diff --git a/SOURCES/glusterd-snapshot-creation-fdc66.patch b/SOURCES/glusterd-snapshot-creation-fdc66.patch new file mode 100644 index 0000000..ce7a3c6 --- /dev/null +++ b/SOURCES/glusterd-snapshot-creation-fdc66.patch @@ -0,0 +1,29 @@ +diff --git a/glusterd.te b/glusterd.te +index 48811e2..d2a1ba9 100644 +--- a/glusterd.te ++++ b/glusterd.te +@@ -59,7 +59,7 @@ files_type(glusterd_brick_t) + # Local policy + # + +-allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; ++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw }; + + allow glusterd_t self:capability2 block_suspend; + allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; +@@ -155,6 +155,7 @@ corenet_tcp_connect_all_ports(glusterd_t) + dev_read_sysfs(glusterd_t) + dev_read_urand(glusterd_t) + dev_read_rand(glusterd_t) ++dev_rw_infiniband_dev(glusterd_t) + + domain_read_all_domains_state(glusterd_t) + domain_getattr_all_sockets(glusterd_t) +@@ -164,6 +165,7 @@ domain_use_interactive_fds(glusterd_t) + fs_mount_all_fs(glusterd_t) + fs_unmount_all_fs(glusterd_t) + fs_getattr_all_fs(glusterd_t) ++fs_getattr_all_dirs(glusterd_t) + + files_mounton_non_security(glusterd_t) + diff --git a/SOURCES/policy-rhel-7.3-base.patch b/SOURCES/policy-rhel-7.3-base.patch index 39fb90f..bbf81c4 100644 --- a/SOURCES/policy-rhel-7.3-base.patch +++ b/SOURCES/policy-rhel-7.3-base.patch @@ -42755,7 +42755,7 @@ index d43f3b1..c5053db 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..f496e60 100644 +index 3822072..cce3055 100644 
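Review bot: The `ipc_lock` capability and `dev_rw_infiniband_dev(glusterd_t)` added in glusterd.te carry no comment, and the capability line is now a long unannotated list in which the RDMA-only additions cannot be told apart from the base set. A why-comment above the allow rule, `# RDMA transport (rhbz#1386620): rdma_cm device access plus ipc_lock, presumably for locking registered memory`, and the same reference above the interface call would let a later reviewer decide whether the grant can be dropped once it is no longer needed. `dev_rw_infiniband_dev` presumably covers every infiniband device node rather than only rdma_cm, and `fs_getattr_all_dirs` is broader than the /sys/kernel/config getattr the changelog describes; if the base policy offers a configfs-specific getattr interface it would be the narrower choice, otherwise state why the catch-all is used. The patch file name (glusterd-snapshot-creation) does not describe these RDMA and configfs changes, which will mislead anyone tracing the bug later.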
--- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` @@ -43235,7 +43235,33 @@ index 3822072..f496e60 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -784,7 +1146,9 @@ interface(`seutil_read_file_contexts',` +@@ -768,6 +1130,25 @@ interface(`seutil_manage_default_contexts',` + + ######################################## + ## ++## Create, read, write, and delete the default_contexts dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_manage_default_contexts_dirs',` ++ gen_require(` ++ type selinux_config_t, default_context_t; ++ ') ++ ++ files_search_etc($1) ++ manage_dirs_pattern($1, default_context_t, default_context_t) ++') ++ ++######################################## ++## + ## Read the file_contexts files. + ## + ## +@@ -784,7 +1165,9 @@ interface(`seutil_read_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; @@ -43245,7 +43271,7 @@ index 3822072..f496e60 100644 ') ######################################## -@@ -846,6 +1210,7 @@ interface(`seutil_manage_file_contexts',` +@@ -846,6 +1229,7 @@ interface(`seutil_manage_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; manage_files_pattern($1, file_context_t, file_context_t) @@ -43253,7 +43279,7 @@ index 3822072..f496e60 100644 ') ######################################## -@@ -999,6 +1364,26 @@ interface(`seutil_domtrans_semanage',` +@@ -999,6 +1383,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## 
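Review bot: The new `seutil_manage_default_contexts_dirs` interface requires `selinux_config_t` in its gen_require but never grants anything on it, so a caller relying on this interface alone cannot traverse /etc/selinux/<type> to reach the contexts directories it is now allowed to manage. The sibling `seutil_read_file_contexts` hunk below shows the established pattern, `allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;`, which belongs after `files_search_etc($1)`; otherwise drop `selinux_config_t` from the require block so the dependency is honest. Because `manage_dirs_pattern` also permits create, rename and rmdir on directories labelled default_context_t, the summary should say it grants the full directory lifecycle on the contexts tree rather than reading like a read/write helper. The one caller added in this series, sssd_selinux_manager_t, presumably gets the missing search permission from `seutil_manage_config`, which is what hides the omission.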
@@ -43280,7 +43306,7 @@ index 3822072..f496e60 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1402,105 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1421,105 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -43388,7 +43414,7 @@ index 3822072..f496e60 100644 ') ######################################## -@@ -1041,9 +1520,15 @@ interface(`seutil_manage_module_store',` +@@ -1041,9 +1539,15 @@ interface(`seutil_manage_module_store',` ') files_search_etc($1) @@ -43404,7 +43430,7 @@ index 3822072..f496e60 100644 ') ####################################### -@@ -1067,6 +1552,24 @@ interface(`seutil_get_semanage_read_lock',` +@@ -1067,6 +1571,24 @@ interface(`seutil_get_semanage_read_lock',` ####################################### ## @@ -43429,7 +43455,7 @@ index 3822072..f496e60 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1640,121 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1659,121 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') diff --git a/SOURCES/policy-rhel-7.3-contrib.patch b/SOURCES/policy-rhel-7.3-contrib.patch index cb7780d..f5c2ff7 100644 --- a/SOURCES/policy-rhel-7.3-contrib.patch +++ b/SOURCES/policy-rhel-7.3-contrib.patch @@ -103539,7 +103539,7 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..694c12d 100644 +index 2d8db1f..87e70a6 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) @@ -103649,7 +103649,7 @@ index 2d8db1f..694c12d 100644 init_read_utmp(sssd_t) -@@ -112,18 +124,59 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +124,60 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) 
@@ -103708,6 +103708,7 @@ index 2d8db1f..694c12d 100644 +seutil_manage_config(sssd_selinux_manager_t) +seutil_manage_login_config(sssd_selinux_manager_t) +seutil_manage_default_contexts(sssd_selinux_manager_t) ++seutil_manage_default_contexts_dirs(sssd_selinux_manager_t) + +seutil_exec_setfiles(sssd_selinux_manager_t) +logging_dontaudit_search_audit_logs(sssd_selinux_manager_t) diff --git a/SOURCES/selinux-policy-migrate-local-changes.sh b/SOURCES/selinux-policy-migrate-local-changes.sh new file mode 100755 index 0000000..6ccf3f0 --- /dev/null +++ b/SOURCES/selinux-policy-migrate-local-changes.sh 
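Review bot: `seutil_manage_default_contexts_dirs(sssd_selinux_manager_t)` is added without a comment, and it is the line that lets a daemon-spawned domain create and delete directories under /etc/selinux/<type>/contexts, on top of the manage_config, manage_login_config and manage_default_contexts grants directly above it. A short why-comment naming the operation that fails without it, presumably from sssd's SELinux helper, would let later reviewers re-evaluate the grant: `# rhbz#1380687: dir create/remove under the contexts tree is needed by the sssd SELinux helper`. If only a single known subdirectory is involved, a file-context entry for it plus a narrower rule would be preferable to directory management over the whole type; which directory is needed cannot be told from this hunk. The sssd_selinux_manager_t block continues past the end of the hunk.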
@@ -0,0 +1,68 @@
+#!/bin/bash
+#===============================================================================
+#
+# FILE: selinux-policy-migrate-local-changes.sh
+#
+# USAGE: ./selinux-policy-migrate-local-changes.sh
+#
+# DESCRIPTION: This script migrates local changes from pre-2.4 SELinux modules
+# store structure to the new structure
+#
+# AUTHOR: Petr Lautrbach
+#===============================================================================
+
+if [ ! -f /etc/selinux/config ]; then
+ SELINUXTYPE=none
+else
+ source /etc/selinux/config
+fi
+
+REBUILD=0
+MIGRATE_SELINUXTYPE=$1
+
+for local in booleans.local file_contexts.local ports.local users_extra.local users.local; do
+ if [ -e /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/$local ]; then
+ REBUILD=1
+ cp -v --preserve=mode,ownership,timestamps,links /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/$local /etc/selinux/$MIGRATE_SELINUXTYPE/active/$local
+ fi
+done
+if [ -e /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/seusers ]; then
+ REBUILD=1
+ cp -v --preserve=mode,ownership,timestamps,links /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/seusers /etc/selinux/$MIGRATE_SELINUXTYPE/active/seusers.local
+fi
+
+INSTALL_MODULES=""
+for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \*disabled 2> /dev/null`; do
+ module=`basename $i | sed 's/\.pp\.disabled$//'`
+ if [ -d /etc/selinux/$MIGRATE_SELINUXTYPE/active/modules/100/$module ]; then
+ touch /etc/selinux/$MIGRATE_SELINUXTYPE/active/modules/disabled/$module
+ fi
+done
+for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \*.pp 2> /dev/null`; do
+ module=`basename $i | sed 's/\.pp$//'`
+ if [ !
-d /etc/selinux/$MIGRATE_SELINUXTYPE/active/modules/100/$module ]; then + INSTALL_MODULES="${INSTALL_MODULES} $i" + fi +done +if [ -n "$INSTALL_MODULES" ]; then + semodule -s $MIGRATE_SELINUXTYPE -n -X 400 -i $INSTALL_MODULES + REBUILD=1 +fi + +cat > /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/README.migrated <> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \ fi; -%define migrateStoreUpdateLocalChanges() \ -for local in booleans.local file_contexts.local ports.local users_extra.local users.local; do \ - if [ -e /etc/selinux/%1/modules/active/$local ]; then \ - touch /etc/selinux/%1/.rebuild \ - install -D /etc/selinux/%1/modules/active/$local /etc/selinux/%1/active/$local \ - fi \ -done \ -if [ -e /etc/selinux/%1/modules/active/seusers ]; then \ - touch /etc/selinux/%1/.rebuild \ - install -D /etc/selinux/%1/modules/active/seusers /etc/selinux/%1/active/seusers.local \ -fi; - -%define migrateStoreUpdateLocalPackages() \ -INSTALL_MODULES="" \ -for i in `find /etc/selinux/%1/modules/active/modules/ -name \*disabled 2> /dev/null`; do \ - module=`basename $i | sed 's/\.pp\.disabled$//'` \ - if [ -d /etc/selinux/%1/active/modules/100/$module ]; then \ - touch /etc/selinux/%1/active/modules/disabled/$module \ - fi \ -done \ -for i in `find /etc/selinux/%1/modules/active/modules/ -name \*.pp 2> /dev/null`; do \ - module=`basename $i | sed 's/\.pp$//'` \ - if [ ! 
-d /etc/selinux/%1/active/modules/100/$module ]; then \ - INSTALL_MODULES="${INSTALL_MODULES} $i" \ - fi \ -done \ -if [ -n "$INSTALL_MODULES" ]; then \ - semodule -s %1 -n -X 400 -i $INSTALL_MODULES \ - touch /etc/selinux/%1/.rebuild \ -fi; +%define installMigrateLocalChangesFiles() \ +mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \ +install -p -m 755 %{SOURCE110} %{buildroot}/%{_libexecdir}/selinux/ \ +mkdir -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/ \ +install -m 644 -p %{SOURCE111} %{buildroot}/%{_unitdir}/ \ +ln -s ../selinux-policy-migrate-local-changes@.service %{buildroot}/%{_unitdir}/basic.target.wants/selinux-policy-migrate-local-changes@%1.service \ +%nil %description SELinux Reference Policy - modular. @@ -346,6 +333,7 @@ Based off of reference policy: Checked out revision 2.20091117 %prep %setup -n serefpolicy-contrib-%{version} -q -b 29 %patch3 -p1 +%patch4 -p1 contrib_path=`pwd` %setup -n serefpolicy-%{version} -q %patch2 -p1 @@ -393,6 +381,8 @@ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp %modulesList targeted %nonBaseModulesList targeted +%installMigrateLocalChangesFiles targeted + %endif %if %{BUILD_MINIMUM} @@ -407,6 +397,7 @@ rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox rm -rf %{buildroot}%{_sysconfdir}/selinux/minimum/active/modules/100/sandbox %modulesList minimum %nonBaseModulesList minimum +%installMigrateLocalChangesFiles minimum %endif %if %{BUILD_MLS} @@ -416,6 +407,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/minimum/active/modules/100/sandbox %installCmds mls mls n deny %modulesList mls %nonBaseModulesList mls +%installMigrateLocalChangesFiles mls %endif mkdir -p %{buildroot}%{_mandir} 
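Review bot: `%patch4 -p1` is applied inside the contrib %setup, but no `Patch4:` declaration appears in the visible hunks, so it cannot be confirmed here that it refers to the new glusterd-snapshot-creation-fdc66.patch added under SOURCES. If it does, annotate the declaration, `# Patch4: glusterd RDMA transport and configfs getattr, rhbz#1386620 rhbz#1386621`, because the file name itself says nothing about what the patch contains.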
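Review bot: Each `%installMigrateLocalChangesFiles` call drops a symlink into basic.target.wants, so the targeted, minimum and mls instances of selinux-policy-migrate-local-changes@.service are all enabled at install time regardless of which policy type the host runs, and nothing visible here stops all three from starting on every boot. The unit file (SOURCE111) is not part of this diff; if it does not already carry a guard equivalent to the one %post uses, such as `ConditionPathExists=/etc/selinux/%i/modules/active/base.pp`, add it so the migration script only runs when a pre-2.4 store for that instance exists. A one-line comment above the macro stating that the unit is expected to self-guard would make the intent clear to the next packager.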
@@ -507,8 +499,7 @@ SELinux Reference policy targeted base module. %post targeted if [ -e /etc/selinux/targeted/modules/active/base.pp ]; then - %migrateStoreUpdateLocalChanges targeted - %migrateStoreUpdateLocalPackages targeted + %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh targeted fi %postInstall $1 targeted exit 0 @@ -555,8 +546,7 @@ fi %post minimum if [ -e /etc/selinux/minimum/modules/active/base.pp ]; then - %migrateStoreUpdateLocalChanges minimum - %migrateStoreUpdateLocalPackages minimum + %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh minimum fi contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst` basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` @@ -629,8 +619,7 @@ SELinux Reference policy mls base module. %post mls if [ -e /etc/selinux/mls/modules/active/base.pp ]; then - %migrateStoreUpdateLocalChanges mls - %migrateStoreUpdateLocalPackages mls + %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh mls fi %postInstall $1 mls @@ -646,6 +635,24 @@ fi %endif %changelog +* Wed Oct 19 2016 Miroslav Grepl - 3.13.1-102.4 +- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. +Resolves:#1386620 +- Allow glusterd to get attributes on /sys/kernel/config directory. +Resolves:#1386621 + +* Wed Oct 12 2016 Petr Lautrbach - 3.13.1-102.3 +- Use selinux-policy-migrate-local-changes.sh instead of migrateStore* macros +Resolves: rhbz#1383450 +- Add selinux-policy-migrate-local-changes service +Resolves: rhbz#1383450 + +* Fri Sep 30 2016 Lukas Vrabec - 3.13.1-102.1 +- Allow sssd_selinux_manager_t to manage also dir class. +Resolves: rhbz#1380687 +- Add interface seutil_manage_default_contexts_dirs() +Resolves: rhbz#1380687 + * Tue Sep 27 2016 Dan Walsh - 3.13.1-102 - Add virt_sandbox_use_nfs -> virt_use_nfs boolean substitution. Resolves: rhbz#1355783
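Review bot: The migration script's exit status is ignored: `%{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh targeted` runs as a bare statement and the scriptlet then continues into `%postInstall` and `exit 0`, so a failed `semodule -i` of a local module or a failed copy of booleans.local is lost silently. Consider `%{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh targeted || echo "selinux-policy: migrating local changes for targeted failed" >&2` so the failure at least shows up in the transaction output; the same applies to the minimum and mls scriptlets below. The store name reaches the script as an unvalidated `$1`; it is a literal here, but the systemd template enabled in %install passes the instance name instead, so a top-of-script check like `[ -n "$1" ] && [ -d /etc/selinux/$1/modules/active ] || exit 0` would protect both callers from building paths under /etc/selinux//.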