diff --git a/container-selinux.tgz b/container-selinux.tgz
index 5d20257..ecd2a47 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 7560b46..c4bf466 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -50166,10 +50166,10 @@ index 000000000..5871e072d
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 000000000..e944cee17
+index 000000000..9b84c582d
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1029 @@
+@@ -0,0 +1,1037 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -50537,6 +50537,10 @@ index 000000000..e944cee17
 +')
 +
 +optional_policy(`
++ mock_read_lib_files(systemd_machined_t)
++')
++
++optional_policy(`
 + virt_dbus_chat(systemd_machined_t)
 + virt_sandbox_read_state(systemd_machined_t)
 + virt_signal_sandbox(systemd_machined_t)
@@ -51115,6 +51119,10 @@ index 000000000..e944cee17
 + dbus_connect_system_bus(systemd_resolved_t)
 +')
 +
++optional_policy(`
++ networkmanager_dbus_chat(systemd_resolved_t)
++')
++
 +########################################
 +#
 +# Common rules for systemd domains
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d16ef44..c022c34 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -17134,10 +17134,10 @@ index 000000000..1cc5fa464
 +')
 diff --git a/conman.te b/conman.te
 new file mode 100644
-index 000000000..2357f3ba8
+index 000000000..25cbb9aff
 --- /dev/null
 +++ b/conman.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,99 @@
 +policy_module(conman, 1.0.0)
 +
 +########################################
@@ -17215,6 +17215,8 @@ index 000000000..2357f3ba8
 +
 +userdom_use_user_ptys(conman_t)
 +
++term_use_usb_ttys(conman_t)
++
 +tunable_policy(`conman_can_network',`
 + corenet_sendrecv_all_client_packets(conman_t)
 + corenet_tcp_connect_all_ports(conman_t)
@@ -71621,10 +71623,10 @@ index 000000000..02df03ad6
 +')
 diff --git a/pdns.te b/pdns.te
 new file mode 100644
-index 000000000..509d89837
+index 000000000..63ddc577c
 --- /dev/null
 +++ b/pdns.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,83 @@
 +policy_module(pdns, 1.0.2)
 +
 +########################################
@@ -71642,6 +71644,7 @@ index 000000000..509d89837
 +type pdns_t;
 +type pdns_exec_t;
 +init_daemon_domain(pdns_t, pdns_exec_t)
++init_nnp_daemon_domain(pdns_t)
 +
 +type pdns_unit_file_t;
 +systemd_unit_file(pdns_unit_file_t)
@@ -90156,7 +90159,7 @@ index c8bdea28d..beb2872e3 100644
 + allow $1 haproxy_unit_file_t:service {status start};
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c449..14be26dce 100644
+index 6cf79c449..7b0fd415b 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -90682,7 +90685,7 @@ index 6cf79c449..14be26dce 100644
 optional_policy(`
 lvm_exec(gfs_controld_t)
 dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +607,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +607,59 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
 dev_list_sysfs(groupd_t)
@@ -90714,6 +90717,8 @@ index 6cf79c449..14be26dce 100644
 +manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
 +files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
 +
++can_exec(haproxy_t, haproxy_exec_t)
++
 +corenet_sendrecv_unlabeled_packets(haproxy_t)
 +
 +corenet_tcp_connect_commplex_link_port(haproxy_t)
@@ -90742,7 +90747,7 @@ index 6cf79c449..14be26dce 100644
 ######################################
 #
 # qdiskd local policy
-@@ -292,7 +671,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +673,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
 manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
 files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
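Review bot: `init_nnp_daemon_domain(pdns_t)` in the pdns.te hunk carries no comment, so the reason the transition has to be allowed for a NoNewPrivileges unit lives only in the spec changelog. If I read the Fedora interface correctly, it permits the init_t to pdns_t transition that nnp/nosuid restrictions would otherwise block, which is exactly the kind of widening a later reviewer will want explained at the rule itself; a one-liner such as `# pdns.service is presumably started with NoNewPrivileges=; keep the init_t -> pdns_t transition (BZ 1305522)` would do. The same applies to `can_exec(haproxy_t, haproxy_exec_t)` in the rhcs.te hunk, where `# haproxy re-executes its own binary without a domain change (BZ 1447800)` would record the intent next to the rule.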
@@ -90750,7 +90755,7 @@ index 6cf79c449..14be26dce 100644
 kernel_read_software_raid_state(qdiskd_t)
 kernel_getattr_core_if(qdiskd_t)
-@@ -321,6 +699,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +701,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
 auth_use_nsswitch(qdiskd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5e28ec9..5158252 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 297%{?dist}
+Release: 298%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -718,6 +718,15 @@ exit 0
 %endif
 %changelog
+* Sun Oct 22 2017 Lukas Vrabec - 3.13.1-298
+- Drop *.lst files from file list
+- Ship file_contexts.homedirs in store
+- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)
+- Allow haproxy daemon to reexec itself. BZ(1447800)
+- Allow conmand to use usb ttys.
+- Allow systemd_machined to read mock lib files. BZ(1504493)
+- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
+
 * Fri Oct 20 2017 Lukas Vrabec - 3.13.1-297
 - Fix typo in virt file contexts file
 - allow ipa_dnskey_t to read /proc/net/unix file