From 8c35d6b3a4388b7620d35669c3cf62a337b7af37 Mon Sep 17 00:00:00 2001 
From: Dan Walsh
Date: Dec 02 2013 14:20:13 +0000
Subject: Added fix for clout_init to transition to rpm_script_t (dwalsh@redhat.com)

- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel.
- Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on
- Add lsmd_plugin_t for lsm plugins
- Allow dovecot-deliver to search mountpoints
- Add labeling for /etc/mdadm.conf
- Allow opelmi admin providers to dbus chat with init_t
- Allow sblim domain to read /dev/urandom and /dev/random
- Allow apmd to request the kernel load modules
- Add glusterd_brick_t type
- label mate-keyring-daemon with gkeyringd_exec_t
- Add plymouthd_create_log()
- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
- Allow sssd to request the kernel loads modules
- Allow gpg_agent to use ssh-add
- Allow gpg_agent to use ssh-add
- Dontaudit access check on /root for myslqd_safe_t
- Allow ctdb to getattr on all filesystems
- Allow abrt to stream connect to syslog
- Allow dnsmasq to list dnsmasq.d directory
- Watchdog opens the raw socket
- Allow watchdog to read network state info
- Dontaudit access check on lvm lock dir
- Allow sosreport to send signull to setroubleshootd
- Add setroubleshoot_signull() interface
- Fix ldap_read_certs() interface
- Allow sosreport all signal perms
- Allow sosreport to run systemctl
- Allow sosreport to dbus chat with rpm
- Add glusterd_brick_t files type
- Allow zabbix_agentd to read all domain state
- Clean up rtas.if
- Allow smoltclient to execute ldconfig
- Allow sosreport to request the kernel to load a module
- Fix userdom_confined_admin_template()
- Add back exec_content boolean for secadm, logadm, auditadm
- Fix files_filetrans_system_db_named_files() interface
- Allow sulogin to getattr on /proc/kcore
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock()
interface --- diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 17d0954..8283f84 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -102114,3 +102114,21 @@ index 9ba9f81..983b6c8 100644 -miscfiles_read_localization(zos_remote_t) - logging_send_syslog_msg(zos_remote_t) +commit a3007fcf054427b3e4f2c06c77ad783551aae67f +Author: Dan Walsh +Date: Mon Dec 2 09:11:05 2013 -0500 + + Allow cloud_init to transition to rpm_script_t + +diff --git a/cloudform.te b/cloudform.te +index 4e41e84..786d623 100644 +--- a/cloudform.te ++++ b/cloudform.te +@@ -161,6 +161,7 @@ optional_policy(` + + optional_policy(` + rpm_domtrans(cloud_init_t) ++ rpm_transition_script(cloud_init_t) + unconfined_domain(cloud_init_t) + ') + diff --git a/selinux-policy.spec b/selinux-policy.spec index 3baf4df..7fd8469 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -574,6 +574,7 @@ SELinux Reference policy mls base module. %changelog * Tue Nov 26 2013 Miroslav Grepl 3.12.1-105 +- Added fix for clout_init to transition to rpm_script_t (dwalsh@redhat.com) - Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel. - Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on - Add lsmd_plugin_t for lsm plugins
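Review bot: In the policy-f20-contrib.patch hunk, the new rpm_transition_script(cloud_init_t) line in cloudform.te shares one optional_policy block with unconfined_domain(cloud_init_t), so the rpm_script_t transition only takes effect when the unconfined module is also present, because an optional_policy block is dropped as a whole if any interface in it cannot be resolved. If the transition is meant to hold regardless, move rpm_domtrans(cloud_init_t) and rpm_transition_script(cloud_init_t) into their own optional_policy block. The embedded commit message "Allow cloud_init to transition to rpm_script_t" also gives no denial or bug reference; a short comment above the new line saying why cloud_init needs to reach rpm_script_t, when the domain is already made unconfined two lines later, would make the intent reviewable.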
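Review bot: In the selinux-policy.spec hunk, the added %changelog line spells the domain "clout_init", while the embedded policy commit and cloudform.te use cloud_init; correct it to "cloud_init" so the entry can be found by searching for the domain name. The line is also added under the existing "Tue Nov 26 2013 Miroslav Grepl 3.12.1-105" entry although the policy commit it describes is dated Mon Dec 2 2013, and no Release change is visible in this patch; please confirm the fix is meant to ship as part of 3.12.1-105 rather than under a new changelog entry.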