diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 6ef476e..9f673ed 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1,5 +1,5 @@ diff --git a/Makefile b/Makefile -index 85d4cfb..b51cf37 100644 +index 85d4cfb..7bfdfc6 100644 --- a/Makefile +++ b/Makefile @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule @@ -15,7 +15,7 @@ index 85d4cfb..b51cf37 100644 user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names) -+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts) $(contextpath)/files/media $(user_default_contexts_names) ++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts systemd_contexts) $(contextpath)/files/media $(user_default_contexts_names) net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) 
@@ -58,6 +58,13 @@ index 313d837..ef3c532 100644 @echo "Success." ######################################## +diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts +new file mode 100644 +index 0000000..ff32acc +--- /dev/null ++++ b/config/appconfig-mcs/systemd_contexts +@@ -0,0 +1 @@ ++runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context index d387b42..150f281 100644 --- a/config/appconfig-mcs/virtual_domain_context @@ -65,6 +72,20 @@ index d387b42..150f281 100644 @@ -1 +1,2 @@ system_u:system_r:svirt_t:s0 +system_u:system_r:svirt_tcg_t:s0 +diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts +new file mode 100644 +index 0000000..ff32acc +--- /dev/null ++++ b/config/appconfig-mls/systemd_contexts +@@ -0,0 +1 @@ ++runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 +diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts +new file mode 100644 +index 0000000..ff32acc +--- /dev/null ++++ b/config/appconfig-standard/systemd_contexts +@@ -0,0 +1 @@ ++runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context index c049e10..150f281 100644 --- a/config/appconfig-standard/virtual_domain_context @@ -3170,10 +3191,10 @@ index 1dc7a85..c6f4da0 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..19aaaed 100644 +index 7590165..fb30c11 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,57 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0) # Declarations # 
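Review bot: The new appconfig-mcs/systemd_contexts file (and the identical appconfig-mls and appconfig-standard copies in the following hunk) labels runtime units with `systemd_runtime_unit_file_t`, yet no hunk in this change declares that type, so its declaration in systemd.te needs confirming before these files ship — a contexts file naming an undeclared type would presumably make the libselinux lookup fail rather than fall back, leaving runtime unit files unlabeled. The three blobs are byte-identical (same index ff32acc), so generating them from one source at install time would keep them from drifting apart, though that is a maintenance preference rather than a defect. The Makefile hunk above adds `$(appdir)/systemd_contexts` to `appfiles` unconditionally, so every `appconfig-$(TYPE)` directory the build supports must carry the file or the install rule will presumably fail on a missing prerequisite.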
@@ -3232,6 +3253,10 @@ index 7590165..19aaaed 100644 - fs_dontaudit_rw_anon_inodefs_files(seunshare_t) + fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) + fs_dontaudit_list_inotifyfs(seunshare_domain) ++ ++ optional_policy(` ++ gnome_dontaudit_rw_inherited_config(seunshare_domain) ++ ') optional_policy(` - mozilla_dontaudit_manage_user_home_files(seunshare_t) @@ -8766,7 +8791,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..40f0157 100644 +index cf04cb5..369ddc2 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8903,7 +8928,7 @@ index cf04cb5..40f0157 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,302 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,306 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9068,6 +9093,10 @@ index cf04cb5..40f0157 100644 +') + +optional_policy(` ++ rsync_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` + sysnet_filetrans_named_content(named_filetrans_domain) +') + @@ -9078,7 +9107,7 @@ index cf04cb5..40f0157 100644 + systemd_login_undefined(unconfined_domain_type) + systemd_filetrans_named_content(named_filetrans_domain) + systemd_filetrans_named_hostname(named_filetrans_domain) -+ systemd_filetrans_home_content(named_filetrans_domain) ++ systemd_filetrans_home_content(named_filetrans_domain) +') + +optional_policy(` @@ -12714,7 +12743,7 @@ index cda5588..924f856 100644 +/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +/var/run/[^/]*/gvfs/.* <> 
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..f71d93e 100644 +index 8416beb..c6cd3eb 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -13322,7 +13351,33 @@ index 8416beb..f71d93e 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,11 +2607,12 @@ interface(`fs_list_inotifyfs',` +@@ -2098,6 +2557,25 @@ interface(`fs_rw_hugetlbfs_files',` + + ######################################## + ## ++## Execute hugetlbfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_exec_hugetlbfs_files',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:dir list_dir_perms; ++ exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++') ++ ++######################################## ++## + ## Allow the type to associate to hugetlbfs filesystems. + ## + ## +@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -13336,7 +13391,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -2485,6 +2945,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +2964,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -13344,7 +13399,7 @@ index 8416beb..f71d93e 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +2984,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3003,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -13352,7 +13407,7 @@ index 8416beb..f71d93e 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3011,25 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3030,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## 
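Review bot: The new `fs_exec_hugetlbfs_files` interface grants execute on `hugetlbfs_t` files, and the sibling `fs_rw_hugetlbfs_files` visible just above it grants write on the same type, so any domain handed both ends up with a file type it can both write and execute — the combination SELinux policy otherwise tries to keep explicit. The interface definition itself is sound; the exposure is in its callers, none of which are visible in this change. I would say so in the interface summary so future callers get reviewed with that in mind, e.g. `## Execute hugetlbfs files. A domain that also writes hugetlbfs_t gains write+execute on one type; grant only where the application genuinely executes from huge pages.` The remaining filesystem.if hunks on this line are renumbered hunk headers only.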
@@ -13378,7 +13433,7 @@ index 8416beb..f71d93e 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3050,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3069,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -13387,7 +13442,7 @@ index 8416beb..f71d93e 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3070,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3089,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -13430,7 +13485,7 @@ index 8416beb..f71d93e 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3120,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3139,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -13439,7 +13494,7 @@ index 8416beb..f71d93e 100644 ') ######################################## -@@ -2627,7 +3144,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3163,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -13448,7 +13503,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -2719,6 +3236,26 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3255,26 @@ interface(`fs_search_rpc',` ######################################## ## @@ -13475,7 +13530,7 @@ index 8416beb..f71d93e 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3278,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3297,7 @@ interface(`fs_search_removable',` ## ## ## @@ -13484,7 +13539,7 @@ index 8416beb..f71d93e 100644 ## ## # -@@ -2777,7 +3314,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3333,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -13493,7 +13548,7 @@ index 8416beb..f71d93e 100644 ## ## # -@@ -2970,6 +3507,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3526,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') 
@@ -13501,7 +13556,7 @@ index 8416beb..f71d93e 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3548,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +3567,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -13509,7 +13564,7 @@ index 8416beb..f71d93e 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +3589,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +3608,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -13517,7 +13572,7 @@ index 8416beb..f71d93e 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +3677,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +3696,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -13542,7 +13597,7 @@ index 8416beb..f71d93e 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3255,17 +3813,53 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,17 +3832,53 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -13599,7 +13654,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -3273,12 +3867,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +3886,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # @@ -13614,7 +13669,7 @@ index 8416beb..f71d93e 100644 ') ######################################## -@@ -3392,7 +3986,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4005,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -13623,7 +13678,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -3429,7 +4023,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4042,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -13632,7 +13687,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -3447,7 +4041,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4060,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## 
@@ -13641,7 +13696,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -3815,6 +4409,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4428,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -13666,7 +13721,7 @@ index 8416beb..f71d93e 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +4520,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +4539,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -13675,7 +13730,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -3916,17 +4528,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +4547,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -13696,7 +13751,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -3934,17 +4546,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +4565,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -13717,7 +13772,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -3952,17 +4564,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +4583,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -13757,7 +13812,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -3970,31 +4601,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +4620,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -13813,7 +13868,7 @@ index 8416beb..f71d93e 100644 ') ######################################## -@@ -4105,7 +4753,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +4772,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -13822,7 +13877,7 @@ index 8416beb..f71d93e 100644 ') ######################################## -@@ -4165,6 +4813,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +4832,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## 
@@ -13847,7 +13902,7 @@ index 8416beb..f71d93e 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +4868,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +4887,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -13856,7 +13911,7 @@ index 8416beb..f71d93e 100644 ## ## ## -@@ -4221,6 +4887,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +4906,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -13917,7 +13972,7 @@ index 8416beb..f71d93e 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +4998,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5017,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -13962,7 +14017,7 @@ index 8416beb..f71d93e 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5055,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5074,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -13988,7 +14043,7 @@ index 8416beb..f71d93e 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4503,6 +5280,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5299,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -13997,7 +14052,7 @@ index 8416beb..f71d93e 100644 ') ######################################## -@@ -4549,7 +5328,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5347,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -14006,7 +14061,7 @@ index 8416beb..f71d93e 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5375,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5394,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -14033,7 +14088,7 @@ index 8416beb..f71d93e 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +5470,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +5489,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -14059,7 +14114,7 @@ index 8416beb..f71d93e 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +5730,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +5749,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -17537,7 +17592,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..15466e9 100644 +index 88d0028..eea8991 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) @@ -17852,7 +17907,7 @@ index 88d0028..15466e9 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +362,36 @@ optional_policy(` +@@ -270,35 +362,41 @@ optional_policy(` ') optional_policy(` @@ -17896,7 +17951,12 @@ index 88d0028..15466e9 100644 ') optional_policy(` -@@ -319,12 +416,19 @@ optional_policy(` + rsync_exec(sysadm_t) ++ rsync_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +@@ -319,12 +417,20 @@ optional_policy(` ') optional_policy(` @@ -17909,6 +17969,7 @@ index 88d0028..15466e9 100644 seutil_run_setfiles(sysadm_t, sysadm_r) seutil_run_runinit(sysadm_t, sysadm_r) + seutil_dbus_chat_semanage(sysadm_t) ++ seutil_read_login_config(sysadm_t) ') optional_policy(` 
@@ -17917,7 +17978,7 @@ index 88d0028..15466e9 100644 ') optional_policy(` -@@ -349,7 +453,18 @@ optional_policy(` +@@ -349,7 +455,18 @@ optional_policy(` ') optional_policy(` @@ -17937,7 +17998,7 @@ index 88d0028..15466e9 100644 ') optional_policy(` -@@ -360,19 +475,15 @@ optional_policy(` +@@ -360,19 +477,15 @@ optional_policy(` ') optional_policy(` @@ -17959,7 +18020,7 @@ index 88d0028..15466e9 100644 ') optional_policy(` -@@ -384,10 +495,6 @@ optional_policy(` +@@ -384,10 +497,6 @@ optional_policy(` ') optional_policy(` @@ -17970,7 +18031,7 @@ index 88d0028..15466e9 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +502,9 @@ optional_policy(` +@@ -395,6 +504,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -17980,7 +18041,7 @@ index 88d0028..15466e9 100644 ') optional_policy(` -@@ -402,31 +512,34 @@ optional_policy(` +@@ -402,31 +514,34 @@ optional_policy(` ') optional_policy(` @@ -18021,7 +18082,7 @@ index 88d0028..15466e9 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +552,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +554,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18032,7 +18093,7 @@ index 88d0028..15466e9 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +572,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +574,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -27947,10 +28008,10 @@ index 24e7804..76da5dd 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..d9b6a37 100644 +index dd3be8d..e9ab9ba 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -11,10 +11,24 @@ gen_require(` +@@ -11,10 +11,31 @@ gen_require(` ## ##

    @@ -27974,10 +28035,17 @@ index dd3be8d..d9b6a37 100644 +##

    +##
    +gen_tunable(daemons_dump_core, false) ++ ++## ++##

    ++## Enable cluster mode for daemons. ++##

    ++##
    ++gen_tunable(daemons_enable_cluster_mode, false) # used for direct running of init scripts # by admin domains -@@ -25,9 +39,17 @@ attribute direct_init_entry; +@@ -25,9 +46,17 @@ attribute direct_init_entry; attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; @@ -27995,7 +28063,7 @@ index dd3be8d..d9b6a37 100644 # Mark file type as a daemon run directory attribute daemonrundir; -@@ -35,12 +57,14 @@ attribute daemonrundir; +@@ -35,12 +64,14 @@ attribute daemonrundir; # # init_t is the domain of the init process. # @@ -28011,7 +28079,7 @@ index dd3be8d..d9b6a37 100644 # # init_var_run_t is the type for /var/run/shutdown.pid. -@@ -49,6 +73,15 @@ type init_var_run_t; +@@ -49,6 +80,15 @@ type init_var_run_t; files_pid_file(init_var_run_t) # @@ -28027,7 +28095,7 @@ index dd3be8d..d9b6a37 100644 # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. -@@ -57,7 +90,7 @@ type initctl_t; +@@ -57,7 +97,7 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) @@ -28036,7 +28104,7 @@ index dd3be8d..d9b6a37 100644 type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) -@@ -98,7 +131,9 @@ ifdef(`enable_mls',` +@@ -98,7 +138,9 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -28047,7 +28115,7 @@ index dd3be8d..d9b6a37 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -110,12 +152,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) 
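Review bot: The description of the new `daemons_enable_cluster_mode` tunable, `Enable cluster mode for daemons.`, does not tell an administrator what enabling it grants, and tunable descriptions are what tools such as `semanage boolean -l` surface when someone decides whether to flip it. The init.te hunk further down that consumes it lets every domain with the `daemon` attribute manage cluster pid and lib files, connect to cluster sockets and manage `/etc/cluster` configuration, so a description such as `Allow all daemons to manage cluster state files and /etc/cluster configuration and to connect to cluster daemons, as required when they run as cluster resource agents.` would let administrators judge that scope before enabling it. The matching `daemons_dump_core` tunable above it already describes its effect in a sentence, so this would also keep the two entries consistent.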
@@ -28087,7 +28155,7 @@ index dd3be8d..d9b6a37 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +181,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +188,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -28107,7 +28175,7 @@ index dd3be8d..d9b6a37 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +200,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +207,20 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -28128,7 +28196,7 @@ index dd3be8d..d9b6a37 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +223,51 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +230,51 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -28183,7 +28251,7 @@ index dd3be8d..d9b6a37 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +276,204 @@ ifdef(`distro_gentoo',` +@@ -186,29 +283,204 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -28213,13 +28281,14 @@ index dd3be8d..d9b6a37 100644 + +optional_policy(` + chronyd_read_keys(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + kdump_read_crash(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + gnome_filetrans_home_content(init_t) + gnome_manage_data(init_t) +') 
@@ -28360,14 +28429,13 @@ index dd3be8d..d9b6a37 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -28375,10 +28443,9 @@ index dd3be8d..d9b6a37 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. @@ -28388,15 +28455,16 @@ index dd3be8d..d9b6a37 100644 + +optional_policy(` + networkmanager_stream_connect(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) ') optional_policy(` -@@ -216,7 +481,30 @@ optional_policy(` +@@ -216,7 +488,30 @@ optional_policy(` ') optional_policy(` @@ -28427,7 +28495,7 @@ index dd3be8d..d9b6a37 100644 ') ######################################## -@@ -225,8 +513,9 @@ optional_policy(` +@@ -225,8 +520,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28439,7 +28507,7 @@ index dd3be8d..d9b6a37 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +546,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +553,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -28456,7 +28524,7 @@ index dd3be8d..d9b6a37 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +571,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +578,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28499,7 +28567,7 @@ index dd3be8d..d9b6a37 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +608,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +615,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28511,7 +28579,7 @@ index dd3be8d..d9b6a37 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +620,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +627,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28522,7 +28590,7 @@ index dd3be8d..d9b6a37 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +631,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +638,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -28532,7 +28600,7 @@ index dd3be8d..d9b6a37 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +640,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +647,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -28540,7 +28608,7 @@ index dd3be8d..d9b6a37 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +647,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +654,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28548,7 +28616,7 @@ index dd3be8d..d9b6a37 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +655,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +662,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28566,7 +28634,7 @@ index dd3be8d..d9b6a37 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +673,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +680,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28580,7 +28648,7 @@ index dd3be8d..d9b6a37 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +688,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +695,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -28594,7 +28662,7 @@ index dd3be8d..d9b6a37 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +701,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +708,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -28602,7 +28670,7 @@ index dd3be8d..d9b6a37 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +713,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +720,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28610,7 +28678,7 @@ index dd3be8d..d9b6a37 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +732,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +739,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28634,7 +28702,7 @@ index dd3be8d..d9b6a37 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +765,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +772,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28642,7 +28710,7 @@ index dd3be8d..d9b6a37 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +799,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +806,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28653,7 +28721,7 @@ index dd3be8d..d9b6a37 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +823,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +830,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -28662,7 +28730,7 @@ index dd3be8d..d9b6a37 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +838,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +845,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -28670,7 +28738,7 @@ index dd3be8d..d9b6a37 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +859,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +866,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28678,7 +28746,7 @@ index dd3be8d..d9b6a37 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +869,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +876,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28723,7 +28791,7 @@ index dd3be8d..d9b6a37 100644 ') optional_policy(` -@@ -558,14 +914,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +921,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -28755,7 +28823,7 @@ index dd3be8d..d9b6a37 100644 ') ') -@@ -576,6 +949,39 @@ ifdef(`distro_suse',` +@@ -576,6 +956,39 @@ ifdef(`distro_suse',` ') ') @@ -28795,7 +28863,7 @@ index dd3be8d..d9b6a37 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +994,8 @@ optional_policy(` +@@ -588,6 +1001,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28804,7 +28872,7 @@ index dd3be8d..d9b6a37 100644 ') optional_policy(` -@@ -609,6 +1017,7 @@ optional_policy(` +@@ -609,6 +1024,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28812,7 +28880,7 @@ index dd3be8d..d9b6a37 100644 ') optional_policy(` -@@ -625,6 +1034,17 @@ optional_policy(` +@@ -625,6 +1041,17 @@ optional_policy(` ') optional_policy(` @@ -28830,7 +28898,7 @@ index dd3be8d..d9b6a37 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1061,13 @@ optional_policy(` +@@ -641,9 +1068,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -28844,7 +28912,7 @@ index dd3be8d..d9b6a37 100644 ') optional_policy(` -@@ -656,15 +1080,11 @@ optional_policy(` +@@ -656,15 +1087,11 @@ optional_policy(` ') optional_policy(` @@ -28862,7 +28930,7 @@ index dd3be8d..d9b6a37 100644 ') optional_policy(` -@@ -685,6 +1105,15 @@ optional_policy(` +@@ -685,6 +1112,15 @@ optional_policy(` ') optional_policy(` @@ -28878,7 +28946,7 @@ index dd3be8d..d9b6a37 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1154,7 @@ optional_policy(` +@@ -725,6 +1161,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28886,7 +28954,7 @@ index dd3be8d..d9b6a37 100644 ') optional_policy(` -@@ -742,7 +1172,13 @@ optional_policy(` +@@ -742,7 +1179,13 @@ optional_policy(` ') optional_policy(` @@ -28901,7 +28969,7 @@ index dd3be8d..d9b6a37 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1201,10 @@ optional_policy(` +@@ -765,6 +1208,10 @@ optional_policy(` ') optional_policy(` @@ -28912,7 +28980,7 @@ index dd3be8d..d9b6a37 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1214,20 @@ optional_policy(` +@@ -774,10 +1221,20 @@ optional_policy(` ') optional_policy(` @@ -28933,7 +29001,7 @@ index dd3be8d..d9b6a37 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1236,10 @@ optional_policy(` +@@ -786,6 +1243,10 @@ optional_policy(` ') optional_policy(` @@ -28944,7 +29012,7 @@ index dd3be8d..d9b6a37 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1261,6 @@ optional_policy(` +@@ -807,8 +1268,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -28953,7 +29021,7 @@ index dd3be8d..d9b6a37 100644 ') optional_policy(` -@@ -817,6 +1269,10 @@ optional_policy(` +@@ -817,6 +1276,10 @@ optional_policy(` ') optional_policy(` 
@@ -28964,7 +29032,7 @@ index dd3be8d..d9b6a37 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1282,12 @@ optional_policy(` +@@ -826,10 +1289,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -28977,7 +29045,7 @@ index dd3be8d..d9b6a37 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1314,28 @@ optional_policy(` +@@ -856,12 +1321,28 @@ optional_policy(` ') optional_policy(` @@ -29007,7 +29075,7 @@ index dd3be8d..d9b6a37 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1345,18 @@ optional_policy(` +@@ -871,6 +1352,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29026,7 +29094,7 @@ index dd3be8d..d9b6a37 100644 ') optional_policy(` -@@ -886,6 +1372,10 @@ optional_policy(` +@@ -886,6 +1379,10 @@ optional_policy(` ') optional_policy(` @@ -29037,7 +29105,7 @@ index dd3be8d..d9b6a37 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1386,196 @@ optional_policy(` +@@ -896,3 +1393,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -29234,6 +29302,28 @@ index dd3be8d..d9b6a37 100644 + allow daemon direct_run_init:process sigchld; + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') ++ ++optional_policy(` ++ tunable_policy(`daemons_enable_cluster_mode',` ++ rhcs_manage_cluster_pid_files(daemon) ++ rhcs_manage_cluster_lib_files(daemon) ++ rhcs_rw_inherited_cluster_tmp_files(daemon) ++ rhcs_stream_connect_cluster_to(daemon,daemon) ++',` ++ rhcs_read_cluster_lib_files(daemon) ++ rhcs_read_cluster_pid_files(daemon) ++ ') ++ ++ ') ++ ++optional_policy(` ++ tunable_policy(`daemons_enable_cluster_mode',` ++ #resource agents placed config files in /etc/cluster ++ ccs_manage_config(daemon) ++',` ++ ccs_read_config(daemon) ++ ') ++ ') 
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index 662e79b..a199ffd 100644 --- a/policy/modules/system/ipsec.fc @@ -34454,7 +34544,7 @@ index 3822072..270bde3 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..59ed766 100644 +index ec01d0b..ececda2 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -34982,7 +35072,7 @@ index ec01d0b..59ed766 100644 ') ######################################## -@@ -522,108 +598,191 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +598,192 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -35075,6 +35165,7 @@ index ec01d0b..59ed766 100644 + optional_policy(` + setroubleshoot_fixit_dontaudit_leaks(setfiles_t) + setroubleshoot_fixit_dontaudit_leaks(setsebool_t) ++ setroubleshoot_fixit_dontaudit_leaks(load_policy_t) + ') +') +ifdef(`distro_ubuntu',` @@ -37561,10 +37652,10 @@ index 0000000..35b4178 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..5842807 +index 0000000..f758960 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,649 @@ +@@ -0,0 +1,650 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -37895,6 +37986,7 @@ index 0000000..5842807 + +logging_create_devlog_dev(systemd_tmpfiles_t) +logging_send_syslog_msg(systemd_tmpfiles_t) ++logging_setattr_all_log_dirs(systemd_tmpfiles_t) + +miscfiles_filetrans_named_content(systemd_tmpfiles_t) +miscfiles_manage_man_pages(systemd_tmpfiles_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index bc676e1..f11fea6 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -25988,10 +25988,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..dd418db +index 0000000..d6a2e10 
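Review bot: The two `daemons_enable_cluster_mode` blocks appended at the end of this hunk grant manage access to cluster lib and pid files, and `rhcs_stream_connect_cluster_to(daemon,daemon)`, to every domain carrying the `daemon` attribute, which per the interface body later in this diff means any daemon may connect to any `cluster_pid` socket owned by any other daemon; the else branch additionally gives all daemons read access to cluster lib and pid files even with the boolean off. If only resource-agent-driven services need this, a narrower attribute or per-domain grants would keep the boolean's blast radius smaller, and the tunable's description (defined outside this hunk) should state that it opens cluster state to all daemons. The `')` closing `tunable_policy` and the one closing `optional_policy` sit at the same indentation as the body, which reads as if a block were left open; indenting the body one level deeper and placing each `')` at its opener's column would make the nesting visible. The init.te content this hunk appends to begins outside the hunk.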
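Review bot: `logging_setattr_all_log_dirs(systemd_tmpfiles_t)` appears, from its name, to grant setattr over every log directory type the logging module exports, while the changelog entry in this commit describes the intent as setattr on `var_log_t` directories only. If the narrower grant is what systemd-tmpfiles needs, an interface scoped to `var_log_t` would match the stated intent; otherwise the changelog line should describe the wider grant so the audit trail is accurate. A one-line comment above the rule naming the tmpfiles.d entry or denial that motivated it, e.g. `# tmpfiles.d entries set owner/mode on log directories — TODO confirm which`, would help the next reviewer judge the scope. The systemd_tmpfiles_t section this line belongs to starts and ends outside the hunk.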
--- /dev/null +++ b/glusterd.te -@@ -0,0 +1,185 @@ +@@ -0,0 +1,187 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -26065,6 +26065,7 @@ index 0000000..dd418db +manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) +manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) +files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) ++allow glusterd_t glusterd_tmp_t:dir mounton; + +manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) @@ -26130,6 +26131,7 @@ index 0000000..dd418db +domain_use_interactive_fds(glusterd_t) + +fs_mount_all_fs(glusterd_t) ++fs_unmount_all_fs(glusterd_t) +fs_getattr_all_fs(glusterd_t) + +files_mounton_mnt(glusterd_t) @@ -40908,7 +40910,7 @@ index 6194b80..d54c5ba 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..11a0f02 100644 +index 6a306ee..b236449 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -41352,7 +41354,7 @@ index 6a306ee..11a0f02 100644 ') optional_policy(` -@@ -300,259 +324,235 @@ optional_policy(` +@@ -300,259 +324,236 @@ optional_policy(` ######################################## # @@ -41587,6 +41589,7 @@ index 6a306ee..11a0f02 100644 +fs_list_dos(mozilla_plugin_t) +fs_read_noxattr_fs_files(mozilla_plugin_t) +fs_read_hugetlbfs_files(mozilla_plugin_t) ++fs_exec_hugetlbfs_files(mozilla_plugin_t) application_exec(mozilla_plugin_t) +application_dontaudit_signull(mozilla_plugin_t) @@ -41739,7 +41742,7 @@ index 6a306ee..11a0f02 100644 ') optional_policy(` -@@ -560,7 +560,7 @@ optional_policy(` +@@ -560,7 +561,7 @@ optional_policy(` ') optional_policy(` @@ -41748,7 +41751,7 @@ index 6a306ee..11a0f02 100644 ') optional_policy(` -@@ -568,108 +568,130 @@ optional_policy(` +@@ -568,108 +569,130 @@ optional_policy(` ') optional_policy(` 
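Review bot: `fs_unmount_all_fs(glusterd_t)` lets glusterd unmount any filesystem type, not only the bricks or tmp mounts it manages, and the new `allow glusterd_t glusterd_tmp_t:dir mounton;` in the earlier glusterd.te hunk gives no hint of which operation mounts on the tmp directory. If glusterd's unmounts are limited to mount points it created itself, a grant scoped to those types would be tighter; in either case a short comment above each rule, e.g. `# glusterd mounts/unmounts bricks and its own tmp mounts — TODO confirm`, would document why the broad permission is needed. Both rules sit in the glusterd_t local policy, whose header is outside these hunks.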
@@ -71063,7 +71066,7 @@ index 47de2d6..98a4280 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index 56bc01f..b8d154e 100644 +index 56bc01f..2e4d698 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -71108,7 +71111,7 @@ index 56bc01f..b8d154e 100644 manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file }) -+ files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) ++ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file }) - optional_policy(` - dbus_system_bus_client($1_t) @@ -71287,139 +71290,138 @@ index 56bc01f..b8d154e 100644 ##
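Review bot: Dropping `dir` from `files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })` changes every domain instantiated from `rhcs_domain_template`, not only `cluster_t`, so any template user that creates directories under /run now gets the generic pid-directory label for them, and the reason lives only in a comment in a different hunk of rhcs.te. A comment on this line inside the template, e.g. `# dirs are deliberately not transitioned: /run/cluster is created with the generic var_run_t label`, would keep the intent visible where the rule is. The template body continues outside the hunk.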
    ## ## -@@ -342,10 +331,9 @@ interface(`rhcs_stream_connect_groupd',` +@@ -342,10 +331,51 @@ interface(`rhcs_stream_connect_groupd',` stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) ') --######################################## +##################################### - ## --## Read and write all cluster domains --## shared memory. ++## +## Allow read and write access to groupd semaphores. - ## - ## - ## -@@ -353,21 +341,20 @@ interface(`rhcs_stream_connect_groupd',` - ## - ## - # --interface(`rhcs_rw_cluster_shm',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`rhcs_rw_groupd_semaphores',` - gen_require(` -- attribute cluster_domain, cluster_tmpfs; ++ gen_require(` + type groupd_t, groupd_tmpfs_t; - ') - -- allow $1 cluster_domain:shm { rw_shm_perms destroy }; ++ ') ++ + allow $1 groupd_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) -- manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) ++ ++ fs_search_tmpfs($1) + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) - ') - --#################################### ++') ++ +######################################## - ## --## Read and write all cluster --## domains semaphores. ++## +## Read and write to group shared memory. - ## - ## - ## -@@ -375,17 +362,20 @@ interface(`rhcs_rw_cluster_shm',` - ## - ## - # --interface(`rhcs_rw_cluster_semaphores',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`rhcs_rw_groupd_shm',` - gen_require(` -- attribute cluster_domain; ++ gen_require(` + type groupd_t, groupd_tmpfs_t; - ') - -- allow $1 cluster_domain:sem { rw_sem_perms destroy }; ++ ') ++ + allow $1 groupd_t:shm { rw_shm_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) ++') ++ + ######################################## + ## +-## Read and write all cluster domains +-## shared memory. ++## Read and write to group shared memory. 
+ ## + ## + ## +@@ -366,8 +396,7 @@ interface(`rhcs_rw_cluster_shm',` + + #################################### + ## +-## Read and write all cluster +-## domains semaphores. ++## Read and write access to cluster domains semaphores. + ## + ## + ## +@@ -383,9 +412,10 @@ interface(`rhcs_rw_cluster_semaphores',` + allow $1 cluster_domain:sem { rw_sem_perms destroy }; ') -##################################### -+######################################## ++#################################### ## -## Read and write groupd semaphores. -+## Read and write to group shared memory. ++## Connect to cluster domains over a unix domain ++## stream socket. ## ## ## -@@ -393,20 +383,20 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',` ## ## # -interface(`rhcs_rw_groupd_semaphores',` -+interface(`rhcs_rw_cluster_shm',` ++interface(`rhcs_stream_connect_cluster',` gen_require(` - type groupd_t, groupd_tmpfs_t; -+ attribute cluster_domain, cluster_tmpfs; ++ attribute cluster_domain, cluster_pid; ') - allow $1 groupd_t:sem { rw_sem_perms destroy }; -+ allow $1 cluster_domain:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) +- +- fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) ++ files_search_pids($1) ++ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) ') -######################################## -+#################################### ++##################################### ## -## Read and write groupd shared memory. -+## Read and write access to cluster domains semaphores. ++## Connect to cluster domains over a unix domain ++## stream socket. ## ## ## -@@ -414,15 +404,32 @@ interface(`rhcs_rw_groupd_semaphores',` + ## Domain allowed access. ## ## ++## ++## ++## Domain allowed access. 
++## ++## # -interface(`rhcs_rw_groupd_shm',` -+interface(`rhcs_rw_cluster_semaphores',` ++interface(`rhcs_stream_connect_cluster_to',` gen_require(` - type groupd_t, groupd_tmpfs_t; + attribute cluster_domain; ++ attribute cluster_pid; ') - allow $1 groupd_t:shm { rw_shm_perms destroy }; -+ allow $1 cluster_domain:sem { rw_sem_perms destroy }; -+') - +- - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -+#################################### -+## -+## Connect to cluster domains over a unix domain -+## stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rhcs_stream_connect_cluster',` -+ gen_require(` -+ attribute cluster_domain, cluster_pid; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) ++ files_search_pids($1) ++ stream_connect_pattern($1, cluster_pid, cluster_pid, $2) ') ###################################### -@@ -446,52 +453,322 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## @@ -71470,11 +71472,7 @@ index 56bc01f..b8d154e 100644 + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') - -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; ++ +##################################### +## +## Allow domain to manage cluster lib files 
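Review bot: The new `rhcs_stream_connect_cluster_to` documents two parameters with the identical summary "Domain allowed access." and reuses the summary of `rhcs_stream_connect_cluster`, although its `$2` is the domain whose `cluster_pid` sockets are connected to (`stream_connect_pattern($1, cluster_pid, cluster_pid, $2)`); the second param should read something like `## Domain whose cluster_pid sockets are connected to.` and the summary `## Connect to the specified domain over a unix stream socket labeled cluster_pid.`. Its `gen_require` also lists `attribute cluster_domain;`, which the body no longer references once `$2` stands in for it, so that line can be dropped. Both interfaces are complete within this hunk.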
@@ -71490,14 +71488,16 @@ index 56bc01f..b8d154e 100644 + type cluster_var_lib_t; + ') -- files_search_pids($1) -- admin_pattern($1, cluster_pid) +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) +- files_search_pids($1) +- admin_pattern($1, cluster_pid) +#################################### +## +## Allow domain to relabel cluster lib files @@ -71518,8 +71518,8 @@ index 56bc01f..b8d154e 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +###################################### +## +## Execute a domain transition to run cluster administrative domain. @@ -71535,14 +71535,14 @@ index 56bc01f..b8d154e 100644 + type cluster_t, cluster_exec_t; + ') -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) +####################################### +## +## Execute cluster init scripts in @@ -71558,7 +71558,9 @@ index 56bc01f..b8d154e 100644 + gen_require(` + type cluster_initrc_exec_t; + ') -+ + +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') + 
@@ -71621,6 +71623,24 @@ index 56bc01f..b8d154e 100644 + +##################################### +## ++## Allow the specified domain to read/write inherited cluster's tmpf files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_rw_inherited_cluster_tmp_files',` ++ gen_require(` ++ type cluster_tmp_t; ++ ') ++ ++ allow $1 cluster_tmp_t:file rw_inherited_file_perms; ++') ++ ++##################################### ++## +## Allow manage cluster tmp files. +## +## @@ -71677,6 +71697,26 @@ index 56bc01f..b8d154e 100644 + +##################################### +## ++## Allow read cluster pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_read_cluster_pid_files',` ++ gen_require(` ++ type cluster_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, cluster_var_run_t, cluster_var_run_t) ++') ++ ++ ++##################################### ++## +## Allow manage cluster pid files. +## +## @@ -71771,7 +71811,7 @@ index 56bc01f..b8d154e 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..b978814 100644 +index 2c2de9a..26fba30 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -71802,7 +71842,7 @@ index 2c2de9a..b978814 100644 attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -44,34 +65,281 @@ type foghorn_initrc_exec_t; +@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) rhcs_domain_template(gfs_controld) @@ -71965,8 +72005,10 @@ index 2c2de9a..b978814 100644 + corenet_tcp_connect_all_ports(cluster_t) +') + ++# we need to have dirs created with var_run_t in /run/cluster ++files_create_var_run_dirs(cluster_t) ++ +tunable_policy(`cluster_manage_all_files',` -+ files_create_var_run_dirs(cluster_t) + files_getattr_all_symlinks(cluster_t) + files_list_all(cluster_t) + files_manage_mnt_dirs(cluster_t) 
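Review bot: The summary of the new `rhcs_rw_inherited_cluster_tmp_files` reads "read/write inherited cluster's tmpf files"; `tmpf` is a typo for `tmp`, and the phrasing differs from the sibling interfaces, so `## Allow the specified domain to read and write inherited cluster tmp files.` would fit. Since the rule grants `rw_inherited_file_perms` rather than the manage pattern, a clarifying sentence that the descriptor must be inherited from a cluster domain (presumably this permission set excludes open) would help callers choose between this and `rhcs_manage_cluster_tmp_files`. The interface is complete within this hunk.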
@@ -72088,7 +72130,7 @@ index 2c2de9a..b978814 100644 ') ##################################### -@@ -79,7 +347,7 @@ optional_policy(` +@@ -79,7 +349,7 @@ optional_policy(` # dlm_controld local policy # @@ -72097,7 +72139,7 @@ index 2c2de9a..b978814 100644 allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -@@ -98,16 +366,30 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -72130,7 +72172,7 @@ index 2c2de9a..b978814 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +400,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -72141,7 +72183,7 @@ index 2c2de9a..b978814 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +429,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -72152,7 +72194,7 @@ index 2c2de9a..b978814 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +439,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -72161,7 +72203,7 @@ index 2c2de9a..b978814 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +461,8 @@ optional_policy(` +@@ -182,7 +463,8 @@ optional_policy(` ') optional_policy(` 
@@ -72171,7 +72213,7 @@ index 2c2de9a..b978814 100644 ') optional_policy(` -@@ -190,12 +470,12 @@ optional_policy(` +@@ -190,12 +472,12 @@ optional_policy(` ') optional_policy(` @@ -72187,7 +72229,7 @@ index 2c2de9a..b978814 100644 ') optional_policy(` -@@ -203,6 +483,13 @@ optional_policy(` +@@ -203,6 +485,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -72201,7 +72243,7 @@ index 2c2de9a..b978814 100644 ####################################### # # foghorn local policy -@@ -221,16 +508,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -72222,7 +72264,7 @@ index 2c2de9a..b978814 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +546,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -72231,7 +72273,7 @@ index 2c2de9a..b978814 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +566,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -72273,7 +72315,7 @@ index 2c2de9a..b978814 100644 ###################################### # # qdiskd local policy -@@ -321,6 +641,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -76106,10 +76148,10 @@ index d1fd97f..7ee8502 100644 - -miscfiles_read_localization(rssh_chroot_helper_t) diff --git a/rsync.fc b/rsync.fc -index d25301b..d92f567 100644 +index d25301b..f3eeec7 100644 --- a/rsync.fc +++ b/rsync.fc -@@ -1,7 +1,7 @@ +@@ -1,7 +1,8 @@ /etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) -/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) 
@@ -76119,8 +76161,9 @@ index d25301b..d92f567 100644 +/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0) /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) ++/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/rsync.if b/rsync.if -index f1140ef..02de8a5 100644 +index f1140ef..8afe362 100644 --- a/rsync.if +++ b/rsync.if @@ -1,16 +1,32 @@ @@ -76345,34 +76388,36 @@ index f1140ef..02de8a5 100644 ## with rsync etc type. ## ## -@@ -236,46 +224,3 @@ interface(`rsync_etc_filetrans_config',` +@@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',` - files_etc_filetrans($1, rsync_etc_t, $2, $3) - ') -- --######################################## --## + ######################################## + ## -## All of the rules required to -## administrate an rsync environment. --## --## --## ++## Transition to rsync named content + ## + ## + ## -## Domain allowed access. -## -## -## -## -## Role allowed access. --## --## ++## Domain allowed access. + ## + ## -## --# + # -interface(`rsync_admin',` -- gen_require(` ++interface(`rsync_filetrans_named_content',` + gen_require(` - type rsync_t, rsync_etc_t, rsync_data_t; - type rsync_log_t, rsync_tmp_t. rsync_var_run_t; -- ') -- ++ type rsync_etc_t; ++ type rsync_var_run_t; + ') + - allow $1 rsync_t:process { ptrace signal_perms }; - ps_process_pattern($1, rsync_t) - @@ -76391,7 +76436,10 @@ index f1140ef..02de8a5 100644 - admin_pattern($1, rsync_var_run_t) - - rsync_run($1, $2) --') ++ files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond") ++ files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock") ++ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") + ') diff --git a/rsync.te b/rsync.te index e3e7c96..ec50426 100644 --- a/rsync.te @@ -97216,10 +97264,10 @@ index 7c7f7fa..20ce90b 100644 + xserver_manage_core_devices(wm_domain) +') diff --git a/xen.fc b/xen.fc -index 42d83b0..5f18f6e 100644 +index 42d83b0..651d1cb 100644 
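Review bot: `files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")` names `rsyncd.cond`, but the file context added in rsync.fc earlier in this diff is `/etc/rsyncd\.conf`; with the misspelt name the named transition never matches, so a caller creating /etc/rsyncd.conf presumably gets the default /etc label instead of `rsync_etc_t`, and the changelog's "Fix rsync_filetrans_named_content()" is not achieved. The line should be `files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.conf")`. The same hunk also removes `rsync_admin` entirely rather than replacing it, so any remaining caller of that interface will now fail to build — worth checking before merge. The interface is complete within this hunk.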
--- a/xen.fc +++ b/xen.fc -@@ -1,38 +1,41 @@ +@@ -1,38 +1,42 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) -/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) @@ -97246,6 +97294,7 @@ index 42d83b0..5f18f6e 100644 /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) -/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) ++/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) +') -/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) @@ -97545,7 +97594,7 @@ index f93558c..16e29c1 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index ed40676..0706207 100644 +index ed40676..3fe3e35 100644 --- a/xen.te +++ b/xen.te @@ -1,42 +1,34 @@ @@ -98064,7 +98113,7 @@ index ed40676..0706207 100644 manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t) +@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t) dev_rw_xen(xenstored_t) dev_read_sysfs(xenstored_t) @@ -98087,11 +98136,10 @@ index ed40676..0706207 100644 - xen_append_log(xenstored_t) - ######################################## - # +-######################################## +-# -# xm local policy -+# SSH component local policy - # +-# - -allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; -allow xm_t self:process { getcap getsched setsched setcap signal }; 
@@ -98187,9 +98235,14 @@ index ed40676..0706207 100644 - optional_policy(` - cron_system_entry(xm_t, xm_exec_t) --') -- --optional_policy(` ++ virt_read_config(xenstored_t) + ') + ++######################################## ++# ++# SSH component local policy ++# + optional_policy(` - dbus_system_bus_client(xm_t) - - optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 9116b9b..4cfb2f6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 94%{?dist} +Release: 95%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -230,7 +230,7 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/se %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ %config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/sytemd_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ 
@@ -573,6 +573,23 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Oct 28 2013 Miroslav Grepl 3.12.1-95 +- Allow sysadm_t to read login information +- Allow systemd_tmpfiles to setattr on var_log_t directories +- Udpdate Makefile to include systemd_contexts +- Add systemd_contexts +- Add fs_exec_hugetlbfs_files() interface +- Add daemons_enable_cluster_mode boolean +- Fix rsync_filetrans_named_content() +- Add rhcs_read_cluster_pid_files() interface +- Update rhcs.if with additional interfaces from RHEL6 +- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t +- Allow glusterd_t to mounton glusterd_tmp_t +- Allow glusterd to unmout al filesystems +- Allow xenstored to read virt config +- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label +- Allow mozilla_plugin_t to mmap hugepages as an executable + * Thu Oct 24 2013 Miroslav Grepl 3.12.1-94 - Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp