From f9d97717a8be3a4aaa6c528066d61a361460531c Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Mar 18 2015 16:03:21 +0000
Subject: * Wed Mar 18 2015 Lukas Vrabec 3.13.1-119 - build without docker
---
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 41278c4..95e0c69 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -581,13 +581,6 @@ dnsmasq = module
 dnssec = module
 # Layer: services
-# Module: docker
-#
-# Docker
-#
-docker = module
-
-# Layer: services
 # Module: dovecot
 #
 # Dovecot POP and IMAP mail server
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 9e4b237..75724b3 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -24905,764 +24905,6 @@ index c7bb4e7..e6fe2f40 100644
 sysnet_dns_name_resolve(dnssec_triggerd_t)
 sysnet_manage_config(dnssec_triggerd_t)
 sysnet_etc_filetrans_config(dnssec_triggerd_t)
-diff --git a/docker.fc b/docker.fc
-new file mode 100644
-index 0000000..a4aa484
---- /dev/null
-+++ b/docker.fc
-@@ -0,0 +1,23 @@
-+/root/\.docker gen_context(system_u:object_r:docker_home_t,s0)
-+
-+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
-+
-+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
-+
-+/etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0)
-+
-+/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
-+
-+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
-+/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
-+/var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
-+
-+/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0)
-+
-+/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
-+
-+/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
-+/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0)
-+/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0)
-+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
-+
-diff --git a/docker.if b/docker.if
-new file mode 100644
-index 0000000..1542da8
---- /dev/null
-+++ b/docker.if
-@@ -0,0 +1,392 @@
-+
-+## The open-source application container engine.
-+
-+########################################
-+##
-+## Execute docker in the docker domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`docker_domtrans',`
-+ gen_require(`
-+ type docker_t, docker_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, docker_exec_t, docker_t)
-+')
-+
-+########################################
-+##
-+## Execute docker in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`docker_exec',`
-+ gen_require(`
-+ type docker_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, docker_exec_t)
-+')
-+
-+########################################
-+##
-+## Search docker lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_search_lib',`
-+ gen_require(`
-+ type docker_var_lib_t;
-+ ')
-+
-+ allow $1 docker_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Execute docker lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_exec_lib',`
-+ gen_require(`
-+ type docker_var_lib_t;
-+ ')
-+
-+ allow $1 docker_var_lib_t:dir search_dir_perms;
-+ can_exec($1, docker_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read docker lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_read_lib_files',`
-+ gen_require(`
-+ type docker_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read docker share files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_read_share_files',`
-+ gen_require(`
-+ type docker_share_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, docker_share_t, docker_share_t)
-+')
-+
-+########################################
-+##
-+## Manage docker lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_manage_lib_files',`
-+ gen_require(`
-+ type docker_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
-+ manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage docker lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_manage_lib_dirs',`
-+ gen_require(`
-+ type docker_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Create objects in a docker var lib directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`docker_lib_filetrans',`
-+ gen_require(`
-+ type docker_var_lib_t;
-+ ')
-+
-+ filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Read docker PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_read_pid_files',`
-+ gen_require(`
-+ type docker_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, docker_var_run_t, docker_var_run_t)
-+')
-+
-+########################################
-+##
-+## Execute docker server in the docker domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`docker_systemctl',`
-+ gen_require(`
-+ type docker_t;
-+ type docker_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 docker_unit_file_t:file read_file_perms;
-+ allow $1 docker_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, docker_t)
-+')
-+
-+########################################
-+##
-+## Read and write docker shared memory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_rw_sem',`
-+ gen_require(`
-+ type docker_t;
-+ ')
-+
-+ allow $1 docker_t:sem rw_sem_perms;
-+')
-+
-+#######################################
-+##
-+## Read and write the docker pty type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_use_ptys',`
-+ gen_require(`
-+ type docker_devpts_t;
-+ ')
-+
-+ allow $1 docker_devpts_t:chr_file rw_term_perms;
-+')
-+
-+#######################################
-+##
-+## Allow domain to create docker content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_filetrans_named_content',`
-+
-+ gen_require(`
-+ type docker_var_lib_t;
-+ type docker_share_t;
-+ type docker_log_t;
-+ type docker_var_run_t;
-+ type docker_home_t;
-+ ')
-+
-+ files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
-+ files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
-+ files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
-+ logging_log_filetrans($1, docker_log_t, dir, "lxc")
-+ files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
-+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
-+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
-+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
-+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
-+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
-+ userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
-+')
-+
-+########################################
-+##
-+## Connect to docker over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_stream_connect',`
-+ gen_require(`
-+ type docker_t, docker_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
-+')
-+
-+########################################
-+##
-+## Connect to SPC containers over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_spc_stream_connect',`
-+ gen_require(`
-+ type spc_t, spc_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ files_write_all_pid_sockets($1)
-+ allow $1 spc_t:unix_stream_socket connectto;
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an docker environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`docker_admin',`
-+ gen_require(`
-+ type docker_t;
-+ type docker_var_lib_t, docker_var_run_t;
-+ type docker_unit_file_t;
-+ type docker_lock_t;
-+ type docker_log_t;
-+ type docker_config_t;
-+ ')
-+
-+ allow $1 docker_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, docker_t)
-+
-+ admin_pattern($1, docker_config_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, docker_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, docker_var_run_t)
-+
-+ files_search_locks($1)
-+ admin_pattern($1, docker_lock_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, docker_log_t)
-+
-+ docker_systemctl($1)
-+ admin_pattern($1, docker_unit_file_t)
-+ allow $1 docker_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-+
-diff --git a/docker.te b/docker.te
-new file mode 100644
-index 0000000..0a03a30
---- /dev/null
-+++ b/docker.te
-@@ -0,0 +1,325 @@
-+policy_module(docker, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Determine whether docker can
-+## connect to all TCP ports.
-+##
-+##
-+gen_tunable(docker_connect_any, false)
-+
-+type docker_t;
-+type docker_exec_t;
-+init_daemon_domain(docker_t, docker_exec_t)
-+domain_subj_id_change_exemption(docker_t)
-+domain_role_change_exemption(docker_t)
-+
-+type spc_t;
-+domain_type(spc_t)
-+role system_r types spc_t;
-+
-+type docker_var_lib_t;
-+files_type(docker_var_lib_t)
-+
-+type docker_home_t;
-+userdom_user_home_content(docker_home_t)
-+
-+type docker_config_t;
-+files_config_file(docker_config_t)
-+
-+type docker_lock_t;
-+files_lock_file(docker_lock_t)
-+
-+type docker_log_t;
-+logging_log_file(docker_log_t)
-+
-+type docker_tmp_t;
-+files_tmp_file(docker_tmp_t)
-+
-+type docker_tmpfs_t;
-+files_tmpfs_file(docker_tmpfs_t)
-+
-+type docker_var_run_t;
-+files_pid_file(docker_var_run_t)
-+
-+type docker_unit_file_t;
-+systemd_unit_file(docker_unit_file_t)
-+
-+type docker_devpts_t;
-+term_pty(docker_devpts_t)
-+
-+type docker_share_t;
-+files_type(docker_share_t)
-+
-+########################################
-+#
-+# docker local policy
-+#
-+allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
-+allow docker_t self:process { getattr signal_perms setrlimit };
-+allow docker_t self:fifo_file rw_fifo_file_perms;
-+allow docker_t self:unix_stream_socket create_stream_socket_perms;
-+allow docker_t self:tcp_socket create_stream_socket_perms;
-+allow docker_t self:udp_socket create_socket_perms;
-+allow docker_t self:capability2 block_suspend;
-+
-+manage_files_pattern(docker_t, docker_home_t, docker_home_t)
-+manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
-+manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
-+userdom_admin_home_dir_filetrans(docker_t, docker_home_t, dir, ".docker")
-+
-+manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
-+manage_files_pattern(docker_t, docker_config_t, docker_config_t)
-+files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
-+
-+manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
-+manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
-+files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
-+
-+manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
-+manage_files_pattern(docker_t, docker_log_t, docker_log_t)
-+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
-+logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
-+allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };
-+
-+manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
-+manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
-+manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
-+files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-+manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-+manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-+manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-+manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-+manage_blk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-+can_exec(docker_t, docker_tmpfs_t)
-+fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
-+allow docker_t docker_tmpfs_t:chr_file mounton;
-+
-+manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
-+manage_files_pattern(docker_t, docker_share_t, docker_share_t)
-+manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
-+allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto };
-+
-+can_exec(docker_t, docker_share_t)
-+#docker_filetrans_named_content(docker_t)
-+
-+manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-+manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-+manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-+manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-+manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-+allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
-+files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-+manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-+manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-+manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-+files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
-+
-+allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
-+term_create_pty(docker_t, docker_devpts_t)
-+
-+kernel_read_system_state(docker_t)
-+kernel_read_network_state(docker_t)
-+kernel_read_all_sysctls(docker_t)
-+kernel_rw_net_sysctls(docker_t)
-+kernel_setsched(docker_t)
-+kernel_read_all_proc(docker_t)
-+
-+domain_use_interactive_fds(docker_t)
-+domain_dontaudit_read_all_domains_state(docker_t)
-+
-+corecmd_exec_bin(docker_t)
-+corecmd_exec_shell(docker_t)
-+
-+corenet_tcp_bind_generic_node(docker_t)
-+corenet_tcp_sendrecv_generic_if(docker_t)
-+corenet_tcp_sendrecv_generic_node(docker_t)
-+corenet_tcp_sendrecv_generic_port(docker_t)
-+corenet_tcp_bind_all_ports(docker_t)
-+corenet_tcp_connect_http_port(docker_t)
-+corenet_tcp_connect_commplex_main_port(docker_t)
-+corenet_udp_sendrecv_generic_if(docker_t)
-+corenet_udp_sendrecv_generic_node(docker_t)
-+corenet_udp_sendrecv_all_ports(docker_t)
-+corenet_udp_bind_generic_node(docker_t)
-+corenet_udp_bind_all_ports(docker_t)
-+
-+files_read_config_files(docker_t)
-+
-+fs_read_cgroup_files(docker_t)
-+fs_read_tmpfs_symlinks(docker_t)
-+fs_search_all(docker_t)
-+fs_getattr_all_fs(docker_t)
-+
-+storage_raw_rw_fixed_disk(docker_t)
-+
-+auth_use_nsswitch(docker_t)
-+auth_dontaudit_getattr_shadow(docker_t)
-+
-+init_read_state(docker_t)
-+init_status(docker_t)
-+
-+logging_send_audit_msgs(docker_t)
-+logging_send_syslog_msg(docker_t)
-+
-+miscfiles_read_localization(docker_t)
-+
-+mount_domtrans(docker_t)
-+
-+seutil_read_default_contexts(docker_t)
-+seutil_read_config(docker_t)
-+
-+sysnet_dns_name_resolve(docker_t)
-+sysnet_exec_ifconfig(docker_t)
-+
-+optional_policy(`
-+ fstools_domtrans(docker_t)
-+')
-+
-+optional_policy(`
-+ iptables_domtrans(docker_t)
-+')
-+
-+optional_policy(`
-+ openvswitch_stream_connect(docker_t)
-+')
-+
-+#
-+# lxc rules
-+#
-+
-+allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
-+
-+allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
-+
-+allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
-+allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
-+allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+
-+allow docker_t docker_var_lib_t:dir mounton;
-+allow docker_t docker_var_lib_t:chr_file mounton;
-+can_exec(docker_t, docker_var_lib_t)
-+
-+kernel_dontaudit_setsched(docker_t)
-+kernel_get_sysvipc_info(docker_t)
-+kernel_request_load_module(docker_t)
-+kernel_mounton_messages(docker_t)
-+kernel_mounton_all_proc(docker_t)
-+kernel_mounton_all_sysctls(docker_t)
-+
-+dev_getattr_all(docker_t)
-+dev_getattr_sysfs_fs(docker_t)
-+dev_read_urand(docker_t)
-+dev_read_lvm_control(docker_t)
-+dev_rw_sysfs(docker_t)
-+dev_rw_loop_control(docker_t)
-+dev_rw_lvm_control(docker_t)
-+
-+files_getattr_isid_type_dirs(docker_t)
-+files_manage_isid_type_dirs(docker_t)
-+files_manage_isid_type_files(docker_t)
-+files_manage_isid_type_symlinks(docker_t)
-+files_manage_isid_type_chr_files(docker_t)
-+files_manage_isid_type_blk_files(docker_t)
-+files_exec_isid_files(docker_t)
-+files_mounton_isid(docker_t)
-+files_mounton_non_security(docker_t)
-+files_mounton_isid_type_chr_file(docker_t)
-+
-+fs_mount_all_fs(docker_t)
-+fs_unmount_all_fs(docker_t)
-+fs_remount_all_fs(docker_t)
-+files_mounton_isid(docker_t)
-+fs_manage_cgroup_dirs(docker_t)
-+fs_manage_cgroup_files(docker_t)
-+fs_relabelfrom_xattr_fs(docker_t)
-+fs_relabelfrom_tmpfs(docker_t)
-+fs_read_tmpfs_symlinks(docker_t)
-+fs_list_hugetlbfs(docker_t)
-+
-+term_use_generic_ptys(docker_t)
-+term_use_ptmx(docker_t)
-+term_getattr_pty_fs(docker_t)
-+term_relabel_pty_fs(docker_t)
-+term_mounton_unallocated_ttys(docker_t)
-+
-+modutils_domtrans_insmod(docker_t)
-+
-+systemd_status_all_unit_files(docker_t)
-+systemd_start_systemd_services(docker_t)
-+
-+userdom_stream_connect(docker_t)
-+userdom_search_user_home_content(docker_t)
-+userdom_read_all_users_state(docker_t)
-+
-+optional_policy(`
-+ gpm_getattr_gpmctl(docker_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(docker_t)
-+ init_dbus_chat(docker_t)
-+ init_start_transient_unit(docker_t)
-+
-+ optional_policy(`
-+ systemd_dbus_chat_logind(docker_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ udev_read_db(docker_t)
-+')
-+
-+optional_policy(`
-+ virt_read_config(docker_t)
-+ virt_exec(docker_t)
-+ virt_stream_connect(docker_t)
-+ virt_stream_connect_sandbox(docker_t)
-+ virt_exec_sandbox_files(docker_t)
-+ virt_manage_sandbox_files(docker_t)
-+ virt_relabel_sandbox_filesystem(docker_t)
-+ # for lxc
-+ virt_transition_svirt_sandbox(docker_t, system_r)
-+ virt_mounton_sandbox_file(docker_t)
-+ virt_attach_sandbox_tun_iface(docker_t)
-+')
-+
-+tunable_policy(`docker_connect_any',`
-+ corenet_tcp_connect_all_ports(docker_t)
-+ corenet_sendrecv_all_packets(docker_t)
-+ corenet_tcp_sendrecv_all_ports(docker_t)
-+')
-+
-+########################################
-+#
-+# spc local policy
-+#
-+domain_entry_file(spc_t, docker_share_t)
-+domain_entry_file(spc_t, docker_var_lib_t)
-+role system_r types spc_t;
-+
-+domain_entry_file(spc_t, docker_share_t)
-+domain_entry_file(spc_t, docker_var_lib_t)
-+domtrans_pattern(docker_t, docker_share_t, spc_t)
-+domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
-+allow docker_t spc_t:process { setsched signal_perms };
-+ps_process_pattern(docker_t, spc_t)
-+allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
-+
-+optional_policy(`
-+ unconfined_domain_noaudit(spc_t)
-+')
-+
-+optional_policy(`
-+ virt_transition_svirt_sandbox(spc_t, system_r)
-+')
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
 --- a/dovecot.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8c9a926..0d41f9e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 118%{?dist}
+Release: 119%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,9 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Wed Mar 18 2015 Lukas Vrabec 3.13.1-119
+- build without docker
+
 * Mon Mar 16 2015 Lukas Vrabec 3.13.1-118
 - docker watches for content in the /etc directory
 - Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib