diff --git a/container-selinux.tgz b/container-selinux.tgz index 1e43445..19e9920 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 99726a8..62ea368 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..1c4fbd3 100644 +index eb50f07..ca625e9 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -870,7 +870,7 @@ index eb50f07..1c4fbd3 100644 ') optional_policy(` -@@ -222,6 +255,36 @@ optional_policy(` +@@ -222,6 +255,37 @@ optional_policy(` ') optional_policy(` @@ -887,6 +887,7 @@ index eb50f07..1c4fbd3 100644 + +optional_policy(` + mta_send_mail(abrt_t) ++ mta_manage_home_rw(abrt_t) +') + +optional_policy(` @@ -907,7 +908,7 @@ index eb50f07..1c4fbd3 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,18 +297,25 @@ optional_policy(` +@@ -234,18 +298,25 @@ optional_policy(` ') optional_policy(` @@ -936,7 +937,7 @@ index eb50f07..1c4fbd3 100644 optional_policy(` sosreport_domtrans(abrt_t) -@@ -253,9 +323,21 @@ optional_policy(` +@@ -253,9 +324,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -959,7 +960,7 @@ index eb50f07..1c4fbd3 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +348,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +349,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') 
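Review bot: The added `mta_manage_home_rw(abrt_t)` beside `mta_send_mail(abrt_t)` in the `optional_policy` block (hunk `@@ -887,6 +887,7 @@`) widens abrt_t from sending mail to, going by the interface name, creating, modifying and deleting mail content under users' home directories. Nothing in the policy or the 3.13.1-251 changelog entry says which abrt operation needs this. abrt_t processes crash data that originates from arbitrary processes, so write access to per-user mail files is worth justifying explicitly. If the observed denial was only a read or a search, a narrower interface would do. Otherwise put a comment above the call, for example `# <abrt component> writes <file> in the user's mail directory, BZ(<bug-id>)`, so a later audit can tell the grant is intentional.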
@@ -974,7 +975,7 @@ index eb50f07..1c4fbd3 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +367,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +368,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -982,7 +983,7 @@ index eb50f07..1c4fbd3 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +376,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +377,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -1003,7 +1004,7 @@ index eb50f07..1c4fbd3 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +397,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +398,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1030,7 +1031,7 @@ index eb50f07..1c4fbd3 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +433,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +434,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1044,7 +1045,7 @@ index eb50f07..1c4fbd3 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +451,11 @@ optional_policy(` +@@ -343,10 +452,11 @@ optional_policy(` ####################################### # 
@@ -1058,7 +1059,7 @@ index eb50f07..1c4fbd3 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +474,84 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +475,84 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1147,7 +1148,7 @@ index eb50f07..1c4fbd3 100644 ####################################### # -@@ -404,25 +559,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +560,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1210,7 +1211,7 @@ index eb50f07..1c4fbd3 100644 ') ####################################### -@@ -430,10 +620,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +621,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -75644,7 +75645,7 @@ index ded95ec..3cf7146 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..b140dcb 100644 +index 5cfb83e..9cfa754 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -75822,9 +75823,8 @@ index 5cfb83e..b140dcb 100644 -######################################## -# -# Common postfix user domain local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_user_domains self:capability dac_override; - -domain_use_interactive_fds(postfix_user_domains) @@ -75832,8 +75832,9 @@ index 5cfb83e..b140dcb 100644 -######################################## -# -# Master local policy --# -- ++# Postfix master process local policy + # + -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; 
@@ -76206,7 +76207,7 @@ index 5cfb83e..b140dcb 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -508,21 +422,22 @@ auth_use_nsswitch(postfix_map_t) +@@ -508,21 +422,24 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) @@ -76227,12 +76228,14 @@ index 5cfb83e..b140dcb 100644 +# Postfix pickup local policy # ++dontaudit postfix_pickup_t self:capability net_admin; ++ +allow postfix_pickup_t self:tcp_socket create_socket_perms; + stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -532,21 +447,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -532,21 +449,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -76258,7 +76261,7 @@ index 5cfb83e..b140dcb 100644 write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) -@@ -557,6 +472,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) +@@ -557,6 +474,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) corecmd_exec_bin(postfix_pipe_t) optional_policy(` @@ -76269,7 +76272,7 @@ index 5cfb83e..b140dcb 100644 dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -584,19 +503,28 @@ optional_policy(` +@@ -584,19 +505,28 @@ optional_policy(` ######################################## # @@ -76303,7 +76306,7 @@ index 5cfb83e..b140dcb 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -611,10 +539,7 @@ optional_policy(` +@@ -611,10 +541,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') 
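Review bot: The new `dontaudit postfix_pickup_t self:capability net_admin;` at the top of the pickup section (hunk `@@ -76227,12 +76228,14 @@`) carries no comment explaining why pickup triggers a net_admin check, and the 3.13.1-251 changelog entry mentions only abrt. A dontaudit rule removes the denial from the audit log, so a later attempt by postfix_pickup_t to use net_admin would go unrecorded unless dontaudit rules are switched off (`semodule -DB`). The denial is probably a harmless side effect of a socket option call, but that is an inference from the adjacent `tcp_socket` rule, not something the hunk shows. I would record the reason in place, e.g. `# net_admin is only probed when <operation>; the denial is harmless, BZ(<bug-id>)`, and add a changelog line for the postfix change.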
@@ -76315,7 +76318,7 @@ index 5cfb83e..b140dcb 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -629,17 +554,24 @@ optional_policy(` +@@ -629,17 +556,24 @@ optional_policy(` ####################################### # @@ -76343,7 +76346,7 @@ index 5cfb83e..b140dcb 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -655,69 +587,78 @@ optional_policy(` +@@ -655,69 +589,78 @@ optional_policy(` ######################################## # @@ -76440,7 +76443,7 @@ index 5cfb83e..b140dcb 100644 ') optional_policy(` -@@ -730,28 +671,32 @@ optional_policy(` +@@ -730,28 +673,32 @@ optional_policy(` ######################################## # @@ -76481,7 +76484,7 @@ index 5cfb83e..b140dcb 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) -@@ -764,6 +709,7 @@ optional_policy(` +@@ -764,6 +711,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -76489,7 +76492,7 @@ index 5cfb83e..b140dcb 100644 ') optional_policy(` -@@ -774,31 +720,101 @@ optional_policy(` +@@ -774,31 +722,101 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index ed2482e..c5775e8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 250%{?dist} +Release: 251%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,9 @@ exit 0 %endif %changelog +* Tue Apr 18 2017 Lukas Vrabec - 3.13.1-251 +- Fix abrt module to reflect all changes in abrt release + * Tue Apr 18 2017 Lukas Vrabec - 3.13.1-250 - Allow tlp_t domain to ioctl removable devices BZ(1436830) - Allow tlp_t domain domtrans into mount_t BZ(1442571)