diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 192c2ec..486f14c 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 671a949..097cf35 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -25374,7 +25374,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..fe03d6d 100644 +index 2522ca6..a23a472 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) @@ -25807,7 +25807,7 @@ index 2522ca6..fe03d6d 100644 ') optional_policy(` -@@ -345,30 +490,37 @@ optional_policy(` +@@ -345,30 +490,38 @@ optional_policy(` ') optional_policy(` @@ -25820,6 +25820,7 @@ index 2522ca6..fe03d6d 100644 + systemd_login_reboot(sysadm_t) + systemd_login_halt(sysadm_t) + systemd_login_undefined(sysadm_t) ++ systemd_tmpfiles_run(sysadm_t, sysadm_r) ') optional_policy(` @@ -25854,7 +25855,7 @@ index 2522ca6..fe03d6d 100644 ') optional_policy(` -@@ -380,10 +532,6 @@ optional_policy(` +@@ -380,10 +533,6 @@ optional_policy(` ') optional_policy(` @@ -25865,7 +25866,7 @@ index 2522ca6..fe03d6d 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +539,9 @@ optional_policy(` +@@ -391,6 +540,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -25875,7 +25876,7 @@ index 2522ca6..fe03d6d 100644 ') optional_policy(` -@@ -398,31 +549,34 @@ optional_policy(` +@@ -398,31 +550,34 @@ optional_policy(` ') optional_policy(` @@ -25916,7 +25917,7 @@ index 2522ca6..fe03d6d 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +589,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +590,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25927,7 +25928,7 @@ index 2522ca6..fe03d6d 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +609,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +610,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -35258,7 +35259,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..e176b9f 100644 +index 79a45f6..9926eaf 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -36301,7 +36302,7 @@ index 79a45f6..e176b9f 100644 ') ######################################## -@@ -1806,37 +2294,672 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,37 +2294,690 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -36729,6 +36730,24 @@ index 79a45f6..e176b9f 100644 + +######################################## +## ++## Start system from init ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_start',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system start; ++') ++ ++######################################## ++## +## Tell init to reboot the system. +## +## @@ -46795,10 +46814,10 @@ index 0000000..8b77d7a +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..513b97b +index 0000000..16cd1ac --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1738 @@ +@@ -0,0 +1,1763 @@ +## SELinux policy for systemd components + +###################################### @@ -47405,6 +47424,31 @@ index 0000000..513b97b + +######################################## +## ++## Execute systemd-tmpfiles in the systemd_tmpfiles_t domain, and ++## allow the specified role the systemd_tmpfiles domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the systemd_tmpfiles domain. ++## ++## ++# ++interface(`systemd_tmpfiles_run',` ++ gen_require(` ++ type systemd_tmpfiles_t; ++ ') ++ ++ systemd_passwd_agent_domtrans($1) ++ role $2 types systemd_tmpfiles_t; ++') ++ ++######################################## ++## +## Role access for systemd_passwd_agent +## +## @@ -48539,10 +48583,10 @@ index 0000000..513b97b +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..7877160 +index 0000000..180e701 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,957 @@ +@@ -0,0 +1,958 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48770,6 +48814,7 @@ index 0000000..7877160 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit") + +init_status(systemd_logind_t) ++init_start(systemd_logind_t) +init_signal(systemd_logind_t) +init_reboot(systemd_logind_t) +init_halt(systemd_logind_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 2a75676..7b0f931 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -648,6 +648,12 @@ exit 0 %endif %changelog +* Wed Jul 13 2016 Lukas Vrabec 3.13.1-202 +- Allow systemd_logind_t to start init_t BZ(1355861) +- Add init_start() interface +- Allow sysadm user to run systemd-tmpfiles +- Add interface systemd_tmpfiles_run + * Mon Jul 11 2016 Lukas Vrabec 3.13.1-201 - Allow lttng tools to block suspending - Allow creation of vpnaas in openstack