Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package container-selinux for
openSUSE:Factory checked in at 2021-11-20 02:38:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
and /work/SRC/openSUSE:Factory/.container-selinux.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "container-selinux"
Sat Nov 20 02:38:03 2021 rev:9 rq:931472 version:2.171.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes
2021-08-12 09:01:48.066138103 +0200
+++
/work/SRC/openSUSE:Factory/.container-selinux.new.1895/container-selinux.changes
2021-11-20 02:38:09.404974862 +0100
@@ -1,0 +2,10 @@
+Fri Nov 12 16:21:06 UTC 2021 - Richard Brown <[email protected]>
+
+- Update to version 2.171.0
+ * Define kubernetes_file_t as a config_type
+ * Allow containers to be socket activated by user domains and by systemd.
+ * Allow iptables to use fifo files of a container runtime
+ * Allow container_runtime create all tmpfs content as
container_runtime_tmpfs_t
+ * Allow containers to create lnk_file on tmpfs_t directories.
+
+-------------------------------------------------------------------
Old:
----
container-selinux-2.164.2.tar.gz
New:
----
container-selinux-2.171.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.HOCAm8/_old 2021-11-20 02:38:09.884973278 +0100
+++ /var/tmp/diff_new_pack.HOCAm8/_new 2021-11-20 02:38:09.888973265 +0100
@@ -26,7 +26,7 @@
# Version of SELinux we were using
%define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
Name: container-selinux
-Version: 2.164.2
+Version: 2.171.0
Release: 0
Summary: SELinux policies for container runtimes
License: GPL-2.0-only
++++++ container-selinux-2.164.2.tar.gz -> container-selinux-2.171.0.tar.gz
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.164.2/README.md
new/container-selinux-2.171.0/README.md
--- old/container-selinux-2.164.2/README.md 2021-08-02 19:18:31.000000000
+0200
+++ new/container-selinux-2.171.0/README.md 2021-11-10 23:21:41.000000000
+0100
@@ -2,29 +2,8 @@
## Blogs on SELinux Policy
-**[Docker and
SELinux](https://www.projectatomic.io/docs/docker-and-selinux/)**
-Interaction between SELinux policy and Docker
-
-**[Issues with Docker Volumes and
SELinux](https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
)**
-Use of volume mounted content with SELinux
-
-**[Docker SELinux
Flag](https://www.projectatomic.io/blog/2016/07/docker-selinux-flag/)**
-Information on `???selinux-enabled` flag in Docker daemon
-
-**[SELinux Policy for
Containers](https://www.projectatomic.io/blog/2017/02/selinux-policy-containers/)**
-Tightening of SELinux policy to prevent information leaks
-
-**[Extending SELinux Policy for
Containers](https://www.projectatomic.io/blog/2016/03/selinux-and-docker-part-2/)**
-Policy module for running containers as securely as possible
-
-**[Practical SELinux and
Containers](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)**
-How to make SELinux and containers work well together with best security
separation
-
-**[`no-new-privileges` Security Flag in Docker
](https://www.projectatomic.io/blog/2016/03/no-new-privs-docker/)**
-Explains `--no-new-privileges` flag usage
-
**[Container Labeling](https://danwalsh.livejournal.com/81269.html)**
-Explains `container_t` vs c`ontainer_var_lib_t`
+Explains `container_t` vs `container_var_lib_t`
**[`container_t` versus
`svirt_lxc_net_t`](https://danwalsh.livejournal.com/79191.html)**
Clarifys `container_t` versus `svirt_lxc_net_t` aliases
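Review bot: the surviving context line `Clarifys `container_t` versus `svirt_lxc_net_t` aliases` still carries the "Clarifys" typo ("Clarifies"); since this hunk already fixes the stray backtick on the neighbouring `container_var_lib_t` line, fix that one in the same commit. The hunk also drops all seven projectatomic.io links without a stated reason; if the pages are dead, say so in the commit message, and if they are not, keep at least the volume-labeling and `--no-new-privileges` entries, since nothing else in the visible README covers those topics.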
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.164.2/container.fc
new/container-selinux-2.171.0/container.fc
--- old/container-selinux-2.164.2/container.fc 2021-08-02 19:18:31.000000000
+0200
+++ new/container-selinux-2.171.0/container.fc 2021-11-10 23:21:41.000000000
+0100
@@ -116,6 +116,8 @@
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d
gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*
<<none>>
/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?
gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/rancher/k3s/data/.lock
gen_context(system_u:object_r:container_lock_t,s0)
+/var/lib/rancher/k3s/data/[^/]*/etc(/.*)?
gen_context(system_u:object_r:container_config_t,s0)
/var/run/flannel(/.*)?
gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s(/.*)?
gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?
gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
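Review bot: the `.` in `/var/lib/rancher/k3s/data/.lock` is an unescaped regex metacharacter in file_contexts syntax, so the entry also matches `/var/lib/rancher/k3s/data/Xlock` for any single character X; write it as `\.lock`. Two more points on the same pair of lines: new file_contexts entries only label files created after the policy is loaded, so existing k3s installs need a `restorecon -R /var/lib/rancher/k3s/data` (in `%post` or documented) before the `container_config_t` / `container_lock_t` labels take effect; and neither k3s entry is mentioned in the changelog, which lists only the five upstream policy changes.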
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.164.2/container.if
new/container-selinux-2.171.0/container.if
--- old/container-selinux-2.164.2/container.if 2021-08-02 19:18:31.000000000
+0200
+++ new/container-selinux-2.171.0/container.if 2021-11-10 23:21:41.000000000
+0100
@@ -608,6 +608,7 @@
type container_lock_t;
type container_log_t;
type container_config_t;
+ type container_file_t;
')
allow $1 container_runtime_t:process { ptrace signal_perms };
@@ -631,6 +632,8 @@
admin_pattern($1, container_unit_file_t)
allow $1 container_unit_file_t:service all_service_perms;
+ admin_pattern($1, container_file_t)
+
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
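Review bot: `admin_pattern($1, container_file_t)` hands callers of this interface full create/delete/relabel rights over everything labelled container_file_t, which is the writable content type container domains themselves use (see the `container_domain container_file_t` rules later in this diff: mounton, filesystem mount/remount/unmount, relabelfrom/relabelto). That is reasonable for an admin interface, but it changes what existing callers can touch and is not in the changelog; add a line there. The matching `type container_file_t;` in the gen_require hunk just above is present, so the interface will build.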
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/container-selinux-2.164.2/container.te
new/container-selinux-2.171.0/container.te
--- old/container-selinux-2.164.2/container.te 2021-08-02 19:18:31.000000000
+0200
+++ new/container-selinux-2.171.0/container.te 2021-11-10 23:21:41.000000000
+0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.164.2)
+policy_module(container, 2.171.0)
gen_require(`
class passwd rootok;
@@ -57,7 +57,7 @@
files_pid_file(spc_var_run_t)
type kubernetes_file_t;
-files_type(kubernetes_file_t)
+files_config_file(kubernetes_file_t)
type container_var_lib_t alias docker_var_lib_t;
files_type(container_var_lib_t)
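Review bot: switching `kubernetes_file_t` from `files_type` to `files_config_file` adds it to the `configfile` attribute, so every rule written against that attribute now reaches kubernetes_file_t content: the `files_read_all_config`-style callers in the base policy and, in this very tarball, the udica `config_container` templates, which give a generated container domain read (and in the rw/manage variants write) on `configfile`. If kubernetes_file_t labels kubelet or kubeconfig material carrying credentials, that is a real widening and deserves more than the one-line changelog entry; state which consumer the change is for.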
@@ -199,7 +199,7 @@
manage_blk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t,
container_runtime_tmpfs_t)
allow container_runtime_domain container_runtime_tmpfs_t:dir relabelfrom;
can_exec(container_runtime_domain, container_runtime_tmpfs_t)
-fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t, { dir
file })
+fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t,
dir_file_class_set)
allow container_runtime_domain container_runtime_tmpfs_t:chr_file mounton;
manage_dirs_pattern(container_runtime_domain, container_ro_file_t,
container_ro_file_t)
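Review bot: `dir_file_class_set` covers chr_file, blk_file, sock_file, fifo_file and lnk_file on top of the previous `{ dir file }`, so device nodes, sockets and pipes the runtime creates on tmpfs now also land in container_runtime_tmpfs_t. That is consistent with the `manage_blk_files_pattern`, `can_exec` and `chr_file mounton` rules visible in this hunk, but a type transition does not grant creation by itself; confirm the matching `manage_chr_files_pattern`/`manage_sock_files_pattern`/`manage_fifo_files_pattern` lines exist above this hunk, otherwise the added classes in the transition are dead.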
@@ -802,7 +802,7 @@
manage_sock_files_pattern(container_domain, container_file_t, container_file_t)
allow container_domain container_file_t:{file dir} mounton;
allow container_domain container_file_t:filesystem { mount remount unmount };
-fs_tmpfs_filetrans(container_domain, container_file_t, { dir file })
+fs_tmpfs_filetrans(container_domain, container_file_t, { dir file lnk_file })
allow container_domain container_file_t:dir_file_class_set { relabelfrom
relabelto map };
container_read_share_files(container_domain)
container_exec_share_files(container_domain)
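Review bot: adding `lnk_file` to the `fs_tmpfs_filetrans` for container_domain only sets the default type of symlinks created on tmpfs; the create itself still needs `container_domain container_file_t:lnk_file { create ... }`, and the only pattern visible in this hunk is `manage_sock_files_pattern`. Check that a `manage_lnk_files_pattern(container_domain, container_file_t, container_file_t)` (or equivalent) is already present above, or the denial this change is meant to fix just moves from tmpfs_t to container_file_t.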
@@ -875,7 +875,6 @@
gen_require(`
type container_file_t;
')
-fs_noxattr_type(container_file_t)
# fs_associate_cgroupfs(container_file_t)
gen_require(`
type cgroup_t;
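Review bot: dropping `fs_noxattr_type(container_file_t)` is a behaviour change the changelog does not mention. That interface puts the type into the `noxattrfs` attribute, so every domain that reaches container volumes through `fs_read_noxattr_fs`, `fs_manage_noxattr_fs` and similar attribute-based rules loses that access after this update; where container_file_t is applied by mount context on filesystems without xattr support (NFS, vfat), callers may have relied on exactly that. Either add a changelog entry with the motivation or point at the upstream commit so packagers can judge the regression risk.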
@@ -1033,6 +1032,7 @@
container_read_pid_files(iptables_t)
container_read_state(iptables_t)
container_append_file(iptables_t)
+allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
optional_policy(`
gen_require(`
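Review bot: `rw_fifo_file_perms` includes `open`, but the case the changelog describes ("allow iptables to use fifo files of a container runtime") is iptables being exec'd by the runtime with pipes already on its fds, which only needs `rw_inherited_fifo_file_perms` (the same set minus `open`). The inherited variant keeps iptables_t from opening runtime-owned named pipes on its own. Also note that `container_runtime_domain` is an attribute, so the rule applies to every runtime domain, not only container_runtime_t; probably intended, but worth a comment, since the neighbouring lines use interfaces rather than a raw `allow`.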
@@ -1112,6 +1112,8 @@
container_domain_template(container_logreader)
typeattribute container_logreader_t container_net_domain;
logging_read_all_logs(container_logreader_t)
+# Remove once https://github.com/fedora-selinux/selinux-policy/pull/898 merges
+allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
logging_read_audit_log(container_logreader_t)
logging_list_logs(container_logreader_t)
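Review bot: the raw `allow container_logreader_t logfile:lnk_file read_lnk_file_perms;` references the `logfile` attribute directly; unless `attribute logfile;` is already in a `gen_require` for this file the module will not build, because the interface calls around it (`logging_read_all_logs`, `logging_list_logs`) carry their own requires and do not export the attribute to the caller. The comment pointing at fedora-selinux/selinux-policy#898 is the right way to mark a temporary workaround.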
@@ -1126,6 +1128,7 @@
gen_require(`
type sysadm_t, staff_t, user_t;
role sysadm_r, staff_r, user_r;
+ attribute userdomain;
')
container_runtime_run(sysadm_t, sysadm_r)
@@ -1139,6 +1142,10 @@
role user_r types container_user_domain;
staff_role_change_to(system_r)
+
+ allow staff_t container_runtime_t:process signal_perms;
+ allow staff_t container_domain:process signal_perms;
+ allow container_domain userdomain:unix_stream_socket { accept ioctl
read getattr lock write append getopt };
')
gen_require(`
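Review bot: `allow staff_t container_domain:process signal_perms` lets any staff_r session send the full signal set, including sigkill and sigstop, to every container process on the host that DAC lets it reach, not only to containers it socket-activated. If the socket-activation case in the changelog is the motivation, scope it to `container_user_domain` (visible in the same optional block) or to the narrower `{ signull sigchld }` subset and comment the intent. The `unix_stream_socket { accept ioctl read getattr lock write append getopt }` set is repeated verbatim for init_t in the next hunk; one `define` for the socket-activation permission set would keep the two from drifting.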
@@ -1157,6 +1164,7 @@
')
dontaudit container_domain device_node:chr_file setattr;
dontaudit container_domain sysctl_type:file write;
+allow container_domain init_t:unix_stream_socket { accept ioctl read getattr
lock write append getopt };
allow container_t proc_t:filesystem remount;
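Review bot: this rule is unconditional for the whole container_domain attribute, unlike the userdomain variant just above which sits inside the user-role optional block. `accept` on an init_t unix_stream_socket is the socket-activation path (systemd creates the listening socket and passes the fd), which matches the changelog, but it also means any container domain handed an init-owned stream socket fd can accept and read on it. That is fine for the stated use; add a one-line comment above the `allow`, since the surrounding lines are dontaudits and the intent is not obvious to the next reader.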
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.164.2/contrib/container-selinux.spec
new/container-selinux-2.171.0/contrib/container-selinux.spec
--- old/container-selinux-2.164.2/contrib/container-selinux.spec
2021-08-02 19:18:31.000000000 +0200
+++ new/container-selinux-2.171.0/contrib/container-selinux.spec
2021-11-10 23:21:41.000000000 +0100
@@ -78,6 +78,8 @@
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/services
install -p -m 644 container.if
%{buildroot}%{_datadir}/selinux/devel/include/services
install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/udica/templates
+install -m 0644 udica-templates/*.cil %{buildroot}%{_datadir}/udica/templates
# remove spec file
rm -rf container-selinux.spec
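Review bot: this is the upstream `contrib/` spec, not the openSUSE one; the openSUSE `container-selinux.spec` diff earlier in this request only bumps `Version`, so unless its `%files` already globs `%{_datadir}/udica`, the new `udica-templates/*.cil` shipped in the tarball are not packaged on openSUSE at all. Mirror this `install -d` / `install -m 0644` pair and the corresponding `%files` entry in the openSUSE spec, or state in the changelog that the templates are intentionally not shipped.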
@@ -112,6 +114,7 @@
%files
%doc README.md
%{_datadir}/selinux/*
+%{_datadir}/udica/templates/*
%changelog
* Fri Jan 06 2017 Dan Walsh <[email protected]> - 2:2.1-1
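Review bot: `%{_datadir}/udica/templates/*` lists the files but owns neither `%{_datadir}/udica` nor `%{_datadir}/udica/templates`, which the `install -d` in the hunk above creates; rpmlint will flag both as unowned directories. Use `%{_datadir}/udica/templates/` (a directory entry owns the directory and its contents) and add `%dir %{_datadir}/udica` unless a udica package is declared as the owner.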
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.164.2/udica-templates/base_container.cil
new/container-selinux-2.171.0/udica-templates/base_container.cil
--- old/container-selinux-2.164.2/udica-templates/base_container.cil
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/base_container.cil
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,14 @@
+(block container
+(type process)
+(type socket)
+(roletype system_r process)
+(typeattributeset domain (process ))
+(typeattributeset container_domain (process ))
+(typeattributeset svirt_sandbox_domain (process ))
+(typeattributeset mcs_constrained_type (process ))
+(typeattributeset file_type (socket ))
+(allow process socket (sock_file (create open getattr setattr read write
rename link unlink ioctl lock append)))
+(allow process proc_type (file (getattr open read)))
+(allow process cpu_online_t (file (getattr open read)))
+(allow container_runtime_t process (key (create link read search setattr view
write)))
+)
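Review bot: unlike every other template in this set, `base_container` has no `optional` wrapper, so a udica-generated module fails to load on a host whose base policy lacks `cpu_online_t`, `svirt_sandbox_domain` or `mcs_constrained_type`; that is defensible for the base block, but it should be stated in a comment at the top of the file, because these files are installed under `%{_datadir}/udica/templates` and consumed by a tool outside this package. `(allow container_runtime_t process (key (create link read search setattr view write)))` gives the runtime full keyring control over the container domain, including `write` and `setattr`; say in a comment which runtime operation needs the write half, since the rest of the block is read-mostly.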
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.164.2/udica-templates/config_container.cil
new/container-selinux-2.171.0/udica-templates/config_container.cil
--- old/container-selinux-2.164.2/udica-templates/config_container.cil
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/config_container.cil
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,24 @@
+(block config_container
+ (optional config_container_optional
+ (allow process configfile (dir (ioctl read getattr lock search
open)))
+ (allow process configfile (file (ioctl read getattr lock open)))
+ (allow process configfile (lnk_file (read getattr)))
+ )
+)
+
+(block config_rw_container
+ (blockinherit config_container)
+ (optional config_rw_container_optional
+ (allow process configfile (dir (ioctl read write getattr lock
append open)))
+ (allow process configfile (file (ioctl read write getattr lock
append open)))
+ (allow process configfile (lnk_file (ioctl read write getattr
lock append open)))
+ )
+)
+
+(block config_manage_container
+ (optional config_manage_container_optional
+ (allow process configfile (dir (ioctl read write create getattr
setattr lock unlink link rename add_name remove_name reparent search rmdir
open)))
+ (allow process configfile (file (ioctl read write create
getattr setattr lock append unlink link rename open)))
+ (allow process configfile (lnk_file (ioctl read write create
getattr setattr lock append unlink link rename open)))
+ )
+)
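Review bot: `config_rw_container` and `config_manage_container` grant `write` on the whole `configfile` attribute, which in the base policy covers far more than one application's config (this same diff adds `kubernetes_file_t` to it), and on system files at `s0` the MCS categories udica assigns constrain nothing, so DAC is the only thing between such a container and host configuration. Either the block names should make that clear or the rw/manage variants should target a narrower type. Two smaller points: `config_manage_container` does not `blockinherit config_rw_container` the way `home_manage_container` and `log_manage_container` inherit their rw blocks (it works because the manage rules are a superset, but the inconsistency invites drift), and `lnk_file (... write append open ...)` is meaningless for symlinks, which are never opened or written; `{ read getattr }` plus the create/unlink/rename verbs is enough.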
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.164.2/udica-templates/home_container.cil
new/container-selinux-2.171.0/udica-templates/home_container.cil
--- old/container-selinux-2.164.2/udica-templates/home_container.cil
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/home_container.cil
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,37 @@
+(block home_container
+ (optional home_container_optional
+ (allow process process (capability (dac_override )))
+
+ (allow process user_home_dir_t (dir (getattr search open read
lock ioctl)))
+ (allow process home_root_t (dir (getattr search open read lock
ioctl)))
+ (allow process user_home_t (dir (getattr search open read lock
ioctl)))
+
+ (allow process user_home_dir_t (file (getattr ioctl lock open
read)))
+ (allow process user_home_t (file (getattr ioctl lock open
read)))
+ )
+)
+
+
+(block home_rw_container
+ (blockinherit home_container)
+ (optional home_rw_container_optional
+ (allow process user_home_dir_t (dir (open getattr setattr read
write link search add_name remove_name reparent lock ioctl)))
+ (allow process home_root_t (dir (open getattr setattr read
write link search add_name remove_name reparent lock ioctl)))
+ (allow process user_home_t (dir (open getattr setattr read
write link search add_name remove_name reparent lock ioctl)))
+
+ (allow process user_home_t (file (open getattr read write
append ioctl lock)))
+ (allow process user_home_dir_t (file (open getattr read write
append ioctl lock)))
+ )
+)
+
+(block home_manage_container
+ (blockinherit home_rw_container)
+ (optional home_manage_container_optional
+ (allow process user_home_dir_t (dir (create unlink rename rmdir
)))
+ (allow process home_root_t (dir (create unlink rename rmdir )))
+ (allow process user_home_t (dir (create unlink rename rmdir )))
+
+ (allow process user_home_t (file (create rename link unlink )))
+ (allow process user_home_dir_t (file (create rename link unlink
)))
+ )
+)
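Review bot: `(allow process process (capability (dac_override)))` sits in the read-only `home_container` tier and is inherited by the rw and manage tiers; dac_override bypasses owner/group/mode checks on every object SELinux otherwise allows the container, not just home directories, and it removes the DAC backstop that the other templates in this set implicitly rely on. For a read tier `dac_read_search` is the narrower capability, and even that is questionable when the point of a per-container policy is that the container runs as the user who owns the files; at minimum move it to `home_rw_container` and comment why it is needed. The inherit chain read -> rw -> manage and the per-tier directory permission sets are otherwise consistent.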
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.164.2/udica-templates/log_container.cil
new/container-selinux-2.171.0/udica-templates/log_container.cil
--- old/container-selinux-2.164.2/udica-templates/log_container.cil
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/log_container.cil
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,35 @@
+(block log_container
+ (optional log_container_optional
+ (allow process var_t (dir (getattr search open)))
+ (allow process logfile (dir (ioctl read getattr lock search
open)))
+ (allow process logfile (file (ioctl read getattr lock open
map)))
+ (allow process auditd_log_t (dir (ioctl read getattr lock
search open)))
+ (allow process auditd_log_t (file (ioctl read getattr lock
open)))
+ )
+)
+
+
+(block log_rw_container
+ (blockinherit log_container)
+
+ (optional log_rw_container_optional
+ (allow process logfile (dir (ioctl read write create getattr
setattr lock add_name search open)))
+ (allow process logfile (file (ioctl read write create getattr
setattr lock append open)))
+ (allow process logfile (lnk_file (ioctl read write getattr lock
append open)))
+ (allow process var_t (dir (getattr search open)))
+ (allow process auditd_log_t (dir (ioctl read getattr lock
search open)))
+ (allow process auditd_log_t (file (ioctl read getattr lock
open)))
+ )
+)
+
+(block log_manage_container
+ (blockinherit log_rw_container)
+
+ (optional log_manage_container_optional
+ (allow process logfile (dir (ioctl read write create getattr
setattr lock unlink link rename add_name remove_name reparent search rmdir
open)))
+ (allow process logfile (file (ioctl read write create getattr
setattr lock append unlink link rename open)))
+ (allow process logfile (lnk_file (ioctl read write create
getattr setattr lock append unlink link rename)))
+ (allow process auditd_log_t (dir (ioctl read write getattr lock
search open)))
+ (allow process auditd_log_t (file (ioctl read write getattr
lock open)))
+ )
+)
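Review bot: `log_manage_container` grants `write` on `auditd_log_t` dirs and files, which lets the container modify or truncate the host audit trail; that is a different trust level from managing application logs and should not be bundled under "manage logs". Drop the two `auditd_log_t` rules from the manage tier or split them into an explicit audit template. Separately, `log_rw_container` restates the `var_t` rule and both `auditd_log_t` rules it already inherits from `log_container` through `blockinherit`; delete the duplicates so the difference between tiers shows only the added permissions. Note also `map` on `logfile` files in the read tier: it permits mmap of log files, which `read` alone does not.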
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.164.2/udica-templates/net_container.cil
new/container-selinux-2.171.0/udica-templates/net_container.cil
--- old/container-selinux-2.164.2/udica-templates/net_container.cil
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/net_container.cil
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,25 @@
+(block net_container
+ (optional net_container_optional
+ (typeattributeset sandbox_net_domain (process))
+ )
+)
+
+(block restricted_net_container
+ (optional restricted_net_container_optional
+ (allow process process (tcp_socket (ioctl read getattr lock
write setattr append bind connect getopt setopt shutdown create listen accept)))
+ (allow process process (udp_socket (ioctl read getattr lock
write setattr append bind connect getopt setopt shutdown create)))
+ (allow process process (sctp_socket (ioctl read getattr lock
write setattr append bind connect getopt setopt shutdown create)))
+
+ (allow process proc_t (lnk_file (read)))
+
+ (allow process node_t (node (tcp_recv tcp_send recvfrom
sendto)))
+ (allow process node_t (node (udp_recv recvfrom)))
+ (allow process node_t (node (udp_send sendto)))
+
+ (allow process node_t (udp_socket (node_bind)))
+ (allow process node_t (tcp_socket (node_bind)))
+
+ (allow process http_port_t (tcp_socket (name_connect)))
+ (allow process http_port_t (tcp_socket (recv_msg send_msg)))
+ )
+)
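Review bot: the split between `net_container` (joins `sandbox_net_domain`, i.e. whatever the base policy gives sandboxed containers) and `restricted_net_container` (an explicit allowlist) is the right shape, but the restricted block grants `listen` and `accept` on tcp_socket while nothing grants `name_bind` on any port type, so a container using it cannot bind a port at all and those two permissions are dead; either drop them or add the intended `name_bind`. `recv_msg`/`send_msg` on `http_port_t` only matter under labeled networking (SECMARK/NetLabel) and are harmless otherwise, and the lone `(allow process proc_t (lnk_file (read)))` looks like it belongs in `base_container` rather than in a network template.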
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.164.2/udica-templates/tmp_container.cil
new/container-selinux-2.171.0/udica-templates/tmp_container.cil
--- old/container-selinux-2.164.2/udica-templates/tmp_container.cil
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/tmp_container.cil
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,15 @@
+(block tmp_container
+ (optional tmp_container_optional
+ (allow process tmpfile (dir (getattr search open)))
+ (allow process tmpfile (file (ioctl read getattr lock open)))
+ )
+)
+
+(block tmp_rw_container
+ (blockinherit tmp_container)
+
+ (optional tmp_rw_container_optional
+ (allow process tmpfile (file (ioctl read write getattr lock
append open)))
+ (allow process tmpfile (dir (ioctl read write getattr lock
append open)))
+ )
+)
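Review bot: `tmp_rw_container` adds `write`/`append` on `tmpfile` dirs and files but no `add_name`, `remove_name` or `create`, so the container can modify existing temp files it can find but cannot create its own; that is an odd middle ground and not what a user picking "rw" expects. Either add the create set, as `home_rw_container` does with `add_name remove_name`, or document it as modify-only. Also, `tmpfile` is the attribute carried by every domain's private temp type (`*_tmp_t`), not only `/tmp`, so the rw tier reaches other services' temporary files wherever DAC allows; consider `tmp_t` plus the container's own tmp type unless cross-service access is intended.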
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.164.2/udica-templates/tty_container.cil
new/container-selinux-2.171.0/udica-templates/tty_container.cil
--- old/container-selinux-2.164.2/udica-templates/tty_container.cil
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/tty_container.cil
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,9 @@
+(block tty_container
+ (optional tty_container_optional
+ (allow process device_t (dir (getattr search open)))
+ (allow process device_t (dir (ioctl read getattr lock search
open)))
+ (allow process device_t (lnk_file (read getattr)))
+
+ (allow process devtty_t (chr_file (ioctl read write getattr
lock append open)))
+ )
+)
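Review bot: the two `device_t (dir ...)` rules overlap; the second `(ioctl read getattr lock search open)` is a superset of the first `(getattr search open)`, so the first can go. `devtty_t` is `/dev/tty`, the controlling terminal, which is what a `-t` run needs; pseudo-terminals the runtime allocates are labelled with different types, so if the template is meant to cover those too it will not be enough, and a comment stating the expected scope would save the next reader a denial hunt.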
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.164.2/udica-templates/virt_container.cil
new/container-selinux-2.171.0/udica-templates/virt_container.cil
--- old/container-selinux-2.164.2/udica-templates/virt_container.cil
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/virt_container.cil
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,14 @@
+(block virt_container
+ (optional virt_container_optional
+ (allow process var_t (dir (getattr search open)))
+ (allow process var_t (lnk_file (read getattr)))
+
+ (allow process var_run_t (dir (getattr search open)))
+ (allow process var_run_t (lnk_file (read getattr)))
+
+ (allow process virt_var_run_t (dir (getattr search open)))
+ (allow process virt_var_run_t (sock_file (write getattr append
open)))
+
+ (allow process virtd_t (unix_stream_socket (connectto)))
+ )
+)
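Review bot: `(allow process virtd_t (unix_stream_socket (connectto)))` together with `write` on `virt_var_run_t` sock_files gives the container a client connection to the libvirt daemon socket; a client on the read-write libvirt socket can define and start VMs backed by arbitrary host block devices and paths, so this template is effectively host-level privilege gated only by the socket's DAC (the libvirt group or polkit). Put that in a comment at the top of the block so nobody treats `virt_container` as a low-risk addition, and consider whether the read-only libvirt socket covers the intended use.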
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/container-selinux-2.164.2/udica-templates/x_container.cil
new/container-selinux-2.171.0/udica-templates/x_container.cil
--- old/container-selinux-2.164.2/udica-templates/x_container.cil
1970-01-01 01:00:00.000000000 +0100
+++ new/container-selinux-2.171.0/udica-templates/x_container.cil
2021-11-10 23:21:41.000000000 +0100
@@ -0,0 +1,25 @@
+(block x_container
+ (optional x_container_optional
+ (allow xserver_t process (shm (getattr read write associate
unix_read unix_write lock)))
+
+ (allow process xserver_t (unix_stream_socket (connectto)))
+
+ (allow process device_t (dir (getattr search open)))
+
+ (allow process dri_device_t (chr_file (ioctl read write getattr
lock append open map)))
+
+ (allow process xserver_misc_device_t (chr_file (ioctl read
write getattr lock append open map)))
+
+ (allow process urandom_device_t (chr_file (open read)))
+
+ (allow process tmpfs_t (dir (getattr search open)))
+
+ (allow process tmp_t (dir (getattr search open)))
+ (allow process tmp_t (lnk_file (read getattr)))
+
+ (allow process xserver_tmp_t (dir (getattr search open)))
+ (allow process xserver_tmp_t (sock_file (write getattr append
open)))
+
+ (allow process xserver_exec_t (file (ioctl read getattr lock
map execute execute_no_trans open)))
+ )
+)
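Review bot: two lines deserve a comment in the block. `(allow process xserver_t (unix_stream_socket (connectto)))` is full X11 client access; X has no isolation between clients, so a container with this template can read keystrokes and window contents of every other client on that display, which is a much stronger grant than the DRI and shm lines suggest. `(allow process xserver_exec_t (file (... execute execute_no_trans ...)))` lets the container run the X server binary in its own domain without a transition; if that is for Xvfb or Xwayland inside the container, say so, otherwise drop `execute_no_trans`. The reversed-subject rule `(allow xserver_t process (shm ...))` is correct for MIT-SHM, where the server attaches the client's segments.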