From 6261723d55619301ca1f599554037b05f7c3fb1c Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 19 2014 10:21:51 +0000 Subject: * Wed Mar 19 2014 Miroslav Grepl 3.12.1-141 - Allow docker containers to manage /var/lib/docker content --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 206fe53..e70b33d 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -22857,7 +22857,7 @@ index 9d2f311..9e87525 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 346d011..e73a293 100644 +index 346d011..19dfc1f 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -22931,7 +22931,13 @@ index 346d011..e73a293 100644 manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) -@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t) +@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run + files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(postgresql_t) ++kernel_read_network_state(postgresql_t) + kernel_read_system_state(postgresql_t) + kernel_list_proc(postgresql_t) kernel_read_all_sysctls(postgresql_t) kernel_read_proc_symlinks(postgresql_t) @@ -22939,7 +22945,7 @@ index 346d011..e73a293 100644 corenet_all_recvfrom_netlabel(postgresql_t) corenet_tcp_sendrecv_generic_if(postgresql_t) corenet_udp_sendrecv_generic_if(postgresql_t) -@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) +@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) 
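Review bot: The `kernel_read_network_state(postgresql_t)` line added inside the inner postgresql.te hunk is a new grant that the changelog entry of this commit ("Allow docker containers to manage /var/lib/docker content") does not mention, and the policy carries no comment saying why postgresql now needs to read kernel network state. The same gap applies to `logging_send_syslog_msg($1_t)` added to the virt.if template hunk further down in policy-f20-contrib.patch, which extends syslog access to every domain built from that template rather than only svirt_lxc_net_t as the 3.12.1-140 entry describes. A changelog line per grant, e.g. `- Allow postgresql to read network state` and `- Allow domains created by the virt.if template to send syslog messages`, or a `# needed for ...` comment on each added line, would let the spec history explain the widened policy.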
@@ -22949,7 +22955,7 @@ index 346d011..e73a293 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -354,20 +361,28 @@ init_read_utmp(postgresql_t) +@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) @@ -22981,7 +22987,7 @@ index 346d011..e73a293 100644 allow postgresql_t self:process execmem; ') -@@ -485,10 +500,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin +@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; @@ -23038,7 +23044,7 @@ index 346d011..e73a293 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -536,7 +593,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) @@ -23047,7 +23053,7 @@ index 346d011..e73a293 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +646,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index d52b916..4147183 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -23083,10 +23083,10 @@ index 0000000..1c4ac02 +/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) 
diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..cc6846a +index 0000000..867fd78 --- /dev/null +++ b/docker.if -@@ -0,0 +1,323 @@ +@@ -0,0 +1,324 @@ + +## The open-source application container engine. + @@ -23202,6 +23202,7 @@ index 0000000..cc6846a + + files_search_var_lib($1) + manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t) ++ manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t) +') + +######################################## @@ -98401,7 +98402,7 @@ index c30da4c..6351bcb 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..f2c0191 100644 +index 9dec06c..88dcafb 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -99923,7 +99924,7 @@ index 9dec06c..f2c0191 100644 ## ## ## -@@ -1053,37 +1102,131 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,37 +1102,133 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -99947,7 +99948,7 @@ index 9dec06c..f2c0191 100644 ## -## +## - ## ++## +## Prefix for the domain. +## +## @@ -99964,6 +99965,8 @@ index 9dec06c..f2c0191 100644 + mcs_constrained($1_t) + role system_r types $1_t; + ++ logging_send_syslog_msg($1_t) ++ + kernel_read_system_state($1_t) +') + @@ -99972,7 +99975,7 @@ index 9dec06c..f2c0191 100644 +## Make the specified type usable as a lxc domain +## +## -+## + ## +## Type to be used as a lxc domain +## +## @@ -100069,7 +100072,7 @@ index 9dec06c..f2c0191 100644 ## ## ## -@@ -1091,36 +1234,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1236,54 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -100143,7 +100146,7 @@ index 9dec06c..f2c0191 100644 ## ## ## -@@ -1136,50 +1297,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1299,36 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` 
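Review bot: `manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)` widens this docker.if interface for every caller, not only the svirt_lxc_net_t use this commit adds in virt.te, so any existing consumer silently gains symlink create/unlink rights under the docker lib tree. The interface's name and its `<summary>` block sit above the hunk, outside it; if the summary still describes only files, it should now say files and symlinks. If there is a caller that should not be creating symlinks there, a separate interface (say, a docker_manage_lib_lnk_files wrapping only the manage_lnk_files_pattern line) would keep the two grants distinct.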
@@ -100216,7 +100219,7 @@ index 9dec06c..f2c0191 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..49a7fce 100644 +index 1f22fba..afa8936 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,194 @@ @@ -101649,7 +101652,7 @@ index 1f22fba..49a7fce 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1111,276 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1111,278 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -101869,6 +101872,8 @@ index 1f22fba..49a7fce 100644 +') + +optional_policy(` ++ docker_manage_lib_files(svirt_lxc_net_t) ++ docker_manage_lib_dirs(svirt_lxc_net_t) + docker_read_share_files(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) + docker_use_ptys(svirt_sandbox_domain) @@ -102063,7 +102068,7 @@ index 1f22fba..49a7fce 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1393,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1395,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -102078,7 +102083,7 @@ index 1f22fba..49a7fce 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1411,8 @@ optional_policy(` +@@ -1183,9 +1413,8 @@ optional_policy(` ######################################## # @@ -102089,7 +102094,7 @@ index 1f22fba..49a7fce 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1425,216 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1427,216 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) 
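Review bot: `docker_manage_lib_files(svirt_lxc_net_t)` and `docker_manage_lib_dirs(svirt_lxc_net_t)` give every svirt_lxc_net_t container write access to everything labelled docker_var_lib_t, which going by the commit title covers /var/lib/docker as a whole, so a container that is compromised can alter other containers' content and state that the docker daemon trusts, not just its own data. The fcontext line visible above (`/var/lib/docker/.*/config\.env` → docker_share_t) and the existing `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` call in this same optional_policy block show that per-container content already gets narrower labels, so labelling the files the containers actually fail on as svirt_sandbox_file_t via a filetrans would keep the grant per-container; worth confirming against the denials that motivated the change. The two new lines also target svirt_lxc_net_t while the rest of the block targets svirt_sandbox_domain, so a comment such as `# svirt_lxc_net_t only: needs write access to container state kept directly under docker_var_lib_t` would explain the narrower subject. docker_manage_lib_dirs is not shown on this page, so I assume docker.if defines it alongside docker_manage_lib_files; the optional_policy block's closing `')` is outside the hunk.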
diff --git a/selinux-policy.spec b/selinux-policy.spec index 20b4912..6b9120e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 140%{?dist} +Release: 141%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Mar 19 2014 Miroslav Grepl 3.12.1-141 +- Allow docker containers to manage /var/lib/docker content + * Mon Mar 17 2014 Miroslav Grepl 3.12.1-140 - Allow docker to read tmpfs_t symlinks - Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets