[selinux-policy] * Fri Feb 28 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-29 - Make docker as permissive domain

Miroslav Grepl mgrepl at fedoraproject.org
Fri Feb 28 11:33:33 UTC 2014


commit 18bb7ec6a30f3bca90bdbe490d93e1adbf3d9332
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Feb 28 12:34:15 2014 +0100

    * Fri Feb 28 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-29
    - Make docker as permissive domain

 policy-rawhide-contrib.patch |   24 ++++++++++++++----------
 selinux-policy.spec          |    3 +++
 2 files changed, 17 insertions(+), 10 deletions(-)
---
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 20293f5..b9dfcdd 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -18132,7 +18132,7 @@ index 3023be7..20e370b 100644
 +	corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
  ')
 diff --git a/cups.te b/cups.te
-index c91813c..3598e62 100644
+index c91813c..2230476 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.16.2)
@@ -18265,7 +18265,7 @@ index c91813c..3598e62 100644
  #
  
 -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
-+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
  dontaudit cupsd_t self:capability { sys_tty_config net_admin };
  allow cupsd_t self:capability2 block_suspend;
 -allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
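Review bot: The rewritten `allow cupsd_t self:capability` line drops `sys_rawio` but still lists `dac_override` twice, and `sys_tty_config` is both allowed here and named in the `dontaudit` rule on the next line, where it has no effect because an allowed permission is never denied. Since the line is being touched anyway, I would de-duplicate it: `allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown sys_resource sys_tty_config };`. Separately, the changelog entry this commit adds to selinux-policy.spec mentions only docker, while no visible hunk touches docker; a line such as `- Remove sys_rawio capability from cupsd_t` would record this tightening for anyone later tracing a cupsd denial. The cupsd_t rule block continues outside the hunk.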
@@ -26403,7 +26403,7 @@ index 5010f04..3b73741 100644
  
  optional_policy(`
 diff --git a/fprintd.te b/fprintd.te
-index 92a6479..064f58e 100644
+index 92a6479..e37a473 100644
 --- a/fprintd.te
 +++ b/fprintd.te
 @@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t)
@@ -26433,7 +26433,7 @@ index 92a6479..064f58e 100644
  
  userdom_use_user_ptys(fprintd_t)
  userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +55,13 @@ optional_policy(`
+@@ -54,8 +55,17 @@ optional_policy(`
  	')
  ')
  
@@ -26446,6 +26446,10 @@ index 92a6479..064f58e 100644
 +')
 +
 +optional_policy(`
++	udev_read_db(fprintd_t)
++')
++
++optional_policy(`
 +	xserver_read_state_xdm(fprintd_t)
  ')
 diff --git a/freeipmi.fc b/freeipmi.fc
@@ -51881,7 +51885,7 @@ index ba64485..429bd79 100644
 +
 +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
 diff --git a/nscd.if b/nscd.if
-index 8f2ab09..6ab4ea1 100644
+index 8f2ab09..bc2c7fe 100644
 --- a/nscd.if
 +++ b/nscd.if
 @@ -1,8 +1,8 @@
@@ -52037,7 +52041,7 @@ index 8f2ab09..6ab4ea1 100644
 +interface(`nscd_shm_use',`
 +	gen_require(`
 +		type nscd_t, nscd_var_run_t;
-+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
++		class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
  	')
 +
 +	allow $1 nscd_var_run_t:dir list_dir_perms;
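Review bot: Adding `getserv` and `shmemserv` to the `class nscd` require list in `nscd_shm_use` grants nothing by itself, and any allow rule on the `nscd` class that would use them lies outside this hunk, so it should be checked that the rule and the require list now name the same permissions. A require list that is wider than the rule it supports is harmless at build time but misleads a reader auditing what the interface hands to `$1`. The interface body continues past the end of the hunk.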
@@ -58881,7 +58885,7 @@ index 0000000..9b8cb6b
 +/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
 diff --git a/pcp.if b/pcp.if
 new file mode 100644
-index 0000000..ba24b40
+index 0000000..d9296b1
 --- /dev/null
 +++ b/pcp.if
 @@ -0,0 +1,139 @@
@@ -58926,7 +58930,7 @@ index 0000000..ba24b40
 +    gen_require(`
 +        type pcp_var_lib_t;
 +    ')
-+    libs_search_lib($1)
++    files_search_var_lib($1)
 +    read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
 +')
 +
@@ -105702,7 +105706,7 @@ index 0000000..ceaa219
 +/var/spool/zoneminder-upload(/.*)?	gen_context(system_u:object_r:zoneminder_spool_t,s0)
 diff --git a/zoneminder.if b/zoneminder.if
 new file mode 100644
-index 0000000..e0604c7
+index 0000000..fb0519e
 --- /dev/null
 +++ b/zoneminder.if
 @@ -0,0 +1,374 @@
@@ -105915,7 +105919,7 @@ index 0000000..e0604c7
 +#
 +interface(`zoneminder_manage_lib_sock_files',`
 +    gen_require(`
-+        type zoneminder_sock_var_lib_t;
++        type zoneminder_var_lib_t;
 +    ')
 +    files_search_var_lib($1)
 +    manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f0ce0e6..773dccb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -580,6 +580,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Feb 28 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-29
+- Make docker as permissive domain
+
 * Thu Feb 27 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-28
 - Allow bumblebeed to send signal to insmod
 - Dontaudit attempts by crond_t net_admin caused by journald

