diff --git a/SOURCES/policy-rhel-7.1.z-contrib.patch b/SOURCES/policy-rhel-7.1.z-contrib.patch
index dd62b94..135f5bc 100644
--- a/SOURCES/policy-rhel-7.1.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.1.z-contrib.patch
@@ -10,6 +10,28 @@ index 3226dec..e9c7099 100644
 nagios_read_log(httpd_t)
 ')
+diff --git a/chrome.te b/chrome.te
+index f50b201..5c852ff 100644
+--- a/chrome.te
++++ b/chrome.te
+@@ -35,7 +35,7 @@ allow chrome_sandbox_t self:capability2 block_suspend;
+ allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+ dontaudit chrome_sandbox_t self:capability sys_nice;
+ allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+-allow chrome_sandbox_t self:process setsched;
++allow chrome_sandbox_t self:process { setcap setsched };
+ allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
+ allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+ allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -60,6 +60,8 @@ fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
+ kernel_read_system_state(chrome_sandbox_t)
+ kernel_read_kernel_sysctls(chrome_sandbox_t)
+
++auth_dontaudit_read_passwd(chrome_sandbox_t)
++
+ fs_manage_cgroup_dirs(chrome_sandbox_t)
+ fs_manage_cgroup_files(chrome_sandbox_t)
+ fs_read_dos_files(chrome_sandbox_t)
 diff --git a/cron.te b/cron.te
 index 0ee059a..9d2cd2d 100644
 --- a/cron.te
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 88309e8..7268b48 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 23%{?dist}.13
+Release: 23%{?dist}.17
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
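Review bot: The new `setcap` permission on `self:process` lets chrome_sandbox_t alter its own capability sets, and in a domain that this same hunk shows already holding `setuid setgid sys_admin sys_chroot sys_ptrace`, the rule carries no rationale in the policy itself — only the spec changelog names bug #1254565. A comment above it such as `# setcap: sandbox helper changes its own capability set (bug #1254565)` would keep the reason next to the permission; whether the helper is dropping rather than raising capabilities is not visible here and should be confirmed against the AVC in that bug. The added `auth_dontaudit_read_passwd(chrome_sandbox_t)` silences the denial rather than granting or disproving the need, so if the passwd read is functional (a user lookup, say) it now fails quietly and only reappears under `semodule -DB`; a comment like `# passwd read confirmed as noise, not a functional need (bug #1257816)` would record that this was checked. As a matter of style, the preceding context line `allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };` is the same subject and class and could absorb `setcap setsched` instead of keeping two rules. The rest of the chrome_sandbox_t declarations, and the cron.te hunk this outer patch also touches, lie outside the lines shown.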
@@ -608,6 +608,22 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Wed Aug 28 2015 Miroslav Grepl 3.13.1-23.el7_1.17
+- Dontaudit chrome to read passwd file.
+Resolves:#1257816
+
+* Wed Aug 26 2015 Lukas Vrabec 3.13.1-23.el7_1.16
+- Revert Allow qpidd access to /proc//net/psched
+Resolves: #1254318
+
+* Wed Aug 19 2015 Lukas Vrabec 3.13.1-23.el7_1.15
+-Allow qpidd access to /proc//net/psched
+Resolves: #1254318
+
+* Tue Aug 18 2015 Lukas Vrabec 3.13.1-23.el7_1.14
+- Allow chrome setcap to itself.
+Resolves: #1254565
+
 * Tue Jul 28 2015 Miroslav Grepl 3.13.1-23.el7_1.13
 - glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
 - Allow glusterd to communicate with cluster domains over stream socket.