diff --git a/SOURCES/glusterd-snapshot-creation-fdc66.patch b/SOURCES/glusterd-snapshot-creation-fdc66.patch
deleted file mode 100644
index ce7a3c6..0000000
--- a/SOURCES/glusterd-snapshot-creation-fdc66.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/glusterd.te b/glusterd.te
-index 48811e2..d2a1ba9 100644
---- a/glusterd.te
-+++ b/glusterd.te
-@@ -59,7 +59,7 @@ files_type(glusterd_brick_t)
- # Local policy
- #
- 
--allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
-+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
- 
- allow glusterd_t self:capability2 block_suspend;
- allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
-@@ -155,6 +155,7 @@ corenet_tcp_connect_all_ports(glusterd_t)
- dev_read_sysfs(glusterd_t)
- dev_read_urand(glusterd_t)
- dev_read_rand(glusterd_t)
-+dev_rw_infiniband_dev(glusterd_t)
- 
- domain_read_all_domains_state(glusterd_t)
- domain_getattr_all_sockets(glusterd_t)
-@@ -164,6 +165,7 @@ domain_use_interactive_fds(glusterd_t)
- fs_mount_all_fs(glusterd_t)
- fs_unmount_all_fs(glusterd_t)
- fs_getattr_all_fs(glusterd_t)
-+fs_getattr_all_dirs(glusterd_t)
- 
- files_mounton_non_security(glusterd_t)
- 
diff --git a/SOURCES/policy-rhel-7.3.z-contrib.patch b/SOURCES/policy-rhel-7.3.z-contrib.patch
new file mode 100644
index 0000000..5559f0f
--- /dev/null
+++ b/SOURCES/policy-rhel-7.3.z-contrib.patch
@@ -0,0 +1,44 @@
+diff --git a/glusterd.te b/glusterd.te
+index 48811e2..d2a1ba9 100644
+--- a/glusterd.te
++++ b/glusterd.te
+@@ -59,7 +59,7 @@ files_type(glusterd_brick_t)
+ # Local policy
+ #
+ 
+-allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
+ 
+ allow glusterd_t self:capability2 block_suspend;
+ allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
+@@ -155,6 +155,7 @@ corenet_tcp_connect_all_ports(glusterd_t)
+ dev_read_sysfs(glusterd_t)
+ dev_read_urand(glusterd_t)
+ dev_read_rand(glusterd_t)
++dev_rw_infiniband_dev(glusterd_t)
+ 
+ domain_read_all_domains_state(glusterd_t)
+ domain_getattr_all_sockets(glusterd_t)
+@@ -164,6 +165,7 @@ domain_use_interactive_fds(glusterd_t)
+ fs_mount_all_fs(glusterd_t)
+ fs_unmount_all_fs(glusterd_t)
+ fs_getattr_all_fs(glusterd_t)
++fs_getattr_all_dirs(glusterd_t)
+ 
+ files_mounton_non_security(glusterd_t)
+ 
+diff --git a/rhcs.te b/rhcs.te
+index ce1ca24..4c9f2b6 100644
+--- a/rhcs.te
++++ b/rhcs.te
+@@ -275,6 +275,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ fprintd_dbus_chat(cluster_t)
++')
++
++optional_policy(`
+ ldap_systemctl(cluster_t)
+ ')
+ 
diff --git a/SOURCES/selinux-policy-migrate-local-changes.sh b/SOURCES/selinux-policy-migrate-local-changes.sh
index 6ccf3f0..628e006 100755
--- a/SOURCES/selinux-policy-migrate-local-changes.sh
+++ b/SOURCES/selinux-policy-migrate-local-changes.sh
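Review bot: The glusterd.te part of this new patch grants `ipc_lock` (the `-allow`/`+allow` pair near the top) and `dev_rw_infiniband_dev(glusterd_t)` to every glusterd_t instance unconditionally, while the changelog ties both to the RDMA transport only; gating the two in a `tunable_policy()` block keyed on a boolean, as refpolicy does for other optional features, would keep non-RDMA deployments from gaining memory locking and, going by the interface name, read/write access to InfiniBand device nodes. `fs_getattr_all_dirs(glusterd_t)` is likewise unconditional and nothing in the patch states why it is needed; it appears to carry over from the deleted snapshot-creation patch, so a `#` comment above it naming the use case would help the next reviewer. In the rhcs.te part, the new `fprintd_dbus_chat(cluster_t)` block deserves a one-line comment such as `# cluster services chat with fprintd over dbus (rhbz#1349798)` so the cross-domain grant stays traceable.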
@@ -63,6 +63,8 @@ if [ $REBUILD = 1 ]; then
 semodule -B -n -s $MIGRATE_SELINUXTYPE
 if [ "$MIGRATE_SELINUXTYPE" = "$SELINUXTYPE" ] && selinuxenabled; then
 load_policy
- semanage export | semanage import
+ if [ -x /usr/sbin/semanage ]; then
+ /usr/sbin/semanage export | /usr/sbin/semanage import
+ fi
 fi
 fi
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 659ab13..cd17f81 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 102%{?dist}.4
+Release: 102%{?dist}.7
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -28,7 +28,7 @@ patch: policy-rhel-7.1-base.patch
 patch1: policy-rhel-7.1-contrib.patch
 patch2: policy-rhel-7.3-base.patch
 patch3: policy-rhel-7.3-contrib.patch
-patch4: glusterd-snapshot-creation-fdc66.patch
+patch4: policy-rhel-7.3.z-contrib.patch
 Source1: modules-targeted-base.conf
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@@ -500,6 +500,7 @@ SELinux Reference policy targeted base module.
 %post targeted
 if [ -e /etc/selinux/targeted/modules/active/base.pp ]; then
 %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh targeted
+ systemctl daemon-reexec
 fi
 %postInstall $1 targeted
 exit 0
@@ -547,6 +548,7 @@ fi
 %post minimum
 if [ -e /etc/selinux/minimum/modules/active/base.pp ]; then
 %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh minimum
+ systemctl daemon-reexec
 fi
 contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
 basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
@@ -620,6 +622,7 @@ SELinux Reference policy mls base module.
 %post mls
 if [ -e /etc/selinux/mls/modules/active/base.pp ]; then
 %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh mls
+ systemctl daemon-reexec
 fi
 %postInstall $1 mls
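Review bot: The new pipeline still discards the exit status of `/usr/sbin/semanage export`: if the export fails part-way, `semanage import` is fed an empty or truncated stream and the migration of local customizations can come out incomplete without any error being surfaced. Capturing the export output first and importing only when export succeeded keeps the behaviour otherwise identical; the rewrite below does that. The `-x` guard intentionally makes a missing semanage binary silent (per the changelog), so whether to print a one-line notice on stderr in that case is a judgement call, but an admin currently gets no indication that customizations were skipped. The enclosing `if [ $REBUILD = 1 ]` starts before the hunk.
```shell
if [ -x /usr/sbin/semanage ]; then
    if customizations=$(/usr/sbin/semanage export); then
        printf '%s\n' "$customizations" | /usr/sbin/semanage import
    else
        echo "semanage export failed; local customizations were not migrated" >&2
    fi
fi
```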
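Review bot: The added `systemctl daemon-reexec` in the `%post targeted` hunk (and the identical additions in the `@@ -547` and `@@ -620` hunks for minimum and mls) runs unconditionally and unchecked inside an rpm scriptlet, so in a chroot, container or image build where systemd is not the running init it fails and its error shows up in the package transaction; the usual guard is the runtime-directory check, `if [ -d /run/systemd/system ]; then systemctl daemon-reexec || :; fi`. Nothing near the line explains why the re-exec is needed, so a comment such as `# re-exec systemd so it picks up the updated policy (rhbz#1394715)` would keep a later cleanup from dropping it. The same snippet is now pasted into three %post sections; a small macro would keep them from drifting apart. The %post bodies continue outside the hunks.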
@@ -635,6 +638,18 @@ fi %endif %changelog +* Mon Nov 14 2016 Lukas Vrabec - 3.13.1-102.7 +- Update systemd on RHEL-7.2 box to version from RHEL-7.3 and then as a separate yum command update the selinux policy systemd will start generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients. +Resolves: rhbz#1394715 + +* Wed Nov 09 2016 Lukas Vrabec - 3.13.1-102.6 +- Allow cluster_t communicate to fprintd_t via dbus +Resolves: rhbz#1349798 + +* Wed Nov 09 2016 Lukas Vrabec - 3.13.1-102.5 +- Fix error message during update from RHEL-7.2 to RHEL-7.3, when /usr/sbin/semanage command is not installed and selinux-policy-migrate-local-changes.sh script is executed in %post install phase of selinux-policy package +Resolves: rhbz#1393045 + * Wed Oct 19 2016 Miroslav Grepl - 3.13.1-102.4 - Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. Resolves:#1386620