diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index a53f917..2dada19 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a5c7403..ab24bc0 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -35886,7 +35886,7 @@ index c42fbc3..bf211db 100644
 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
 +')
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..660ef80 100644
+index be8ed1e..bce6063 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
@@ -35947,7 +35947,7 @@ index be8ed1e..660ef80 100644
 kernel_use_fds(iptables_t)
 # needed by ipvsadm
-@@ -64,6 +74,8 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,19 +74,23 @@ corenet_relabelto_all_packets(iptables_t)
 corenet_dontaudit_rw_tun_tap_dev(iptables_t)
 dev_read_sysfs(iptables_t)
@@ -35956,7 +35956,9 @@ index be8ed1e..660ef80 100644
 fs_getattr_xattr_fs(iptables_t)
 fs_search_auto_mountpoints(iptables_t)
-@@ -72,11 +84,12 @@ fs_list_inotifyfs(iptables_t)
+ fs_list_inotifyfs(iptables_t)
++fs_read_nsfs_files(iptables_t)
+
 mls_file_read_all_levels(iptables_t)
 term_dontaudit_use_console(iptables_t)
@@ -35971,7 +35973,7 @@ index be8ed1e..660ef80 100644
 auth_use_nsswitch(iptables_t)
-@@ -85,15 +98,14 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +99,14 @@ init_use_script_ptys(iptables_t)
 # to allow rules to be saved on reboot:
 init_rw_script_tmp_files(iptables_t)
 init_rw_script_stream_sockets(iptables_t)
@@ -35989,7 +35991,7 @@ index be8ed1e..660ef80 100644
 userdom_use_all_users_fds(iptables_t)
 ifdef(`hide_broken_symptoms',`
-@@ -102,6 +114,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +115,9 @@ ifdef(`hide_broken_symptoms',`
 optional_policy(`
 fail2ban_append_log(iptables_t)
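Review bot: `++fs_read_nsfs_files(iptables_t)` in the @@ -35956 hunk of iptables.te is added with no comment saying why iptables_t now needs to read nsfs inodes; the only rationale is the changelog line in selinux-policy.spec (BZ(1296826)), which nobody reading the policy module will see. Suggest a preceding line `# read /proc/<pid>/ns/* when invoked inside a network namespace (BZ 1296826)`, adjusted to whatever the bug actually reports — the namespace use is inferred from the interface name, not from anything in the hunk. The grant is read-only and unconditional, which matches the neighbouring kernel-pseudo-fs rules (`fs_getattr_xattr_fs`, `fs_list_inotifyfs`), so no tunable seems warranted; the remaining hunks of this file only renumber inner hunk headers for the inserted line. The inner hunk `@@ -64,19 +74,23 @@` of iptables.te starts and ends outside this outer hunk.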
@@ -35999,7 +36001,7 @@ index be8ed1e..660ef80 100644
 ')
 optional_policy(`
-@@ -110,6 +125,12 @@ optional_policy(`
+@@ -110,6 +126,12 @@ optional_policy(`
 ')
 optional_policy(`
@@ -36012,7 +36014,7 @@ index be8ed1e..660ef80 100644
 modutils_run_insmod(iptables_t, iptables_roles)
 ')
-@@ -124,6 +145,16 @@ optional_policy(`
+@@ -124,6 +146,16 @@ optional_policy(`
 optional_policy(`
 psad_rw_tmp_files(iptables_t)
@@ -36029,7 +36031,7 @@ index be8ed1e..660ef80 100644
 ')
 optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d8d0f0f..03b15df 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -108706,10 +108706,10 @@ index 3d11c6a..b19a117 100644
 optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index a4f20bc..374e8ef 100644
+index a4f20bc..58f9c69 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,51 +1,101 @@
+@@ -1,51 +1,102 @@
 -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -108762,6 +108762,7 @@ index a4f20bc..374e8ef 100644
 /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
 +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6ff9647..ad84a35 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
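Review bot: `++/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtd_exec_t,s0)` in the @@ -108762 hunk of virt.fc runs libvirt's log daemon in the same virtd_t domain as libvirtd and virtlockd, so a defect in virtlogd's handling of the guest console and serial output it receives from QEMU would execute with libvirtd's full privilege set instead of the small one a log writer needs. The label resolves the reported failure (BZ(1291940)), but the least-privilege fix is a dedicated domain — a new type such as virtlogd_t (proposed name, not yet in this policy) entered from init with write access limited to the log directory — and that is worth tracking as a follow-up. At minimum, add `# virtlockd/virtlogd share virtd_t until they get their own domains` above the two lines so the shared label reads as provisional rather than intended. The inner hunk `@@ -1,51 +1,102 @@` of virt.fc starts outside this outer hunk.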
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 167%{?dist}
+Release: 168%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -664,6 +664,10 @@ exit 0
 %endif
 %changelog
+* Wed Jan 20 2016 Lukas Vrabec 3.13.1-168
+- Label virtlogd binary as virtd_exec_t. BZ(1291940)
+- Allow iptables to read nsfs files. BZ(1296826)
+
 * Mon Jan 18 2016 Lukas Vrabec 3.13.1-167
 - Add fwupd policy for daemon to allow session software to update device firmware
 - Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)