From 9921eeb6427ed11f366c2ea7871610da142124f9 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 10 2018 08:06:39 +0000
Subject: import selinux-policy-3.13.1-192.el7_5.3
---
diff --git a/SOURCES/policy-rhel-7.5.z-base.patch b/SOURCES/policy-rhel-7.5.z-base.patch
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/SOURCES/policy-rhel-7.5.z-base.patch
diff --git a/SOURCES/policy-rhel-7.5.z-contrib.patch b/SOURCES/policy-rhel-7.5.z-contrib.patch
new file mode 100644
index 0000000..5fef8da
--- /dev/null
+++ b/SOURCES/policy-rhel-7.5.z-contrib.patch
@@ -0,0 +1,35 @@
+diff --git a/snapper.te b/snapper.te
+index faf4fc9fca..fda6e0b289 100644
+--- a/snapper.te
++++ b/snapper.te
+@@ -22,6 +22,8 @@ files_type(snapperd_data_t)
+ #
+ # snapperd local policy
+ #
++allow snapperd_t self:capability { dac_read_search fowner sys_admin };
++allow snapperd_t self:process setsched;
+
+ allow snapperd_t self:fifo_file rw_fifo_file_perms;
+ allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -36,8 +38,12 @@ manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
+ manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+ manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+ manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++allow snapperd_t snapperd_data_t:file relabelfrom;
++allow snapperd_t snapperd_data_t:dir { relabelfrom relabelto mounton };
+ snapper_filetrans_named_content(snapperd_t)
+
++kernel_setsched(snapperd_t)
++
+ domain_read_all_domains_state(snapperd_t)
+
+ corecmd_exec_shell(snapperd_t)
+@@ -51,6 +57,8 @@ files_read_all_files(snapperd_t)
+ files_list_all(snapperd_t)
+
+ fs_getattr_all_fs(snapperd_t)
++fs_mount_xattr_fs(snapperd_t)
++fs_unmount_xattr_fs(snapperd_t)
+
+ storage_raw_read_fixed_disk(snapperd_t)
+
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 110f2cf..f32713d 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
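Review bot: The first embedded snapper.te hunk adds `allow snapperd_t self:capability { dac_read_search fowner sys_admin };` with no comment, and `sys_admin` is one of the broadest capabilities a confined domain can hold; combined with `mounton` on `snapperd_data_t` directories and `fs_mount_xattr_fs`/`fs_unmount_xattr_fs` in the later hunks, it gives the daemon mount and unmount rights. The context lines show the domain already has `files_read_all_files` and `storage_raw_read_fixed_disk`, so each new grant deserves a one-line justification above it, for example `# sys_admin, mounton: mount/unmount of snapshot directories (confirm against the AVC denials in rhbz#1558656)`. Also confirm that the asymmetry between `snapperd_data_t:file relabelfrom` and `snapperd_data_t:dir { relabelfrom relabelto mounton }` is intended, since files get no `relabelto`. The snapperd local policy block continues outside these hunks.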
@@ -20,12 +20,14 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 192%{?dist}
+Release: 192%{?dist}.3
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch0: policy-rhel-7.5-base.patch
 patch1: policy-rhel-7.5-contrib.patch
+patch2: policy-rhel-7.5.z-base.patch
+patch3: policy-rhel-7.5.z-contrib.patch
 Source1: modules-targeted-base.conf
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@@ -340,9 +342,11 @@ Based off of reference policy: Checked out revision 2.20091117
 %prep
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
+%patch3 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch0 -p1
+%patch2 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
@@ -652,6 +656,18 @@ fi
 %endif
 %changelog
+* Wed Mar 28 2018 Lukas Vrabec - 3.13.1-192.3
+- Allow snapperd_t domain to unmount fs_t filesystems
+Resolves: rhbz#1561424
+
+* Mon Mar 26 2018 Lukas Vrabec - 3.13.1-192.2
+- Allow snapperd_t to set priority for kernel processes
+Resolves: rhbz#1558656
+
+* Wed Mar 21 2018 Lukas Vrabec - 3.13.1-192.1
+- Backport several changes for snapperdfrom Fedora Rawhide
+Resolves: rhbz#1558656
+
 * Tue Feb 27 2018 Lukas Vrabec - 3.13.1-192
 - Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled.
 Resolves: rhbz#1546721
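Review bot: `%patch2 -p1` in the %prep hunk applies policy-rhel-7.5.z-base.patch, which this commit creates as an empty file (`index 0000000..e69de29`, no hunk), so the step changes nothing and relies on the build root's patch tool accepting empty input. If the file is meant as a placeholder for later z-stream base-policy changes, say so at its declaration, e.g. `# patch2: empty placeholder for 7.5.z base-policy backports` above `patch2: policy-rhel-7.5.z-base.patch`. The %prep section continues outside the hunk.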