From e7a2a92b668419455c1afe32a35ffeeb3b8eaab8 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Wed, 1 Jun 2016 14:13:11 -0700
Subject: [PATCH] sec-policy/selinux-virt: Grant more permissions on chr_files

apt seems to use character device nodes for a couple of things, so give the full set of permissions for them when operating in the container's own context.
---
 ...203-r11.ebuild => selinux-base-policy-2.20141203-r12.ebuild} | 0
 ...2.20141203-r11.ebuild => selinux-base-2.20141203-r12.ebuild} | 0
 ...1203-r11.ebuild => selinux-unconfined-2.20141203-r12.ebuild} | 0
 .../coreos-overlay/sec-policy/selinux-virt/files/virt.diff | 2 +-
 ...2.20141203-r11.ebuild => selinux-virt-2.20141203-r12.ebuild} | 0
 5 files changed, 1 insertion(+), 1 deletion(-)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/{selinux-base-policy-2.20141203-r11.ebuild => selinux-base-policy-2.20141203-r12.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/{selinux-base-2.20141203-r11.ebuild => selinux-base-2.20141203-r12.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/{selinux-unconfined-2.20141203-r11.ebuild => selinux-unconfined-2.20141203-r12.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/{selinux-virt-2.20141203-r11.ebuild => selinux-virt-2.20141203-r12.ebuild} (100%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r11.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r12.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r11.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r12.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r11.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r12.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r11.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r12.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r11.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r12.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r11.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r12.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
index d11b4f9266..377fdaf288 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
@@ -27,7 +27,7 @@ diff -u contrib.orig/virt.te contrib/virt.te
 +term_use_generic_ptys(svirt_lxc_net_t)
 +term_setattr_generic_ptys(svirt_lxc_net_t)
 +allow svirt_lxc_net_t tmpfs_t:chr_file { read write open };
-+allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { setattr };
++allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { manage_file_perm };
 +allow svirt_lxc_net_t self:capability sys_chroot;
 +allow svirt_lxc_net_t self:process getpgid;
 +allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
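Review bot: The replacement line `++allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { manage_file_perm };` in the virt.diff hunk uses a permission-set name I cannot find in refpolicy, whose macros are spelled in the plural (`manage_file_perms`, and `manage_chr_file_perms` for the chr_file class); unless this overlay defines `manage_file_perm` itself, m4 will leave the token unexpanded and checkpolicy should reject it as an unknown chr_file permission, so the build fails rather than the rule taking effect. The line that matches the commit message's intent is presumably `+allow svirt_lxc_net_t svirt_lxc_file_t:chr_file manage_chr_file_perms;`. Since this widens the rule from `setattr` alone to the full create/read/write/unlink set on device nodes labelled svirt_lxc_file_t, the rationale should live beside the rule rather than only in the commit message, e.g. a preceding `# apt creates and modifies device nodes inside the container's own rootfs` so the next person tightening this policy knows what depends on it. This hunk is itself a patch against contrib/virt.te, and the run of svirt_lxc_net_t rules it sits in begins and ends outside the hunk.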
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r11.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r12.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r11.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r12.ebuild