Update oracle linux selinux to match docker upstream

Add a dependency on specific selinux version for OL on docker-engine.spec

Signed-off-by: Thomas Tanaka <thomas.tanaka@oracle.com>
Thomas Tanaka 2017-03-02 13:59:05 -08:00
parent 3c22c7d5e9
commit fc7cc1cc75
8 changed files with 123 additions and 394 deletions


@ -1,8 +1,8 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
@ -15,7 +15,7 @@ software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
@ -55,7 +55,7 @@ patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
@ -225,7 +225,7 @@ impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
@ -278,7 +278,7 @@ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
@ -303,9 +303,10 @@ the "copyright" line and a pointer to where the full notice is found.
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
@ -335,5 +336,5 @@ necessary. Here is a sample; alter the names:
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.


@ -14,10 +14,3 @@ all: ${TARGETS:=.pp.bz2}
clean:
rm -f *~ *.tc *.pp *.pp.bz2
rm -rf tmp *.tar.gz
man: install
sepolicy manpage --domain ${TARGETS}_t
install:
semodule -i ${TARGETS}


@ -1,33 +1,18 @@
/root/\.docker gen_context(system_u:object_r:docker_home_t,s0)
/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
/usr/bin/docker-novolume-plugin -- gen_context(system_u:object_r:docker_auth_exec_t,s0)
/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:docker_auth_exec_t,s0)
/usr/bin/dockerd -- gen_context(system_u:object_r:docker_exec_t,s0)
/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
/usr/lib/systemd/system/docker-novolume-plugin.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
/etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0)
/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
/var/lib/kublet(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
/var/lib/docker/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
/var/run/docker(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
/var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:docker_plugin_var_run_t,s0)
/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0)
/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
# OL7.2 systemd selinux update
/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
/var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
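Review bot: `/var/lib/kublet(/.*)?` looks like a misspelling of `kubelet`. If that entry survives on the new side (the page no longer shows which lines were removed), the kubelet state directory would presumably not receive `docker_var_lib_t` from this file and would keep whatever default label it inherits. Either correct the path or add a comment such as `# spelling kept to match docker upstream` so the mismatch is a recorded decision. It is also worth confirming with `matchpathcon` on a built package that the remaining paths resolve to the intended types after the plugin, lxc and systemd-machined entries are dropped.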


@ -112,28 +112,7 @@ interface(`docker_read_share_files',`
')
files_search_var_lib($1)
list_dirs_pattern($1, docker_share_t, docker_share_t)
read_files_pattern($1, docker_share_t, docker_share_t)
read_lnk_files_pattern($1, docker_share_t, docker_share_t)
')
######################################
## <summary>
## Allow the specified domain to execute docker shared files
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_exec_share_files',`
gen_require(`
type docker_share_t;
')
can_exec($1, docker_share_t)
')
########################################
@ -305,7 +284,7 @@ interface(`docker_filetrans_named_content',`
gen_require(`
type docker_var_lib_t;
type docker_share_t;
type docker_log_t;
type docker_log_t;
type docker_var_run_t;
type docker_home_t;
')
@ -313,7 +292,6 @@ interface(`docker_filetrans_named_content',`
files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
logging_log_filetrans($1, docker_log_t, dir, "lxc")
files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
@ -362,6 +340,7 @@ interface(`docker_spc_stream_connect',`
allow $1 spc_t:unix_stream_socket connectto;
')
########################################
## <summary>
## All of the rules required to administrate
@ -410,250 +389,73 @@ interface(`docker_admin',`
')
')
########################################
## <summary>
## Execute docker_auth_exec_t in the docker_auth domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_auth_domtrans',`
interface(`domain_stub_named_filetrans_domain',`
gen_require(`
attribute named_filetrans_domain;
')
')
interface(`lvm_stub',`
gen_require(`
type lvm_t;
')
')
interface(`staff_stub',`
gen_require(`
type staff_t;
')
')
interface(`virt_stub_svirt_sandbox_domain',`
gen_require(`
type docker_auth_t, docker_auth_exec_t;
attribute svirt_sandbox_domain;
')
')
interface(`virt_stub_svirt_sandbox_file',`
gen_require(`
type svirt_sandbox_file_t;
')
')
interface(`fs_dontaudit_remount_tmpfs',`
gen_require(`
type tmpfs_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
dontaudit $1 tmpfs_t:filesystem remount;
')
######################################
## <summary>
## Execute docker_auth in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_auth_exec',`
interface(`dev_dontaudit_list_all_dev_nodes',`
gen_require(`
type docker_auth_exec_t;
type device_t;
')
corecmd_search_bin($1)
can_exec($1, docker_auth_exec_t)
dontaudit $1 device_t:dir list_dir_perms;
')
########################################
## <summary>
## Connect to docker_auth over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_auth_stream_connect',`
interface(`kernel_unlabeled_entry_type',`
gen_require(`
type docker_auth_t, docker_plugin_var_run_t;
type unlabeled_t;
')
files_search_pids($1)
stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
domain_entry_file($1, unlabeled_t)
')
########################################
## <summary>
## docker domain typebounds calling domain.
## </summary>
## <param name="domain">
## <summary>
## Domain to be typebound.
## </summary>
## </param>
#
interface(`docker_typebounds',`
interface(`kernel_unlabeled_domtrans',`
gen_require(`
type docker_t;
type unlabeled_t;
')
typebounds docker_t $1;
read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
domain_transition_pattern($1, unlabeled_t, $2)
type_transition $1 unlabeled_t:process $2;
')
########################################
## <summary>
## Allow any docker_exec_t to be an entrypoint of this domain
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`docker_entrypoint',`
interface(`files_write_all_pid_sockets',`
gen_require(`
type docker_exec_t;
attribute pidfile;
')
allow $1 docker_exec_t:file entrypoint;
allow $1 pidfile:sock_file write_sock_file_perms;
')
interface(`dev_dontaudit_mounton_sysfs',`
gen_require(`
type sysfs_t;
')
########################################
## <summary>
## Send and receive messages from
## systemd machined over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_dbus_chat_machined',`
gen_require(`
type systemd_machined_t;
class dbus send_msg;
')
allow $1 systemd_machined_t:dbus send_msg;
allow systemd_machined_t $1:dbus send_msg;
ps_process_pattern(systemd_machined_t, $1)
dontaudit $1 sysfs_t:dir mounton;
')
########################################
## <summary>
## Allow any svirt_sandbox_file_t to be an entrypoint of this domain
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`virt_sandbox_entrypoint',`
gen_require(`
type svirt_sandbox_file_t;
')
allow $1 svirt_sandbox_file_t:file entrypoint;
')
########################################
## <summary>
## Send and receive messages from
## virt over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_dbus_chat',`
gen_require(`
type virtd_t;
class dbus send_msg;
')
allow $1 virtd_t:dbus send_msg;
allow virtd_t $1:dbus send_msg;
ps_process_pattern(virtd_t, $1)
')
#######################################
## <summary>
## Read the process state of virt sandbox containers
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_sandbox_read_state',`
gen_require(`
attribute svirt_sandbox_domain;
')
ps_process_pattern($1, svirt_sandbox_domain)
')
######################################
## <summary>
## Send a signal to sandbox domains
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_signal_sandbox',`
gen_require(`
attribute svirt_sandbox_domain;
')
allow $1 svirt_sandbox_domain:process signal;
')
#######################################
## <summary>
## Getattr Sandbox File systems
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_getattr_sandbox_filesystem',`
gen_require(`
type svirt_sandbox_file_t;
')
allow $1 svirt_sandbox_file_t:filesystem getattr;
')
#######################################
## <summary>
## Read Sandbox Files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_read_sandbox_files',`
gen_require(`
type svirt_sandbox_file_t;
')
list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
read_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
read_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
')
#######################################
## <summary>
## Read the process state of spc containers
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_spc_read_state',`
gen_require(`
type spc_t;
')
ps_process_pattern($1, spc_t)
')
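Review bot: The interfaces that appear to be added in the last hunk (`kernel_unlabeled_entry_type`, `kernel_unlabeled_domtrans`, `files_write_all_pid_sockets`, the `*_stub` helpers and the `*_dontaudit_*` wrappers) carry none of the `## <summary>` / `## <param>` headers that the other interfaces in this file have. They are also declared inside the docker module under `kernel_`, `files_`, `dev_` and `fs_` prefixes that normally belong to base-policy modules; whether the pinned selinux-policy already ships interfaces with these names is not visible here and should be checked before relying on this definition. `kernel_unlabeled_entry_type` and `kernel_unlabeled_domtrans` need a header most, since they allow a domain to be entered through `unlabeled_t` files; a summary like `## Allow the specified domain to be entered through unlabeled_t files.` with one `<param>` for `$1` and, for the domtrans, a second for `$2` would make that grant reviewable.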


@ -23,10 +23,6 @@ type spc_t;
domain_type(spc_t)
role system_r types spc_t;
type docker_auth_t;
type docker_auth_exec_t;
init_daemon_domain(docker_auth_t, docker_auth_exec_t)
type spc_var_run_t;
files_pid_file(spc_var_run_t)
@ -54,9 +50,6 @@ files_tmpfs_file(docker_tmpfs_t)
type docker_var_run_t;
files_pid_file(docker_var_run_t)
type docker_plugin_var_run_t;
files_pid_file(docker_plugin_var_run_t)
type docker_unit_file_t;
systemd_unit_file(docker_unit_file_t)
@ -66,20 +59,6 @@ term_pty(docker_devpts_t)
type docker_share_t;
files_type(docker_share_t)
# OL7 systemd selinux update
type systemd_machined_t;
type systemd_machined_exec_t;
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
# /run/systemd/machines
type systemd_machined_var_run_t;
files_pid_file(systemd_machined_var_run_t)
# /var/lib/machines
type systemd_machined_var_lib_t;
files_type(systemd_machined_var_lib_t)
########################################
#
# docker local policy
@ -93,8 +72,6 @@ allow docker_t self:tcp_socket create_stream_socket_perms;
allow docker_t self:udp_socket create_socket_perms;
allow docker_t self:capability2 block_suspend;
docker_auth_stream_connect(docker_t)
manage_files_pattern(docker_t, docker_home_t, docker_home_t)
manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
@ -106,7 +83,6 @@ files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
manage_files_pattern(docker_t, docker_log_t, docker_log_t)
@ -229,10 +205,6 @@ optional_policy(`
openvswitch_stream_connect(docker_t)
')
#
# lxc rules
#
allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
@ -314,7 +286,6 @@ optional_policy(`
optional_policy(`
systemd_dbus_chat_logind(docker_t)
systemd_dbus_chat_machined(docker_t)
')
optional_policy(`
@ -326,11 +297,6 @@ optional_policy(`
udev_read_db(docker_t)
')
optional_policy(`
unconfined_domain(docker_t)
# unconfined_typebounds(docker_t)
')
optional_policy(`
virt_read_config(docker_t)
virt_exec(docker_t)
@ -339,12 +305,10 @@ optional_policy(`
virt_exec_sandbox_files(docker_t)
virt_manage_sandbox_files(docker_t)
virt_relabel_sandbox_filesystem(docker_t)
# for lxc
virt_transition_svirt_sandbox(docker_t, system_r)
virt_mounton_sandbox_file(docker_t)
# virt_attach_sandbox_tun_iface(docker_t)
allow docker_t svirt_sandbox_domain:tun_socket relabelfrom;
virt_sandbox_entrypoint(docker_t)
')
tunable_policy(`docker_connect_any',`
@ -357,19 +321,17 @@ tunable_policy(`docker_connect_any',`
#
# spc local policy
#
allow spc_t { docker_var_lib_t docker_share_t }:file entrypoint;
domain_entry_file(spc_t, docker_share_t)
domain_entry_file(spc_t, docker_var_lib_t)
role system_r types spc_t;
domain_entry_file(spc_t, docker_share_t)
domain_entry_file(spc_t, docker_var_lib_t)
domtrans_pattern(docker_t, docker_share_t, spc_t)
domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
allow docker_t spc_t:process { setsched signal_perms };
ps_process_pattern(docker_t, spc_t)
allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
filetrans_pattern(docker_t, docker_var_lib_t, docker_share_t, dir, "overlay")
optional_policy(`
systemd_dbus_chat_machined(spc_t)
')
optional_policy(`
dbus_chat_system_bus(spc_t)
@ -379,87 +341,67 @@ optional_policy(`
unconfined_domain_noaudit(spc_t)
')
optional_policy(`
unconfined_domain(docker_t)
')
optional_policy(`
virt_transition_svirt_sandbox(spc_t, system_r)
virt_sandbox_entrypoint(spc_t)
')
########################################
#
# docker_auth local policy
# docker upstream policy
#
allow docker_auth_t self:fifo_file rw_fifo_file_perms;
allow docker_auth_t self:unix_stream_socket create_stream_socket_perms;
dontaudit docker_auth_t self:capability net_admin;
docker_stream_connect(docker_auth_t)
manage_dirs_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
manage_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
manage_sock_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
manage_lnk_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
files_pid_filetrans(docker_auth_t, docker_plugin_var_run_t, { dir file lnk_file sock_file })
domain_use_interactive_fds(docker_auth_t)
kernel_read_net_sysctls(docker_auth_t)
auth_use_nsswitch(docker_auth_t)
files_read_etc_files(docker_auth_t)
miscfiles_read_localization(docker_auth_t)
sysnet_dns_name_resolve(docker_auth_t)
########################################
#
# OL7.2 systemd selinux update
# systemd_machined local policy
#
allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace };
allow systemd_machined_t systemd_unit_file_t:service { status start };
allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines")
manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
kernel_dgram_send(systemd_machined_t)
# This is a bug, but need for now.
kernel_read_unlabeled_state(systemd_machined_t)
init_dbus_chat(systemd_machined_t)
init_status(systemd_machined_t)
userdom_dbus_send_all_users(systemd_machined_t)
term_use_ptmx(systemd_machined_t)
optional_policy(`
dbus_connect_system_bus(systemd_machined_t)
dbus_system_bus_client(systemd_machined_t)
# domain_stub_named_filetrans_domain()
gen_require(`
attribute named_filetrans_domain;
')
docker_filetrans_named_content(named_filetrans_domain)
')
optional_policy(`
docker_read_share_files(systemd_machined_t)
docker_spc_read_state(systemd_machined_t)
lvm_stub()
docker_rw_sem(lvm_t)
')
optional_policy(`
virt_dbus_chat(systemd_machined_t)
virt_sandbox_read_state(systemd_machined_t)
virt_signal_sandbox(systemd_machined_t)
virt_stream_connect_sandbox(systemd_machined_t)
virt_rw_svirt_dev(systemd_machined_t)
virt_getattr_sandbox_filesystem(systemd_machined_t)
virt_read_sandbox_files(systemd_machined_t)
staff_stub()
docker_stream_connect(staff_t)
docker_exec(staff_t)
')
optional_policy(`
virt_stub_svirt_sandbox_domain()
virt_stub_svirt_sandbox_file()
allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;
docker_read_share_files(svirt_sandbox_domain)
docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
docker_use_ptys(svirt_sandbox_domain)
docker_spc_stream_connect(svirt_sandbox_domain)
fs_list_tmpfs(svirt_sandbox_domain)
fs_rw_hugetlbfs_files(svirt_sandbox_domain)
fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
tunable_policy(`virt_sandbox_use_fusefs',`
fs_manage_fusefs_dirs(svirt_sandbox_domain)
fs_manage_fusefs_files(svirt_sandbox_domain)
fs_manage_fusefs_symlinks(svirt_sandbox_domain)
')
gen_require(`
attribute domain;
')
dontaudit svirt_sandbox_domain domain:key {search link};
')
optional_policy(`
gen_require(`
type pcp_pmcd_t;
')
docker_manage_lib_files(pcp_pmcd_t)
')
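Review bot: `docker_stream_connect(staff_t)` and `docker_exec(staff_t)` in the `staff_stub()` block let every `staff_t` session talk to the Docker socket, and access to that socket is generally equivalent to root on the host. As far as the rendered page shows, these lines are on the new side, and nothing records that the grant is intentional; a comment such as `# staff_t can drive the daemon: socket access is root-equivalent, restrict who is mapped to staff_u` would do so. The same hunk keeps `unconfined_domain(docker_t)`, so the per-class `allow docker_t ...` rules above do not actually bound the daemon. The `dontaudit` rules added for `svirt_sandbox_domain` (`domain:key {search link}`, tmpfs remount, sysfs mounton) will also hide those denials from the audit log; when investigating a container, rebuild with `semodule -DB` to see them.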


@ -14,6 +14,9 @@ Vendor: Docker
Packager: Docker <support@docker.com>
%global selinux_policyver 3.13.1-102
%if 0%{?oraclelinux} >= 7
%global selinux_policyver 3.13.1-102.0.3.el7_3.15
%endif # oraclelinux 7
%global selinuxtype targeted
%global moduletype services
%global modulenames docker
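Review bot: The Oracle Linux override `%global selinux_policyver 3.13.1-102.0.3.el7_3.15` has no comment saying why this exact build is the floor, and the same literal is repeated in the other spec section further down (the `%if 0%{?oraclelinux} >= 7` block placed after the centos/rhel one). A line above each copy such as `# OL7: minimum selinux-policy build required by this module; keep in sync with the other docker-engine spec` would stop the two values drifting apart. Both copies take effect only because they are evaluated after the generic `%global selinux_policyver`, so that ordering needs to be preserved if the conditionals are rearranged. The condition is `>= 7` while the release string is el7-specific; whether later Oracle Linux majors are meant to match is not stated.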


@ -84,9 +84,12 @@ Requires: device-mapper >= 1.02.90-2
%if 0%{?fedora} >= 22
%global selinux_policyver 3.13.1-128
%endif # fedora 22
%if 0%{?centos} >= 7 || 0%{?rhel} >= 7 || 0%{?oraclelinux} >= 7
%if 0%{?centos} >= 7 || 0%{?rhel} >= 7
%global selinux_policyver 3.13.1-23
%endif # centos,oraclelinux 7
%endif # centos,rhel 7
%if 0%{?oraclelinux} >= 7
%global selinux_policyver 3.13.1-102.0.3.el7_3.15
%endif # oraclelinux 7
%endif # with_selinux
# RE: rhbz#1195804 - ensure min NVR for selinux-policy