[selinux-policy/f21] * Wed Sep 10 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-80 - Back port workaround for #1134389 fr

Lukas Vrabec lvrabec at fedoraproject.org
Wed Sep 10 13:45:30 UTC 2014


commit 30ba69c06735e780840931ae7f8f5895780677a0
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Wed Sep 10 15:45:15 2014 +0200

    * Wed Sep 10 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-80
    - Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
    - Since docker will now label volumes, we can tighten the security of docker

 policy-rawhide-base.patch    |   10 ++-
 policy-rawhide-contrib.patch |  274 ++++++++++++++++++++++--------------------
 selinux-policy.spec          |    6 +-
 3 files changed, 158 insertions(+), 132 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 4ab6b63..e768ba5 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -29903,7 +29903,7 @@ index 3efd5b6..12dca57 100644
 +	allow $1 login_pgm:key manage_key_perms;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..ff0708e 100644
+index 09b791d..49d8c47 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -30227,7 +30227,7 @@ index 09b791d..ff0708e 100644
  optional_policy(`
  	kerberos_use(nsswitch_domain)
  ')
-@@ -456,10 +520,145 @@ optional_policy(`
+@@ -456,10 +520,151 @@ optional_policy(`
  
  optional_policy(`
  	sssd_stream_connect(nsswitch_domain)
@@ -30235,6 +30235,12 @@ index 09b791d..ff0708e 100644
 +	sssd_read_lib_files(nsswitch_domain)
  ')
  
++#1134389
++userdom_manage_all_users_keys(nsswitch_domain)
++optional_policy(`
++    sssd_manage_keys(nsswitch_domain)
++")
++
  optional_policy(`
  	samba_stream_connect_winbind(nsswitch_domain)
 +    samba_stream_connect_nmbd(nsswitch_domain)
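Review bot: The optional_policy block added after `sssd_read_lib_files` is closed with `")` instead of `')`; refpolicy/M4 quoting opens with a backtick and closes with a single quote, so as written the quote is never terminated and I would expect the authlogin.te build to fail — change the line to `')`. The workaround is also very broad: every domain carrying the nsswitch_domain attribute gets manage_key_perms on all user keyrings, and this same commit switches dnssec_trigger_t from auth_read_passwd to auth_use_nsswitch, so it picks up that grant too. Since the description says the rule must be dropped from rawhide once F21 ships, I would make the comment say so rather than just the bug number, e.g. `# Bug 1134389 workaround back-ported from F20; remove once F21 ships`. The `sssd_manage_keys` call is indented with spaces where the neighbouring rules use tabs. The surrounding optional_policy chain in authlogin.te continues beyond this hunk.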
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index fb586b5..285ba81 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -24183,7 +24183,7 @@ index 0000000..a952041
 +')
 diff --git a/dnssec.te b/dnssec.te
 new file mode 100644
-index 0000000..7f715f8
+index 0000000..c1ab586
 --- /dev/null
 +++ b/dnssec.te
 @@ -0,0 +1,58 @@
@@ -24234,7 +24234,7 @@ index 0000000..7f715f8
 +
 +logging_send_syslog_msg(dnssec_trigger_t)
 +
-+auth_read_passwd(dnssec_trigger_t)
++auth_use_nsswitch(dnssec_trigger_t)
 +
 +sysnet_dns_name_resolve(dnssec_trigger_t)
 +sysnet_manage_config(dnssec_trigger_t)
@@ -95487,7 +95487,7 @@ index dbb005a..45291bb 100644
 -/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a240455..16a04bf 100644
+index a240455..f4d8c79 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -1,21 +1,21 @@
@@ -95781,7 +95781,7 @@ index a240455..16a04bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -317,8 +388,27 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +388,46 @@ interface(`sssd_stream_connect',`
  
  ########################################
  ## <summary>
@@ -95804,6 +95804,25 @@ index a240455..16a04bf 100644
 +	dontaudit $1 sssd_var_lib_t:sock_file { read write };
 +')
 +
++#######################################
++## <summary>
++##     Manage keys for all user domains.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`sssd_manage_keys',`
++    gen_require(`
++        type sssd_t;
++    ')
++
++    allow $1 sssd_t:key manage_key_perms;
++    allow sssd_t $1:key manage_key_perms;
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
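Review bot: The summary of the new `sssd_manage_keys` interface says "Manage keys for all user domains", but the rules it contains grant $1 manage_key_perms on sssd_t's keys and sssd_t manage_key_perms on $1's keys — a bidirectional grant between the caller and sssd_t, with nothing about all users. I would reword it to `##	Allow the specified domain and sssd_t to manage each other's keys.`, since the reverse direction (sssd_t managing the caller's keyring) is the half a caller would not expect and should be visible in the interface documentation. The body is indented with spaces where the rest of sssd.if uses tabs (compare the dontaudit line just above), and the `#` header row appears one character short of the `########################################` used by the neighbouring interfaces.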
@@ -95811,7 +95830,7 @@ index a240455..16a04bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -327,7 +417,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +436,7 @@ interface(`sssd_stream_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -95820,7 +95839,7 @@ index a240455..16a04bf 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -335,27 +425,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +444,29 @@ interface(`sssd_stream_connect',`
  interface(`sssd_admin',`
  	gen_require(`
  		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -103952,7 +103971,7 @@ index facdee8..c43ef2e 100644
 +	typeattribute $1 sandbox_caps_domain;
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..58d42f6 100644
+index f03dcf5..7b38f46 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,227 @@
@@ -105439,7 +105458,7 @@ index f03dcf5..58d42f6 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1155,319 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1155,316 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -105468,12 +105487,12 @@ index f03dcf5..58d42f6 100644
 +optional_policy(`
 +	docker_exec_lib(virtd_lxc_t)
 +')
- 
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
 +optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
-+
+ 
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
@@ -105503,89 +105522,7 @@ index f03dcf5..58d42f6 100644
 +tunable_policy(`deny_ptrace',`',`
 +	allow svirt_sandbox_domain self:process ptrace;
 +')
- 
--allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
--allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
--allow svirt_lxc_domain self:fifo_file manage_file_perms;
--allow svirt_lxc_domain self:sem create_sem_perms;
--allow svirt_lxc_domain self:shm create_shm_perms;
--allow svirt_lxc_domain self:msgq create_msgq_perms;
--allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
--allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
--
--allow svirt_lxc_domain virtd_lxc_t:fd use;
--allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virtd_lxc_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
--allow svirt_lxc_domain virsh_t:fd use;
--allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virsh_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
--allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
--manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
--allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
--allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
--
--can_exec(svirt_lxc_domain, svirt_lxc_file_t)
--
--kernel_getattr_proc(svirt_lxc_domain)
--kernel_list_all_proc(svirt_lxc_domain)
--kernel_read_kernel_sysctls(svirt_lxc_domain)
--kernel_rw_net_sysctls(svirt_lxc_domain)
--kernel_read_system_state(svirt_lxc_domain)
--kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
--
--corecmd_exec_all_executables(svirt_lxc_domain)
--
--files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
--files_dontaudit_getattr_all_files(svirt_lxc_domain)
--files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
--files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
--files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
--files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
--files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
--# files_entrypoint_all_files(svirt_lxc_domain)
--files_list_var(svirt_lxc_domain)
--files_list_var_lib(svirt_lxc_domain)
--files_search_all(svirt_lxc_domain)
--files_read_config_files(svirt_lxc_domain)
--files_read_usr_files(svirt_lxc_domain)
--files_read_usr_symlinks(svirt_lxc_domain)
--
--fs_getattr_all_fs(svirt_lxc_domain)
--fs_list_inotifyfs(svirt_lxc_domain)
--
--# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
--# fs_rw_inherited_cifs_files(svirt_lxc_domain)
--# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
--
--auth_dontaudit_read_login_records(svirt_lxc_domain)
--auth_dontaudit_write_login_records(svirt_lxc_domain)
--auth_search_pam_console_data(svirt_lxc_domain)
--
--clock_read_adjtime(svirt_lxc_domain)
--
--init_read_utmp(svirt_lxc_domain)
--init_dontaudit_write_utmp(svirt_lxc_domain)
--
--libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
--
--miscfiles_read_localization(svirt_lxc_domain)
--miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
--miscfiles_read_fonts(svirt_lxc_domain)
--
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
 +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
 +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@@ -105661,20 +105598,14 @@ index f03dcf5..58d42f6 100644
 +userdom_use_inherited_user_terminals(svirt_sandbox_domain)
 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
 +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
- 
- optional_policy(`
--	udev_read_pid_files(svirt_lxc_domain)
++
++optional_policy(`
 +	apache_exec_modules(svirt_sandbox_domain)
 +	apache_read_sys_content(svirt_sandbox_domain)
- ')
- 
- optional_policy(`
--	apache_exec_modules(svirt_lxc_domain)
--	apache_read_sys_content(svirt_lxc_domain)
-+	docker_manage_lib_files(svirt_lxc_net_t)
-+	docker_manage_lib_dirs(svirt_lxc_net_t)
++')
++
++optional_policy(`
 +	docker_read_share_files(svirt_sandbox_domain)
-+	docker_exec_lib(svirt_sandbox_domain)
 +	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
 +	docker_use_ptys(svirt_sandbox_domain)
 +')
@@ -105682,7 +105613,89 @@ index f03dcf5..58d42f6 100644
 +optional_policy(`
 +	gear_read_pid_files(svirt_sandbox_domain)
 +')
-+
+ 
+-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
+-allow svirt_lxc_domain virtd_lxc_t:fd use;
+-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+-
+-allow svirt_lxc_domain virsh_t:fd use;
+-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virsh_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+-
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
+-kernel_read_kernel_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_read_system_state(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-# files_entrypoint_all_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
+-files_read_usr_files(svirt_lxc_domain)
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
+-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+-
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
+-miscfiles_read_localization(svirt_lxc_domain)
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
 +	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
@@ -105690,12 +105703,15 @@ index f03dcf5..58d42f6 100644
 +optional_policy(`
 +	ssh_use_ptys(svirt_sandbox_domain)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	udev_read_pid_files(svirt_lxc_domain)
 +	udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	apache_exec_modules(svirt_lxc_domain)
+-	apache_read_sys_content(svirt_lxc_domain)
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
 +')
 +
@@ -105718,12 +105734,19 @@ index f03dcf5..58d42f6 100644
 -# Lxc net local policy
 +# svirt_lxc_net_t local policy
  #
--
--allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
 +virt_sandbox_domain_template(svirt_lxc_net)
 +virt_default_capabilities(svirt_lxc_net_t)
 +typeattribute svirt_lxc_net_t sandbox_net_domain;
- dontaudit svirt_lxc_net_t self:capability2 block_suspend;
++dontaudit svirt_lxc_net_t self:capability2 {fsetid block_suspend };
++allow svirt_lxc_net_t self:process { execstack execmem };
++manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++
++tunable_policy(`virt_sandbox_use_sys_admin',`
++	allow svirt_lxc_net_t self:capability sys_admin;
++')
+ 
+-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
+-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
 -allow svirt_lxc_net_t self:process setrlimit;
 -allow svirt_lxc_net_t self:tcp_socket { accept listen };
 -allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
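Review bot: The new `dontaudit svirt_lxc_net_t self:capability2 {fsetid block_suspend };` places fsetid in the capability2 class; in the reference policy fsetid is a permission of the capability class, not capability2, so unless Fedora's access vector definitions differ I would expect checkpolicy to reject this line. Split it into `dontaudit svirt_lxc_net_t self:capability fsetid;` and `dontaudit svirt_lxc_net_t self:capability2 block_suspend;`. The brace spacing `{fsetid block_suspend }` also departs from the `{ a b }` form used throughout the file. The svirt_lxc_net_t local-policy section this belongs to continues in the following hunks.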
@@ -105736,8 +105759,9 @@ index f03dcf5..58d42f6 100644
 -
 -kernel_read_network_state(svirt_lxc_net_t)
 -kernel_read_irq_sysctls(svirt_lxc_net_t)
-+allow svirt_lxc_net_t self:process { execstack execmem };
-+manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++tunable_policy(`virt_sandbox_use_mknod',`
++	allow svirt_lxc_net_t self:capability mknod;
++')
  
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -105749,14 +105773,6 @@ index f03dcf5..58d42f6 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+	allow svirt_lxc_net_t self:capability sys_admin;
-+')
-+
-+tunable_policy(`virt_sandbox_use_mknod',`
-+	allow svirt_lxc_net_t self:capability mknod;
-+')
-+
 +tunable_policy(`virt_sandbox_use_all_caps',`
 +	allow svirt_lxc_net_t self:capability all_capability_perms;
 +	allow svirt_lxc_net_t self:capability2 all_capability2_perms;
@@ -105846,10 +105862,10 @@ index f03dcf5..58d42f6 100644
 +term_use_ptmx(svirt_qemu_net_t)
 +
 +dev_rw_kvm(svirt_qemu_net_t)
++
++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
  
 -allow svirt_prot_exec_t self:process { execmem execstack };
-+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-+
 +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 +
@@ -105897,7 +105913,7 @@ index f03dcf5..58d42f6 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1480,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1477,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -105912,7 +105928,7 @@ index f03dcf5..58d42f6 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,9 +1498,8 @@ optional_policy(`
+@@ -1192,9 +1495,8 @@ optional_policy(`
  
  ########################################
  #
@@ -105923,7 +105939,7 @@ index f03dcf5..58d42f6 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1512,219 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1509,219 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ccb91fe..1cfcaed 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 79%{?dist}
+Release: 80%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Sep 10 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-80
+- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
+- Since docker will now label volumes we can tighten the security of docker
+
 * Wed Sep 10 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-79
 - Re-arange openshift_net_read_t rules.
 - Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide

