[selinux-policy] * Mon Mar 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-118 - docker watches for content in the /

Lukas Vrabec lvrabec at fedoraproject.org
Mon Mar 16 17:04:32 UTC 2015


commit e2a064a427c98aaee9128b2bd3e44b45c188c59d
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Mon Mar 16 18:04:20 2015 +0100

    * Mon Mar 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-118
    - docker watches for content in the /etc directory
    - Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
    - Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
    - Allow docker to communicate with openvswitch
    - Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
    - Allow docker to relabelfrom/to sockets and docker_log_t
    - Allow journald to set loginuid. BZ(1190498)
    - Add cap. sys_admin for passwd_t. BZ(1185191)
    - Allow abrt-hook-ccpp running as kernel_t to create /var/tmp/abrt with correct labeling.

 policy-rawhide-base.patch    | 37 +++++++++++++++++++++----------------
 policy-rawhide-contrib.patch | 25 ++++++++++++++++---------
 selinux-policy.spec          | 13 ++++++++++++-
 3 files changed, 49 insertions(+), 26 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 12f8a66..6ea32b6 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2725,7 +2725,7 @@ index 99e3903..fa68362 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..4aef39e 100644
+index 1d732f1..0dbda7d 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -2883,7 +2883,7 @@ index 1d732f1..4aef39e 100644
  #
  
 -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
-+allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };
++allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
  dontaudit passwd_t self:capability sys_tty_config;
  allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow passwd_t self:process { setrlimit setfscreate };
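Review bot: `sys_admin` is appended to the passwd_t self:capability rule with no rationale in the policy itself, and it is the broadest capability a domain can be granted; the changelog cites BZ(1185191) but usermanage.te does not. If the denial behind that bug is a single operation, it is worth checking whether a narrower capability or permission covers it before widening passwd_t this far, and at minimum the rule should be preceded by `# BZ(1185191): sys_admin needed by passwd` so the grant stays traceable. The line is on the inner `+` side, so it is what gets applied to usermanage.te.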
@@ -17087,7 +17087,7 @@ index e100d88..f45a698 100644
 +	allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..15230be 100644
+index 8dbab4c..96d9a91 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -17242,7 +17242,7 @@ index 8dbab4c..15230be 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -277,25 +314,49 @@ files_list_root(kernel_t)
+@@ -277,25 +314,53 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -17271,6 +17271,10 @@ index 8dbab4c..15230be 100644
  
 +
 +optional_policy(`
++    abrt_filetrans_named_content(kernel_t)
++')
++
++optional_policy(`
 +	apache_filetrans_home_content(kernel_t)
 +')
 +
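Review bot: The new optional_policy block indents `abrt_filetrans_named_content(kernel_t)` with four spaces, while the neighbouring `apache_filetrans_home_content(kernel_t)` line and the rest of kernel.te use a tab; this same commit fixes exactly that inconsistency in antivirus.te further down, so the new line should use a tab as well. A one-line comment above the block saying why the kernel domain needs the abrt name transition (the changelog mentions abrt-hook-ccpp running as kernel_t) would help, since nothing else in kernel.te ties kernel_t to abrt. The surrounding kernel_t policy continues outside the hunk.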
@@ -17292,7 +17296,7 @@ index 8dbab4c..15230be 100644
  ')
  
  optional_policy(`
-@@ -305,6 +366,19 @@ optional_policy(`
+@@ -305,6 +370,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -17312,7 +17316,7 @@ index 8dbab4c..15230be 100644
  ')
  
  optional_policy(`
-@@ -312,6 +386,11 @@ optional_policy(`
+@@ -312,6 +390,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17324,7 +17328,7 @@ index 8dbab4c..15230be 100644
  	# nfs kernel server needs kernel UDP access. It is less risky and painful
  	# to just give it everything.
  	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +411,6 @@ optional_policy(`
+@@ -332,9 +415,6 @@ optional_policy(`
  
  	sysnet_read_config(kernel_t)
  
@@ -17334,7 +17338,7 @@ index 8dbab4c..15230be 100644
  	rpc_udp_rw_nfs_sockets(kernel_t)
  
  	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +419,7 @@ optional_policy(`
+@@ -343,9 +423,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -17345,7 +17349,7 @@ index 8dbab4c..15230be 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +428,7 @@ optional_policy(`
+@@ -354,7 +432,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -17354,7 +17358,7 @@ index 8dbab4c..15230be 100644
  	')
  ')
  
-@@ -367,6 +441,15 @@ optional_policy(`
+@@ -367,6 +445,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -17370,7 +17374,7 @@ index 8dbab4c..15230be 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -409,4 +492,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +496,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
  allow kern_unconfined unlabeled_t:filesystem *;
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
@@ -34876,7 +34880,7 @@ index 4e94884..8c67cd0 100644
 +	filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..df37453 100644
+index 59b04c1..9d8e11d 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -35218,13 +35222,14 @@ index 59b04c1..df37453 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +551,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +551,12 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
 -
 -miscfiles_read_localization(syslogd_t)
 +logging_manage_all_logs(syslogd_t)
++logging_set_loginuid(syslogd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 -userdom_dontaudit_search_user_home_dirs(syslogd_t)
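Review bot: `logging_set_loginuid(syslogd_t)` grants the permission to the whole syslogd_t domain, while the changelog entry names journald specifically; if other syslog daemons also run as syslogd_t, as the generic type name suggests, they inherit the ability to set the audit loginuid too. Because loginuid drives audit attribution, a comment tying the rule to its bug, `# BZ(1190498): journald sets loginuid`, would keep the grant reviewable later. The logging.te block continues outside this hunk and the interface definition is not visible here.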
@@ -35233,7 +35238,7 @@ index 59b04c1..df37453 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +582,7 @@ optional_policy(`
+@@ -497,6 +583,7 @@ optional_policy(`
  optional_policy(`
  	cron_manage_log_files(syslogd_t)
  	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -35241,7 +35246,7 @@ index 59b04c1..df37453 100644
  ')
  
  optional_policy(`
-@@ -507,15 +593,40 @@ optional_policy(`
+@@ -507,15 +594,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35282,7 +35287,7 @@ index 59b04c1..df37453 100644
  ')
  
  optional_policy(`
-@@ -526,3 +637,26 @@ optional_policy(`
+@@ -526,3 +638,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 07f13fa..9e4b237 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -80,7 +80,7 @@ index 1a93dc5..f2b26f5 100644
 -/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 -/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..1e92177 100644
+index 058d908..158acba 100644
 --- a/abrt.if
 +++ b/abrt.if
 @@ -1,4 +1,26 @@
@@ -537,7 +537,7 @@ index 058d908..1e92177 100644
 +		type abrt_var_run_t;
 +	')
 +
-+	files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
++	files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt")
 +	files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
 +	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
 +	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
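Review bot: The corrected line now transitions the "abrt" directory under /var/tmp to abrt_var_cache_t, but the gen_require block that declares the types this interface uses starts above the hunk and only `type abrt_var_run_t;` is visible from it; if abrt_var_cache_t is not listed there, the interface will fail to expand for callers outside the abrt module. The two files_var_filetrans lines below already use abrt_var_cache_t, so it is probably declared, but that is worth confirming. The interface definition begins outside the hunk.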
@@ -3036,7 +3036,7 @@ index 0000000..36251b9
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..cb58319
+index 0000000..253a684
 --- /dev/null
 +++ b/antivirus.te
 @@ -0,0 +1,270 @@
@@ -3305,9 +3305,9 @@ index 0000000..cb58319
 +
 +optional_policy(`
 +	spamd_stream_connect(clamd_t)
-+    spamassassin_exec(antivirus_domain)
-+    spamassassin_exec_client(antivirus_domain)
-+    spamassassin_read_lib_files(antivirus_domain)
++	spamassassin_exec(antivirus_domain)
++	spamassassin_exec_client(antivirus_domain)
++	spamassassin_read_lib_files(antivirus_domain)
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
@@ -25334,10 +25334,10 @@ index 0000000..1542da8
 +
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..df9e6ce
+index 0000000..0a03a30
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,318 @@
+@@ -0,0 +1,325 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -25425,6 +25425,7 @@ index 0000000..df9e6ce
 +manage_files_pattern(docker_t, docker_log_t, docker_log_t)
 +manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
 +logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
++allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };
 +
 +manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
 +manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
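Review bot: The new relabelfrom/relabelto rule for docker_log_t uses `dir_file_class_set`, which is wider than the `{ dir file lnk_file }` set the preceding logging_log_filetrans line manages for the same type. Unless docker really relabels sockets, fifos or device nodes under its log directory, `allow docker_t docker_log_t:{ dir file lnk_file } { relabelfrom relabelto };` keeps the grant aligned with what the domain creates there. A short comment on why docker relabels its own log files would also help, since the changelog gives no reason.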
@@ -25492,7 +25493,7 @@ index 0000000..df9e6ce
 +corenet_udp_bind_generic_node(docker_t)
 +corenet_udp_bind_all_ports(docker_t)
 +
-+files_read_etc_files(docker_t)
++files_read_config_files(docker_t)
 +
 +fs_read_cgroup_files(docker_t)
 +fs_read_tmpfs_symlinks(docker_t)
@@ -25502,6 +25503,7 @@ index 0000000..df9e6ce
 +storage_raw_rw_fixed_disk(docker_t)
 +
 +auth_use_nsswitch(docker_t)
++auth_dontaudit_getattr_shadow(docker_t)
 +
 +init_read_state(docker_t)
 +init_status(docker_t)
@@ -25527,6 +25529,10 @@ index 0000000..df9e6ce
 +	iptables_domtrans(docker_t)
 +')
 +
++optional_policy(`
++	openvswitch_stream_connect(docker_t)
++')
++
 +#
 +# lxc rules
 +#
@@ -25648,6 +25654,7 @@ index 0000000..df9e6ce
 +domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
 +allow docker_t spc_t:process { setsched signal_perms };
 +ps_process_pattern(docker_t, spc_t)
++allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
 +
 +optional_policy(`
 +	unconfined_domain_noaudit(spc_t)
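Review bot: `allow docker_t spc_t:socket_class_set { relabelto relabelfrom };` lets docker_t move sockets into and out of the spc_t context, and spc_t is made unconfined by the `unconfined_domain_noaudit(spc_t)` call visible just below, so the label on these sockets is part of the container/host trust boundary. `socket_class_set` covers every socket class; if the daemon only needs to relabel one kind (a unix_stream_socket, say), restricting the rule to that class is preferable, and a comment naming the docker operation that requires the relabel would explain the grant. docker.te continues past the hunk, so other spc_t socket rules in the file, if any, are not visible here.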
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1e2acc2..8c9a926 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 117%{?dist}
+Release: 118%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Mar 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-118
+- docker watches for content in the /etc directory
+- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
+- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
+- Allow docker to communicate with openvswitch
+- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
+- Allow docker to relablefrom/to sockets and docker_log_t
+- Allow journald to set loginuid. BZ(1190498)
+- Add cap. sys_admin for passwd_t. BZ(1185191)
+- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
+
 * Fri Mar 09 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-117
 - Allow spamc read spamd_etc_t files. BZ(1199339).
 - Allow collectd to write to smnpd_var_lib_t dirs. BZ(1199278)

