From fcebe07f6ca82f340b436367ffb0fb8e1cf2043c Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Tue, 5 Sep 2017 09:36:30 +0200
Subject: [PATCH] * Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279 - Allow abrt_dump_oops_t to read sssd_public_t files - Allow cockpit_ws_t to mmap usr_t files - Allow systemd to read/write dri devices.
---
container-selinux.tgz | Bin 6903 -> 6902 bytes
policy-rawhide-base.patch | 89 ++++++++++++++++++-----------------
policy-rawhide-contrib.patch | 15 +++---
selinux-policy.spec | 7 ++-
4 files changed, 60 insertions(+), 51 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index 11ff2f9f857ec4ad54e99c5fbcb59a4934bef486..96dd93e9612f4c258feb25566d33504f8119107a 100644 GIT binary patch delta 6436 zcmV+<8QbRfHTE?vABzY8l~b-+00Zq^ZExH-lAf>bUm+v|#2zGe>`Zb%JiCX*%mQ~G z4jAk%u#qi1fA}7MU;f+sx9V^BdH3Pn<>fb*?=IiJ`~LmqhpYGByuEyP1&@NaPgNoH z=g_oa9R%NGw{^HlA}ih4`+w1&)ytQ`56vOZ!}{Tmf7>TPStZ4rraaV95`?r)UNEW`e;kts0iOXclcxbk z0VR{~0V@G3lN$n;0TYw60xEyM!Xn)13(51CV>wmr$#ffsKSsL=jIjyxq*`*&gU_n> zynBwxPxhNf?{E&oBmbUpVJzD#&&fFB!oekGe%Ck_sLvm3t2({K za**;fcBqETYq7>!81T`VOHC=aWOXp1prI0xl%^ELc-K)DHjSkydN(XnvI9RT@vTk?Ma#VNo~$)lAs@5s>lW;x3LRsc#oK!dS@9ZSgTZG;NYcZ8p_c zr@uQCX-neoI*MV(d{ZF`V!f3jd7We>ZcIT^DU2t26Yw9w%)514GVlr%%Uz5$VK@fg zi&B%1_$!bjLwa9ExOjyEzJT#R1@~ukQPMOHi#WKeQ`2TLPjY`)xxW0Qz5^NMv%I~A zo{%)q4|%|_h3qFtQx|3sXwvLY%c^~tx`YQBzEzyT#N&!X1B0!7AoYlIp)XW1Lp0IG z$!*n=-HR_#Q25&*UqSdW+A~8JWel}gM#%WXTqB(`gsr}cu<>6>(M}OH{tQcUh@2QE ziM?B>vHW<=Yl(lo;NK0(@^7J#{t|qrPmrwKIarmo&_b~<^F$v5d{N|!t~e;PER9I= zI(Q-9ode&Cv)MRt8QshWX@Gk@s1ZJ$g9fI)it{GQQt00KNUUuO)MS=y7)BY*ldM*Q zhGW3++kw4I!_bC8LsTGS_ffBSG5lRs;Kr_{3NvvAf|!4dVCc@77;iFAca1u-Jnesj z)4Ch|+jMuH6t_#F?#rfamIkE#+JcyM(v;clIZ9v=Sk_Yw7y_H}K3S&u3=@so1>s8A zKV;#<@`zUpLWXUbr$PsS;Znn@y$<6%E!bLwhn}|S!xk%nbS_^2+L5lGvM7XqLmC~} z_#h0x(7%5VnifowoYt45{o?jBs}0&4SnJtQWX27yC34KNiSE~A)<)X05AuW7YCH9n zc|)jieiUBzpm%&Y!}@g&yubeZV^@dfIgh?7@*aUmi*_0O^7YHG$F${ILtV*0VJ&a8 zEj)pLLl_+S$7f5AB`@dJa6k^zxYn z#8Q2ygsl@pPg^KWJ~A9#K^iI2-Y!u-%Xz|hTebF530z)xG4`s+|Y!<)6`{j89NY`@JEF8 zcU7Eq2BEfaNCnH+@n$Eif?@GsfahxllLeTZu%OisRSC^ymTKB8doO0;t1De~=U%ID znSP9p9pZH*vEERs#hh;a814>CJeFbXLr!COtWq8AwFAi*KdIHl56Ku#*dgh!C6a#| zN=Eq@k?^gfO2beH#cCXQN%dF;i`e_I0GiO{OGmBxC)hTl)y%6Nv?;9Ov8&YK+F|qO zxKPYnZ`a=Z_}duvt3*(m;AgXoKhp~;277<4L$k{h27ZNS5UMyC-&(vf%CoyQsPn07B`E8@ z;UP&x89;Q3L}&65dWKQ`<+Q6?w_&|YT0xU%%^LK^jyt2Zmr;XbA00DLSS%jn62*f= z)-~@Fd_}9nm%d2-FZv^U^t?@;stou2{|_JDzJE8k|Nrjm{r}JM!#pkPyo`TAv7O4% z@H)6Uzq&ksd$!W_1q<_J-j$#(%eK6kYAUZ@20tZ$Q&VCASaVjS%HpJnc!*8KgKH8D zQGx0Ncl!kNV6BFegk&BIKQVc8vn=@Ak3R=hS+_CJ{dF76 
zrW@V<#-oisra10kh?xjdI@P&MXoCv!BN9FG=2T;H%>KL@XaIa9dj|f{5PPgnWIQk( zV6%f{i4K3-@wbg_RMCHc8;&aTC^estXsEh#tPehP)mh8XNry!##~A%mdIx3VJVHJ^ zH6je*MT}-2y9@DT;hOEk>5ydz#v?ZRSTYKc2_Y|`%gDWQI$$&i8dlYTcfJ$F0aq9ubZUKzz(H1be-=!JB^ocMVMX`*gR5m6tZ) z{gN}b?_aE7+{UP7PPT+Piw5*Zm<7xpgICN)W?J~0B-?(B!YbUPS=v4Xk3qCA?~33i z1p{ac|H2!VP12@uklz$#9AMYb0UrHplNK`mo*vX8*fdGI1xQ@*));(6>7PDbkJSRK z7;#`BpG%9n;>I3F`E_;KF}NSp;5(;3Nlu-(m_n1-C zxFcG81S_bVbcsF#^_8W?&H9F4P&_2J7#?s$%>*KJM4W~@4NAP71?j4lTtaaGkcNg$ zVp6Bk8WgzE%sP`SIB+Mjfc&Sj(8z@0Tqn^j3+lpc_IS7~FX(8~?Kn`NbK zu{5u|nTLPt_f4i>>mRW!m{~Y{awZVv#fSwUeKZme*ui8*k9=|8)@9x;^px-ouqBh?e3z{72x=@$91V8c8Mvk^x_o;{HbG0*~=zJTdopzX4&edmL_(&3(IKLl5EyQ!v9Y{g=wGne5i_Q5 z&s}GIF>g9g#GX98eewIgO0UVTL0cyMkph1oxrTDI(0%cb5xjpJxMSie3lX=@pR$a} z2KSUQd{z;Si413D`M7o;V!2A+sxJ4b(}cB6H7n*dM`jM_9A-0SnJY2l+`;03IeBn+ zU@na}dA7SSeR`M^Pc(ddN3pERGM1A0+U=8IcXx1~68>s=eAB)0rzt|Y^Zj%M;5C2k z)ys~iE2)>OV>z2^EH&MniSLOyS?PJ=PF8%LxYM0cp1_l};25rtChVo|p127#WsLBz z@`48JSgy0Vqt^>_suAf4Ja3qJ0M8m`F5G@xf%h=rkfvcE+fD<*XBZE&JZWS1PU;zc zkru``#z^UpKk;Y-epJy9Ixx1Si$s4QMvSJ%t#OMH^=AEi142(S9_`J-tSIQ)Os-NF zNsI0YUvj!>`p`seW~quGzC&a$QV?4c?UUHAa6Ip}2%(FVUQ;}L7`5pw%%|8=KBtfI z-65uQdb|+!rf~^H#OkHHXrJ}Cob*#GH={~BJ`6{zq(`H60e&K^@0D||FsgsqNBM%C zhZl4XA#^Zp%+VufeX3@kWSIw@pJVBWQ^VeQo?uJ2Gni(Ur3DKue6+W3+sd;D!4j2u zUS-Msn#SZfZ|`)|SAs?+zcb$1C#f@zlE+R)*>XoyovS+*L2jW}$fGV8(@EUvxSn>v z>uQs^MhoL7nSR9lhHq$_$4Y-=4-H;Q%klW%2a;ub@M_+nAU}-ex3+Z`x{#RkDZ1R* zMo!86J|mU)5JuDQ2}h}S>#|_UVR@<;b6c9WtkHzS7zR?`_ZY;NHa8Y}I=aV2tZ16M zw2k&=I-VXuA3m@#jmtX=G|y-&?yH%phzQ>wEG^;$W##6#sUvzXwvm7Q#FX+xU?hyA zqgP$35S;MT>b%)msC&d)L?T7qNatAmjNL)nG}hrkobQp0 zdO?d@?Y$*)+^2uBV-Awrv;wtUY|9Y`$nS@wY1d@a=@(25^t?Um9A*g^Gj11*Aa*-g z48%VE9s0bT7xGhin1GZGM-N)H56Ku8UMk}CWbGMSqs<;#TFBzES=@|v(`dlQvPz;t zh9Q;glME)K%luxg;^bD{gIGLK3K0kn58G{SE}*1thsA%^GFv3c!Gk8dr8T#$OGnl4 zlL%NVCq-74l^2v>kytq}DQc$+K*%g@(wL&LMz`pEt8xUx=nj3r;j;%HFv&ByNnG;8 zZOq@mc*YChx(lg&=nD9c;^ za;$_XjkHMCa(Oq@h&=E7%3gJcSkhT--APK)s?F~mBtr6lWR*M-3O~Rop_mtk0u9J0 
zq)xCOxS<6GJN0g(2z}SUL;H4}?lCjZ6%819ec6BJ3g}qsb}j!BpL%lg#G3Mcql_39p?oF;W*85cW=Ypl*zA@GblB#bTm zZ!15O)m4N&ceK+;?x>BC-rZ8cLc@n~I0?l_^B^Swj#t|3=0gmHT+eOU^n}a~xz9AF zK^jXt6LV*n-W!5X+0_(w{C2IC*$=8R0V;pFf9M3iRlXmkw?I0CeVS`X!f0pPHob@p z)~C!Au`}TotK$-DIosr!xhyW+u%hD)>LBMKte_MjH|}-NQrfQSOd0sM)xlt4r)8dp z`_PI{-{Z2>m!&}xhJlNSSsdN57g{QoWzCsn-p>j#(dQuAw6M9)SRzGJ$=kF}?qGk$ z#G?&;WfdxJ=Vy8U4|1PxJJ7H(77-rF6nOG#&6{$zdZ`k2SF|P-MN?t)bcvBUj&9hD z@~|3BlwvB5l`W^NYhfm85#Q)bFHF830}Vn8*Gozsn%zenp!;;dx~E;tK4X#hOy+7H z(dLp>#zygG3bm$G+cs2)0rX0UM^S&A9`nnjlqA-o(d-_5Lxm0LYS`K6NsqX@-sc`6 zhs_$~d+MwPlEz48{>sfGed~1eY{6t0b)`jJ`a)qA%}92jvh^d4LWd=&7v>wIG&xTa z<|#I2NTQs4$J~W=CHfnD#lkpS2F1wa!&CW{$Z(F}7~%Bkr0!JFdTwaQk8FRQ^nNAs zacT&VhtaBr8{^2;mT+E#@yy=7q;f9%Dy^h?w%Hs+-WeVeQ+WvjLiMP;^vs$6`jt5e=Ky(a3ZD@jM(`mA)?YJxNNeUOnXXFQeW zjD%Y%=fw0<(hRr2DFF;JmD+!`njOY!SBTGZjNIoK|Hg>x-RRYhh2Wi+F%~MrbuZ)C zBHULre9*_QX;?n?GNSg6{rU^J>!;imnkG2En*egGYj-sajxR~-ip`WnO2C~+A7cdb z3p$kKtv1%pO?Qi^p3o9}vNZYxXh@sfyJy7jT6o<_nsejAwZB*lXf#LUuo2?k zhiSp!Md=F$OT=kjW6Ug9K|gc7)D(S*-QX|7e=3Gc&{< zm!5W*VtGoT#$ez{;kNVh#LmbMdu(3VVdVZpz&arUDNDKd@gF z#)sQ;cHb zYt$;^y^kigZ^rFz7mwo~%kgwa(2FY559^IlY1%=$RmnfWvAFMX_=IEd(c^EAV{gCX zZeNk`dFnELd{Q%y@lMGUJ%%+wZ@qdQ{Mvo)TaBx>-R6Jul^ZdW)W&ZJdSk*$3+kxx zv_uD&bjEo`E(m!Tv{MT8yAtFj8q(dKav@r;#&F74!<-4UW0JSV*q%wTk^A4^?C8FJ zVekLtkL>yL?UQ}m&i(zr%eUWOy&ru4@9o#`|9zI93$!0EemQ4f^r5eV;*d!0TmA{V z_2DC5lL z?(miZ%IldVvy)ur2d+>P#{=Tmj`-oR$=;9sL*)OL$zB zmXR$YU2qpbGPS?V-G7u4c4{h)`2-3}Ae;5p(Q3;Kzo_=I7qN^I6Zi}3G6B1|O4ERk z*KA-K&9qax&?Z?=1d{}Frm_K#RqmJbDvd}dnPeky=;{T$W*NLU{Fco!BIK(VvvZrN ypo7RWMUMfnVzW)q0QBiB6=*jPM`)5S?UecY^Y!QJ&)1*N@bgdlURRO;$N&K2p}08! 
delta 6460 zcmV-C8N=rGHTN|wABzY8ATg*}00Zq^ZExH-lAf>bUm+v|#2zGe>}0Y)JiCX*%mH^F z78vXVvq<;UDM3dZF+JKU85I z=0OqW$sb=ZsuzD6lL!Hy0k4y&0Y?Eflkfp60UMJX0+#_Zle7XVe=lJX?(~J^dCak# zs`g~Mjl&)qCDO$K)sb&7*fXhvAWb&$uv_?Um%Hh%oe ziQWYKM=yF{V@(*2!S|xn1gv~hA?U)q;>=Tjr_I0bsb)uxhWvI8O_<7U7|% zZThgqN+6xf7l3x8>!&OV;op!(2R1$k12FXOe}kq4lO(70C27C7{mg2E_6F8^b`+U$ zgKLQ#vuvXKHJP=Mw(NuaptaggeP!MdYMdX1mp$kmAI`9TodfT0KmXX(p?S`uuZp}! zAkv~;2ETm$GVC#Jxz%&8El<;3RL^6*HCD&F=ux+OXSiztJKg+ZXME1g8BaHW z2zh&iO?nN|2%2geCkDVf|edXPrT)EgVw8@^!q~39DdOJQ(2ln!#iNCMPUt z^+Q!cbD5=@Hp||NS@`NoSKYbSDqN-?qhp77T}iArlxi`jTR(=o0~3#B82gaZ7#^!s zM|!{K&6hg5Y2VPP=mcb(Sek_0{botUz ztNsbL&1g0Ast0Wft9a}xb+~re{5dWZ^VZw7H$VP1hW#oLl%}{WzVsT6ZTGoLL~etT z+e1XNNIY3XD^^42$jphbEz!u?giRXt7f>NzzvZ&3lWlr$kmt|zf{MXjf9uff@`Qn3 z;TeP~PR6$uuZ;5SZVl>u>RJiPx^H+$5>W;aog&ehe1x81RDU_`>eg*o?~+!~hPs6QvZwo$R0g!lcy@fegFT%hqvFq z)9?RZU4Fg)|5<*Rr)8a&e=#VwQ#l%52Uq7;m*;QKR+_$GVV=yp64YhcmN!#P<<-mJ zrvz|nN-O|t&Wco7oHP*+v8i})O@bjRP@UjzpMV~$)o_xK%wypvCU0(*1%LnX=b$R< zR>t5|Tu(A|Y)pG7!j0NixitfG{dKSnvnDyys>Ex=ta^TosCxRLfApLOe(&n?Pz9&l zEp^7Vv_~ztQN{qedf0X{(A+e{g@&vO(1A|FyH72Qaf--`!z2gw%#`-2p(NJ@XRhj- z!{)a&7;e!XReGoNO>mM4)ww5!bZD5WXRn=WZCj~^gt~}vyTP>BaB5xDY!luWF?%-X z71e1tr1$Cf|b>BzsP8wJ}`QOxZqubwjw9&^D#~lnY6G2L+I+qD;P(gk~qDS7G zYD|vVpH~A7fRAL)z#kf7kJX8c2c`pTc91O5;ZHmMwy}*We;RPZQDq*b=JOE^RdBq#>w{d*M!!*HJJCf6?w@c!f^qJ zk6DIbulF{1e-q%Yfk}U#?)I?q(gwU=a>n-kixrI97`4pFmQZKWfc^-xfZ1d4iuuS) z3xAVj+mBILg_|@>+lSyWi1y`O5!|F;0Bzx4c*C+u+B6RGo1%;Z>>4`2qknDELdM_I zgE|D8CTX_-i3{EugRdz4)2HjPT7VTJ4(#hB1N%6`e*^mwCb38U2NW6|Y8X20I8Wc; z9HHLE7?w0nhE7JB1tl5;qtyIt5o4#7gGP3E>CLQM8};PPn;jjO!f#Iw45DWN*lHmC z7}LIE+WRs=oqiWw_-{`(Q@{r=T7Bq=)<)F=D2I4}GKIaHkXONmY=P#`R7nxLICWjA zHU(Woe>7RW#xYYu0ZfxJN}=)|Gm08_M2nAL1(lO7(PyB(vb4Ba-|!2HhvXK+1CFSf zK!lEn({QIjiMO*LUA2-+C=LM9(6C8N>NHw|0ymmjXOaa6?nD-l|5O$lnJ}E|B)Vlm zUAWC2uh|?Ps+uRg6xalMx#4%Sth6nb=9M?|e{lW2$@FXeBbEg-3x`k61fskcu>hox zM&bcGn9S&rFYepA%)5o25}xE`3}(X0m<(a0dLk5fxXm-&B0m;vm}g-&;%LaTC$b?1 
zT0rwkyY|F}K{rKUV*6{3gqzc!ZbSwJ7N5VIIza8-$cuSRW;=9K+}xbz+R-#0fmd4v zf7&Cqm7?^6Px7wKyvFVf59T)2i8Xm@+3?I)k^I0E!O39nPkx$?5I%}2%(5K7y43=v zS@C^hTj+j(+ekHy;kUf*`gONAzcpoX4liH08t`az*$sUFpN7#CFM~hFF^eh8!<(cR z@Uu^%o8YdjZ_a`2KgufE9pa6oV%nsgDQK&gL3RO*d!adty#jdY-tG6`v>W zbZ3+&@MJAGhU=pVd#Sr8ZURjiBmAqppaDCU>um1m^}?KLM0x_x8)hEBvxb=qw;xyF zJq$RcX&A`1(}3_9#=|U6+St95dWK)5h4GCsQu^ahJlcRCRrG@njBV*6e-Vfgqv>&L z++sw%SwG)^(36Zud$TYr3i>vatJFo(qI<%ZoNk&vG*O#bsv?N*5ZQ|q#MVUnB=##D z&$}%`=pv=p6b~OpZF&pyDYlf)>0^9%h$)>OFND2mTtX4Cdg(6OXFV<_{nX0MsM3xP z!_g|~(WqU3p9t%F<(w;we`@wozF_C!1)W0(9ZVZ@^vGGCs@W%5=0WG@SUTd=uy>v( z*wXC`rkQ1F!9oik?d{vP@+?BIL}i{=S#rOoF*(lLJKgk^ppnV%jCb})>Wri0v6E4@ z+|g9$>W)Q_Tj&+?s0+q)5_dYTrycOR+GMWL!uUz1A2Gk-8`|cvf6~}PgO}2BJpT8A zWZ53Pns+G352N|5ZQX?~Bqn`|E_b$(Q!>BLNaa0*(e!)5QR>~gELd__o+`%NmZmLh zG~qCYfzQRcya~Qw#|3iM9MUv z(8l!tLVJLJ$Ix{FyG6LB1F3bC*xGMm6?W|wo&Z7!7!K8;)s~pNDED`9*oKaIM7Fn> zboL6o42IN>o^$L47_Ur%tazVSOkc>)23jUpa%fX-yT-{je>`L@^RwLBM51!A;b((> zXmE*%x&LO(a{O5)4JRg3DBU`74M}5~X5U@tHFCW&GuBmZb#9)q*Gx1U2ZbHLQtB2a zf0;ESePdxxD`p|i~P$0M-_YwU)nd#Nh90m&SqETnN1h`ypxC zHQ99f1ych(Z_hf1Spvq4+XW+t-3}H5v5$X;K5yrR{8Sz$AZ5eRgI4WBGRB3Mig-O) zd&bsivxk-zvbby(H>2G&8t}2KlBkejNG1CugURSJzgMd`xmEWd7EhEy1cJlEcAJ|E zD5=|Ff3da97D;mOpvi7&&28(_Q8oM|0@lh&k(FiT1?5*HRt`*x+UWuiGE18@rf96u zEjr(-9KkTULmzPX?7;_2@=R_LmppMB^EWV_@dCK+LTVqn0{){oy438oH{tf%YwK^$ zGq#UcJrl0&e&RvqD}kned)_sqbkY%52&n9ae@EW9+9Eev>wC8G^dlxG%OZXlTC(;B zn2y=T0qN-I+nU!%fG~@o}4`K=782mi00xhwJnV>{K4Rx>J%XC{vX&Qf`&dW?Zg#h7##4xJ{u`$&b2am#8~c3Qrt$&l{UNi5JMr?b6Yk&A+tm7GmUAG#?sEj+!?0#hTv0nHH96&U2A3bgQ`q`e@gBj zI>B$1??>q^kPcy=<{FYP+S#^EFCv5WDKkavOt{7BxWrn{HhE?)iwifb=y-!V$ax4W zC`HJPdmXftwyQc*2L5ezFj&}Wndjj?wBpnExGeQ$X^@0r;38rcM|bRnmWpLrb0(Sh zvqDVtIfynbZ0<9bNYPaCHm#F8f0!}xXhUCFg^JtxS>FGH+~?a4G;EATghw(3p1fM~ zrkt%_s)XGYtw}}ER2V&7Vq}h^8#bdntVR>1n2KX%%PH$xn2B1%H~P{Glds1>gV4hD zl9GpJ_Ynu^J{_>`X&1B4SmZsExtd3`xnz~GQM{Q#ttr*E4HaSly%OS4e-x+3{4yye ziM41nyGP$pVMDqab~bv_Bkr#Exkt!hvj+K|I;(-CF_M|Ta`Q;vIvqV*Fd0T&X;GKH 
zP?$wCk{zgQ{YazGVF~Jm`Nk+s&Xa_Bij5hPC@0@BcVS(L{sv#MFwT}iF*5n^RDLBg zoFh0!IDI;)J5{uv8yfN>f14-0Ux|F28Uo~Dw5s98IC8ZmoEKp{v$rp)oXfsSE2*As zHV2V+hKIydUV?y7Jt}W~SHE>pk{Q>bvd8S(MZK_AH*%+0`udCX=GmAk7hme?l($W< ziF)cv(h;{lE1kBQ;Ea7AWF*TOPo+5{;g-rdF};*D!!2-10E0}We|D{Ahq2lf;`1CM z_c_MDG2(hRdbMLAc;{t|h01W<%Q&_O_Z1Bv^zmyNmXE!RsQqKV{zC5hDR+gY3C`~( zfE?@ET@8cdOOm=`GbND{a3|8o7{UC44kh_`Jenk(sqk7|+r12aWcd!W2bT3BWgpmq zMH|d%RL1A{A;Q35f4j;g{$2gfc-{+^l2a{~Jz-SsJGzpDBeq8G8BG*@qu=T=#Ky2-eso-v>|j*Oe;LiZc02-BCNJb?vptun zpfnC*9`?$v|465X9x>qvY;eSNxZ*i9^<=#Y(Hd?gu?F=+c86IU4OxGMBt~83=;P}? z9jcctjqYyI;-nx^W^46(HhW7{o^H;r5)}c!aaZf0Wof&$kjFDHD1t$vIs)CVD#n zag;V(ay+t1cp?qOrPHVj;v)-o4*203waR$!qlxXCal6~a)~y02f@`+xZ(d;Wa;WZ$-PfB*0D?fa|m_3!^(e)#(R zzt8e>f%fCYFX!xwKJ;}^91_WW%RgbaK78bhe^ULiQxiOedGi+Z%f+FoFS2xlYxV`h zxj6ssT8e1yGSWvxk=DL^Q|fWJx^sRpPl3ANh_4?HUio`b=NB|uU zpQp#e;pjXHWp!~IGTC8t7DMs{>f&#xJ_4vGsztB>>Vnn!7fjUZ4JrbROpubQLG<(Q ze!(vY_zRJJi(njB_OCRheO(3^e49ok_-qE1*1!(~@GfqaPz;36HDNGO|Ua3+@6)ruLV)`;St>PEExzpFm*=WV7Bn zT5Xx(7u8<&B9>8N0)Js$CSVs=X&UhHnhi{&nRZGS+9d0VV3J_YR5swT%KdU)N~Q56 zlWYVIUA=(UEQ9xk-?CXognad4c5X8jbP#!_=rI6RY_(oibm4 WzW#ju`TFx2e*OvX8JTbZ$N&JzOtaPi diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4e2480bb..4b9c6c9d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -36943,7 +36943,7 @@ index 79a45f62e..6ed0c399a 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..a980b4d3f 100644 +index 17eda2480..4593a868a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -37124,7 +37124,7 @@ index 17eda2480..a980b4d3f 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +213,27 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +213,28 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -37150,10 +37150,11 @@ index 17eda2480..a980b4d3f 100644 +dev_filetrans_all_named_dev(init_t) +dev_write_watchdog(init_t) +dev_rw_inherited_input_dev(init_t) ++dev_rw_dri(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,45 +241,103 @@ domain_signal_all_domains(init_t) +@@ -139,45 +242,103 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -37264,7 +37265,7 @@ index 17eda2480..a980b4d3f 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +346,283 @@ ifdef(`distro_gentoo',` +@@ -186,29 +347,283 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37557,7 +37558,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -216,7 +630,30 @@ optional_policy(` +@@ -216,7 +631,30 @@ optional_policy(` ') optional_policy(` @@ -37589,7 +37590,7 @@ index 17eda2480..a980b4d3f 100644 ') ######################################## -@@ -225,9 +662,9 @@ optional_policy(` +@@ -225,9 +663,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37601,7 +37602,7 @@ index 17eda2480..a980b4d3f 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +695,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +696,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
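Review bot: The added `dev_rw_dri(init_t)` in the init.te hunk (directly after `dev_rw_inherited_input_dev(init_t)`) gives the init_t domain read/write on DRI device nodes with no comment or bug reference naming the systemd operation that was denied, so a later audit cannot tell whether the grant is still needed or could be narrowed. Judging by its name, the rule just above it is limited to inherited input-device descriptors; if the denial behind this change was also on a descriptor passed in rather than a fresh open, a narrower rule would probably suffice, though that is inferred because the AVC is not on the page. I would add a comment above the line such as `# init_t rw on dri devices: <AVC summary / BZ reference>`. The same gap applies to `sssd_read_public_files(abrt_dump_oops_t)` in the abrt.te section and `files_mmap_usr_files(cockpit_ws_t)` in the cockpit.te section of policy-rawhide-contrib.patch, whereas the 3.13.1-278 changelog entry does cite a BZ number. The init_t rule list in init.te continues outside this hunk.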
@@ -37618,7 +37619,7 @@ index 17eda2480..a980b4d3f 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +720,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +721,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37661,7 +37662,7 @@ index 17eda2480..a980b4d3f 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +757,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +758,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37673,7 +37674,7 @@ index 17eda2480..a980b4d3f 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +769,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +770,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37684,7 +37685,7 @@ index 17eda2480..a980b4d3f 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +780,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +781,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37694,7 +37695,7 @@ index 17eda2480..a980b4d3f 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +789,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +790,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -37702,7 +37703,7 @@ index 17eda2480..a980b4d3f 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +796,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +797,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37710,7 +37711,7 @@ index 17eda2480..a980b4d3f 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +804,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +805,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37728,7 +37729,7 @@ index 17eda2480..a980b4d3f 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +822,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +823,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37742,7 +37743,7 @@ index 17eda2480..a980b4d3f 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +837,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +838,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37756,7 +37757,7 @@ index 17eda2480..a980b4d3f 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +850,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +851,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -37767,7 +37768,7 @@ index 17eda2480..a980b4d3f 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +863,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +864,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37775,7 +37776,7 @@ index 17eda2480..a980b4d3f 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +882,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +883,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37799,7 +37800,7 @@ index 17eda2480..a980b4d3f 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +915,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +916,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37807,7 +37808,7 @@ index 17eda2480..a980b4d3f 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +949,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +950,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37818,7 +37819,7 @@ index 17eda2480..a980b4d3f 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +973,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +974,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37827,7 +37828,7 @@ index 17eda2480..a980b4d3f 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +988,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +989,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -37835,7 +37836,7 @@ index 17eda2480..a980b4d3f 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1009,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1010,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37843,7 +37844,7 @@ index 17eda2480..a980b4d3f 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1019,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1020,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37888,7 +37889,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -559,14 +1064,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1065,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37920,7 +37921,7 @@ index 17eda2480..a980b4d3f 100644 ') ') -@@ -577,6 +1099,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1100,39 @@ ifdef(`distro_suse',` ') ') @@ -37960,7 +37961,7 @@ index 17eda2480..a980b4d3f 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1144,8 @@ optional_policy(` +@@ -589,6 +1145,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37969,7 +37970,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -610,6 +1167,7 @@ optional_policy(` +@@ -610,6 +1168,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37977,7 +37978,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -626,6 +1184,17 @@ optional_policy(` +@@ -626,6 +1185,17 @@ optional_policy(` ') optional_policy(` @@ -37995,7 +37996,7 @@ index 17eda2480..a980b4d3f 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1211,13 @@ optional_policy(` +@@ -642,9 +1212,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -38009,7 +38010,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -657,15 +1230,11 @@ optional_policy(` +@@ -657,15 +1231,11 @@ optional_policy(` ') optional_policy(` @@ -38027,7 +38028,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -686,6 +1255,15 @@ optional_policy(` +@@ -686,6 +1256,15 @@ optional_policy(` ') optional_policy(` @@ -38043,7 +38044,7 @@ index 17eda2480..a980b4d3f 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1304,7 @@ optional_policy(` +@@ -726,6 +1305,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38051,7 +38052,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -743,7 +1322,13 @@ optional_policy(` +@@ -743,7 +1323,13 @@ optional_policy(` ') optional_policy(` @@ -38066,7 +38067,7 @@ index 17eda2480..a980b4d3f 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1351,10 @@ optional_policy(` +@@ -766,6 +1352,10 @@ optional_policy(` ') optional_policy(` @@ -38077,7 +38078,7 @@ index 17eda2480..a980b4d3f 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1364,20 @@ optional_policy(` +@@ -775,10 +1365,20 @@ optional_policy(` ') optional_policy(` @@ -38098,7 +38099,7 @@ index 17eda2480..a980b4d3f 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1386,10 @@ optional_policy(` +@@ -787,6 +1387,10 @@ optional_policy(` ') optional_policy(` @@ -38109,7 +38110,7 @@ index 17eda2480..a980b4d3f 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1411,6 @@ optional_policy(` +@@ -808,8 +1412,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38118,7 +38119,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -818,6 +1419,10 @@ optional_policy(` +@@ -818,6 +1420,10 @@ optional_policy(` ') optional_policy(` 
@@ -38129,7 +38130,7 @@ index 17eda2480..a980b4d3f 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1432,12 @@ optional_policy(` +@@ -827,10 +1433,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38142,7 +38143,7 @@ index 17eda2480..a980b4d3f 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1464,62 @@ optional_policy(` +@@ -857,21 +1465,62 @@ optional_policy(` ') optional_policy(` @@ -38206,7 +38207,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -887,6 +1535,10 @@ optional_policy(` +@@ -887,6 +1536,10 @@ optional_policy(` ') optional_policy(` @@ -38217,7 +38218,7 @@ index 17eda2480..a980b4d3f 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1549,218 @@ optional_policy(` +@@ -897,3 +1550,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f1b26385..59f9fbf9 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f070f..3c19e28fc 100644 +index eb50f070f..5c05075a4 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -1060,7 +1060,7 @@ index eb50f070f..3c19e28fc 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +476,86 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +476,87 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1142,6 +1142,7 @@ index eb50f070f..3c19e28fc 100644 +init_read_var_lib_files(abrt_dump_oops_t) + +optional_policy(` ++ sssd_read_public_files(abrt_dump_oops_t) + sssd_stream_connect(abrt_dump_oops_t) +') + 
@@ -1151,7 +1152,7 @@ index eb50f070f..3c19e28fc 100644 ####################################### # -@@ -404,25 +563,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +564,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1214,7 +1215,7 @@ index eb50f070f..3c19e28fc 100644 ') ####################################### -@@ -430,10 +624,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +625,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -15550,10 +15551,10 @@ index 000000000..d5920c061 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 000000000..b802a9920 +index 000000000..08aaee4bb --- /dev/null +++ b/cockpit.te -@@ -0,0 +1,121 @@ +@@ -0,0 +1,123 @@ +policy_module(cockpit, 1.0.0) + +######################################## @@ -15618,6 +15619,8 @@ index 000000000..b802a9920 + +auth_use_nsswitch(cockpit_ws_t) + ++files_mmap_usr_files(cockpit_ws_t) ++ +init_stream_connect(cockpit_ws_t) + +logging_send_syslog_msg(cockpit_ws_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index aa074f6f..1c037307 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 278%{?dist} +Release: 279%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,11 @@ exit 0 %endif %changelog +* Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279 +- Allow abrt_dump_oops_t to read sssd_public_t files +- Allow cockpit_ws_t to mmap usr_t files +- Allow systemd to read/write dri devices. + * Thu Aug 31 2017 Lukas Vrabec - 3.13.1-278 - Add couple rules related to map permissions - Allow ddclient use nsswitch BZ(1456241)