selinux-policy/fix_systemd.patch

Index: fedora-policy-20230116/policy/modules/system/systemd.te
===================================================================
--- fedora-policy-20230116.orig/policy/modules/system/systemd.te
+++ fedora-policy-20230116/policy/modules/system/systemd.te
@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system
 xserver_dbus_chat(systemd_logind_t)
 
 optional_policy(`
+	packagekit_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
 	apache_read_tmp_files(systemd_logind_t)
 ')
 
@@ -863,6 +867,10 @@ optional_policy(`
 	dbus_system_bus_client(systemd_localed_t)
 ')
 
+optional_policy(`
+	nscd_unconfined(systemd_hostnamed_t)
+')
+
 #######################################
 #
 # Hostnamed policy
@@ -1195,6 +1203,8 @@ systemd_unit_file_filetrans(systemd_gpt_
 systemd_create_unit_file_dirs(systemd_gpt_generator_t)
 systemd_create_unit_file_lnk(systemd_gpt_generator_t)
 
+kernel_dgram_send(systemd_gpt_generator_t)
+
 optional_policy(`
 	udev_read_pid_files(systemd_gpt_generator_t)
 ')
Accepting request 1061575 from home:jsegitz:branches:security:SELinux - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files OBS-URL: https://build.opensuse.org/request/show/1061575 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171 2023-01-27 15:51:33 +01:00			`Index: fedora-policy-20230116/policy/modules/system/systemd.te`
Accepting request 781805 from home:jsegitz:branches:security:SELinux - Update to version 20200219 Refreshed fix_hadoop.patch Updated * fix_dbus.patch * fix_hadoop.patch * fix_nscd.patch * fix_xserver.patch Renamed postfix_paths.patch to fix_postfix.patch Added * fix_init.patch * fix_locallogin.patch * fix_policykit.patch * fix_iptables.patch * fix_irqbalance.patch * fix_ntp.patch * fix_fwupd.patch * fix_firewalld.patch * fix_logrotate.patch * fix_selinuxutil.patch * fix_corecommand.patch * fix_snapper.patch * fix_systemd.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * xdm_entrypoint_pam.patch - Removed modules minimum_temp_fixes and targeted_temp_fixes from the corresponding policies - Reduced default module list of minimum policy by removing OBS-URL: https://build.opensuse.org/request/show/781805 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=74 2020-03-05 11:13:59 +01:00			`===================================================================`
Accepting request 1061575 from home:jsegitz:branches:security:SELinux - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files OBS-URL: https://build.opensuse.org/request/show/1061575 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171 2023-01-27 15:51:33 +01:00			`--- fedora-policy-20230116.orig/policy/modules/system/systemd.te`
			`+++ fedora-policy-20230116/policy/modules/system/systemd.te`
Accepting request 1035580 from home:jsegitz:branches:security:SELinux - Update to version 20221019. Refreshed: * distro_suse_to_distro_redhat.patch * fix_apache.patch * fix_chronyd.patch * fix_cron.patch * fix_init.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_rpm.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_xserver.patch - Dropped fix_cockpit.patch as this is now packaged with cockpit itself - Remove the ipa module, freeip ships their own module - Added fix_alsa.patch to allow reading of config files in home directories - Extended fix_networkmanager.patch and fix_postfix.patch to account for SUSE systems - Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc queries the running processes - Updated fix_snapper.patch to allow snapper to talk to rpm via dbus OBS-URL: https://build.opensuse.org/request/show/1035580 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=155 2022-11-14 09:27:42 +01:00			`@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system`
Accepting request 781805 from home:jsegitz:branches:security:SELinux - Update to version 20200219 Refreshed fix_hadoop.patch Updated * fix_dbus.patch * fix_hadoop.patch * fix_nscd.patch * fix_xserver.patch Renamed postfix_paths.patch to fix_postfix.patch Added * fix_init.patch * fix_locallogin.patch * fix_policykit.patch * fix_iptables.patch * fix_irqbalance.patch * fix_ntp.patch * fix_fwupd.patch * fix_firewalld.patch * fix_logrotate.patch * fix_selinuxutil.patch * fix_corecommand.patch * fix_snapper.patch * fix_systemd.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * xdm_entrypoint_pam.patch - Removed modules minimum_temp_fixes and targeted_temp_fixes from the corresponding policies - Reduced default module list of minimum policy by removing OBS-URL: https://build.opensuse.org/request/show/781805 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=74 2020-03-05 11:13:59 +01:00			`xserver_dbus_chat(systemd_logind_t)`

			optional_policy(`
			`+ packagekit_dbus_chat(systemd_logind_t)`
			`+')`
			`+`
			+optional_policy(`
			`apache_read_tmp_files(systemd_logind_t)`
			`')`
Accepting request 810877 from home:jsegitz:branches:security:SELinux - Added module for wicked - New patches: * fix_authlogin.patch * fix_screen.patch * fix_unprivuser.patch * fix_rpm.patch * fix_apache.patch - Added module for rtorrent - Enable snapper module in minimum policy to reduce issues on BTRFS Updated fix_snapper.patch to prevent relabling of snapshot OBS-URL: https://build.opensuse.org/request/show/810877 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=76 2020-06-02 17:31:08 +02:00
Accepting request 1035580 from home:jsegitz:branches:security:SELinux - Update to version 20221019. Refreshed: * distro_suse_to_distro_redhat.patch * fix_apache.patch * fix_chronyd.patch * fix_cron.patch * fix_init.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_rpm.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_xserver.patch - Dropped fix_cockpit.patch as this is now packaged with cockpit itself - Remove the ipa module, freeip ships their own module - Added fix_alsa.patch to allow reading of config files in home directories - Extended fix_networkmanager.patch and fix_postfix.patch to account for SUSE systems - Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc queries the running processes - Updated fix_snapper.patch to allow snapper to talk to rpm via dbus OBS-URL: https://build.opensuse.org/request/show/1035580 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=155 2022-11-14 09:27:42 +01:00			@@ -863,6 +867,10 @@ optional_policy(`
			`dbus_system_bus_client(systemd_localed_t)`
Accepting request 810877 from home:jsegitz:branches:security:SELinux - Added module for wicked - New patches: * fix_authlogin.patch * fix_screen.patch * fix_unprivuser.patch * fix_rpm.patch * fix_apache.patch - Added module for rtorrent - Enable snapper module in minimum policy to reduce issues on BTRFS Updated fix_snapper.patch to prevent relabling of snapshot OBS-URL: https://build.opensuse.org/request/show/810877 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=76 2020-06-02 17:31:08 +02:00			`')`

			+optional_policy(`
			`+ nscd_unconfined(systemd_hostnamed_t)`
			`+')`
			`+`
			`#######################################`
			`#`
Accepting request 1035580 from home:jsegitz:branches:security:SELinux - Update to version 20221019. Refreshed: * distro_suse_to_distro_redhat.patch * fix_apache.patch * fix_chronyd.patch * fix_cron.patch * fix_init.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_rpm.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_xserver.patch - Dropped fix_cockpit.patch as this is now packaged with cockpit itself - Remove the ipa module, freeip ships their own module - Added fix_alsa.patch to allow reading of config files in home directories - Extended fix_networkmanager.patch and fix_postfix.patch to account for SUSE systems - Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc queries the running processes - Updated fix_snapper.patch to allow snapper to talk to rpm via dbus OBS-URL: https://build.opensuse.org/request/show/1035580 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=155 2022-11-14 09:27:42 +01:00			`# Hostnamed policy`
Accepting request 1061575 from home:jsegitz:branches:security:SELinux - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files OBS-URL: https://build.opensuse.org/request/show/1061575 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171 2023-01-27 15:51:33 +01:00			`@@ -1195,6 +1203,8 @@ systemd_unit_file_filetrans(systemd_gpt_`
Accepting request 988934 from home:jsegitz:branches:security:SELinux - Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for systemd_gpt_generator_t (bsc#1200911) OBS-URL: https://build.opensuse.org/request/show/988934 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=135 2022-07-13 10:54:50 +02:00			`systemd_create_unit_file_dirs(systemd_gpt_generator_t)`
			`systemd_create_unit_file_lnk(systemd_gpt_generator_t)`

			`+kernel_dgram_send(systemd_gpt_generator_t)`
			`+`
			optional_policy(`
			`udev_read_pid_files(systemd_gpt_generator_t)`
			`')`