~J8715|*=lg=RbG;kzUl9w4sg=8gr>2u4zAcrp=VAHmv5Md+^Hu*_gK^q_Lyd-9D zgYW=@H?>5VV(9re2CTDdK)%Xf5D@lWStL3CJeV)mNqX;?%4R!68H3{-R_t2wxC1WE zg*EOa%q=iG%hcMcQTi6q7v-Y2l{}ZQ3gFIU3H&<9>9jUuLGGx>RbD~$7d9nhLES% z zB}%qmz2xJ`Y{i-44?nGdjJ08$J6is zKhbrGtKsEuDrHxgTWSkTt%X5-qkb5%x=}BY%JyY=Lg=z))#WP5FBQOI@%HUB6m_x| zQ5=xBd2v^ybw=MxJvJTFKC)|o!H8GDefSTBZ}64fpgvVS7b=`Jz5Ui9h<5wE_-;Q; zeGjc}c?n8bfuCJo{O$bji)lb6fm))#x?@Rw7EzBdTd!aN zJz~S|)@)Lv+V*fu^oR(H^+Saw*Ll;n2I)8ay{+j}a0Cl&1^{D608>A|b-bQl%GZF+ zLhP7I))WSc%k(~)g{M;TZIsOeK>A*$OAOA=!t%ZV3at6r3_!dTzx?$msA!5E0T|Gv xruhwj?rc8ZQ!los>vWy2({;K|*XcT4r|Wc`uG4k8PS+D%{{#1mqCo(70038@Y6}1W literal 
4361 zcmV+k5%%sMiwFR>#xA?y~|>NL{X$3vD4%L3*9;vXMQAy8GJAs)OJ~c2`F$ z5_{>!%KuNF<*Qf0ceKg#sNVnZ>y`v%MT)nyZ0eW=4g19VLloq58NU?#> zi|;NK+Y&&gJ)PR%%i^E+ByJc95U9*8v)@HiLa2l@zkc)ka3FT;u8RC;NfHsW^@h+;7u9YLNIr!#XkKhKn7f59IGptCRQ{Y;s8KJ65 zNzFxn%$fSE#LK78Un5-C?A1&MiugYyN=*6kfqYuY*3cy0H{O={^7YQe1xFUe4mGQR z9#zP68`b35h?%!$qM!xs1TkkRWjKMIQkE$8_tDWA;meBK2k=fG)!vx?gRf%TIcY`W zbe)n!Zl1X7k*?(q_p#L30kgrSqaGk;hoJu*714$~GaZ%lMm>&}lGqQ^ zQ;K_VJv^SK>krnm*|3cvL*4WUBj!_ik031pH z1`$v-3`EM(IN&{QZFJCGNEaDOt*X;ItOP0l!V$EPWh+8#g##ZwR^F9z%{8l#2x{V( zi)c<&f;Wt_h*D2gysTf>ipc7cIrZWHUxL4l@{h9bU$VOKbrDIeYF8vJHj}D#tO=#R zrunqa72)+-jamQAHT-)I|2`bikox&wKRt(?fLk9`n#|Y->Zb5$6~LiWO;wK4e{)=y zi<0{8@OaFi*n2U8Sx)YrGLpwE8xP2Qwq7(v%D9Bvu@Gp9G=>zk7?2dnYm${{HG@=A zm@K>`kdI=PBeyOEcmKv}LKNZsKhnimAQ}q4MJh z79Zi0wO*Lm6_tQ7a!m?0N4)s-s~He8XP7SPb_2!AlTbDhB|lO0#-8jd)?OMGbf$b( zZuqo!0m==^1-LD9Vh^<3rsN*T`{UWHu>4K%QWRVO$IJ7X2o&CgT^M{d8wbo{jqo)vQ)+*8diUQd4?*qy}q2+uH5cb5U3%n_)u&})|j>D!Jz}*UF8o@_1aE$Tz<>w#U z!%zBb$EAuVj}6kIN`;T9qat2&+a-jCa#bt3O)c}5gWsTdRC@$nAe+U?SsT7H0IOW# zx`9>&vVYv8;0ri~iedlf0gXbfC(w^+T^9K)OW+X(innmS*W!*Psi7NiaIDQAc2URM zP5-6XR)#EO>0bn2z=W-#ivdkHMU)AvF8KO+f)fI;T;n=QRsF*eI4`>qY4c9%L1yVx zTg)iHF>WDbWK|}GX5NhR$}Zb}?g*bT<|DqQavX6L_q;|Gj0&qVOXEGCmdd}C4lQ__ z1ydpabEAC3|9yQ7mlGGgns$`&5a=2;j-jBRTnmfyHEi67239M}vr0J4QKLFx)Ud70 zf9QsGc*%3h0pTs3oOHvfTg_;6^N{o#1E%}#umeQLm>imm^BCKd>ijg}KRg}BU_Z7E zEoA#l4L08Inbx#5&#SC~?d6D;wGB94V62Cy&SX424|!xPg^@?BV>ti!{nh(V-`e@V zAFr=Z`M-a~BMiMTFB9;k&ctkZ6TG{)y11I9iECYRb9< zn|Oe1Y1)O72Vb2@GZ6XZQBzp+$ShUV%l;Pex&LmwmwqeCY@V^(bfd0kol;BWMz~sV z@xD2HHCN18Md$ESyp-|svksxf-8!(MM){pLweMrPykxw=C|oAm`*%Gd5ikxS)a<{Z%>)T zp%L4kStS;OKK$rUHJzF^Pqj%E1tTA2fl!(7K9a{yLiPbA+4?4qs%VvFDcc8Mf_Pi* zir_W{HMWMo0AWoDOOqhKEy^S)2ovET{ufxu`h=OksG}WVvNb?rG{sdLXg(EQt4Rj? zQ-27+Ks|Mq<|*SfQh9*psZ~4qc#vm!{343r;&6onc@^E4Ll7*k z9?IGzJ=Rg4b{wyR6<_hRp%p0-(6@dI-c;z$biUq(qE8dLn#`41Hj}rX2{;vC^fbf| zWSxmj>xWXqj@aKcAr1ftPQv1$<{SLoKK-dei-^6K0>2-F*t{<2CxNDh$4!+Y8#{xluD&4uDu? 
z5ATV4GRtCqb;y{#pO-qu=BokbhiNjC;^K_w{BB zyDvd#s7(i{<-siB=~5np&?#95;!GSZFN`bsYY4$5Tiq8fW%u~^^BAo`-|3aqdR6FZ z*{{D!PgXi3hC|!7*Klp&Ye6!3t|%fv{CLsO1ttl&j=QqH9i-uhzk3?9j5;WGh~Y1X zUeS02gc?m|!Mzmw9_{|@a?zmRasFljm$m{b&eRvE!SlSELo zGf>7##3TfrJCW3eMT<*RyQ#~j>Q^g^g&jrrd6pKp7J)p@i#qcd-goNlR7zP{qkgTU zUC0A9_h3gPDZMp`cn|~EWkKmKW%1T1l!x$k55ZPR%AE-!??|Y;2cw9W;LE1dv^FsY z$BLupbYqfqC_ojV^9Cdx`zNKbF{C^=m;N`h1MA!t)wu*60g;BKQfnn-9W@yfcGi7o z-k4-!-gH3r6lY!{EwxZ&shTp76kHLd>pp@b>87souAz7?-ifBJ?AI3QYd7c`CPbN0 zmnb|OX~pnhWeyAee9WDgN&eUvKjvS)3bOlHSu*|y?7!+ynW~1?_-L3^0?Q8+GOth8%lE)u&YKezh96gS2#a3_ z9|N(?^7ox^q&ps|NX265Ml+o-{y1#1soOB@7gtC$z*Q%V*NM^GF9Si@HuKXZAeV97 z`j2D8eUH=cW0}WH(qL(oo8PF}2wUhbtzh{U>(XWR{Miu7LVicAbCPNh$p(fwOfS&N z4!cTGI1DHUh1Wc53T~2ut_Ody-gizBdnCPut@F;7V1b&Oi)pACCD05EBv7lEE2;*N z6IVfY$F%~hOB)t%Tp?orbyk*@pUI6VH)++@l!A|d;&AWf(jA#g<+dSuWUgJ^O{v}S zaZ>Ga_ejNVL)HD%K9rnFNa8Il;2$M%Q>TWD;zH;)+_HSc2Hdkxprk4MWi|1Y4Ypqk zNt#;r7~17dQ%w7G;XR)?{kF9f+-93;%kdvd*)}jQvsKq-<9;EUW7->Fdy_zyS1iA` z->Z2JJl!VqQrT!vsgh??pvsN$QhCU_buUr1fhE+M1E3EnytK?Ae!eSgK0bQ-WVd5f zwRANL^*43F)<9IJQC@3869^00n_~Oo*(7w7cP?RFU^dgw_Og*;JdV z9b5Ptv%yF0uw>Ox6)nI&#Z@=ca1@CkylflwOT@s43|`Fm#!)oeIhZT1Ve!xC?R`mv zSqUjmb~PGf8K(a2FE#! z*tO)b2b|vvYyB&)2j#d9(KAk+*wW{4#N@&AFaxzRCO^GLwp2ux0Q#a?w0}9EfVm26 zweXp7r^BVk3a*g~VV7ext|+;8GM8_n67=c=bwN-o0}o1H-RGbOup#zx2quxb_CDwJ z840E!#O*cl<2+aa_g^tw)V;jc&X*qljm;((V2@CP^f(;zw$E-}ew)gn95T@7ziv|+ zz<*J&YBq1+e=H~n{=gjQ`J&uiEEl&%B))a?gn`osKX>oMa!YGgp-WAl;jOQ!ZFle^ zyOe_cTZHZ=`Uj&IBt|2S1(l&%U~*GX}*Cl%cdik#svdug+wf znOvu19xg0HmO4AJ&3JPgLFx|3(Bb6B%@uFK@OkCIsQx3&gQ2~rnh!@FIOrS&9Y6FO zKcmwFecL^5v|~}4&U?6^DUA5N%F*k?ObGOA+L3U)qI>FV7tiJqa=BPP=Eaub`#)Fj z-+%mg`u+bWdM~eEU9)ZcdFl=t*4$bH>zv1s~O`n1zSZFf<7(D`*{Q0fp z_4HCK13C+_XDS&}7$`2Y`*;?fOvyJUAMdF*+tYJ;PS5E%J*VgNoSxHjdQQ*jIX$Q6iJt!fy2Fx90C)fZ DS3iF! diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b1c1c4c8..e61fc878 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
@@ -87836,6 +87836,250 @@ index 0000000..aa2d09e + +type rkhunter_var_lib_t; +files_type(rkhunter_var_lib_t) +diff --git a/rkt.fc b/rkt.fc +new file mode 100644 +index 0000000..1941457 +--- /dev/null ++++ b/rkt.fc +@@ -0,0 +1,11 @@ ++/usr/bin/rkt -- gen_context(system_u:object_r:rkt_exec_t,s0) ++ ++/usr/lib/systemd/system/rkt-gc.service -- gen_context(system_u:object_r:rkt_unit_file_t,s0) ++ ++/usr/lib/systemd/system/rkt-gc.timer -- gen_context(system_u:object_r:rkt_unit_file_t,s0) ++ ++/usr/lib/systemd/system/rkt-metadata.service -- gen_context(system_u:object_r:rkt_unit_file_t,s0) ++ ++/usr/lib/systemd/system/rkt-metadata.socket -- gen_context(system_u:object_r:rkt_unit_file_t,s0) ++ ++/var/lib/rkt(/.*)? gen_context(system_u:object_r:rkt_var_lib_t,s0) +diff --git a/rkt.if b/rkt.if +new file mode 100644 +index 0000000..8f367ed +--- /dev/null ++++ b/rkt.if +@@ -0,0 +1,177 @@ ++## CLI for running app containers ++ ++######################################## ++## ++## Execute rkt_exec_t in the rkt domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rkt_domtrans',` ++ gen_require(` ++ type rkt_t, rkt_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, rkt_exec_t, rkt_t) ++') ++ ++###################################### ++## ++## Execute rkt in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rkt_exec',` ++ gen_require(` ++ type rkt_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, rkt_exec_t) ++') ++ ++######################################## ++## ++## Search rkt lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rkt_search_lib',` ++ gen_require(` ++ type rkt_var_lib_t; ++ ') ++ ++ allow $1 rkt_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read rkt lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`rkt_read_lib_files',` ++ gen_require(` ++ type rkt_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, rkt_var_lib_t, rkt_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rkt lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rkt_manage_lib_files',` ++ gen_require(` ++ type rkt_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, rkt_var_lib_t, rkt_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rkt lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rkt_manage_lib_dirs',` ++ gen_require(` ++ type rkt_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, rkt_var_lib_t, rkt_var_lib_t) ++') ++ ++######################################## ++## ++## Execute rkt server in the rkt domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rkt_systemctl',` ++ gen_require(` ++ type rkt_t; ++ type rkt_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rkt_unit_file_t:file read_file_perms; ++ allow $1 rkt_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rkt_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rkt environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`rkt_admin',` ++ gen_require(` ++ type rkt_t; ++ type rkt_var_lib_t; ++ type rkt_unit_file_t; ++ ') ++ ++ allow $1 rkt_t:process { signal_perms }; ++ ps_process_pattern($1, rkt_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rkt_t:process ptrace; ++ ') ++ ++ files_search_var_lib($1) ++ admin_pattern($1, rkt_var_lib_t) ++ ++ rkt_systemctl($1) ++ admin_pattern($1, rkt_unit_file_t) ++ allow $1 rkt_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/rkt.te b/rkt.te +new file mode 100644 +index 0000000..4e962a7 +--- /dev/null ++++ b/rkt.te +@@ -0,0 +1,38 @@ ++policy_module(rkt, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rkt_t; ++type rkt_exec_t; ++init_daemon_domain(rkt_t, rkt_exec_t) ++ ++type rkt_var_lib_t; ++files_type(rkt_var_lib_t) ++ ++type rkt_unit_file_t; ++systemd_unit_file(rkt_unit_file_t) ++ ++######################################## ++# ++# rkt local policy ++# ++allow rkt_t self:capability net_admin; ++allow rkt_t self:fifo_file rw_fifo_file_perms; ++allow rkt_t self:unix_stream_socket create_stream_socket_perms; ++allow rkt_t self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(rkt_t, rkt_var_lib_t, rkt_var_lib_t) ++manage_files_pattern(rkt_t, rkt_var_lib_t, rkt_var_lib_t) ++manage_lnk_files_pattern(rkt_t, rkt_var_lib_t, rkt_var_lib_t) ++files_var_lib_filetrans(rkt_t, rkt_var_lib_t, { dir file lnk_file }) ++ ++kernel_read_net_sysctls(rkt_t) ++ ++corenet_tcp_bind_generic_node(rkt_t) ++ ++domain_use_interactive_fds(rkt_t) ++ ++sysnet_dns_name_resolve(rkt_t) diff --git a/rlogin.fc b/rlogin.fc index f111877..e361ee9 100644 --- a/rlogin.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 6738f418..2a370897 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
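Review bot: The `rkt_systemctl` header in the new rkt.if does not describe what the interface grants: its summary reads `Execute rkt server in the rkt domain` and its parameter is `Domain allowed to transition`, yet the body performs no domain transition — it calls systemd_exec_systemctl, allows read_file_perms and manage_service_perms on rkt_unit_file_t, and applies ps_process_pattern to rkt_t. A summary such as `## Allow the caller to control rkt's systemd units via systemctl and inspect rkt_t processes.` with the parameter text `## Domain allowed access.` (as the sibling interfaces use) would match the body. In `rkt_admin`, `allow $1 rkt_unit_file_t:service all_service_perms;` already subsumes the manage_service_perms obtained through `rkt_systemctl($1)`, and `systemd_read_fifo_file_passwd_run($1)` is requested both there and again inside the optional_policy block, so the redundancy the commit title says it removes is still present in this hunk; `{ signal_perms }` also needs no braces around a single macro. In rkt.te, rkt_t receives corenet_tcp_bind_generic_node but no port-binding interface, which is presumably sufficient only if the listening socket is handed over by systemd through rkt-metadata.socket — worth confirming against the denials the unit produces under enforcing mode.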
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 174%{?dist} +Release: 175%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -673,6 +673,10 @@ exit 0 %endif %changelog +* Fri Feb 26 2016 Lukas Vrabec 3.13.1-175 +- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file) +- Add policy for rkt services + * Fri Feb 26 2016 Lukas Vrabec 3.13.1-174 - Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019" - Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019