From be2df80e69342d4fe5df5248612080a21e58cfe5 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Aug 14 2017 14:11:30 +0000
Subject: * Mon Aug 14 2017 Lukas Vrabec - 3.13.1-271
- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
- Label /usr/libexec/sudo/sesh as shell_exec_t
---
diff --git a/container-selinux.tgz b/container-selinux.tgz
index 7e7df53..205a2b5 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 9f3f960..4bbdffa 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3839,7 +3839,7 @@ index 759016583..f50f79935 100644
+ fs_mounton_fusefs(seunshare_domain) ')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8dad..1b078065a 100644
+index 33e0f8dad..1eb3faaa3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -4063,7 +4063,7 @@ index 33e0f8dad..1b078065a 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -245,26 +298,40 @@ ifdef(`distro_gentoo',`
+@@ -245,26 +298,41 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -4089,6 +4089,7 @@ index 33e0f8dad..1b078065a 100644
+/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/cockpit-bridge -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/libexec/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -4109,7 +4110,7 @@ index 33e0f8dad..1b078065a 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -280,10 +347,14 @@ ifdef(`distro_gentoo',`
+@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -4124,7 +4125,7 @@ index 33e0f8dad..1b078065a 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -298,16 +369,22 @@ ifdef(`distro_gentoo',`
+@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -4149,7 +4150,7 @@ index 33e0f8dad..1b078065a 100644
ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,20 +402,27 @@ ifdef(`distro_redhat', `
+@@ -325,20 +403,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
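Review bot: The added `++/usr/libexec/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)` is now the third path carrying the shell_exec_t label for the sesh helper (next to `/usr/libexec/sesh` just above it and `/usr/sbin/sesh` in the following hunk), and none of the three says why a sudo helper is labelled as a shell rather than bin_t. Because shell_exec_t is the type every domain with shell-execute rights may run, a one-line why-comment above the sesh entries would make the intent auditable and let the stale paths be retired once the installed sudo package is known to use only one of them; something like `# sesh: sudo session helper, kept as shell_exec_t on purpose — presumably so callers treat it like a shell; confirm which path current sudo installs`. This corecommands.fc hunk is embedded in policy-rawhide-base.patch, so the surrounding fc entries lie outside the hunk.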
@@ -4178,7 +4179,7 @@ index 33e0f8dad..1b078065a 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -346,6 +430,7 @@ ifdef(`distro_redhat', `
+@@ -346,6 +431,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -4186,7 +4187,7 @@ index 33e0f8dad..1b078065a 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,17 +472,36 @@ ifdef(`distro_suse', `
+@@ -387,17 +473,36 @@ ifdef(`distro_suse', `
# # /var #
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 97d1a04..5fbe0bc 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -111868,10 +111868,10 @@ index 000000000..e5cec8fda
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
-index 000000000..1d0e69bf8
+index 000000000..bc54338c2
--- /dev/null
+++ b/tomcat.te
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,108 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
@@ -111922,8 +111922,10 @@ index 000000000..1d0e69bf8
+# tomcat domain local policy
+#
+
++allow tomcat_t self:capability { dac_override setuid kill };
++
+allow tomcat_t self:process execmem;
-+allow tomcat_t self:process { signal signull };
++allow tomcat_t self:process { setcap signal signull };
+
+allow tomcat_t self:tcp_socket { accept listen };
+allow tomcat_domain self:fifo_file rw_fifo_file_perms;
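Review bot: In the tomcat.te hunk, `++allow tomcat_t self:capability { dac_override setuid kill };` grants dac_override with no comment naming the jsvc operation that needs it; dac_override bypasses every DAC file-permission check, so it is by far the broadest of the three and is the one a later reader will want justified. A why-comment above the rule, e.g. `# tomcat-jsvc: setuid drops to the tomcat user, kill signals the child, dac_override needed for <operation — confirm from the AVC denials>`, would record that, and if the original denials were only for reading files owned by another user the narrower dac_read_search capability would suffice — worth checking against the audit log that motivated the change. Dropping to an unprivileged user usually also involves a group change, so it is worth confirming once whether setgid denials appear after this rule lands; if none do, omitting it is correct. The tomcat_t local policy continues outside this hunk.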
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1b4e09c..91e6e4e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
Name: selinux-policy Version: 3.13.1
-Release: 270%{?dist}
+Release: 271%{?dist}
License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz
@@ -683,6 +683,10 @@ exit 0
%endif %changelog
+* Mon Aug 14 2017 Lukas Vrabec - 3.13.1-271
+- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
+- Label /usr/libexec/sudo/sesh as shell_exec_t
+
* Thu Aug 10 2017 Lukas Vrabec - 3.13.1-270
- refpolicy: Infiniband pkeys and endport