From f2424e7390b96a45a46065bcec5d1ca8873d31f0 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 9 Oct 2017 10:09:01 +0200 Subject: [PATCH] * Mon Oct 09 2017 Lukas Vrabec - 3.13.1-294 - Allow cloud-init to create content in /var/run/cloud-init - Dontaudit VM to read gnome-boxes process data BZ(1415975) - Allow winbind_t domain mmap samba_var_t files - Allow cupsd_t to execute ld_so_cache_t BZ(1478602) - Update dev_rw_xserver_misc() interface to allow source domains to mmap xserver devices BZ(1334035) - Add dac_override capability to groupadd_t domain BZ(1497091) - Allow unconfined_service_t to start containers --- container-selinux.tgz | Bin 7085 -> 7098 bytes policy-rawhide-base.patch | 62 ++++++++++++++-------- policy-rawhide-contrib.patch | 96 +++++++++++++++++++---------- selinux-policy.spec | 11 +++- 4 files changed, 103 insertions(+), 66 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 8bef0f0b82361e344e5c4e01e39329750a14ab8c..cbce65e4349acd38efc0bcda371d236ffe012178 100644 GIT binary patch delta 6537 zcma)=n(po#SB{D4_%Ypmug)tku5O!}yt=!ai>s&GbbH^A@5lFf z&d2iyoag)zY83)e$6_LdbF3I3p`02YC#(u4Pc0sH$=0CwFxC7gzTJ;}azaHsg6vI= zi|Iwuj0bItH`MmFSE^P%^3C3QS*b3+|EQ2eR03aemnKw3(CfY^6PpfL)DopCkpEK9 zHvP5YoXgS?e*OA#cklnQjpw{zs(cO%@V|NyT0F1X=mLR2SFbNC)SbTmFK2suk6D|i zI-isQk-u<`Y3`ZYD*6Bf28V;|Z&H8?C|77+rd)31&34{fr$$KK*BBvyZ)p(&W(AvS zQ4L^>E=pbrE7=003o2!d)%YpszQn}oVraQbl3}I*Ky(emM07mTaJt_QG1i)}w)bf0 z>PPx&h8g)@{w4t*4dh{nJj-&0aF2~XG2kM2ZI5egwJTGwu46Q}HY#AY5I=Iok%#j- z{^LhYm|boqtyHh?&Ews|GAAqC^KyvxPq3G#7hF>BD-MIk6XJp!8LM(70b+m*K>iN- zjm!=j&_|<{SP71y1jdx^`gp`Qvam|eErF$V4D5C3PUqj^~;`=!!3dqFDxwAtZdHPH=rj+Py z9#@=0!}_+lVox}MQTku^zpcDuwz4a9(k44l8b6(-Iv^)tYhkk`I&<&Obk#} zBMEfXnFD&t%%oSyTlO+1q;~npasN}rg;qq2IqrG8wG(1@m zEO4jkqt9a^-=B^gkM7hIbib8F>J9w}wxMM!FivZwOjhzz!51^miMgh^`I ziRw?E$cKbyqrvc6hYE4#T`)EVH2ndvt)JhS{VgvGQ88}NIh!MCEyD0t%r`NWPq|6# zdxe+i9eNwBY4?7(WRW6a*e$Q|i3SzaD~C3yC|y3o?wTF|vveA= zAtTOqO;qTUsDLBW6+>j|@iE?!f1;M;7{cBbO9kaL5#xi=FffGQ(;PjRY2vk}5;0V! 
z>XW}^H1JtXyh@mVdKsaVN#)9Z9nPj0#e@)Uset68x*|702+#zP zaA@(%5o8CAAN2C*{ykz(CQ}GOoZBsxA13ch zYTO;Wkfzj#d!icVStBW3_Rd6#w`e*$Rd%q(3li6KzUK#pTPJBCVB!FGEs=xWyK}o#IfxA^$FJ$@466|6Ojs;Wg9nO zrzqY6uoWRefu`#f#0oe1e5oDcskY%ghXF1SxCv$B<#rmC!x!Q=yWscCXaQ4Vs@~JD zKDNh;w4@OOi*1VTsNeN)$;J{l?yJK_ZhIHq-w)L$&5RyDg< z>o$LrQXInl*P5+w&oW@4*wl&Vjlo2vDs)TxdqzT!HU1V6Y;~PCKl(S)%7ghN@p_S9 z1c$LB0IYlu*D5af5>_aHTUp%76{>I&Xo>_lxGX99_Cn~8HT!c<7Y{+C_iqW5dhBvq zv+VwZW$#auy)*FH@xzlY-7tX1AmCJh?D)(b8a0ki-xL{TgAb~U(5sA?Ov=DFH!4i7 z$I9YA;>wrp1ddtjGOt|s&`g;gqFIOjffp?AVo`SW@?q*`gPl1{KJPBCkvH;z;F{qoZCSDacP@cAFwKs zH-W)oJK$m=$-ZHa{$pJ(3L85m7KZMlLe4V<$~G|0+LcAT!@OX5X$MZ4@H%IaXJ+j$ zW@Cr_g7BWzI2>bK9^hQrDZ6wT0{Ogc-`upxJV$yKFd z!x=~nlYF9=s^Y2XD?rQ=iT;z6Z{D81r6KN4Y3-YkHYL_(?Mb9owkaItmVm9BJ zEw{sibIqotD!rVb??w?)*Hh-H#YeAZ+JCZ~ulud&U*dX&F(}(+8N0+JCb;~Z*<;;b z?8Nd?xX4s~U?OfKRmL?#Lk7(GGf;S|k%Y#7Oz^n_~g+PnF{^D z{gTbs=x@kwxjIc*b^K5>&|=lmQy0xCQ~_Fq*Hc0fxg*B-i=4GQU+29MXS7niTiN-oM>EZ0oa1 z$KvCXgYufkgx<39<`-4a4c*ZnXN1#ha-Ip_6H@*>&^{H`FvX`VSRXv75>$_9vm&Ep zWP4vUKRW1FlXGjMS4HT5xi=9XKeM$6LE-uyrFX=s59T=)`_;ikm~x2M6aIE<#V7La zU*$q%uC3!Yjv%)v3>KZGwqQR(2W2H&TtF&OEhttePi~<+e;^vY_Pdk~L7_u4zGhX8~1Tx77Tbg0t--=IJ(gMmCvRztdZqy7ld)V$x?j8 zuxEAITGTC_3$2m73RQ9x?e!VKt*hZyJzCsJXk_ke*q-jBO7+ zdFTBQ=6VSG?fzr#Ide*uVtk&sy#IB8p#cdeXxTjE?KVTHfKmdWI$VFp z-M+5r2Ms{daVbDZkI`*vI;(_lbX=v~@d_tdEB+nazuA&(1tB16u!a>t(>b&v(W9@G=TOMZcl1_k4F5oBz=UE@D|4i-O);^o!9p-#Ps= ziSh+@q7^WI?yB$39ymA($@o#inM{02-MQmo`dAx{7}o|7$pj<}n-tSDG9j32P4|36 zrP8i!X}_;61PMH}L~3QN_e{rfe8`p@^o~sbt8{r;BNV3!>=ofzQ+TQz+AYpAZ2qi( z_(vsX$guX(cx6ij1XpMG#b{03YJEIebuQ#nFQ~P*^n$h==m(T{jw2|051zWV>n~O^y_}8F5`-SE;B*jZ*{ePt?$;LV}sG2Cz4^$&j&0&QW~#@MK-!te!HFC++^>q&3qs<;b1Mq#q z-+BryQOwS-Tzzglj9QPSWR~hE>1H`d-L^f@B_YSa5MK~=_98x_;$ac+i9w%l4D>_D zk8*=(Oee2Fa!+v)@dftpyu@4pk(S3SwF?{lY~MCH#F4{3a#QF;>KR&G7Orj#nUjkS z;+Gv-OfO?!@RDka8BW$Znzi#DHCdFJ)IP`pndf+$ljXA91ccNZw`lD%RQ7t92vS2m zrO2->Lsiwr0TTAa^Rv9R!aQZNhwy0osASMQ|I-d^dDhF6#*X%c2O1u= 
z?Sc`J&lR^}QAvaPcG#<#)2fN^&Y}*#dyGrb1tNCyc3WrH35&#{>0pnRykFS&!qXU_Z%|c{x8A z_8*TRbQ%>aB<5j>110s%pHItYf)c{D2CzQ2eyh{qB?WWd_&3Br#60mVYUNqwX@te0 zO&Kjg$(fYIMq{=~3>bKsC-LyrMovnFKIb5_vTPy)13eQ>pn=7fbV+Fr69|d69;RY> z`GI_`@aoSf{)Zy5Yvjl&s(@~WgmWg>k-iolf0XUdQ$bV4%BOPQyFoj1&`g|Xrd42| z)wVn4e{Xs#_8)mwC2_nby17=!K`gt>Y`Px!*TG(U`O$nsFC5iD9VVm z$`|Aa%SKmeKZFG)2gj)38c4DgAZUD$J(*=!tXP*amQ|p*<9iOhD;GOY9{hQ%uAQvs z__|4hpNzp!u@kMigsg})&@4<;Dy>K>5c1-HE5N-}=1s0(+lEesXgcUT^pK0poKefXvlLr`QB7+wks1>$7jT)#KCABnl`Tr9^c-`F^VVS%cTJI@_xPq+ zWJM*TZeKIFmCHQ2L!h^W4$r6y5{b4&qpnc@J+8A%QU3e|+MUI{5tcbzG;fq5f3zSj zF9JB~=jHSwSk%t|{gK_IjZh{vy5G8owTY&M&Hr)DpKcA*z$NJ>H8L{@rFaJ3`#dsTeZ;UKVD2WliVFb_hohVyeIdkMQQ(Syp5ukqKXv~ zKI=W0WtyPaeY`EJqCG0jaa_3;=he^R)$N}QGpdYNt=x5hfd1R7OLysui5Dsj&W@}J z(e~MIUX)RFYAe^V-rUeb2@TIl^F8}4|3xw|Xj0pR_)didos;gDtH+Q@X_NSRaOS&S!Cx<6+RYoy-9sY^4!I@%R+3sUb2VI= zhol0^X6|k50MgduCsNdal4filM8vV+{h5(xjrgm-?l#;?Y*R>FmDqVLyL-%|$qaMp zD7I}`mg`4ub+)ebua8}}VSm?QtlzBE(hf%&VUs9tcIme&{RW5kL?PQ0eZ;E~mWbF= zVYRBXrh?_6kiM@}ygAG%&Ao|g!;U!vdM;HK=uYMgfTU+hN5-i`ALa8eHk`~(5G%;8(@alysvT^f0zhXqCY2`NB|8< zQu7m_CMX%^;Clmhvq`PhoDA7rV%j3XusbbK+_B|CZ~vmdBIhU=6f%6{bUisPdogLm ziM_kkdg10keAdP#d9ZzF%DxdoW^fk&B1}Z-q}CE90B`}`F6X{MQEUnPNY&z8(IXT72?klwa8`_-=n$^;zA{YHBitT5lA^5vz}RAAEe-Ym~ z(D}*OJoK?#RR>{a7nRp&p#ydT)jT$7S^3n8y!T7g+IBCI=E~7GE#8u{zv&P%c?=XY zwSH5!`3E*hdUwr&qFPs>w}nO?Qx4pr)Nl2O{aM_)i6ggS)npIS)o37# z+YRM`$3Jy61WJj9Zkrx^tES+QFMc8sUA*hyT729n{P{v3&`3z<-$-}{%=juMyWeiO z_^5QokF$^w9Fh>LEe`IMVALr(zGm3pdDsg1FAPgkQ2fFzDFEt5Os#H82W}IMi*`99 zLQsA~JL3eINqzF0Tajzs4qgON(HC8DU&M%&f$yrqbUo3|4^EN#d$wIh{$Va|Me`Fu z)r&Zz^3v^nx)bQi^ahQ10S+7Bl?eb?Iq0icrQ^#2)8V~olip<{%WRX_m4%t4ZlzR5;4|3{F`O^e zN9p&!ssH>};*G=&{-|lZ;4xbWC>5L0Pd~Q}4 zp9%>n$<3k4REDoueK(*j6jRS5yfyLeqA?+7^Ho#I%ttm=p=K6Sp6rUT^U3x0e~N@+ z&ab+R@&dtidDi(d)@K)K@5ZSLg)p0}){w7$7SJWPWW0Y*G-J_VW2Rc5QvUXsSMl~5 zpCib=vgtgnz7C5`O)t9C(Br@{O7XV#8iokXDHH^d)P*`J4|{?PIpJDm-#Kuf_y+=F zw9~Z6xWX4pgT}_`UY6bey%z7(tVW&YKdfiHO=i`lPI0y 
z<>)h9T~9btPFq|c`P&Szs~Nt)67_P|G!eJYXEP7hEJVT&AMwqre)Y{@A9qx%$mJ2& z45xCK>Qb7os3*hcFI7R8`6j9{3-Lg36r*_6*Rf&Zq^jmP`V550-k#J?0k+Ja n!a!GbG{i(7e*NmAV0z9h>;E6p|Eo%bUV~6|Ll%%OkdXcdmtFi- delta 6524 zcmb8wRa+Adpn!3ZmTpFOcXvpGbSoh-Iz-wzhJ>TL8>Aclgmg)F$LN%f(F{1};(USg zJn!v${c97e7K6}5VIsvB&6y#goLQX2t%)X1Egf}#s6+8*t#go0s>1be0GTpltbxVp zmo2tr&CeyB)z_<|EfeP9;{DGpRz_D0k&GM~)%9R`VzpH!qZc(Ys{xyOk`!gC5@mg> z5|~FWM`zg0`8xgs=;c+%W5G&ovl{|}_lqrUT6I5fLtZ8(CT^cSHY_0!ua_6GUf3aL zd?ub2)uO_smai2wi@9Mort=MwY0PJZE+-0=#y=_TM%d<|0#islGOu-2)d`G^QdO+8 zQk4lJVu_ds@B;ZD9Yn5NNLQMjYg=*uLBJmi6|>m?IT1F3ZWYWAF5@(9I`#cS=ql^* z;Q5%J;d@hj6bn(^INu&JEK#jfQ}ETP8-de{)-y$>9K`=f3;McEoMu>WMWYkpn|4l% zw*`)K(q@W*q448dkIMfn^s7$x;uJrjoE@K5fh&?J)pGBewyob0nYOefnIUT-izSsJ zb3=wq(HOu@D5O#d61}mjf7EVzrUb=a$utuAuc@H|BP|u0r$3OZ4C!CLNm1Ki$I!=V zyAz6%_-GAeEmU%)H<{9?+Sl4DKlwSUCZWUSbSuhHMUVMcu|kCX z;!Eu~gnVz;lC#XfLOoUCk$ZJ}1{%;PS1UfjSYgm~p^1jrTRG zJs-?ynECG8k;o8ngLKiEEGFdV<#cc;O!$4-UCtSDs&5f?ib!|G9B3SaL(VqD zdANhbg*yzHE~eEm<(uXw4C42koP_F58phFnG(hV)(}qI7{ti*BDc;;fy4N>lU1Rn) z{%3epv+Qz3c+sckEM^{G%au%Mxam|UZpR?sUK zH7P+UgLB?RPr9b8)IrXyuCJKG4_`frRg>oLqo}R9?GBrl({nSEo>7F}1%xN@qf#5F z5VPR!)`f>aB}Lp=;mpvKlQH~bjCeiSu~ipGEOnH#cnqA+!-2uVKGx_zStnlWs#Z(O zHU0CqKMw#tO4o=BPp_=9Wzu?b--L0hgtM-Sx7H@*p?V_wB@v>DBHJdZp>gp&v*_Ie z=R`G8W&_<6#wDFbPhW{x>M*%o%F#)FYCWcN8-RaBXq*LqWjUp5xO7S?L=(lv$s{vO z%w9|@df7?ZMH7a+T^pGEI&e7$8||&5B#_+-K3p}8)eSZ7e^NA4SFjfGXylRp36aN& zxaMyQBCq6$bER2M!#w!{4$?>K2((ivkl+f7wmxH}^4OfXm8~9Q%xiQC$UP|hM(a{t zPr0ES)ixp3Z-M>q=zv^m*Q;dGKNC5045qqVv_v11ukMGboL-Mi^`k8(DHmM{St)53 zoe^S{p~#)$7YUOTxUt7B9#w7o&7~GHH1zl{o$A=sWZxlkDU75eYnT1P4sCnc%Q&QA zVh?e9EN%FFgtckTK0N&K1*0r90_G63_zNZAhH-%bp#9^@j*&0*4uDTEN0(lO1mubdz}6e_yhuoEZ@)Yqht*1 z2=MBysoPn=MSD$DYZfx&T0rGtorS)*_3SyE5Z=$kge3iK0 zi$~`%xH>KNIuhmb88A$ts1eId#?`Kl$^=+HG1^a|R~J&oKyNJ1AUncimh89sIEG-k z0{8~Znl5Pw@WROH?vALzi5&a!-o{(+q#vtAWLsYTm{CSacKJE)1fgi|={=`BCFBnjeG+|9Iaaxs*=*Tdo#e2uU`P2L<97E@R9l zNSlsdm%;Q?2`YC6d4LTrR+jbSf>K)3GN*=w4cEn2G3YX#s{{TO^;ad^Rt55QhUk0J 
zve4yH5&pXDQ*DV`Z+#H-TfaN{F)WC>ODhHDJ_;KRjZd4lv$K?<}F{^sI~?{LFs7-6(nAyD}gZx!RhTLy2raU5y7L2xpi7& zOTnHSugT?er}}75s>%ZiGvZ@m%5=Ft?k`Ui9X2qrxxP*2l{-Ze<89W7**lI03Z>`k z0?c!L-Js@6z7A^`vl}JGqlMlevM4Ui)@-+^6T^kobciHs4y#iOQUvw}WzGdVVyP5X zuOCFlL@f%D{g&qODkfK6n}pMNfOGTPliynEk&T2^a(=pa)ibw?QSw7)%#4LwHjdwj zu%w0|iAs4&%d!wyS<0K~}8nb9BMjZ)YR+ z-%xkVD)D7zR?9vi?GxbZmel#7+_Emm$4*mca&p)}$V+9R6-EkC#JD!Kf#a;DNWatp z#k&4+gvu#Wg@dYfeTK=rGxq$|Kqt?Zu3d5y{1KV97-~JipP0CWrQ6yeL>>+bZ5k|T z#-~WaUi}9G<#Ud>#O-=7ZSma8o@@<4h|&h#snBzCwiy|(yZ*C#|B-`B-5Kel;vUv% zO~oKc7O>c@vvH162tRLAEQ9vkT50#o@y_K)n0zw1Jz3CAM#3K^a`e`x;k0`BNaQ{{Hw>Ya+LXV;?8svV6&IlqroJkyoN^WKN|l9qkQn+w%N0ot)z|+k=h2S z{*YE99~&*&PomOrQV}_R<*(O7J#5_>u>`W=4C94XJ#Aqi8u;J)2)F9z*f^#E;Wi+= z;be(^6S0vzz|!$!yP`++H;0EK)r0U&LjV9F5}Q%$M7zNvqgn?hT1UeNg8i`U-i#r} zBX{vY9mjACti631v!kdj2CTbn8QS0OL?rUl$t%b_?LD`7*+>C9iLuQsEQ=_V_ag8g z-`Vla#)XEuy-afzEP`LYyhGA%;c+(x%E|kmj7+a6gaV6*vC7}6C`Ocg$fqh99Ng(G zSnn-S9jEA$5z4(C=-8Gf1hwr52!t4qz@dDBn`*}*S&q}GX8XfrG_7ym-jz=~bWHwl zl3&M$yzCkKXrvuzlSH040v@;xD2bg8MxVS-WM#beyNujk44_z*Srskgm9aQxGiH1C z(SjyQ(@Dm7^qk-ehu(8uh#VVY;`*T^2yH4UjL3ECQLyI$sWOd5E6spUZTy?Yy6MNi zN%?rxknx9z_KyZ-L~o3IWj(QID_Jm5Cx0ntLT(SdEd%4S%Kf14OiI|_4+YQZ7`@?q zp5aH^6@N$iq95I!bpKRX0pzz=>gxlspVyWH1K0z@)8aO z8=%|12hsko`DccCF>fN-8C}<&_rPO$#Ok;{ghT-mG;CQ!-^{woR&RCSpD&vVcVsZh z5qrxtpX)Evy0HE?K!&bOx7)7xk%2BCU^#1$MQ&Rs{k#yoxchBZhi5IC@ytJth9~h{ z04BlkeyQJN(t4oGzMT})_xyMoP&&QbBmnwjep8+aP6X0=2ddOCY4d{|qJnwWC%(d|r#*3xi=qXSU=`MG_`ynPn^0`ikhasxsG4HV zl;8N+`iI(h)tvsaq(51^-~U6gEYBVn$ppw5-7+1tOe?~~jX6P%mpgW`HJGyT+>8+> zw|Hn7uEJDp)veR3e~WZzFDE6xY1lJDC^@Yr8YUJeCpV(-lVMwSGq!5lqGb{V8^&QUnz`s*8 ze*jK74bS1SD8D73?6ZJj?eY%>IX5SO`AC6QYbF&N>@vP-oEh#&95LG4mWTUP-pj&z zP?9SWrRW3@&Q3Qh@ILt~f+`Ae&IJ1%tqtFfj+>gaF5rFdwG^6hr6%!3(yaMRfdDQ> zH^ziXRHy$EkE7~V`!Q9b%xA)N-TUh`Q%2>qO>~1F?pOMHsCpf2-xdsoH5_kYbp%jU z&&+-*_51+gpK{@&zCPi|lu-Vo=YOVr>C^j4(X;yDb?X`fg!5|LE{q5HE9*^=I&ajK+9B4@=Wx>1H))7;Y)o}yi~eP1o1IFD zF?vUB*YsoJdIn5*aXTaD;wa{OM6}CUCyUn_qTaSS`MELJsdYJ(sX0*&PkpXNy>yPR 
zm-1f#cu^vnNY{RCkx~J23XIZ=0Dn}t!BUaqni2y14odb>#sAcVs}3MX=h?ZnJLCBL zdx6&Z)9}u$*;=&kf@9ARW8O|Ejs@om8vsWo?WyzAz({8sM!jhv2_pe@?ig&`TwZ+w zFRB{YsFoOlq2;UN;{G`;ws6})s?Jb5vWlCFkG-3_{%gMeyf!f;DBf(fNFd->jQh-^ z@jm9S8Jee{eg}NnFNs5bNq_dX*U~$GUPU|f9P$?36>x3IT_0&qpa&AWcXu`49Z1_g z`!5J?ub#8f+I0~*K8YbLEHv0?1j2ff*T1sSm{{zoxV#LD<_7+?vorgPr>MF3iqtOv z6Q`GP69`Qu17^8H^43_hcvrO!CxrEx%trSobeXPyT#kVja{Sb7n|#4W$1pZppx~dueA-+lxJ~A*_efo`IPz`F zVND3lAF<;j#2$EM;LtMObA4DL$A$C5sSyj$303aBBx)LD{`B%EoS<^|3+@tdFFqwf z-G4%Rzh1{r0|^sY_P^M@5q+9s4Im+P;{Kykpf?iR1|;unFDJbILfd4OyF@M$usujdD>v&}UEwaSGyNe$RX)jv#JSIO zBCO`v5b)5l(DTK*6qpM_pNZ7jjQ%e~xRgUMcQeKGT zT%WzHtsaw>gvXp@KoB8uobgSHQQ4oIJm8DmFu3bXzJJhE$)DL^Yot=7d2HagSYz3O zJPVRciW@dF$D(o|-e%1-s^}uD7g->l+Ctq>6P8gH##O}Esr&dHXC8~koR6c&?T*4T z=p0UVvTaHcf*@Y@8fu>VEj){aZ?(vQ4$&cHZ3 zMEdov@~8iIwh9NCo%7(rb}JfD7snJY2LVXDu!nKX1x$c>jz0Zr_!wmBb`(jp}ZD%0~9cSdU~?TLJ^Xoo7g68#*(m;%l__- zq8DK<%<}l>K9@O1V!P?d^MR$AONu!aw>%jU^Vo4c^P?kEzO%mP{d(0jaMG}p{mfAVUa*n>JtG56 zA!xDth>bp_Va0FiXauLUwQt3GN}vmYy~b;t$l)kzR84il2_;Eq@Sd2r!($gfDk#cg zQH^awO*0XhbdBUJQYwpuK@jY9C?X8FtR9%SE<}&5Vas-)-FMoMER1~g%7P~rzj%%| zC)r`ucr^0evq)rZ+lKU5N*sUJgK|e4TRobVJ72l+nW8TDO}91SriIseTe3notEMdD zhtlI>aMf;pkc!{9cJ3al)u453{Z9G!F{wK5BeDfGpI)k8%_Hth6_8wK5y~+P+bWuS zkjrzRH~LWb;zcSuooEdguXoJ_$g1YHTY2G0^}&@*>CTmH?L{!fH*_+fspd9r&55!? 
z$o83*+|-{!7^G36vUH?AIRa-wOopF=T$MKW86SD~xn;Avl=gglD2WM|IVh#d-mh7_ z_5^a?l(eW?524h`K+uH_6JVr%`hY?Utjgo}8#6HE@Q|VH#9hLgeqtwf-W(MR0y)8@ z%OE;s{p#ozyUgV-KucDZG~O6D^pQqk3PZ=wjsNM=$sJ=+{S}an`6CB|RU9{365C%K z>p=qJAu=@1AnkgW*bo%$rxAT2P=y6wtXx8-P5$=s`SwE#WF35yLM4ziKX_sA-L_8y zdroh+JOZyqI0hbVUV5$TSZa6d_j6QJSlACV8s^x^+0S8x%k*(NR(+%17R0KodJZva z`Hez<`wW3OJU8b&KSP$5#4c(uHs3(ccQ-HHQwcS?us=_?iQpONBz>JGa~#iG==#&; zPaW%9XpI5nN_T(a^FJjMXi3-TEbio`3C`j1b^Cu}9vw4(MPngG72Ar6 zVx<3u{^9oVnECZ|d@2jKYcC3Zr`%{-4OrH9Og!#>Jv{F2wkx+t`yY-uX`BVzp|I4M=j{Rt#7}@=DXE^hO0Wc8f15Nxx>870H2k zH}aCHQ>p4{gg1w;HUkWruUBMZa~o~+B%mX=J64k&^^8|%SVZ#Bezug|?K(f&u!goa z{EX9SXcWWaJ0D9)Lt5l{;sr)iB%c9|7p}pmTXa%)HC8qC1^TCbzwVthB1G75S1Ugr z_lIf76Vo$!X5kbsO7yF`!E*w3oGO0qGL|%fM{Lk3zmx>;oK}i27EDm5G?v+RfK->3 z!CAe2btaCmK6J>)39!OAOS;L=W&j&oL#S%?O=d*e%Jzq{#81E%XXa7?fio*(xdVbp z={;8dyu@`;I!=_AS3*=}D*YL5`rY=E@(qwGRB^@rI{AsY0@r;aRId_%%XVOA)vSMF zoA^7Z%I6-J)Lu}(2RY9Qt;t7>yfrIyS-Vkc?4C$j32WcNskCzW_5g94)aP0B{|qFH W|NjyH-@}*vijT!9sfBcjg!Di6an8*E diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index db0fe0f1..49a586b7 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3190,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..fc127e1d7 100644 +index 1d732f1e7..d3c0b2d97 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; 
@@ -3317,7 +3317,7 @@ index 1d732f1e7..fc127e1d7 100644 # -allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; -+allow groupadd_t self:capability { dac_read_search chown kill setuid sys_resource audit_write }; ++allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write }; dontaudit groupadd_t self:capability { fsetid sys_tty_config }; allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process { setrlimit setfscreate }; @@ -6872,7 +6872,7 @@ index b31c05491..b15a7aa05 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285ea6..8c3bbb82c 100644 +index 76f285ea6..f0bb3da0c 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -9910,7 +9910,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4511,35 +5938,35 @@ interface(`dev_dontaudit_setattr_video_dev',` +@@ -4511,35 +5938,36 @@ interface(`dev_dontaudit_setattr_video_dev',` ## ## # @@ -9923,6 +9923,7 @@ index 76f285ea6..8c3bbb82c 100644 - read_chr_files_pattern($1, device_t, v4l_device_t) + rw_chr_files_pattern($1, device_t, xserver_misc_device_t) ++ allow $1 xserver_misc_device_t:chr_file map; ') ######################################## @@ -9955,7 +9956,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4547,17 +5974,19 @@ interface(`dev_write_video_dev',` +@@ -4547,17 +5975,19 @@ interface(`dev_write_video_dev',` ## ## # @@ -9979,7 +9980,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4565,17 +5994,17 @@ interface(`dev_rw_vhost',` +@@ -4565,17 +5995,17 @@ interface(`dev_rw_vhost',` ## ## # 
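Review bot: The new-side line `++allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write };` in the @@ -3317 hunk re-adds dac_override, the capability the distribution patch had deliberately replaced with the narrower dac_read_search, and the rule itself gives no hint of why. dac_override lets groupadd_t bypass file read, write and (for files with an exec bit) execute permission checks, so a one-line rationale above the rule would help the next person who tries to tighten it again, e.g. `# dac_override re-added for BZ(1497091); dac_read_search alone was insufficient`. With dac_override granted, dac_read_search is presumably redundant for the kernel's DAC checks, though keeping both is harmless. The groupadd_t local-policy block continues outside the hunk.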
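Review bot: The added `++ allow $1 xserver_misc_device_t:chr_file map;` in the @@ -9910 hunk widens the interface for every existing caller, not only the domain from BZ(1334035), while the interface's summary block in the surrounding context is left unchanged. Either the summary should say that the interface now also grants mmap of the device nodes, or the map permission belongs in a separate interface so callers that only need read/write do not silently gain it. A minimal in-place fix is a comment above the new allow line: `# also allow mmap of the device nodes (BZ 1334035)`. The closing `')` of the interface is inside the hunk; its header (named dev_rw_xserver_misc() in the commit message) and summary are above it.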
@@ -10001,7 +10002,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4583,18 +6012,18 @@ interface(`dev_rw_vmware',` +@@ -4583,18 +6013,18 @@ interface(`dev_rw_vmware',` ## ## # @@ -10025,7 +10026,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4602,17 +6031,18 @@ interface(`dev_rwx_vmware',` +@@ -4602,17 +6032,18 @@ interface(`dev_rwx_vmware',` ## ## # @@ -10048,7 +10049,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4620,17 +6050,17 @@ interface(`dev_read_watchdog',` +@@ -4620,17 +6051,17 @@ interface(`dev_read_watchdog',` ## ## # @@ -10070,7 +10071,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4638,35 +6068,36 @@ interface(`dev_write_watchdog',` +@@ -4638,35 +6069,36 @@ interface(`dev_write_watchdog',` ## ## # @@ -10116,7 +10117,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4674,41 +6105,35 @@ interface(`dev_rw_xen',` +@@ -4674,41 +6106,35 @@ interface(`dev_rw_xen',` ## ## # @@ -10166,7 +10167,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4716,17 +6141,17 @@ interface(`dev_filetrans_xen',` +@@ -4716,17 +6142,17 @@ interface(`dev_filetrans_xen',` ## ## # @@ -10188,7 +10189,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4734,17 +6159,18 @@ interface(`dev_getattr_xserver_misc_dev',` +@@ -4734,17 +6160,18 @@ interface(`dev_getattr_xserver_misc_dev',` ## ## # @@ -10211,7 +10212,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4752,17 +6178,17 @@ interface(`dev_setattr_xserver_misc_dev',` +@@ -4752,17 +6179,17 @@ interface(`dev_setattr_xserver_misc_dev',` ## ## # @@ -10233,7 +10234,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4770,17 +6196,17 @@ interface(`dev_rw_xserver_misc',` +@@ -4770,17 +6197,17 @@ interface(`dev_rw_xserver_misc',` ## ## # @@ -10255,7 +10256,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4788,18 +6214,17 @@ interface(`dev_rw_zero',` +@@ -4788,18 +6215,17 @@ interface(`dev_rw_zero',` ## ## # 
@@ -10278,7 +10279,7 @@ index 76f285ea6..8c3bbb82c 100644 ## ## ## -@@ -4807,47 +6232,911 @@ interface(`dev_rwx_zero',` +@@ -4807,47 +6233,911 @@ interface(`dev_rwx_zero',` ## ## # @@ -26637,10 +26638,10 @@ index 000000000..d9efb902a +#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 000000000..f73028658 +index 000000000..bb9082586 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,745 @@ +@@ -0,0 +1,763 @@ +## Unconfined user role + +######################################## @@ -27102,6 +27103,24 @@ index 000000000..f73028658 + +######################################## +## ++## Dontaudit read process information for unconfined process. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dontaudit_read_state',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:dir list_dir_perms; ++') ++ ++######################################## ++## +## Write keys for the unconfined domain. +## +## @@ -52298,10 +52317,10 @@ index 5ca20a97d..5454d1668 100644 + allow $1 unconfined_service_t:process signull; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 5fe902db3..b31eeba97 100644 +index 5fe902db3..0a7c3bb00 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te -@@ -1,207 +1,32 @@ +@@ -1,207 +1,33 @@ -policy_module(unconfined, 3.5.1) +policy_module(unconfined, 3.5.0) @@ -52521,6 +52540,7 @@ index 5fe902db3..b31eeba97 100644 -optional_policy(` - unconfined_dbus_chat(unconfined_execmem_t) + virt_transition_svirt(unconfined_service_t, system_r) ++ virt_transition_svirt_sandbox(unconfined_service_t, system_r) ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index db7597682..c54480a1d 100644 
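Review bot: The new interface `unconfined_dontaudit_read_state` in the @@ -27102 hunk documents itself as "Dontaudit read process information for unconfined process", but its only rule is `dontaudit $1 unconfined_t:dir list_dir_perms;`, which silences listing of the process's /proc directory and nothing else; denials on reading the files underneath would still be audited. Either narrow the summary to match, e.g. "Dontaudit listing the /proc directory of unconfined processes", or, if the BZ(1415975) denials also include file reads, add the conventional `dontaudit $1 unconfined_t:file read_file_perms;` so name, summary and body agree. Because dontaudit rules hide denials rather than grant access, an accurate summary is what lets someone later audit exactly what is being suppressed.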
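Review bot: `++ virt_transition_svirt_sandbox(unconfined_service_t, system_r)` in the @@ -52521 hunk calls an interface that nothing in this patch defines, so it relies on virt_transition_svirt_sandbox() already existing in the contrib policy's virt.if; an unknown interface name is not skipped by optional_policy but left unexpanded, which normally fails the policy build, so that dependency is worth confirming. A one-line comment would also help, since the commit message is the only place "start containers" is explained: `# container runtimes running as unconfined_service_t may transition into svirt sandbox domains`. The optional_policy block containing the call starts outside the hunk.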
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 6f06d16b..8c89eb9f 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -14708,10 +14708,10 @@ index 4a5b3d1a5..cd146bd5a 100644 ') diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 000000000..3849f134a +index 000000000..e07f85124 --- /dev/null +++ b/cloudform.fc -@@ -0,0 +1,21 @@ +@@ -0,0 +1,22 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) + +/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0) @@ -14719,6 +14719,7 @@ index 000000000..3849f134a +/usr/libexec/min-cloud-agent -- gen_context(system_u:object_r:cloud_init_exec_t,s0) +/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) +/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0) ++/usr/lib/systemd/system-generators/cloud-init.* gen_context(system_u:object_r:cloud_init_exec_t,s0) + +/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0) + @@ -14857,10 +14858,10 @@ index 000000000..55fe0d668 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 000000000..0763656a0 +index 000000000..2f19544f0 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,250 @@ +@@ -0,0 +1,251 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -15021,6 +15022,7 @@ index 000000000..0763656a0 + sysnet_domtrans_ifconfig(cloud_init_t) + sysnet_read_dhcpc_state(cloud_init_t) + sysnet_dns_name_resolve(cloud_init_t) ++ sysnet_filetrans_cloud_net_conf(cloud_init_t) +') + +optional_policy(` @@ -97227,7 +97229,7 @@ index 50d07fb2e..a34db489c 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441e7..6d5786b06 100644 +index 2b7c441e7..0ad80a509 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) 
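Review bot: The new file-context line `++/usr/lib/systemd/system-generators/cloud-init.* gen_context(system_u:object_r:cloud_init_exec_t,s0)` in the @@ -14708 hunk omits the `--` file-type field that every neighbouring entry in cloudform.fc uses, so the cloud_init_exec_t label would apply to directories, symlinks and any other object matching the pattern, not only regular files. Unless the generator is installed as something other than a regular file, `/usr/lib/systemd/system-generators/cloud-init.* -- gen_context(system_u:object_r:cloud_init_exec_t,s0)` keeps the entry consistent and the entrypoint label limited to executables. The unescaped `.` in `cloud-init.*` matches any character, but the neighbouring `cloud-config.*` entry does the same, so that part is presumably intentional.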
@@ -98368,9 +98370,11 @@ index 2b7c441e7..6d5786b06 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -871,40 +971,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) +@@ -870,41 +970,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t) + manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) files_var_filetrans(winbind_t, samba_var_t, dir, "samba") ++allow winbind_t samba_var_t:file { map } ; -rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -98425,7 +98429,7 @@ index 2b7c441e7..6d5786b06 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +1016,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +1017,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -98484,7 +98488,7 @@ index 2b7c441e7..6d5786b06 100644 ') optional_policy(` -@@ -959,31 +1077,36 @@ optional_policy(` +@@ -959,31 +1078,36 @@ optional_policy(` # Winbind helper local policy # @@ -98528,7 +98532,7 @@ index 2b7c441e7..6d5786b06 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1120,38 @@ optional_policy(` +@@ -997,25 +1121,38 @@ optional_policy(` ######################################## # @@ -117249,7 +117253,7 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..844aa6e9e 100644 +index f03dcf567..c7a95a908 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,424 @@ @@ -117418,30 +117422,36 @@ index f03dcf567..844aa6e9e 100644 +##
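Review bot: The added `++allow winbind_t samba_var_t:file { map } ;` in the @@ -98368 hunk is written with braces around a single permission and a space before the terminating semicolon, which no other rule in the surrounding samba.te context does; `allow winbind_t samba_var_t:file map;` is the conventional form. It is also placed after `files_var_filetrans(winbind_t, samba_var_t, dir, "samba")` rather than next to the manage_*_pattern rules for samba_var_t it extends, and a short comment such as `# winbind needs mmap of samba_var_t files, not only read/write` would record why map is required beyond what those patterns already grant. The winbind_t local-policy block continues on both sides of the hunk.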

+## +gen_tunable(virt_use_usb, true) - --attribute svirt_lxc_domain; ++ +## +##

+## Allow confined virtual guests to use smartcards +##

+##
+gen_tunable(virt_use_pcscd, false) -+ + +-attribute svirt_lxc_domain; +## +##

+## Allow sandbox containers to send audit messages -+ + +-attribute_role virt_domain_roles; +-roleattribute system_r virt_domain_roles; +##

+##
+gen_tunable(virt_sandbox_use_audit, true) -+ + +-attribute_role virt_bridgehelper_roles; +-roleattribute system_r virt_bridgehelper_roles; +## +##

+## Allow sandbox containers to use netlink system calls +##

+##
+gen_tunable(virt_sandbox_use_netlink, false) -+ + +-attribute_role svirt_lxc_domain_roles; +-roleattribute system_r svirt_lxc_domain_roles; +## +##

+## Allow sandbox containers to use sys_admin system calls, for example mount @@ -117455,27 +117465,21 @@ index f03dcf567..844aa6e9e 100644 +##

+##
+gen_tunable(virt_sandbox_use_mknod, false) - --attribute_role virt_domain_roles; --roleattribute system_r virt_domain_roles; ++ +## +##

+## Allow sandbox containers to use all capabilities +##

+##
+gen_tunable(virt_sandbox_use_all_caps, true) - --attribute_role virt_bridgehelper_roles; --roleattribute system_r virt_bridgehelper_roles; ++ +## +##

+## Allow qemu-ga to read qemu-ga date. +##

+##
+gen_tunable(virt_read_qemu_ga_data, false) - --attribute_role svirt_lxc_domain_roles; --roleattribute system_r svirt_lxc_domain_roles; ++ +## +##

+## Allow qemu-ga to manage qemu-ga date. @@ -117490,10 +117494,10 @@ index f03dcf567..844aa6e9e 100644 + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; ++ ++type qemu_exec_t, virt_file_type; -type virt_cache_t alias svirt_cache_t; -+type qemu_exec_t, virt_file_type; -+ +type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) @@ -117862,10 +117866,10 @@ index f03dcf567..844aa6e9e 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -- --filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +allow svirt_t self:process ptrace; +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +- -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; 
@@ -118041,20 +118045,20 @@ index f03dcf567..844aa6e9e 100644 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --can_exec(virtd_t, virt_tmp_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) @@ -118214,7 +118218,7 @@ index f03dcf567..844aa6e9e 100644 ') optional_policy(` -@@ -691,99 +653,441 @@ optional_policy(` +@@ -691,99 +653,445 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -118540,6 +118544,10 @@ index f03dcf567..844aa6e9e 100644 +') + +optional_policy(` ++ unconfined_dontaudit_read_state(virt_domain) ++') ++ ++optional_policy(` + xserver_rw_shm(virt_domain) +') + 
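Review bot: The new `++optional_policy(` ++ unconfined_dontaudit_read_state(virt_domain) ++')` in the @@ -118214 hunk applies the dontaudit to every domain carrying the virt_domain attribute, not only the guests launched by the gnome-boxes case that BZ(1415975) describes, and nothing at the call site says what is being silenced. A comment above the block would preserve that context, e.g. `# gnome-boxes appears to run unconfined; silence guest listings of its /proc entry (BZ 1415975)`. Since dontaudit rules suppress evidence rather than grant access, recording the intended scope helps whoever later debugs denials in these domains. The block is complete within the hunk.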
@@ -118707,7 +118715,7 @@ index f03dcf567..844aa6e9e 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1098,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1102,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -118734,7 +118742,7 @@ index f03dcf567..844aa6e9e 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1118,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1122,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -118768,7 +118776,7 @@ index f03dcf567..844aa6e9e 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1155,20 @@ optional_policy(` +@@ -856,14 +1159,20 @@ optional_policy(` ') optional_policy(` @@ -118790,7 +118798,7 @@ index f03dcf567..844aa6e9e 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1193,66 @@ optional_policy(` +@@ -888,49 +1197,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -118875,7 +118883,7 @@ index f03dcf567..844aa6e9e 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1264,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1268,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -118895,7 +118903,7 @@ index f03dcf567..844aa6e9e 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,15 +1285,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,15 +1289,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -118914,7 +118922,7 @@ index f03dcf567..844aa6e9e 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -982,186 +1299,307 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -982,186 +1303,307 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) 
@@ -119351,7 +119359,7 @@ index f03dcf567..844aa6e9e 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1612,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1616,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -119366,7 +119374,7 @@ index f03dcf567..844aa6e9e 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1630,7 @@ optional_policy(` +@@ -1192,7 +1634,7 @@ optional_policy(` ######################################## # @@ -119375,7 +119383,7 @@ index f03dcf567..844aa6e9e 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1639,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1643,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 0c792e1e..0090d850 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 293%{?dist} +Release: 294%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -678,6 +678,15 @@ exit 0 %endif %changelog +* Mon Oct 09 2017 Lukas Vrabec - 3.13.1-294 +- Allow cloud-init to create content in /var/run/cloud-init +- Dontaudit VM to read gnome-boxes process data BZ(1415975) +- Allow winbind_t domain mmap samba_var_t files +- Allow cupsd_t to execute ld_so_cache_t BZ(1478602) +- Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035) +- Add dac_override capability to groupadd_t domain BZ(1497091) +- Allow unconfined_service_t to start containers + * Sun Oct 08 2017 Petr Lautrbach - 3.13.1-293 - Drop policyhelp utility BZ(1498429)