From 614b77aa6b57b52e2fa52e5f90781b09f0720468 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 31 2016 10:53:26 +0000 Subject: * Wed Aug 31 2016 Lukas Vrabec 3.13.1-191.15 - udisksd has moved - Fix file context for /etc/pki/pki-tomcat/ca/ - new interface oddjob_mkhomedir_entrypoint() - Allow mdadm to get attributes from all devices. - Label /etc/puppetlabs as puppet_etc_t. - Add new domain ipa_ods_exporter_t BZ(1366640) - Allow VirtualBox to manage udev rules. - Allow systemd_resolved to send dbus msgs to userdomains - Allow systemd-resolved to read network sysctls - Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t - Label all files in /dev/oracleasmfs/ as oracleasmfs_t --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index ac42d8a..65646ba 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 73cc8a7..2f815db 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -17844,10 +17844,10 @@ index 1a03abd..3221f80 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index d7c11a0..efcd377 100644 +index d7c11a0..f521a50 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc -@@ -1,23 +1,29 @@ +@@ -1,23 +1,28 @@ -/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -/cgroup/.* <> +# ecryptfs does not support xattr @@ -17866,8 +17866,7 @@ index d7c11a0..efcd377 100644 +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh) +/dev/shm/.* <> -+/dev/oracleasm -d gen_context(system_u:object_r:oracleasmfs_t,s0) -+/dev/oracleasm/.* <> ++/dev/oracleasm(/.*)? gen_context(system_u:object_r:oracleasmfs_t,s0) + +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/usr/lib/udev/devices/hugepages/.* <> @@ -27126,10 +27125,10 @@ index 0000000..03faeac + 
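Review bot: The replacement file context in the filesystem.fc hunk labels `/dev/oracleasm(/.*)?`, while the commit message and the spec changelog entry both say `/dev/oracleasmfs/`; one of the two should be corrected so the label and its documentation agree. The removed entries labelled only the directory (`-d`) and left the contents unlabelled with `<>`, which is the usual treatment for a mount point whose contents are labelled by a genfscon rule; if that is the situation here the wider `(/.*)?` pattern changes nothing at runtime, and if files are actually created under that path by userspace the wider pattern is the correct one. A one-line comment above the entry stating which case applies, e.g. `# oracleasm mount point; contents labelled oracleasmfs_t`, would settle it for the next reader.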
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..a298e23 +index 0000000..79f40da --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,354 @@ +@@ -0,0 +1,358 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -27329,6 +27328,10 @@ index 0000000..a298e23 +') + +optional_policy(` ++ oddjob_mkhomedir_entrypoint(unconfined_t) ++') ++ ++optional_policy(` + dbus_role_template(unconfined, unconfined_r, unconfined_t) + role system_r types unconfined_dbusd_t; + @@ -37262,7 +37265,7 @@ index 79a45f6..d4f6066 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..f1cc9e3 100644 +index 17eda24..71aec04 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37488,7 +37491,7 @@ index 17eda24..f1cc9e3 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +257,67 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +257,69 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -37548,11 +37551,13 @@ index 17eda24..f1cc9e3 100644 +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) + ++udev_manage_rules_files(init_t) + +-miscfiles_read_localization(init_t) +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) - --miscfiles_read_localization(init_t) ++ +userdom_transition_login_userdomain(init_t) +userdom_noatsecure_login_userdomain(init_t) +userdom_sigchld_login_userdomain(init_t) 
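Review bot: `udev_manage_rules_files(init_t)` in the init.te hunk grants PID 1's domain create, write and delete on udev rules files, but the changelog describes this item as allowing VirtualBox to manage udev rules; nothing in the hunk ties the grant to a VirtualBox domain, so every process running as init_t gains write access to the rules that decide how device nodes are labelled and which helpers run on hotplug events. If the trigger is a VirtualBox service that has no domain of its own and therefore runs in init_t, giving that service a domain would keep the grant scoped; failing that, a comment such as `# VirtualBox kernel-module setup unit runs in init_t and rewrites udev rules` should record why PID 1 needs it. The reasoning about which unit runs in init_t is inferred from the changelog, not visible in the hunk.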
@@ -37561,7 +37566,7 @@ index 17eda24..f1cc9e3 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +326,264 @@ ifdef(`distro_gentoo',` +@@ -186,29 +328,264 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37835,7 +37840,7 @@ index 17eda24..f1cc9e3 100644 ') optional_policy(` -@@ -216,7 +591,30 @@ optional_policy(` +@@ -216,7 +593,30 @@ optional_policy(` ') optional_policy(` @@ -37867,7 +37872,7 @@ index 17eda24..f1cc9e3 100644 ') ######################################## -@@ -225,9 +623,9 @@ optional_policy(` +@@ -225,9 +625,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37879,7 +37884,7 @@ index 17eda24..f1cc9e3 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +656,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +658,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37896,7 +37901,7 @@ index 17eda24..f1cc9e3 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +681,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +683,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37939,7 +37944,7 @@ index 17eda24..f1cc9e3 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +718,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +720,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -37951,7 +37956,7 @@ index 17eda24..f1cc9e3 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +730,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +732,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37962,7 +37967,7 @@ index 17eda24..f1cc9e3 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +741,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +743,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37972,7 +37977,7 @@ index 17eda24..f1cc9e3 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +750,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +752,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37980,7 +37985,7 @@ index 17eda24..f1cc9e3 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +757,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +759,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37988,7 +37993,7 @@ index 17eda24..f1cc9e3 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +765,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +767,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -38006,7 +38011,7 @@ index 17eda24..f1cc9e3 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +783,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +785,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38020,7 +38025,7 @@ index 17eda24..f1cc9e3 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +798,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +800,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38034,7 +38039,7 @@ index 17eda24..f1cc9e3 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +811,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +813,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38045,7 +38050,7 @@ index 17eda24..f1cc9e3 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +824,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +826,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38053,7 +38058,7 @@ index 17eda24..f1cc9e3 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +843,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +845,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38077,7 +38082,7 @@ index 17eda24..f1cc9e3 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +876,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +878,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -38085,7 +38090,7 @@ index 17eda24..f1cc9e3 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +910,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +912,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38096,7 +38101,7 @@ index 17eda24..f1cc9e3 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +934,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +936,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38105,7 +38110,7 @@ index 17eda24..f1cc9e3 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +949,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +951,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38113,7 +38118,7 @@ index 17eda24..f1cc9e3 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +970,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +972,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38121,7 +38126,7 @@ index 17eda24..f1cc9e3 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +980,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +982,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38166,7 +38171,7 @@ index 17eda24..f1cc9e3 100644 ') optional_policy(` -@@ -559,14 +1025,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1027,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38198,7 +38203,7 @@ index 17eda24..f1cc9e3 100644 ') ') -@@ -577,6 +1060,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1062,39 @@ ifdef(`distro_suse',` ') ') 
@@ -38238,7 +38243,7 @@ index 17eda24..f1cc9e3 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1105,8 @@ optional_policy(` +@@ -589,6 +1107,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38247,7 +38252,7 @@ index 17eda24..f1cc9e3 100644 ') optional_policy(` -@@ -610,6 +1128,7 @@ optional_policy(` +@@ -610,6 +1130,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38255,7 +38260,7 @@ index 17eda24..f1cc9e3 100644 ') optional_policy(` -@@ -626,6 +1145,17 @@ optional_policy(` +@@ -626,6 +1147,17 @@ optional_policy(` ') optional_policy(` @@ -38273,7 +38278,7 @@ index 17eda24..f1cc9e3 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1172,13 @@ optional_policy(` +@@ -642,9 +1174,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38287,7 +38292,7 @@ index 17eda24..f1cc9e3 100644 ') optional_policy(` -@@ -657,15 +1191,11 @@ optional_policy(` +@@ -657,15 +1193,11 @@ optional_policy(` ') optional_policy(` @@ -38305,7 +38310,7 @@ index 17eda24..f1cc9e3 100644 ') optional_policy(` -@@ -686,6 +1216,15 @@ optional_policy(` +@@ -686,6 +1218,15 @@ optional_policy(` ') optional_policy(` @@ -38321,7 +38326,7 @@ index 17eda24..f1cc9e3 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1265,7 @@ optional_policy(` +@@ -726,6 +1267,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38329,7 +38334,7 @@ index 17eda24..f1cc9e3 100644 ') optional_policy(` -@@ -743,7 +1283,13 @@ optional_policy(` +@@ -743,7 +1285,13 @@ optional_policy(` ') optional_policy(` @@ -38344,7 +38349,7 @@ index 17eda24..f1cc9e3 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1312,10 @@ optional_policy(` +@@ -766,6 +1314,10 @@ optional_policy(` ') optional_policy(` 
@@ -38355,7 +38360,7 @@ index 17eda24..f1cc9e3 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1325,20 @@ optional_policy(` +@@ -775,10 +1327,20 @@ optional_policy(` ') optional_policy(` @@ -38376,7 +38381,7 @@ index 17eda24..f1cc9e3 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1347,10 @@ optional_policy(` +@@ -787,6 +1349,10 @@ optional_policy(` ') optional_policy(` @@ -38387,7 +38392,7 @@ index 17eda24..f1cc9e3 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1372,6 @@ optional_policy(` +@@ -808,8 +1374,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38396,7 +38401,7 @@ index 17eda24..f1cc9e3 100644 ') optional_policy(` -@@ -818,6 +1380,10 @@ optional_policy(` +@@ -818,6 +1382,10 @@ optional_policy(` ') optional_policy(` @@ -38407,7 +38412,7 @@ index 17eda24..f1cc9e3 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1393,12 @@ optional_policy(` +@@ -827,10 +1395,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38420,7 +38425,7 @@ index 17eda24..f1cc9e3 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1425,60 @@ optional_policy(` +@@ -857,21 +1427,60 @@ optional_policy(` ') optional_policy(` @@ -38482,7 +38487,7 @@ index 17eda24..f1cc9e3 100644 ') optional_policy(` -@@ -887,6 +1494,10 @@ optional_policy(` +@@ -887,6 +1496,10 @@ optional_policy(` ') optional_policy(` @@ -38493,7 +38498,7 @@ index 17eda24..f1cc9e3 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1508,218 @@ optional_policy(` +@@ -897,3 +1510,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48833,10 +48838,10 @@ index 0000000..16cd1ac +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..3e6cbf1 +index 0000000..fda8f23 --- /dev/null 
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,961 @@ +@@ -0,0 +1,964 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49728,6 +49733,7 @@ index 0000000..3e6cbf1 +read_files_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) + +kernel_dgram_send(systemd_resolved_t) ++kernel_read_net_sysctls(systemd_resolved_t) + +auth_read_passwd(systemd_resolved_t) + @@ -49740,6 +49746,8 @@ index 0000000..3e6cbf1 + +sysnet_manage_config(systemd_resolved_t) + ++userdom_dbus_send_all_users(systemd_resolved_t) ++ +optional_policy(` + dbus_system_bus_client(systemd_resolved_t) + dbus_connect_system_bus(systemd_resolved_t) diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index 5af0e41..4715777 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -23730,6 +23730,17 @@ index 583a527..91c4104 100644 +optional_policy(` + gnome_dontaudit_search_config(denyhosts_t) +') +diff --git a/devicekit.fc b/devicekit.fc +index ae49c9d..ecf42a8 100644 +--- a/devicekit.fc ++++ b/devicekit.fc +@@ -1,5 +1,6 @@ + /lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + /lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) ++/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + + /usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + /usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) diff --git a/devicekit.if b/devicekit.if index 8ce99ff..1bc5d3a 100644 --- a/devicekit.if @@ -63768,7 +63779,7 @@ index dd1d9ef..c48733a 100644 -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) +/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/oddjob.if b/oddjob.if -index c87bd2a..284e4de 100644 +index c87bd2a..6180fba 100644 --- a/oddjob.if +++ b/oddjob.if @@ -1,4 +1,8 @@ 
@@ -63880,7 +63891,7 @@ index c87bd2a..284e4de 100644 ## ## ## -@@ -105,46 +141,96 @@ interface(`oddjob_domtrans_mkhomedir',` +@@ -105,46 +141,114 @@ interface(`oddjob_domtrans_mkhomedir',` # interface(`oddjob_run_mkhomedir',` gen_require(` @@ -63926,8 +63937,7 @@ index c87bd2a..284e4de 100644 -###################################### +####################################### - ## --## Send child terminated signals to oddjob. ++## +## Execute oddjob in the oddjob domain. +## +## @@ -63951,7 +63961,8 @@ index c87bd2a..284e4de 100644 +') + +######################################## -+## + ## +-## Send child terminated signals to oddjob. +## Create a domain which can be started by init, +## with a range transition. ## @@ -63989,6 +64000,24 @@ index c87bd2a..284e4de 100644 + range_transition oddjob_t $2:process $3; + mls_rangetrans_target($1) + ') ++') ++ ++######################################## ++## ++## Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`oddjob_mkhomedir_entrypoint',` ++ gen_require(` ++ type oddjob_mkhomedir_exec_t; ++ ') ++ allow $1 oddjob_mkhomedir_exec_t:file entrypoint; ') diff --git a/oddjob.te b/oddjob.te index e403097..45d387d 100644 @@ -71232,12 +71261,12 @@ index 0000000..a2cb118 + diff --git a/pki.fc b/pki.fc new file mode 100644 -index 0000000..b2b20f0 +index 0000000..47cd0f8 --- /dev/null +++ b/pki.fc @@ -0,0 +1,57 @@ +/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/etc/pki/pki-tomcat/ca/(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) ++/etc/pki/pki-tomcat/ca(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) +/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) +/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) 
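Review bot: The new `oddjob_mkhomedir_entrypoint()` interface grants only `allow $1 oddjob_mkhomedir_exec_t:file entrypoint;`, whereas entry-point interfaces in refpolicy normally call `domain_entry_file($1, oddjob_mkhomedir_exec_t)`, which additionally grants the execute/mmap permissions on the file and marks the type with the entry_type attribute; a confined caller using this interface alone would still be denied executing the helper. If the bare rule is deliberate because the only intended caller is unconfined_t (as the unconfineduser.te hunk suggests), the summary should say so. The summary text `Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain` also reads oddly; `Allow oddjob_mkhomedir_exec_t to be an entrypoint for the specified domain` would match the wording of the other interfaces in the file.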
@@ -79061,12 +79090,13 @@ index 6643b49..dd0c3d3 100644 optional_policy(` diff --git a/puppet.fc b/puppet.fc -index d68e26d..d2c4d2a 100644 +index d68e26d..2542f5a 100644 --- a/puppet.fc +++ b/puppet.fc -@@ -1,18 +1,21 @@ +@@ -1,18 +1,22 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) ++/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) -/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) @@ -83945,10 +83975,10 @@ index 951db7f..00e699d 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') diff --git a/raid.te b/raid.te -index c99753f..357db0b 100644 +index c99753f..31ff402 100644 --- a/raid.te +++ b/raid.te -@@ -15,54 +15,103 @@ role mdadm_roles types mdadm_t; +@@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) @@ -84029,6 +84059,7 @@ index c99753f..357db0b 100644 -dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_dontaudit_read_all_blk_files(mdadm_t) +dev_dontaudit_read_all_chr_files(mdadm_t) ++dev_getattr_generic_chr_files(mdadm_t) +dev_read_crash(mdadm_t) +dev_read_framebuffer(mdadm_t) dev_read_realtime_clock(mdadm_t) @@ -84061,7 +84092,7 @@ index c99753f..357db0b 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -71,15 +120,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -71,15 +121,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -84088,7 +84119,7 @@ index c99753f..357db0b 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -90,17 +149,38 @@ optional_policy(` +@@ -90,17 +150,38 @@ optional_policy(` ') optional_policy(` 
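Review bot: `dev_getattr_generic_chr_files(mdadm_t)` in the raid.te hunk covers only generic (device_t) character device nodes, while the changelog says mdadm is allowed to get attributes from all devices; if the observed denials were on a specifically typed node this rule will not cover them, and if the narrower grant is what was intended the changelog line should be narrowed to match. Because getattr is read-only metadata access the addition itself is low risk either way. The hunk does not show the triggering denial, so a comment above the line naming the operation that needs it would help whoever revisits this rule.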
diff --git a/selinux-policy.spec b/selinux-policy.spec index dd60480..143a6f7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191.14%{?dist} +Release: 191.15%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -645,6 +645,19 @@ exit 0 %endif %changelog +* Wed Aug 31 2016 Lukas Vrabec 3.13.1-191.15 +- udisksd has moved +- Fix file context for /etc/pki/pki-tomcat/ca/ +- new interface oddjob_mkhomedir_entrypoint() +- Allow mdadm to get attributes from all devices. +- Label /etc/puppetlabs as puppet_etc_t. +- Add new domain ipa_ods_exporter_t BZ(1366640) +- Allow VirtualBox to manage udev rules. +- Allow systemd_resolved to send dbus msgs to userdomains +- Allow systemd-resolved to read network sysctls +- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t +- Label all files in /dev/oracleasmfs/ as oracleasmfs_t + * Thu Aug 25 2016 Lukas Vrabec 3.13.1-191.14 - Add new domain ipa_ods_exporter_t BZ(1366640) - Create new interface opendnssec_stream_connect()