9921ee
import selinux-policy-3.13.1-192.el7_5.3
Authored and Committed by 
centosrcm
6 years ago
empty file added
SOURCES/policy-rhel-7.5.z-contrib.patch
ADDED
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
diff --git a/snapper.te b/snapper.te
|
|
2
|
+
index faf4fc9fca..fda6e0b289 100644
|
|
3
|
+
--- a/snapper.te
|
|
4
|
+
+++ b/snapper.te
|
|
5
|
+
@@ -22,6 +22,8 @@ files_type(snapperd_data_t)
|
|
6
|
+
#
|
|
7
|
+
# snapperd local policy
|
|
8
|
+
#
|
|
9
|
+
+allow snapperd_t self:capability { dac_read_search fowner sys_admin };
|
|
10
|
+
+allow snapperd_t self:process setsched;
|
|
11
|
+
|
|
12
|
+
allow snapperd_t self:fifo_file rw_fifo_file_perms;
|
|
13
|
+
allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
|
|
14
|
+
@@ -36,8 +38,12 @@ manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
|
|
15
|
+
manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
|
|
16
|
+
manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
|
|
17
|
+
manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
|
|
18
|
+
+allow snapperd_t snapperd_data_t:file relabelfrom;
|
|
19
|
+
+allow snapperd_t snapperd_data_t:dir { relabelfrom relabelto mounton };
|
|
20
|
+
snapper_filetrans_named_content(snapperd_t)
|
|
21
|
+
|
|
22
|
+
+kernel_setsched(snapperd_t)
|
|
23
|
+
+
|
|
24
|
+
domain_read_all_domains_state(snapperd_t)
|
|
25
|
+
|
|
26
|
+
corecmd_exec_shell(snapperd_t)
|
|
27
|
+
@@ -51,6 +57,8 @@ files_read_all_files(snapperd_t)
|
|
28
|
+
files_list_all(snapperd_t)
|
|
29
|
+
|
|
30
|
+
fs_getattr_all_fs(snapperd_t)
|
|
31
|
+
+fs_mount_xattr_fs(snapperd_t)
|
|
32
|
+
+fs_unmount_xattr_fs(snapperd_t)
|
|
33
|
+
|
|
34
|
+
storage_raw_read_fixed_disk(snapperd_t)
|
|
35
|
+
|
SPECS/selinux-policy.spec
CHANGED
|
@@ -20,12 +20,14 @@
|
|
|
20
20
|
Summary: SELinux policy configuration
|
|
21
21
|
Name: selinux-policy
|
|
22
22
|
Version: 3.13.1
|
|
23
|
-
Release: 192%{?dist
|
|
23
|
+
Release: 192%{?dist}.3
|
|
24
24
|
License: GPLv2+
|
|
25
25
|
Group: System Environment/Base
|
|
26
26
|
Source: serefpolicy-%{version}.tgz
|
|
27
27
|
patch0: policy-rhel-7.5-base.patch
|
|
28
28
|
patch1: policy-rhel-7.5-contrib.patch
|
|
29
|
+
patch2: policy-rhel-7.5.z-base.patch
|
|
30
|
+
patch3: policy-rhel-7.5.z-contrib.patch
|
|
29
31
|
Source1: modules-targeted-base.conf
|
|
30
32
|
Source31: modules-targeted-contrib.conf
|
|
31
33
|
Source2: booleans-targeted.conf
|
|
@@ -340,9 +342,11 @@ Based off of reference policy: Checked out revision 2.20091117
|
|
|
340
342
|
%prep
|
|
341
343
|
%setup -n serefpolicy-contrib-%{version} -q -b 29
|
|
342
344
|
%patch1 -p1
|
|
345
|
+
%patch3 -p1
|
|
343
346
|
contrib_path=`pwd`
|
|
344
347
|
%setup -n serefpolicy-%{version} -q
|
|
345
348
|
%patch0 -p1
|
|
349
|
+
%patch2 -p1
|
|
346
350
|
refpolicy_path=`pwd`
|
|
347
351
|
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
|
|
348
352
|
rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
|
|
@@ -652,6 +656,18 @@ fi
|
|
|
652
656
|
%endif
|
|
653
657
|
|
|
654
658
|
%changelog
|
|
659
|
+
* Wed Mar 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192.3
|
|
660
|
+
- Allow snapperd_t domain to unmount fs_t filesystems
|
|
661
|
+
Resolves: rhbz#1561424
|
|
662
|
+
|
|
663
|
+
* Mon Mar 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192.2
|
|
664
|
+
- Allow snapperd_t to set priority for kernel processes
|
|
665
|
+
Resolves: rhbz#1558656
|
|
666
|
+
|
|
667
|
+
* Wed Mar 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192.1
|
|
668
|
+
- Backport several changes for snapperdfrom Fedora Rawhide
|
|
669
|
+
Resolves: rhbz#1558656
|
|
670
|
+
|
|
655
671
|
* Tue Feb 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192
|
|
656
672
|
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled.
|
|
657
673
|
Resolves: rhbz#1546721
|