Sync from SUSE:SLFO:Main selinux-policy revision 1cc07852d76c83488bba1cb743a5a2fc
This commit is contained in:
parent
03dbb9718e
commit
007b7f7f07
@ -1,6 +1,4 @@
|
||||
<servicedata>
|
||||
<service name="tar_scm">
|
||||
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
|
||||
<param name="changesrevision">ee0114f1ae55a70c234ceed91d2b4489fde8bb49</param></service><service name="tar_scm">
|
||||
<param name="url">https://github.com/containers/container-selinux.git</param>
|
||||
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
|
||||
<param name="changesrevision">eb718617858feb2cc9e64e241e19ea333fc4a8df</param></service></servicedata>
|
||||
43
container.fc
43
container.fc
@ -9,14 +9,19 @@
|
||||
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/local/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/local/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/buildah -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
|
||||
/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
@ -117,7 +122,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
|
||||
/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
|
||||
/var/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
|
||||
/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
|
||||
|
||||
/var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
@ -126,6 +131,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
|
||||
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
|
||||
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
|
||||
@ -136,26 +142,25 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
|
||||
/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
|
||||
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||
|
||||
/var/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
|
||||
/var/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
|
||||
/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
|
||||
/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
|
||||
|
||||
/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
|
||||
/var/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
|
||||
/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
|
||||
|
||||
/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||
|
||||
@ -573,7 +573,7 @@ interface(`container_filetrans_named_content',`
|
||||
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
|
||||
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
|
||||
filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
|
||||
files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
|
||||
files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes")
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
211
container.te
211
container.te
@ -1,4 +1,4 @@
|
||||
policy_module(container, 2.219.0)
|
||||
policy_module(container, 2.232.1)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -38,6 +38,20 @@ gen_tunable(sshd_launch_containers, false)
|
||||
## </desc>
|
||||
gen_tunable(container_use_devices, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(container_use_xserver_devices, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow containers to use any dri device volume mounted into container
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(container_use_dri_devices, true)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow sandbox containers to manage cgroup (systemd)
|
||||
@ -136,6 +150,7 @@ type container_devpts_t alias docker_devpts_t;
|
||||
term_pty(container_devpts_t)
|
||||
|
||||
typealias container_ro_file_t alias { container_share_t docker_share_t };
|
||||
typeattribute container_ro_file_t container_file_type, user_home_type;
|
||||
files_mountpoint(container_ro_file_t)
|
||||
userdom_user_home_content(container_ro_file_t)
|
||||
|
||||
@ -568,7 +583,6 @@ tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_symlinks(container_runtime_domain)
|
||||
fs_remount_nfs(container_runtime_domain)
|
||||
fs_mount_nfs(container_runtime_domain)
|
||||
fs_unmount_nfs(container_runtime_domain)
|
||||
fs_exec_nfs_files(container_runtime_domain)
|
||||
kernel_rw_fs_sysctls(container_runtime_domain)
|
||||
allow container_runtime_domain nfs_t:file execmod;
|
||||
@ -634,21 +648,16 @@ fs_manage_fusefs_dirs(container_runtime_domain)
|
||||
fs_manage_fusefs_files(container_runtime_domain)
|
||||
fs_manage_fusefs_symlinks(container_runtime_domain)
|
||||
fs_mount_fusefs(container_runtime_domain)
|
||||
fs_unmount_fusefs(container_runtime_domain)
|
||||
fs_exec_fusefs_files(container_runtime_domain)
|
||||
storage_rw_fuse(container_runtime_domain)
|
||||
|
||||
optional_policy(`
|
||||
files_search_all(container_domain)
|
||||
container_read_share_files(container_domain)
|
||||
container_exec_share_files(container_domain)
|
||||
allow container_domain container_ro_file_t:file execmod;
|
||||
container_lib_filetrans(container_domain,container_file_t, sock_file)
|
||||
container_use_ptys(container_domain)
|
||||
container_spc_stream_connect(container_domain)
|
||||
fs_dontaudit_remount_tmpfs(container_domain)
|
||||
dev_dontaudit_mounton_sysfs(container_domain)
|
||||
')
|
||||
files_search_all(container_domain)
|
||||
container_read_share_files(container_domain)
|
||||
container_exec_share_files(container_domain)
|
||||
allow container_domain container_ro_file_t:file execmod;
|
||||
container_lib_filetrans(container_domain,container_file_t, sock_file)
|
||||
container_use_ptys(container_domain)
|
||||
container_spc_stream_connect(container_domain)
|
||||
|
||||
optional_policy(`
|
||||
apache_exec_modules(container_runtime_domain)
|
||||
@ -746,7 +755,7 @@ tunable_policy(`container_connect_any',`
|
||||
#
|
||||
# spc local policy
|
||||
#
|
||||
allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint;
|
||||
allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
|
||||
role system_r types spc_t;
|
||||
|
||||
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
|
||||
@ -755,6 +764,7 @@ domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
|
||||
fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
|
||||
|
||||
allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
|
||||
allow spc_t container_file_type:file execmod;
|
||||
|
||||
admin_pattern(spc_t, kubernetes_file_t)
|
||||
|
||||
@ -774,8 +784,14 @@ init_dbus_chat(spc_t)
|
||||
optional_policy(`
|
||||
systemd_dbus_chat_machined(spc_t)
|
||||
systemd_dbus_chat_logind(spc_t)
|
||||
systemd_dbus_chat_timedated(spc_t)
|
||||
systemd_dbus_chat_localed(spc_t)
|
||||
')
|
||||
|
||||
domain_transition_all(spc_t)
|
||||
|
||||
anaconda_domtrans_install(spc_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_chat_system_bus(spc_t)
|
||||
dbus_chat_session_bus(spc_t)
|
||||
@ -878,7 +894,7 @@ container_manage_files_template(container, container)
|
||||
typeattribute container_file_t container_file_type, user_home_type;
|
||||
typeattribute container_t container_domain, container_net_domain, container_user_domain;
|
||||
allow container_user_domain self:process getattr;
|
||||
allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
|
||||
allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
|
||||
allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
|
||||
allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
|
||||
allow container_domain container_runtime_t:unix_dgram_socket sendto;
|
||||
@ -897,6 +913,7 @@ dontaudit container_domain self:dir { write add_name };
|
||||
allow container_domain self:file rw_file_perms;
|
||||
allow container_domain self:lnk_file read_file_perms;
|
||||
allow container_domain self:fifo_file create_fifo_file_perms;
|
||||
allow container_domain self:fifo_file watch;
|
||||
allow container_domain self:filesystem associate;
|
||||
allow container_domain self:key manage_key_perms;
|
||||
allow container_domain self:netlink_route_socket r_netlink_socket_perms;
|
||||
@ -916,28 +933,33 @@ allow container_domain self:unix_dgram_socket create_socket_perms;
|
||||
allow container_domain self:unix_stream_socket create_stream_socket_perms;
|
||||
dontaudit container_domain self:capability2 block_suspend ;
|
||||
allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
|
||||
fs_rw_onload_sockets(container_domain)
|
||||
fs_fusefs_entrypoint(container_domain)
|
||||
fs_fusefs_entrypoint(spc_t)
|
||||
|
||||
container_read_share_files(container_domain)
|
||||
container_exec_share_files(container_domain)
|
||||
container_use_ptys(container_domain)
|
||||
container_spc_stream_connect(container_domain)
|
||||
fs_dontaudit_remount_tmpfs(container_domain)
|
||||
|
||||
dev_dontaudit_mounton_sysfs(container_domain)
|
||||
dev_dontaudit_mounton_sysfs(container_domain)
|
||||
fs_mount_tmpfs(container_domain)
|
||||
dev_dontaudit_mounton_sysfs(container_domain)
|
||||
dev_getattr_mtrr_dev(container_domain)
|
||||
dev_list_sysfs(container_domain)
|
||||
dev_mounton_sysfs(container_t)
|
||||
dev_read_mtrr(container_domain)
|
||||
dev_read_rand(container_domain)
|
||||
dev_read_sysfs(container_domain)
|
||||
dev_read_urand(container_domain)
|
||||
dev_rw_inherited_dri(container_domain)
|
||||
dev_rw_kvm(container_domain)
|
||||
dev_rwx_zero(container_domain)
|
||||
dev_write_rand(container_domain)
|
||||
dev_write_urand(container_domain)
|
||||
allow container_domain sysfs_t:dir watch;
|
||||
|
||||
dontaudit container_domain container_runtime_tmpfs_t:dir read;
|
||||
allow container_domain container_runtime_tmpfs_t:dir mounton;
|
||||
|
||||
dev_getattr_mtrr_dev(container_domain)
|
||||
dev_list_sysfs(container_domain)
|
||||
allow container_domain sysfs_t:dir watch;
|
||||
|
||||
dev_rw_kvm(container_domain)
|
||||
dev_rwx_zero(container_domain)
|
||||
can_exec(container_domain, container_runtime_tmpfs_t)
|
||||
|
||||
allow container_domain self:key manage_key_perms;
|
||||
dontaudit container_domain container_domain:key search;
|
||||
@ -953,7 +975,7 @@ allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||
allow container_domain self:passwd rootok;
|
||||
allow container_domain self:filesystem associate;
|
||||
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
|
||||
allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
|
||||
|
||||
kernel_getattr_proc(container_domain)
|
||||
kernel_list_all_proc(container_domain)
|
||||
@ -970,16 +992,42 @@ kernel_dontaudit_write_usermodehelper_state(container_domain)
|
||||
kernel_read_irq_sysctls(container_domain)
|
||||
kernel_get_sysvipc_info(container_domain)
|
||||
|
||||
fs_getattr_all_fs(container_domain)
|
||||
fs_rw_inherited_tmpfs_files(container_domain)
|
||||
fs_read_tmpfs_symlinks(container_domain)
|
||||
fs_search_tmpfs(container_domain)
|
||||
fs_list_hugetlbfs(container_domain)
|
||||
fs_manage_hugetlbfs_files(container_domain)
|
||||
fs_exec_hugetlbfs_files(container_domain)
|
||||
fs_dontaudit_getattr_all_dirs(container_domain)
|
||||
fs_dontaudit_getattr_all_files(container_domain)
|
||||
fs_dontaudit_remount_tmpfs(container_domain)
|
||||
fs_dontaudit_remount_tmpfs(container_domain)
|
||||
fs_exec_fusefs_files(container_domain)
|
||||
fs_exec_hugetlbfs_files(container_domain)
|
||||
fs_fusefs_entrypoint(container_domain)
|
||||
fs_getattr_all_fs(container_domain)
|
||||
fs_list_cgroup_dirs(container_domain)
|
||||
fs_list_hugetlbfs(container_domain)
|
||||
fs_manage_bpf_files(container_domain)
|
||||
fs_manage_fusefs_dirs(container_domain)
|
||||
fs_manage_fusefs_files(container_domain)
|
||||
fs_manage_fusefs_named_pipes(container_domain)
|
||||
fs_manage_fusefs_named_sockets(container_domain)
|
||||
fs_manage_fusefs_symlinks(container_domain)
|
||||
fs_manage_hugetlbfs_files(container_domain)
|
||||
fs_mount_fusefs(container_domain)
|
||||
fs_unmount_fusefs(container_domain)
|
||||
fs_mount_tmpfs(container_domain)
|
||||
fs_unmount_tmpfs(container_domain)
|
||||
fs_mount_xattr_fs(container_domain)
|
||||
fs_unmount_xattr_fs(container_domain)
|
||||
fs_mounton_cgroup(container_domain)
|
||||
fs_mounton_fusefs(container_domain)
|
||||
fs_read_cgroup_files(container_domain)
|
||||
fs_read_nsfs_files(container_domain)
|
||||
fs_read_tmpfs_symlinks(container_domain)
|
||||
fs_remount_xattr_fs(container_domain)
|
||||
fs_rw_inherited_tmpfs_files(container_domain)
|
||||
fs_rw_onload_sockets(container_domain)
|
||||
fs_search_tmpfs(container_domain)
|
||||
fs_unmount_cgroup(container_domain)
|
||||
fs_unmount_fusefs(container_domain)
|
||||
fs_unmount_nsfs(container_domain)
|
||||
fs_unmount_xattr_fs(container_domain)
|
||||
|
||||
term_use_all_inherited_terms(container_domain)
|
||||
|
||||
@ -1003,18 +1051,6 @@ gen_require(`
|
||||
type cgroup_t;
|
||||
')
|
||||
|
||||
dev_read_sysfs(container_domain)
|
||||
dev_read_mtrr(container_domain)
|
||||
dev_mounton_sysfs(container_t)
|
||||
|
||||
fs_mounton_cgroup(container_t)
|
||||
fs_unmount_cgroup(container_t)
|
||||
|
||||
dev_read_rand(container_domain)
|
||||
dev_write_rand(container_domain)
|
||||
dev_read_urand(container_domain)
|
||||
dev_write_urand(container_domain)
|
||||
|
||||
files_read_kernel_modules(container_domain)
|
||||
|
||||
allow container_file_t cgroup_t:filesystem associate;
|
||||
@ -1060,6 +1096,7 @@ allow container_net_domain self:rawip_socket create_stream_socket_perms;
|
||||
allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
|
||||
|
||||
allow container_domain spc_t:unix_stream_socket { read write };
|
||||
kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
|
||||
kernel_unlabeled_entry_type(spc_t)
|
||||
allow container_runtime_domain unlabeled_t:key manage_key_perms;
|
||||
@ -1069,9 +1106,6 @@ gen_require(`
|
||||
')
|
||||
dontaudit container_domain usermodehelper_t:file write;
|
||||
|
||||
fs_read_cgroup_files(container_domain)
|
||||
fs_list_cgroup_dirs(container_domain)
|
||||
|
||||
sysnet_read_config(container_domain)
|
||||
|
||||
allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
|
||||
@ -1099,20 +1133,6 @@ tunable_policy(`container_manage_cgroup',`
|
||||
fs_manage_cgroup_files(container_domain)
|
||||
')
|
||||
|
||||
fs_manage_fusefs_named_sockets(container_domain)
|
||||
fs_manage_fusefs_named_pipes(container_domain)
|
||||
fs_manage_fusefs_dirs(container_domain)
|
||||
fs_manage_fusefs_files(container_domain)
|
||||
fs_manage_fusefs_symlinks(container_domain)
|
||||
fs_manage_fusefs_named_sockets(container_domain)
|
||||
fs_manage_fusefs_named_pipes(container_domain)
|
||||
fs_exec_fusefs_files(container_domain)
|
||||
fs_mount_xattr_fs(container_domain)
|
||||
fs_unmount_xattr_fs(container_domain)
|
||||
fs_remount_xattr_fs(container_domain)
|
||||
fs_mount_fusefs(container_domain)
|
||||
fs_unmount_fusefs(container_domain)
|
||||
fs_mounton_fusefs(container_domain)
|
||||
storage_rw_fuse(container_domain)
|
||||
allow container_domain fusefs_t:file { mounton execmod };
|
||||
allow container_domain fusefs_t:filesystem remount;
|
||||
@ -1187,6 +1207,7 @@ dev_mount_sysfs_fs(container_userns_t)
|
||||
dev_mounton_sysfs(container_userns_t)
|
||||
|
||||
fs_mount_tmpfs(container_userns_t)
|
||||
fs_unmount_tmpfs(container_userns_t)
|
||||
fs_relabelfrom_tmpfs(container_userns_t)
|
||||
fs_remount_cgroup(container_userns_t)
|
||||
|
||||
@ -1383,6 +1404,15 @@ tunable_policy(`container_use_devices',`
|
||||
allow container_domain device_node:blk_file {rw_blk_file_perms map};
|
||||
')
|
||||
|
||||
tunable_policy(`container_use_xserver_devices',`
|
||||
dev_getattr_xserver_misc_dev(container_t)
|
||||
dev_rw_xserver_misc(container_t)
|
||||
')
|
||||
|
||||
tunable_policy(`container_use_dri_devices',`
|
||||
dev_rw_dri(container_domain)
|
||||
')
|
||||
|
||||
tunable_policy(`virt_sandbox_use_sys_admin',`
|
||||
allow container_init_t self:capability sys_admin;
|
||||
allow container_init_t self:cap_userns sys_admin;
|
||||
@ -1399,19 +1429,41 @@ fs_mounton_cgroup(container_engine_t)
|
||||
fs_unmount_cgroup(container_engine_t)
|
||||
fs_manage_cgroup_dirs(container_engine_t)
|
||||
fs_manage_cgroup_files(container_engine_t)
|
||||
fs_mount_tmpfs(container_engine_t)
|
||||
fs_write_cgroup_files(container_engine_t)
|
||||
|
||||
allow container_engine_t proc_t:file mounton;
|
||||
allow container_engine_t sysctl_t:file mounton;
|
||||
allow container_engine_t sysfs_t:filesystem remount;
|
||||
|
||||
fs_remount_cgroup(container_engine_t)
|
||||
fs_mount_all_fs(container_engine_t)
|
||||
fs_remount_all_fs(container_engine_t)
|
||||
fs_unmount_all_fs(container_engine_t)
|
||||
kernel_mounton_all_sysctls(container_engine_t)
|
||||
kernel_mount_proc(container_engine_t)
|
||||
kernel_mounton_core_if(container_engine_t)
|
||||
kernel_mounton_proc(container_engine_t)
|
||||
kernel_mounton_core_if(container_engine_t)
|
||||
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
|
||||
|
||||
term_mount_pty_fs(container_engine_t)
|
||||
term_use_generic_ptys(container_engine_t)
|
||||
|
||||
allow container_engine_t container_file_t:chr_file mounton;
|
||||
allow container_engine_t filesystem_type:{dir file} mounton;
|
||||
allow container_engine_t proc_kcore_t:file mounton;
|
||||
allow container_engine_t proc_t:filesystem remount;
|
||||
allow container_engine_t sysctl_t:{dir file} mounton;
|
||||
allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
|
||||
allow container_engine_t fusefs_t:file relabelto;
|
||||
allow container_engine_t kernel_t:system module_request;
|
||||
allow container_engine_t null_device_t:chr_file mounton;
|
||||
allow container_engine_t random_device_t:chr_file mounton;
|
||||
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
|
||||
allow container_engine_t urandom_device_t:chr_file mounton;
|
||||
allow container_engine_t zero_device_t:chr_file mounton;
|
||||
|
||||
manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type devtty_t;
|
||||
')
|
||||
allow container_engine_t devtty_t:chr_file mounton;
|
||||
')
|
||||
|
||||
type kubelet_t, container_runtime_domain;
|
||||
domain_type(kubelet_t)
|
||||
@ -1424,6 +1476,7 @@ optional_policy(`
|
||||
unconfined_domain(kubelet_t)
|
||||
')
|
||||
|
||||
manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
|
||||
|
||||
type kubelet_exec_t;
|
||||
application_executable_file(kubelet_exec_t)
|
||||
@ -1516,6 +1569,9 @@ role container_user_r types container_user_domain;
|
||||
role container_user_r types container_net_domain;
|
||||
role container_user_r types container_file_type;
|
||||
container_runtime_run(container_user_t, container_user_r)
|
||||
unconfined_role_change_to(container_user_r)
|
||||
|
||||
container_use_ptys(container_user_t)
|
||||
|
||||
fs_manage_cgroup_dirs(container_user_t)
|
||||
fs_manage_cgroup_files(container_user_t)
|
||||
@ -1524,6 +1580,12 @@ selinux_compute_access_vector(container_user_t)
|
||||
systemd_dbus_chat_hostnamed(container_user_t)
|
||||
systemd_start_systemd_services(container_user_t)
|
||||
|
||||
allow container_runtime_t container_user_t:process transition;
|
||||
allow container_runtime_t container_user_t:process2 nnp_transition;
|
||||
allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow container_user_t container_file_t:chr_file manage_chr_file_perms;
|
||||
allow container_user_t container_file_t:file entrypoint;
|
||||
|
||||
allow container_domain container_file_t:file entrypoint;
|
||||
allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
|
||||
@ -1533,3 +1595,8 @@ allow container_domain fusefs_t:file { append create entrypoint execmod execute
|
||||
corecmd_entrypoint_all_executables(container_kvm_t)
|
||||
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
|
||||
allow svirt_sandbox_domain mountpoint:file entrypoint;
|
||||
|
||||
tunable_policy(`deny_ptrace',`',`
|
||||
allow container_domain self:process ptrace;
|
||||
allow spc_t self:process ptrace;
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/run /var/run
|
||||
/run/lock /var/lock
|
||||
/var/run /run
|
||||
/var/lock /run/lock
|
||||
/var/run/lock /var/lock
|
||||
/lib /usr/lib
|
||||
/lib64 /usr/lib
|
||||
@ -10,8 +10,13 @@
|
||||
/etc/systemd/system /usr/lib/systemd/system
|
||||
/run/systemd/system /usr/lib/systemd/system
|
||||
/run/systemd/generator /usr/lib/systemd/system
|
||||
/run/systemd/generator.early /usr/lib/systemd/system
|
||||
/run/systemd/generator.late /usr/lib/systemd/system
|
||||
/var/lib/xguest/home /home
|
||||
/var/run/netconfig /etc
|
||||
/var/adm/netconfig/md5/etc /etc
|
||||
/var/adm/netconfig/md5/var /var
|
||||
/usr/etc /etc
|
||||
/bin /usr/bin
|
||||
/sbin /usr/bin
|
||||
/usr/sbin /usr/bin
|
||||
|
||||
@ -2775,3 +2775,10 @@ libalternatives = module
|
||||
## kiw
|
||||
##
|
||||
kiwi = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: sap
|
||||
#
|
||||
# sap
|
||||
#
|
||||
sap = module
|
||||
|
||||
BIN
selinux-policy-20240604+git1.ee0114f1.tar.xz
(Stored with Git LFS)
BIN
selinux-policy-20240604+git1.ee0114f1.tar.xz
(Stored with Git LFS)
Binary file not shown.
BIN
selinux-policy-20240604+git230.eb718617.tar.xz
(Stored with Git LFS)
Normal file
BIN
selinux-policy-20240604+git230.eb718617.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
@ -1,3 +1,236 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 26 07:56:15 UTC 2024 - cathy.hu@suse.com
|
||||
|
||||
- Enable sap module
|
||||
- Add equivalency in file_contexts.subs_dist
|
||||
* /bin /usr/bin
|
||||
* /sbin /usr/bin
|
||||
* /usr/sbin /usr/bin
|
||||
* /var/run /run
|
||||
* /var/lock /run/lock
|
||||
- Move to %posttrans to ensure selinux-policy got updated before
|
||||
the commands run (bsc#1221720)
|
||||
- Remove "Reference" from the package description. It's not the
|
||||
reference policy, but the Fedora branch of the policy
|
||||
- Update to version 20240604+git230.eb718617:
|
||||
* Initial policy for grub2 snapper plugin (bsc#1228205)
|
||||
* Set microos autorelabel script to systemd_autorelabel_generator_t
|
||||
* Allow systemd_generator to write kmsg
|
||||
* Initial policy for systemd growpart-generator (bsc#1226824)
|
||||
* Allow systemd_getty_generator_t read /proc/1/environ
|
||||
* Allow systemd_getty_generator_t to read and write to tty_device_t (bsc#1226888)
|
||||
* Change fc in rebootmgr module for /sbin -> /usr/bin
|
||||
* Change fc in rpm module for /sbin -> /usr/bin
|
||||
* Change fc in rsync module for /sbin -> /usr/bin
|
||||
* Change fc in wicked module for /sbin -> /usr/bin
|
||||
* Allow manage dosfs_t files to snapperd
|
||||
* Confine libvirt-dbus
|
||||
* Allow virtqemud the kill capability in user namespace
|
||||
* Allow rshim get options of the netlink class for KOBJECT_UEVENT family
|
||||
* Allow dhcpcd the kill capability
|
||||
* Allow systemd-networkd list /var/lib/systemd/network
|
||||
* Allow sysadm_t run systemd-nsresourced bpf programs
|
||||
* Update policy for systemd generators interactions
|
||||
* Allow create memory.pressure files with cgroup_memory_pressure_t
|
||||
* Add support for libvirt hooks
|
||||
* Allow certmonger read and write tpm devices
|
||||
* Allow all domains to connect to systemd-nsresourced over a unix socket
|
||||
* Allow systemd-machined read the vsock device
|
||||
* Update policy for systemd generators
|
||||
* Allow ptp4l_t request that the kernel load a kernel module
|
||||
* Allow sbd to trace processes in user namespace
|
||||
* Allow request-key execute scripts
|
||||
* Update policy for haproxyd
|
||||
* Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
|
||||
* Add auth_rw_wtmpdb_login_records to modules
|
||||
* Allow xdm_t to read-write to wtmpdb (bsc#1225984)
|
||||
* Introduce types for wtmpdb and rw interface
|
||||
* Introduce wtmp_file_type attribute
|
||||
* Update policy for systemd-nsresourced
|
||||
* Correct sbin-related file context entries
|
||||
* Allow login_userdomain execute systemd-tmpfiles in the caller domain
|
||||
* Allow virt_driver_domain read files labeled unconfined_t
|
||||
* Allow virt_driver_domain dbus chat with policykit
|
||||
* Allow virtqemud manage nfs files when virt_use_nfs boolean is on
|
||||
* Add rules for interactions between generators
|
||||
* Label memory.pressure files with cgroup_memory_pressure_t
|
||||
* Revert "Allow some systemd services write to cgroup files"
|
||||
* Revert "Add policy for wtmpdb (bsc#1210717)"
|
||||
* Allow gnome control center to set autologin (bsc#1222978)
|
||||
* Update policy for systemd-nsresourced
|
||||
* Label /usr/bin/ntfsck with fsadm_exec_t
|
||||
* Allow systemd_fstab_generator_t read tmpfs files
|
||||
* Update policy for systemd-nsresourced
|
||||
* Dontaudit xdm_t to getattr on root_t (bsc#1223145)
|
||||
* Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
|
||||
* Remove a few lines duplicated between {dkim,milter}.fc
|
||||
* Alias /bin → /usr/bin and remove redundant paths
|
||||
* Drop duplicate line for /usr/sbin/unix_chkpwd
|
||||
* Drop duplicate paths for /usr/sbin
|
||||
* Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599)
|
||||
* Update systemd-generator policy
|
||||
* Remove permissive domain for bootupd_t
|
||||
* Remove permissive domain for coreos_installer_t
|
||||
* Remove permissive domain for afterburn_t
|
||||
* Add the sap module to modules.conf
|
||||
* Move unconfined_domain(sap_unconfined_t) to an optional block
|
||||
* Create the sap module
|
||||
* Allow systemd-coredumpd sys_admin and sys_resource capabilities
|
||||
* Allow systemd-coredump read nsfs files
|
||||
* Allow generators auto file transition only for plain files
|
||||
* Allow systemd-hwdb write to the kernel messages device
|
||||
* Escape "interface" as a file name in a virt filetrans pattern
|
||||
* Allow gnome-software work for login_userdomain
|
||||
* Allow systemd-machined manage runtime sockets
|
||||
* Revert "Allow systemd-machined manage runtime sockets"
|
||||
* Allow postfix_domain connect to postgresql over a unix socket
|
||||
* Dontaudit systemd-coredump sys_admin capability
|
||||
* Allow all domains read and write z90crypt device
|
||||
* Allow tpm2 generator setfscreate
|
||||
* Allow systemd (PID 1) manage systemd conf files
|
||||
* Allow pulseaudio map its runtime files
|
||||
* Update policy for getty-generator
|
||||
* Allow systemd-hwdb send messages to kernel unix datagram sockets
|
||||
* Allow systemd-machined manage runtime sockets
|
||||
* Allow fstab-generator create unit file symlinks
|
||||
* Update policy for cryptsetup-generator
|
||||
* Update policy for fstab-generator
|
||||
* Allow virtqemud read vm sysctls
|
||||
* Allow collectd to trace processes in user namespace
|
||||
* Allow bootupd search efivarfs dirs
|
||||
* Add policy for systemd-mountfsd
|
||||
* Add policy for systemd-nsresourced
|
||||
* Update policy generators
|
||||
* Add policy for anaconda-generator
|
||||
* Update policy for fstab and gpt generators
|
||||
* Add policy for kdump-dep-generator
|
||||
* Add policy for a generic generator
|
||||
* Add policy for tpm2 generator
|
||||
* Add policy for ssh-generator
|
||||
* Add policy for second batch of generators
|
||||
* Update policy for systemd generators
|
||||
* ci: Adjust Cockpit test plans
|
||||
* Allow journald read systemd config files and directories
|
||||
* Allow systemd_domain read systemd_conf_t dirs
|
||||
* Fix bad Python regexp escapes
|
||||
* Allow fido services connect to postgres database
|
||||
* Revert "Update the README.md file with the c10s branch information"
|
||||
* Update the README.md file with the c10s branch information
|
||||
* Allow postfix smtpd map aliases file
|
||||
* Ensure dbus communication is allowed bidirectionally
|
||||
* Label systemd configuration files with systemd_conf_t
|
||||
* Label /run/systemd/machine with systemd_machined_var_run_t
|
||||
* Allow systemd-hostnamed read the vsock device
|
||||
* Allow sysadm execute dmidecode using sudo
|
||||
* Allow sudodomain list files in /var
|
||||
* Allow setroubleshootd get attributes of all sysctls
|
||||
* Allow various services read and write z90crypt device
|
||||
* Allow nfsidmap connect to systemd-homed
|
||||
* Allow sandbox_x_client_t dbus chat with accountsd
|
||||
* Allow system_cronjob_t dbus chat with avahi_t
|
||||
* Allow staff_t the io_uring sqpoll permission
|
||||
* Allow staff_t use the io_uring API
|
||||
* Add support for secretmem anon inode
|
||||
* Allow virtqemud read vfio devices
|
||||
* Allow virtqemud get attributes of a tmpfs filesystem
|
||||
* Allow svirt_t read vm sysctls
|
||||
* Allow virtqemud create and unlink files in /etc/libvirt/
|
||||
* Allow virtqemud get attributes of cifs files
|
||||
* Allow virtqemud get attributes of filesystems with extended attributes
|
||||
* Allow virtqemud get attributes of NFS filesystems
|
||||
* Allow virt_domain read and write usb devices conditionally
|
||||
* Allow virtstoraged use the io_uring API
|
||||
* Allow virtstoraged execute lvm programs in the lvm domain
|
||||
* Allow virtnodevd_t map /var/lib files
|
||||
* Allow svirt_tcg_t map svirt_image_t files
|
||||
* Allow abrt-dump-journal-core connect to systemd-homed
|
||||
* Allow abrt-dump-journal-core connect to systemd-machined
|
||||
* Allow sssd create and use io_uring
|
||||
* Allow selinux-relabel-generator create units dir
|
||||
* Allow dbus-broker read/write inherited user ttys
|
||||
* Define transitions for /run/libvirt/common and /run/libvirt/qemu
|
||||
* Allow systemd-sleep read raw disk data
|
||||
* Allow numad to trace processes in user namespace
|
||||
* Allow abrt-dump-journal-core connect to systemd-userdbd
|
||||
* Allow plymouthd read efivarfs files
|
||||
* Update the auth_dontaudit_read_passwd_file() interface
|
||||
* Label /dev/mmcblk0rpmb character device with removable_device_t
|
||||
* fix hibernate on btrfs swapfile (F40)
|
||||
* Allow nut to statfs()
|
||||
* Allow system dbusd service status systemd services
|
||||
* Allow systemd-timedated get the timemaster service status
|
||||
* Allow keyutils-dns-resolver connect to the system log service
|
||||
* Allow qemu-ga read vm sysctls
|
||||
* postfix: allow qmgr to delete mails in bounce/ directory
|
||||
* Remove duplicate in sysnetwork.fc
|
||||
* Rename /var/run/wicked* to /run/wicked*
|
||||
* Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
|
||||
* policy: support pidfs
|
||||
* Confine selinux-autorelabel-generator.sh
|
||||
* Allow logwatch_mail_t read/write to init over a unix stream socket
|
||||
* Allow logwatch read logind sessions files
|
||||
* files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
|
||||
* files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
|
||||
* Allow NetworkManager the sys_ptrace capability in user namespace
|
||||
* dontaudit execmem for modemmanager
|
||||
* Allow dhcpcd use unix_stream_socket
|
||||
* Allow dhcpc read /run/netns files
|
||||
* Update mmap_rw_file_perms to include the lock permission
|
||||
* Allow plymouthd log during shutdown
|
||||
* Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
|
||||
* Allow journalctl_t read filesystem sysctls
|
||||
* Allow cgred_t to get attributes of cgroup filesystems
|
||||
* Allow wdmd read hardware state information
|
||||
* Allow wdmd list the contents of the sysfs directories
|
||||
* Allow linuxptp configure phc2sys and chronyd over a unix domain socket
|
||||
* Allow sulogin relabel tty1
|
||||
* Dontaudit sulogin the checkpoint_restore capability
|
||||
* Modify sudo_role_template() to allow getpgid
|
||||
* Allow userdomain get attributes of files on an nsfs filesystem
|
||||
* Allow opafm create NFS files and directories
|
||||
* Allow virtqemud create and unlink files in /etc/libvirt/
|
||||
* Allow virtqemud domain transition on swtpm execution
|
||||
* Add the swtpm.if interface file for interactions with other domains
|
||||
* Allow samba to have dac_override capability
|
||||
* systemd: allow sys_admin capability for systemd_notify_t
|
||||
* systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
|
||||
* Allow thumb_t to watch and watch_reads mount_var_run_t
|
||||
* Allow krb5kdc_t map krb5kdc_principal_t files
|
||||
* Allow unprivileged confined user dbus chat with setroubleshoot
|
||||
* Allow login_userdomain map files in /var
|
||||
* Allow wireguard work with firewall-cmd
|
||||
* Differentiate between staff and sysadm when executing crontab with sudo
|
||||
* Add crontab_admin_domtrans interface
|
||||
* Allow abrt_t nnp domain transition to abrt_handle_event_t
|
||||
* Allow xdm_t to watch and watch_reads mount_var_run_t
|
||||
* Dontaudit subscription manager setfscreate and read file contexts
|
||||
* Don't audit crontab_domain write attempts to user home
|
||||
* Transition from sudodomains to crontab_t when executing crontab_exec_t
|
||||
* Add crontab_domtrans interface
|
||||
* Fix label of pseudoterminals created from sudodomain
|
||||
* Allow utempter_t use ptmx
|
||||
* Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
|
||||
* Allow admin user read/write on fixed_disk_device_t
|
||||
* Only allow confined user domains to login locally without unconfined_login
|
||||
* Add userdom_spec_domtrans_confined_admin_users interface
|
||||
* Only allow admindomain to execute shell via ssh with ssh_sysadm_login
|
||||
* Add userdom_spec_domtrans_admin_users interface
|
||||
* Move ssh dyntrans to unconfined inside unconfined_login tunable policy
|
||||
* Update ssh_role_template() for user ssh-agent type
|
||||
* Allow init to inherit system DBus file descriptors
|
||||
* Allow init to inherit fds from syslogd
|
||||
* Allow any domain to inherit fds from rpm-ostree
|
||||
* Update afterburn policy
|
||||
* Allow init_t nnp domain transition to abrtd_t
|
||||
* Rename all /var/lock file context entries to /run/lock
|
||||
* Rename all /var/run file context entries to /run
|
||||
- Update container-selinux to a68865582e123856c191fe0ecbbba9301758e591
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 16 10:51:43 UTC 2024 - Filippo Bonazzi <filippo.bonazzi@suse.com>
|
||||
|
||||
- Fix systemd generator.early and generator.late file contexts (bsc#1227638)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 04 16:39:04 UTC 2024 - cathy.hu@suse.com
|
||||
|
||||
|
||||
@ -33,7 +33,7 @@ Summary: SELinux policy configuration
|
||||
License: GPL-2.0-or-later
|
||||
Group: System/Management
|
||||
Name: selinux-policy
|
||||
Version: 20240604+git1.ee0114f1
|
||||
Version: 20240604+git230.eb718617
|
||||
Release: 0
|
||||
Source0: %{name}-%{version}.tar.xz
|
||||
Source1: container.fc
|
||||
@ -91,9 +91,9 @@ BuildRequires: python3-policycoreutils
|
||||
# we need selinuxenabled
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): pam-config
|
||||
Requires(post): pam-config
|
||||
Requires(post): selinux-tools
|
||||
Requires(post): /usr/bin/sha512sum
|
||||
Requires(posttrans): pam-config
|
||||
Requires(posttrans): selinux-tools
|
||||
Requires(posttrans): /usr/bin/sha512sum
|
||||
Recommends: audit
|
||||
Recommends: selinux-tools
|
||||
# for audit2allow
|
||||
@ -292,9 +292,8 @@ for i in $contrib_modules $base_modules; do \
|
||||
done;
|
||||
|
||||
%description
|
||||
SELinux Reference Policy. A complete SELinux policy that can be used
|
||||
as the system policy for a variety of systems and used as the basis for
|
||||
creating other policies.
|
||||
A complete SELinux policy that can be used as the system policy for a variety
|
||||
of systems and used as the basis for creating other policies.
|
||||
|
||||
%files
|
||||
%defattr(-,root,root,-)
|
||||
@ -527,12 +526,12 @@ Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: selinux-policy = %{version}-%{release}
|
||||
|
||||
%description targeted
|
||||
SELinux Reference policy targeted base module.
|
||||
SELinux policy targeted base module.
|
||||
|
||||
%pre targeted
|
||||
%preInstall targeted
|
||||
|
||||
%post targeted
|
||||
%posttrans targeted
|
||||
%postInstall $1 targeted
|
||||
exit 0
|
||||
|
||||
@ -562,7 +561,7 @@ Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: selinux-policy = %{version}-%{release}
|
||||
|
||||
%description minimum
|
||||
SELinux Reference policy minimum base module.
|
||||
SELinux policy minimum base module.
|
||||
|
||||
%pre minimum
|
||||
%preInstall minimum
|
||||
@ -623,12 +622,12 @@ Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: selinux-policy = %{version}-%{release}
|
||||
|
||||
%description mls
|
||||
SELinux Reference policy mls base module.
|
||||
SELinux policy mls base module.
|
||||
|
||||
%pre mls
|
||||
%preInstall mls
|
||||
|
||||
%post mls
|
||||
%posttrans mls
|
||||
%postInstall $1 mls
|
||||
|
||||
%postun mls
|
||||
|
||||
Loading…
Reference in New Issue
Block a user