selinux-policy/fix_systemd_watch.patch

Index: fedora-policy-20210419/policy/modules/system/systemd.te
===================================================================
--- fedora-policy-20210419.orig/policy/modules/system/systemd.te
+++ fedora-policy-20210419/policy/modules/system/systemd.te
@@ -1357,3 +1357,10 @@ fstools_rw_swap_files(systemd_sleep_t)
 
 # systemd-sleep needs to getattr swap partitions
 storage_getattr_fixed_disk_dev(systemd_sleep_t)
+
+
+#######################################
+#
+# Allow systemd to watch certificate dir for ca-certificates
+# 
+watch_dirs_pattern(init_t,cert_t,cert_t)
Index: fedora-policy-20210419/policy/modules/system/init.te
===================================================================
--- fedora-policy-20210419.orig/policy/modules/system/init.te
+++ fedora-policy-20210419/policy/modules/system/init.te
@@ -317,7 +317,10 @@ files_etc_filetrans_etc_runtime(init_t,
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
 files_watch_etc_dirs(init_t)
+files_watch_etc_files(init_t)
 files_read_usr_files(init_t)
+files_watch_usr_dirs(init_t)
+files_watch_usr_files(init_t)
 files_watch_root_dirs(init_t)
 files_write_root_dirs(init_t)
 files_watch_var_dirs(init_t)
@@ -334,6 +337,7 @@ files_remount_rootfs(init_t)
 files_create_var_dirs(init_t)
 files_watch_home(init_t)
 files_watch_all_pid(init_t)
+watch_dirs_pattern(init_t,lib_t,lib_t)
 
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
Accepting request 894639 from home:lnussel:branches:systemsmanagement:cockpit - allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units that trigger on changes in those. - own /usr/share/selinux/packages/$SELINUXTYPE/ and /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install files there OBS-URL: https://build.opensuse.org/request/show/894639 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=108 2021-05-20 17:02:09 +02:00			`Index: fedora-policy-20210419/policy/modules/system/systemd.te`
			`===================================================================`
			`--- fedora-policy-20210419.orig/policy/modules/system/systemd.te`
			`+++ fedora-policy-20210419/policy/modules/system/systemd.te`
			`@@ -1357,3 +1357,10 @@ fstools_rw_swap_files(systemd_sleep_t)`

			`# systemd-sleep needs to getattr swap partitions`
			`storage_getattr_fixed_disk_dev(systemd_sleep_t)`
			`+`
			`+`
			`+#######################################`
			`+#`
			`+# Allow systemd to watch certificate dir for ca-certificates`
			`+#`
			`+watch_dirs_pattern(init_t,cert_t,cert_t)`
			`Index: fedora-policy-20210419/policy/modules/system/init.te`
			`===================================================================`
			`--- fedora-policy-20210419.orig/policy/modules/system/init.te`
			`+++ fedora-policy-20210419/policy/modules/system/init.te`
			`@@ -317,7 +317,10 @@ files_etc_filetrans_etc_runtime(init_t,`
			`# Run /etc/X11/prefdm:`
			`files_exec_etc_files(init_t)`
			`files_watch_etc_dirs(init_t)`
			`+files_watch_etc_files(init_t)`
			`files_read_usr_files(init_t)`
			`+files_watch_usr_dirs(init_t)`
			`+files_watch_usr_files(init_t)`
			`files_watch_root_dirs(init_t)`
			`files_write_root_dirs(init_t)`
			`files_watch_var_dirs(init_t)`
			`@@ -334,6 +337,7 @@ files_remount_rootfs(init_t)`
			`files_create_var_dirs(init_t)`
			`files_watch_home(init_t)`
			`files_watch_all_pid(init_t)`
			`+watch_dirs_pattern(init_t,lib_t,lib_t)`

			`fs_list_inotifyfs(init_t)`
			`# cjp: this may be related to /dev/log`