[selinux-policy/f20] Added fix for cloud_init to transition to rpm_script_t (dwalsh at redhat.com)
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Dec 2 14:20:20 UTC 2013
commit 8c35d6b3a4388b7620d35669c3cf62a337b7af37
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Dec 2 09:20:13 2013 -0500
Added fix for cloud_init to transition to rpm_script_t (dwalsh at redhat.com)
- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel.
- Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on
- Add lsmd_plugin_t for lsm plugins
- Allow dovecot-deliver to search mountpoints
- Add labeling for /etc/mdadm.conf
- Allow openlmi admin providers to dbus chat with init_t
- Allow sblim domain to read /dev/urandom and /dev/random
- Allow apmd to request the kernel load modules
- Add glusterd_brick_t type
- label mate-keyring-daemon with gkeyringd_exec_t
- Add plymouthd_create_log()
- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
- Allow sssd to request the kernel loads modules
- Allow gpg_agent to use ssh-add
- Allow gpg_agent to use ssh-add
- Dontaudit access check on /root for mysqld_safe_t
- Allow ctdb to getattr on all filesystems
- Allow abrt to stream connect to syslog
- Allow dnsmasq to list dnsmasq.d directory
- Watchdog opens the raw socket
- Allow watchdog to read network state info
- Dontaudit access check on lvm lock dir
- Allow sosreport to send signull to setroubleshootd
- Add setroubleshoot_signull() interface
- Fix ldap_read_certs() interface
- Allow sosreport all signal perms
- Allow sosreport to run systemctl
- Allow sosreport to dbus chat with rpm
- Add glusterd_brick_t files type
- Allow zabbix_agentd to read all domain state
- Clean up rtas.if
- Allow smoltclient to execute ldconfig
- Allow sosreport to request the kernel to load a module
- Fix userdom_confined_admin_template()
- Add back exec_content boolean for secadm, logadm, auditadm
- Fix files_filetrans_system_db_named_files() interface
- Allow sulogin to getattr on /proc/kcore
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
policy-f20-contrib.patch | 18 ++++++++++++++++++
selinux-policy.spec | 1 +
2 files changed, 19 insertions(+), 0 deletions(-)
---
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 17d0954..8283f84 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -102114,3 +102114,21 @@ index 9ba9f81..983b6c8 100644
-miscfiles_read_localization(zos_remote_t)
-
logging_send_syslog_msg(zos_remote_t)
+commit a3007fcf054427b3e4f2c06c77ad783551aae67f
+Author: Dan Walsh <dwalsh at redhat.com>
+Date: Mon Dec 2 09:11:05 2013 -0500
+
+ Allow cloud_init to transition to rpm_script_t
+
+diff --git a/cloudform.te b/cloudform.te
+index 4e41e84..786d623 100644
+--- a/cloudform.te
++++ b/cloudform.te
+@@ -161,6 +161,7 @@ optional_policy(`
+
+ optional_policy(`
+ rpm_domtrans(cloud_init_t)
++ rpm_transition_script(cloud_init_t)
+ unconfined_domain(cloud_init_t)
+ ')
+
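Review bot: the added `rpm_transition_script(cloud_init_t)` line in the cloudform.te optional_policy block carries no stated justification. The embedded commit message only says "Allow cloud_init to transition to rpm_script_t", and the same block already declares `unconfined_domain(cloud_init_t)`. Please record in the commit message or in a policy comment which operation failed without the transition (for example the denial that was seen), so a later reader can tell whether the rule is still needed and does not treat it as redundant with the unconfined declaration.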
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3baf4df..7fd8469 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -574,6 +574,7 @@ SELinux Reference policy mls base module.
%changelog
* Tue Nov 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-105
+- Added fix for clout_init to transition to rpm_script_t (dwalsh at redhat.com)
- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel.
- Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on
- Add lsmd_plugin_t for lsm plugins
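Review bot: the added %changelog line misspells the domain as "clout_init". The policy change it describes is for cloud_init (`rpm_transition_script(cloud_init_t)`), so the entry should read "Added fix for cloud_init to transition to rpm_script_t". The line is also added under the existing 3.12.1-105 entry dated Tue Nov 26 2013, and the diffstat shows only this one line changing in selinux-policy.spec, so there is no release bump here. It is worth confirming that 3.12.1-105 has not already been built, otherwise this fix needs its own entry and release.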