Sync from SUSE:SLFO:Main selinux-policy revision b3055241f87f4b87ba0d78c6af6b4307

2025-08-07 10:25:06 +02:00
parent a03204bbc9
commit 5470ae6a24
7 changed files with 183 additions and 110 deletions


@@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
<param name="changesrevision">68c4038281d54812db3c49ccc4a84b84172a82c1</param></service></servicedata>
<param name="changesrevision">15675827ab60cadbfa09c9c74505ad34032ffe33</param></service></servicedata>


selinux-policy-20250627+git66.15675827a.tar.xz (Stored with Git LFS) Normal file



@@ -1,9 +0,0 @@
addFilter("W: non-conffile-in-etc.*")
addFilter("W: zero-length /etc/selinux/.*")
addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512")
addFilter("W: files-duplicate")
addFilter("E: files-duplicated-waste")
addFilter("W: zero-length")


@@ -1,3 +1,38 @@
-------------------------------------------------------------------
Thu Jul 31 14:15:31 UTC 2025 - Cathy Hu <cathy.hu@suse.com>
- Update to version 20250627+git66.15675827a:
* Set /srv/tftpboot = /var/lib/tftpboot as equivalent file context (bsc#1247381)
* Create unconfined type for salt-minion bsc#1228984
-------------------------------------------------------------------
Thu Jul 31 13:07:09 UTC 2025 - Johannes Segitz <jsegitz@suse.com>
- Change default of example config to enforcing mode. With
selinux-autorelabel taking care of relabeling this should work
nowadays
-------------------------------------------------------------------
Wed Jul 30 08:04:02 UTC 2025 - Cathy Hu <cathy.hu@suse.com>
- Unify with factory specfile, which includes:
- Explain that disabling SELinux should not be done via the config
file anymore (bsc#1246549)
- Drop mls option, as we don't provide this ATM
- Improve selinux-policy-devel dependencies and add post script to
improve experience when debugging (bsc#1236193).
- Move manpages to selinux-policy-doc package (bsc#1241391)
- Add ugly workaround for semodule removal issues
(bsc#1221342 bsc#1238062 bsc#1230643 bsc#1230938)
Can be dropped when PED-12491 is done.
- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate
python36 tooling
- Improve selinux-policy packaging
* Remove bashisms to support UNIX SH syntax in scriptlets (bsc#1237517)
* Fix non-existing $package variable in "%post minimum" scriptlet
* Improve selinux-policy.rpmlintrc file
* Remove duplicates with fdupes
-------------------------------------------------------------------
Wed Jul 16 08:24:24 UTC 2025 - Cathy Hu <cathy.hu@suse.com>

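--- /dev/null
+++ b/selinux-policy.rpmlintrc
@@ -0,0 +1,14 @@
+# SELinux policy packaging places a lot of files under /etc. This is by
+# necessity at the moment, might get improved in the future.
+addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* W: non-conffile-in-etc.*")
+# Zero length files
+addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* zero-length /etc/selinux/.*")
+addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* zero-length /var/lib/selinux/.*")
+# Hidden sha512 file
+addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* hidden-file-or-dir /etc/selinux/(targeted|minimum|mls|sandbox)/.policy.sha512")
+# No check section needed
+addFilter("W: no-%check-section")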


@@ -36,13 +36,13 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
Version: 20250627+git62.68c403828
Version: 20250627+git66.15675827a
Release: 0
Source0: %{name}-%{version}.tar.xz
Source1: container.fc
Source2: container.te
Source3: container.if
Source4: selinux-policy-rpmlintrc
Source4: selinux-policy.rpmlintrc
Source5: README.Update
Source6: update.sh
Source7: debug-build.sh
@@ -54,17 +54,24 @@ Source60: selinux-policy.conf
Source91: Makefile.devel
Source95: macros.selinux-policy
URL: https://github.com/fedora-selinux/selinux-policy.git
URL: https://github.com/openSUSE/selinux-policy
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%if 0%{?suse_version} < 1600
%define python_for_executables python311
BuildRequires: %{python_for_executables}
BuildRequires: %{python_for_executables}-policycoreutils
%else
BuildRequires: %primary_python
BuildRequires: %{python_module policycoreutils}
%endif
BuildRequires: checkpolicy
BuildRequires: fdupes
BuildRequires: gawk
BuildRequires: libxml2-tools
BuildRequires: m4
BuildRequires: policycoreutils
BuildRequires: policycoreutils-devel
BuildRequires: python3
BuildRequires: python3-policycoreutils
# we need selinuxenabled
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): pam-config
@@ -188,31 +195,29 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if selinuxenabled; then \
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
if [ $? = 0 ] && [ "${SELINUXTYPE}" = %1 ] && [ -f ${FILE_CONTEXT}.pre ]; then \
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi; \
if /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null;then \
continue; \
fi; \
/sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null; \
fi;
%define preInstall() \
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
fi; \
touch %{_sysconfdir}/selinux/%1/.rebuild; \
if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
if [ "$sha512" == "$checksha512" ] ; then \
rm %{_sysconfdir}/selinux/%1/.rebuild; \
fi; \
fi; \
if [ "$1" -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if [ "${SELINUXTYPE}" = %1 ] && [ -f ${FILE_CONTEXT} ]; then \
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
fi; \
touch %{_sysconfdir}/selinux/%1/.rebuild; \
if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
POLICY_FILE=$(ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1); \
sha512=$(sha512sum "$POLICY_FILE" | cut -d ' ' -f 1); \
checksha512=$(cat %{_sysconfdir}/selinux/%1/.policy.sha512); \
if [ "$sha512" = "$checksha512" ] ; then \
rm %{_sysconfdir}/selinux/%1/.rebuild; \
fi; \
fi; \
fi;
%define postInstall() \
@@ -222,8 +227,8 @@ if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
/usr/sbin/semodule -B -n -s %2 2> /dev/null; \
fi; \
if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \
touch /etc/selinux/.autorelabel \
else \
touch /etc/selinux/.autorelabel ; \
else \
if [ "${SELINUXTYPE}" = "%2" ]; then \
if selinuxenabled; then \
load_policy; \
@@ -236,11 +241,11 @@ else \
if [ %1 -eq 1 ]; then \
/sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
else \
%relabel %2 \
%relabel %2 ; \
fi; \
else \
# run fixfiles on next boot \
touch /.autorelabel \
touch /.autorelabel ; \
fi; \
fi;
@@ -249,11 +254,11 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
%define nonBaseModulesList() \
modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
modules=$(cat %{buildroot}%{_datadir}/selinux/%1/modules.lst); \
for i in $modules; do \
if [ $i != "sandbox" ];then \
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
fi; \
if [ "$i" != "sandbox" ]; then \
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst ; \
fi; \
done;
%description
@@ -286,16 +291,16 @@ rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
%{_sbindir}/load_policy
fi;
exit 0
%preun sandbox
if [ $1 -eq 0 ] ; then
%{_sbindir}/semodule -n -d sandbox 2>/dev/null
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
fi;
if [ "$1" -eq 0 ] ; then
%{_sbindir}/semodule -n -d sandbox 2>/dev/null
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
fi;
fi;
exit 0
@@ -380,63 +385,87 @@ mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
rm %{buildroot}%{_mandir}/man8/container_selinux.8*
rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if
%fdupes -s %{buildroot}%{_mandir}
%post
if [ ! -s %{_sysconfdir}/selinux/config ]; then
# new install, use old sysconfig file if that exists,
# else create new one.
if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then
mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
else
echo "
# new install, use old sysconfig file if that exists,
# else create new one.
if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then
mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
else
echo "
# This file controls the state of SELinux on the system.
# SELinux can be completly disabled with the \"selinux=0\" kernel
# commandline option.
#
# SELINUX= can take one of these three values:
# SELINUX= can take one of these two values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is disabled
SELINUX=permissive
# Previously SELinux could be disabled by changing the value to
# 'disabled'. This is deprecated and should not be used anymore.
# If you want to disable linux add 'selinux=0' to the kernel
# command line. For details see
# https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
" > %{_sysconfdir}/selinux/config
fi
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux-policy
%{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
fi
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux-policy
%{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
fi
%tmpfiles_create %_tmpfilesdir/selinux-policy.conf
if [ $1 -eq 1 ]; then
if [ "$1" -eq 1 ]; then
pam-config -a --selinux
fi
%if 0%{?is_opensuse}
# 2025-04-07 cahu:
# Extremely ugly Workaround for t-u module removal issue
# (see bsc#1221342 bsc#1238062 bsc#1230643 bsc#1230938)
# This removes empty module folders in /var/lib/selinux that
# are created by microOS' create-dirs-from-rpmdb on rollback when the
# current policy has dropped the module that was still contained in an older
# snapshot. That means the removed module will also NOT be contained
# in previous snapshots. Also this can cause warnings during install due to rpmdb
# still containing the path that was deleted, which should go away in the subsequent
# installations.
# Can be dropped once PED-12491 is implemented.
if [ -n "${TRANSACTIONAL_UPDATE}" ]; then
for p in targeted minimum mls; do
if [ -d %{_sharedstatedir}/selinux/$p/active/modules/100 ]; then
find %{_sharedstatedir}/selinux/$p/active/modules/100 -type d -empty -delete -print
fi
done
fi
%endif
exit 0
%define post_un() \
# disable selinux if we uninstall a policy and it's the used one \
if [ $1 -eq 0 ]; then \
if [ "$1" -eq 0 ]; then \
if [ -s %{_sysconfdir}/selinux/config ]; then \
source %{_sysconfdir}/selinux/config &> /dev/null || true \
fi \
. %{_sysconfdir}/selinux/config > /dev/null 2>&1 || true ; \
fi; \
if [ "$SELINUXTYPE" = "$2" ]; then \
%{_sbindir}/setenforce 0 2> /dev/null \
%{_sbindir}/setenforce 0 2> /dev/null ; \
if [ -s %{_sysconfdir}/selinux/config ]; then \
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \
fi \
fi \
pam-config -d --selinux \
fi \
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config ; \
fi; \
fi; \
pam-config -d --selinux ; \
fi; \
exit 0
%postun
if [ $1 = 0 ]; then
%{_sbindir}/setenforce 0 2> /dev/null
if [ -s %{_sysconfdir}/selinux/config ]; then
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
fi
if [ "$1" = 0 ]; then
%{_sbindir}/setenforce 0 2> /dev/null
if [ -s %{_sysconfdir}/selinux/config ]; then
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
fi
fi
exit 0
@@ -447,14 +476,13 @@ Requires(pre): selinux-policy = %{version}-%{release}
Requires: /usr/bin/make
Requires: checkpolicy >= %{CHECKPOLICYVER}
Requires: m4
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
%description devel
SELinux policy development and man page package
SELinux policy development package
%files devel
%defattr(-,root,root,-)
%doc %{_datadir}/man/ru/man8/*
%doc %{_datadir}/man/man8/*
%dir %{_datadir}/selinux/devel
%dir %{_datadir}/selinux/devel/html/
%doc %{_datadir}/selinux/devel/html/*
@@ -462,6 +490,11 @@ SELinux policy development and man page package
%{_datadir}/selinux/devel/include/*
%{_datadir}/selinux/devel/Makefile
%{_datadir}/selinux/devel/example.*
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
%post devel
%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
exit 0
%package doc
Summary: SELinux policy documentation
@@ -470,11 +503,13 @@ Requires(pre): selinux-policy = %{version}-%{release}
Requires: /usr/bin/xdg-open
%description doc
SELinux policy documentation package
SELinux policy documentation and man page package
%files doc
%defattr(-,root,root,-)
%doc %{_datadir}/doc/%{name}
%doc %{_datadir}/man/ru/man8/*
%doc %{_datadir}/man/man8/*
%{_datadir}/selinux/devel/policy.*
%if %{BUILD_TARGETED}
@@ -526,40 +561,38 @@ SELinux policy minimum base module.
%pre minimum
%preInstall minimum
if [ $1 -ne 1 ]; then
%{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
if [ "$1" -ne 1 ]; then
%{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
fi
%post minimum
modules=`cat %{_datadir}/selinux/minimum/modules.lst`
basemodules=`cat %{_datadir}/selinux/minimum/base.lst`
enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst`
if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
fi
if [ $1 -eq 1 ]; then
for p in $modules; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $basemodules $enabledmodules; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
%{_sbindir}/semanage import -S minimum -f - << __eof
modules=$(cat %{_datadir}/selinux/minimum/modules.lst)
basemodules=$(cat %{_datadir}/selinux/minimum/base.lst)
enabledmodules=$(cat %{_datadir}/selinux/minimum/modules-enabled.lst)
mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled
if [ "$1" -eq 1 ]; then
for p in $modules; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
done
for p in $basemodules $enabledmodules; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
done
%{_sbindir}/semanage import -S minimum -f - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
%{_sbindir}/semodule -B -s minimum 2> /dev/null
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
%{_sbindir}/semodule -B -s minimum 2> /dev/null
else
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
for p in $packages; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $instpackages snapper dbus kerberos nscd rtkit; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
%{_sbindir}/semodule -B -s minimum 2> /dev/null
%relabel minimum
instpackages=$(cat %{_datadir}/selinux/minimum/instmodules.lst)
for p in $modules; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
done
for p in $instpackages snapper dbus kerberos nscd rtkit; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
done
%{_sbindir}/semodule -B -s minimum 2> /dev/null
%relabel minimum
fi
exit 0
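Review bot: The post_un macro is reworked for POSIX sh, but the comparison it hinges on is the unchanged line `if [ "$SELINUXTYPE" = "$2" ]; then \`, which reads a shell positional parameter; rpm hands a plain %postun only `$1` (the instance count), so unless this macro is invoked from a trigger that supplies a second argument, `$2` is empty, the setenforce/sed/pam-config branch never runs when the active policy type is removed, and the config is left with SELINUX=enforcing pointing at an uninstalled policy. The sibling postInstall macro compares against the macro argument `"%2"`, so presumably this should read `if [ "$SELINUXTYPE" = "%2" ]; then \` — confirm against the macro's call sites, which lie outside this section. Separately, in the relabel macro the new line `if [ $? = 0 ] && [ "${SELINUXTYPE}" = %1 ] && [ -f ${FILE_CONTEXT}.pre ]; then \` sits directly inside `if selinuxenabled; then`, so the `$? = 0` test is always true there and can be dropped, and `${FILE_CONTEXT}.pre` deserves the same quoting the rest of the rewrite applies. Also, preInstall's new `POLICY_FILE=$(ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1); \` still parses ls output with a locale-dependent lexical sort; at minimum run it as `LC_ALL=C sort` so the file chosen for the sha512 comparison is the same on every system.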