diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 9b3e5ae..b94176b 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index ddf081b..1c19c4d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -46,9 +46,18 @@ index ec7b5cb..a027110 100644 ifndef LOCAL_ROOT rm -f $(fcsort) diff --git a/Rules.modular b/Rules.modular -index 313d837..ef3c532 100644 +index 313d837..4f261a9 100644 --- a/Rules.modular +++ b/Rules.modular +@@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp + # Build module packages + # + $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te +- @echo "Compliling $(NAME) $(@F) module" ++ @echo "Compiling $(NAME) $(@F) module" + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ @@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs) @echo "Validating policy linking." $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ @@ -868,7 +877,7 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..d0a8a5b 100644 +index a94b169..2e137e6 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -879,7 +888,7 @@ index a94b169..d0a8a5b 100644 } -@@ -393,6 +394,15 @@ class system +@@ -393,6 +394,13 @@ class system syslog_mod syslog_console module_request @@ -890,12 +899,10 @@ index a94b169..d0a8a5b 100644 + enable + disable + reload -+ stop -+ start } # -@@ -443,10 +453,13 @@ class capability +@@ -443,10 +451,13 @@ class capability class capability2 { mac_override # unused by SELinux @@ -910,7 +917,7 @@ index a94b169..d0a8a5b 100644 } # -@@ -690,6 +703,8 @@ class nscd +@@ -690,6 +701,8 @@ class nscd shmemhost getserv shmemserv 
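Review bot: The revert at hunk @@ -890,12 +899,10 @@ drops `stop` and `start` from `class system` in access_vectors, but nothing in this diff shows the rules that consumed those permissions being removed alongside them; any `allow ... : system { start stop }` rule still carried in policy-rawhide-contrib.patch would now fail at checkpolicy/semodule time with an undefined-permission error, so confirm the contrib patch has no remaining references before the package is built. The companion hunks @@ -879,7 +888,7 @@, @@ -910,7 +917,7 @@, @@ -919,7 +926,7 @@ and @@ -958,7 +965,7 @@ only adjust the inner hunk headers and blob id for the same revert and need no separate fix. The full class definition is outside the visible context, so the check has to be done against the complete access_vectors and the contrib .te files.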
@@ -919,7 +926,7 @@ index a94b169..d0a8a5b 100644 } # Define the access vector interpretation for controlling -@@ -831,6 +846,38 @@ inherits socket +@@ -831,6 +844,38 @@ inherits socket attach_queue } @@ -958,7 +965,7 @@ index a94b169..d0a8a5b 100644 class x_pointer inherits x_device -@@ -865,3 +912,18 @@ inherits database +@@ -865,3 +910,18 @@ inherits database implement execute } diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 2d560ab..b3d2b38 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9425,10 +9425,10 @@ index c3fd7b1..e189593 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..750788c 100644 +index 2b9a3a1..49accb6 100644 --- a/bind.fc +++ b/bind.fc -@@ -1,54 +1,76 @@ +@@ -1,54 +1,77 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -9463,6 +9463,7 @@ index 2b9a3a1..750788c 100644 -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) +/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/named-pkcs11 -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) @@ -99864,10 +99865,10 @@ index 0000000..88490d5 + diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..3984dba +index 0000000..939b8be --- /dev/null +++ b/snapper.te -@@ -0,0 +1,82 @@ +@@ -0,0 +1,83 @@ +policy_module(snapper, 1.0.0) + +######################################## 
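Review bot: The new entry `/usr/sbin/named-pkcs11 -- gen_context(system_u:object_r:named_exec_t,s0)` at hunk @@ -9463,6 +9463,7 @@ places the PKCS#11-enabled server in the same confined domain as stock named, which is the right default, but the label alone does not establish that named_t has the file access such a build needs; if it loads a PKCS#11 provider with its own token store, denials will surface as AVCs at daemon start rather than at labeling time, so a permissive-domain test run is worth doing before release. As a matter of style the three adjacent `named*` entries could be one regex, `/usr/sbin/named(-sdb|-pkcs11)? -- gen_context(system_u:object_r:named_exec_t,s0)`, so future variants do not need another line. The earlier hunk @@ -9425,10 +9425,10 @@ only updates the blob id and inner line count for this same change.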
@@ -99893,7 +99894,8 @@ index 0000000..3984dba
 +# snapperd local policy
 +#
 +
-+allow snapperd_t self:capability dac_override;
++allow snapperd_t self:capability { dac_override sys_admin };
++allow snapperd_t self:process setsched;
 +
 +allow snapperd_t self:fifo_file rw_fifo_file_perms;
 +allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 94b2f6c..fe4b660 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 185%{?dist}
+Release: 186%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -653,6 +653,12 @@ exit 0
 %endif
 
 %changelog
+* Fri Apr 29 2016 Lukas Vrabec 3.13.1-186
+- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
+- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
+- Revert "Add new permissions stop/start to class system. rhbz#1324453"
+- Fix typo in module compilation message
+
 * Wed Apr 27 2016 Lukas Vrabec 3.13.1-185
 - Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
 - Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)
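Review bot: `allow snapperd_t self:capability { dac_override sys_admin };` at hunk @@ -99893,7 +99894,8 @@ grants CAP_SYS_ADMIN, the broadest capability in the set, to the whole daemon without recording which operation needed it; the changelog entry cites only BZ(1323732). Before merging, the AVC that motivated it should be re-read for a narrower alternative, since a denial on a btrfs subvolume ioctl is presumably unavoidable but a mount- or quota-related path can sometimes be expressed with a more specific permission, and the rule should carry a why-comment such as `# sys_admin: required for [operation from BZ 1323732]; setsched: snapperd adjusts its own scheduling class` so the next reviewer does not have to re-derive the justification. The second new line, `allow snapperd_t self:process setsched;`, is scoped to self and is fine as written. snapper.te's module body continues outside this hunk.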