diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index b24750c..df508b3 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index f0068de..6a4e7cc 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -45145,10 +45145,10 @@ index 0000000..c253b33
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..9afb637
+index 0000000..3358b07
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,788 @@
+@@ -0,0 +1,791 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -45486,6 +45486,9 @@ index 0000000..9afb637
 +corenet_udp_bind_all_nodes(systemd_networkd_t)
 +corenet_tcp_bind_dhcpc_port(systemd_networkd_t)
 +corenet_udp_bind_dhcpc_port(systemd_networkd_t)
++corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
++corenet_udp_bind_dhcpd_port(systemd_networkd_t)
++
 +
 +fs_read_xenfs_files(systemd_networkd_t)
 +
@@ -45556,7 +45559,7 @@ index 0000000..9afb637
 +# Local policy
 +#
 +
-+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod sys_admin };
 +allow systemd_tmpfiles_t self:process { setfscreate };
 +
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index dc370d4..3bff382 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -7818,7 +7818,7 @@ index f3c0aba..f6e25ed 100644
 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
 ')
 diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4d..5db6cde 100644
+index 080bc4d..5b4d973 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
 @@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
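Review bot: The added `corenet_tcp_bind_dhcpd_port(systemd_networkd_t)` in the `@@ -45486,6 +45486,9 @@` hunk grants a TCP bind that the stated reason (networkd serving DHCP, BZ 1280092) does not obviously need, since DHCP itself runs over UDP. The dhcpd port type in the reference policy appears to cover more than the plain DHCP server port, so both new lines may permit binding to additional ports; that should be checked against the port definition. If the logged denial was UDP only, keeping just `corenet_udp_bind_dhcpd_port(systemd_networkd_t)` would be the least-privilege form. The hunk also adds a second consecutive blank policy line (`++` directly before an existing ` +`), which can be dropped.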
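Review bot: `sys_admin` is added to `systemd_tmpfiles_t self:capability` in the `@@ -45556,7 +45559,7 @@` hunk with no rationale in the policy, and it is by far the broadest capability in that set. The reason exists only in the spec changelog, so a comment directly above the rule would help, for example `# sys_admin: systemd-tmpfiles operates on System V IPC objects, BZ(1279269)`. Before settling on it, check the recorded denial to see whether a narrower capability such as `ipc_owner` covers the operation. If `sys_admin` really is required, the comment keeps later edits from treating it as a precedent for other domains.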
@@ -7856,7 +7856,7 @@ index 080bc4d..5db6cde 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -67,26 +73,38 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) +@@ -67,26 +73,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t) @@ -7867,9 +7867,12 @@ index 080bc4d..5db6cde 100644 corenet_sendrecv_snmp_server_packets(apcupsd_t) corenet_udp_sendrecv_snmp_port(apcupsd_t) ++corenet_tcp_connect_smtp_port(apcupsd_t) ++ +fs_getattr_xattr_fs(apcupsd_t) + +dev_read_sysfs(apcupsd_t) ++dev_read_urand(apcupsd_t) + dev_rw_generic_usb_dev(apcupsd_t) @@ -7900,7 +7903,7 @@ index 080bc4d..5db6cde 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -101,6 +119,11 @@ optional_policy(` +@@ -101,6 +122,11 @@ optional_policy(` shutdown_domtrans(apcupsd_t) ') @@ -7912,7 +7915,7 @@ index 080bc4d..5db6cde 100644 ######################################## # # CGI local policy -@@ -108,20 +131,20 @@ optional_policy(` +@@ -108,20 +134,20 @@ optional_policy(` optional_policy(` apache_content_template(apcupsd_cgi) @@ -66690,10 +66693,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..65502e1 +index 0000000..573632e --- /dev/null +++ b/pcp.te -@@ -0,0 +1,272 @@ +@@ -0,0 +1,274 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -66838,6 +66841,8 @@ index 0000000..65502e1 + +logging_send_syslog_msg(pcp_pmcd_t) + ++lvm_domtrans(pcp_pmcd_t) ++ +storage_getattr_fixed_disk_dev(pcp_pmcd_t) + +userdom_read_user_tmp_files(pcp_pmcd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 19e82c3..fb6d602 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
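Review bot: `corenet_tcp_connect_smtp_port(apcupsd_t)` in the `@@ -7867,9 +7867,12 @@` hunk lets the UPS daemon open outbound SMTP connections unconditionally, although the changelog ties the need only to mail notifications about battery state. If the mail is handed to a local MTA, an mta interface call inside an `optional_policy` block would be narrower than a direct network connect. The renumbered `@@ -101,6 +122,11 @@` section whose body is not shown here may already do that, in which case this line could be redundant. A one-line comment naming BZ(1274018) next to the rule would record why a power-management domain needs SMTP at all.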
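Review bot: `lvm_domtrans(pcp_pmcd_t)` in the pcp.te hunk (`@@ -66838,6 +66841,8 @@`) is called bare, whereas the apcupsd.te sections on this page wrap cross-module calls such as `hostname_exec` and `shutdown_domtrans` in `optional_policy`. Wrapping this call the same way would keep pcp loadable when the lvm module is absent. The transition also lets the collector daemon run LVM tools in lvm_t, which presumably has far wider storage access than the neighbouring `storage_getattr_fixed_disk_dev(pcp_pmcd_t)` grants. A comment such as `# pmcd runs lvm tools for metrics collection, BZ(1277779)` (wording to be confirmed against the bug) would document why that escalation path is accepted.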
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 159%{?dist} +Release: 160%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -664,6 +664,14 @@ exit 0 %endif %changelog +* Tue Nov 24 2015 Lukas Vrabec 3.13.1-160 +- Allow apcupsd sending mails about battery state. BZ(1274018) +- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779) +- Merge pull request #68 from rhatdan/rawhide-contrib +- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785 +- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092) +- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269) + * Fri Nov 20 2015 Miroslav Grepl 3.13.1-159 - Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048) - Allow abrt-hook-ccpp to change SELinux user identity for created objects.