From 1fd70ac29b5c1862931e3c69552c47ea0907e24d00d4cc7a04511a6926a69e08 Mon Sep 17 00:00:00 2001 
From: Johannes Segitz Date: Thu, 5 Mar 2020 10:13:59 +0000 Subject: [PATCH] Accepting request 781805 from home:jsegitz:branches:security:SELinux - Update to version 20200219 Refreshed fix_hadoop.patch Updated * fix_dbus.patch * fix_hadoop.patch * fix_nscd.patch * fix_xserver.patch Renamed postfix_paths.patch to fix_postfix.patch Added * fix_init.patch * fix_locallogin.patch * fix_policykit.patch * fix_iptables.patch * fix_irqbalance.patch * fix_ntp.patch * fix_fwupd.patch * fix_firewalld.patch * fix_logrotate.patch * fix_selinuxutil.patch * fix_corecommand.patch * fix_snapper.patch * fix_systemd.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * xdm_entrypoint_pam.patch - Removed modules minimum_temp_fixes and targeted_temp_fixes from the corresponding policies - Reduced default module list of minimum policy by removing OBS-URL: https://build.opensuse.org/request/show/781805 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=74 --- booleans-minimum.conf | 5 ++ booleans-targeted.conf | 9 +-- fedora-policy.20190802.tar.bz2 | 3 - fedora-policy.20200219.tar.bz2 | 3 + file_contexts.subs_dist | 1 + fix_chronyd.patch | 15 ++++ fix_corecommand.patch | 34 +++++++++ fix_dbus.patch | 43 +++-------- fix_dbus.patch_orig | 35 +++++++++ fix_firewalld.patch | 42 +++++++++++ fix_fwupd.patch | 12 +++ fix_hadoop.patch | 12 +-- fix_init.patch | 62 ++++++++++++++++ fix_iptables.patch | 12 +++ fix_irqbalance.patch | 13 ++++ fix_locallogin.patch | 12 +++ fix_logging.patch | 17 ++++- fix_logrotate.patch | 12 +++ fix_networkmanager.patch | 54 ++++++++++++++ fix_nscd.patch | 19 ++++- fix_ntp.patch | 39 ++++++++++ fix_policykit.patch | 13 ++++ postfix_paths.patch => fix_postfix.patch | 27 +++++-- fix_selinuxutil.patch | 26 +++++++ fix_snapper.patch | 15 ++++ fix_systemd.patch | 15 ++++ fix_unconfined.patch | 22 ++++++ fix_unconfineduser.patch | 15 ++++ fix_xserver.patch | 37 ++++++++- 
minimum_temp_fixes.fc | 0 minimum_temp_fixes.if | 1 - minimum_temp_fixes.te | 95 ------------------------ modules-minimum-base.conf | 7 -- modules-targeted-base.conf | 7 -- packagekit.if | 38 ++++++++++ packagekit.te | 41 +++++----- rpmlintrc | 2 - selinux-policy-rpmlintrc | 13 +--- selinux-policy.changes | 39 ++++++++++ selinux-policy.spec | 75 ++++++++++++------- targeted_temp_fixes.fc | 0 targeted_temp_fixes.if | 1 - targeted_temp_fixes.te | 54 -------------- xdm_entrypoint_pam.patch | 43 +++++++++++ 44 files changed, 755 insertions(+), 285 deletions(-) delete mode 100644 fedora-policy.20190802.tar.bz2 create mode 100644 fedora-policy.20200219.tar.bz2 create mode 100644 fix_chronyd.patch create mode 100644 fix_corecommand.patch create mode 100644 fix_dbus.patch_orig create mode 100644 fix_firewalld.patch create mode 100644 fix_fwupd.patch create mode 100644 fix_init.patch create mode 100644 fix_iptables.patch create mode 100644 fix_irqbalance.patch create mode 100644 fix_locallogin.patch create mode 100644 fix_logrotate.patch create mode 100644 fix_networkmanager.patch create mode 100644 fix_ntp.patch create mode 100644 fix_policykit.patch rename postfix_paths.patch => fix_postfix.patch (82%) create mode 100644 fix_selinuxutil.patch create mode 100644 fix_snapper.patch create mode 100644 fix_systemd.patch create mode 100644 fix_unconfined.patch create mode 100644 fix_unconfineduser.patch delete mode 100644 minimum_temp_fixes.fc delete mode 100644 minimum_temp_fixes.if delete mode 100644 minimum_temp_fixes.te delete mode 100644 rpmlintrc delete mode 100644 targeted_temp_fixes.fc delete mode 100644 targeted_temp_fixes.if delete mode 100644 targeted_temp_fixes.te create mode 100644 xdm_entrypoint_pam.patch diff --git a/booleans-minimum.conf b/booleans-minimum.conf index 26b0dc4..2e00a7a 100644 --- a/booleans-minimum.conf +++ b/booleans-minimum.conf 
@@ -246,3 +246,8 @@ init_upstart = true
 # Allow mount to mount any file/dir
 #
 allow_mount_anyfile = true
+
+# Allow all domains to mmap files
+#
+domain_can_mmap_files = true
+
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index d943d04..d8cf568 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -7,14 +7,11 @@ nfs_export_all_ro = true
 nfs_export_all_rw = true
 nscd_use_shm = true
 openvpn_enable_homedirs = true
-postfix_local_write_mail_spool=true
+postfix_local_write_mail_spool= true
 pppd_can_insmod = false
 privoxy_connect_any = true
 selinuxuser_direct_dri_enabled = true
-selinuxuser_execmem = true
-selinuxuser_execmod = true
-selinuxuser_execstack = true
-selinuxuser_rw_noexattrfile=true
+selinuxuser_rw_noexattrfile = true
 selinuxuser_ping = true
 squid_connect_any = true
 telepathy_tcp_connect_generic_network_ports=true
@@ -22,3 +19,5 @@ unconfined_chrome_sandbox_transition=true
 unconfined_mozilla_plugin_transition=true
 xguest_exec_content = true
 mozilla_plugin_can_network_connect = true
+# Allow all domains to mmap files
+domain_can_mmap_files = true
diff --git a/fedora-policy.20190802.tar.bz2 b/fedora-policy.20190802.tar.bz2
deleted file mode 100644
index 409383d..0000000
--- a/fedora-policy.20190802.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3ff2142bd458599826f79aa85344da39a6ef833e5c644d0da46dfc686baf9bd3
-size 730294
diff --git a/fedora-policy.20200219.tar.bz2 b/fedora-policy.20200219.tar.bz2
new file mode 100644
index 0000000..258bc73
--- /dev/null
+++ b/fedora-policy.20200219.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62cd90fa977ee00fd42a249690e13ad8fb87de95d06a1f12e86d05695544844d
+size 735114
diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist
index dcb0062..10c5abe 100644
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
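Review bot: `domain_can_mmap_files = true` is switched on in both booleans-minimum.conf and booleans-targeted.conf with only the one-line comment `# Allow all domains to mmap files`; because the boolean relaxes the file map check for every domain at once rather than for the one that produced a denial, the comment should record what motivated it so it can be revisited, e.g. `# Allow all domains to mmap files (blanket workaround for map denials after the 20200219 update; revisit per domain)`. In booleans-targeted.conf the refreshed line `postfix_local_write_mail_spool= true` still breaks the ` = ` spacing that every neighbouring entry uses; `postfix_local_write_mail_spool = true` keeps the file consistent. The removal of the three `selinuxuser_exec*` overrides in the same hunk is a tightening and is fine as is.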
@@ -11,3 +11,4 @@
 /run/systemd/system /usr/lib/systemd/system
 /run/systemd/generator /usr/lib/systemd/system
 /var/lib/xguest/home /home
+/var/run/netconfig /etc
diff --git a/fix_chronyd.patch b/fix_chronyd.patch
new file mode 100644
index 0000000..49d5345
--- /dev/null
+++ b/fix_chronyd.patch
@@ -0,0 +1,15 @@
+Index: fedora-policy/policy/modules/contrib/chronyd.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/chronyd.te 2020-02-19 09:36:31.776283304 +0000
++++ fedora-policy/policy/modules/contrib/chronyd.te 2020-02-25 10:33:09.169920838 +0000
+@@ -136,6 +136,10 @@ systemd_exec_systemctl(chronyd_t)
+ userdom_dgram_send(chronyd_t)
+ 
+ optional_policy(`
++ networkmanager_read_pid_files(chronyd_t)
++')
++
++optional_policy(`
+ cron_dgram_send(chronyd_t)
+ ')
+ 
diff --git a/fix_corecommand.patch b/fix_corecommand.patch
new file mode 100644
index 0000000..6ee1497
--- /dev/null
+++ b/fix_corecommand.patch
@@ -0,0 +1,34 @@ +Index: fedora-policy/policy/modules/kernel/corecommands.fc +=================================================================== +--- fedora-policy.orig/policy/modules/kernel/corecommands.fc 2020-02-24 08:46:26.205153437 +0000 ++++ fedora-policy/policy/modules/kernel/corecommands.fc 2020-02-24 13:44:00.711915017 +0000 +@@ -251,6 +251,21 @@ ifdef(`distro_gentoo',` + /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) + /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-settings-daemon-3.0/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-calculator-search-provider -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-control-center-search-provider -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-photos-thumbnailer -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-rr-debug -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-session-binary -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-session-check-accelerated -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-session-check-accelerated-gles-helper -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-session-check-accelerated-gl-helper -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-session-failed -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-software-cmd -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-software-restarter -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-terminal-migration -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-terminal-server -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gnome-tweak-tool-lid-inhibitor -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/kde4/libexec/.* -- 
gen_context(system_u:object_r:bin_t,s0) +@@ -391,6 +406,7 @@ ifdef(`distro_debian',` + /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0) + ') ++/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0) + + ifdef(`distro_gentoo', ` + /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/fix_dbus.patch b/fix_dbus.patch index 39f1fc6..0387af9 100644 --- a/fix_dbus.patch +++ b/fix_dbus.patch 
@@ -1,35 +1,12 @@ -Index: fedora-policy/policy/modules/contrib/evolution.te +Index: fedora-policy/policy/modules/contrib/dbus.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/evolution.te 2019-08-05 09:39:48.641670181 +0200 -+++ fedora-policy/policy/modules/contrib/evolution.te 2019-08-05 09:57:29.695474175 +0200 -@@ -228,7 +228,6 @@ optional_policy(` +--- fedora-policy.orig/policy/modules/contrib/dbus.te 2020-02-25 08:22:02.846623845 +0000 ++++ fedora-policy/policy/modules/contrib/dbus.te 2020-02-25 08:22:31.991108418 +0000 +@@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d + manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) + manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) + files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) ++allow system_dbusd_t system_dbusd_tmp_t:file execute; - optional_policy(` - dbus_system_bus_client(evolution_t) -- dbus_all_session_bus_client(evolution_t) - ') - - optional_policy(` -@@ -309,10 +308,6 @@ tunable_policy(`use_samba_home_dirs',` - ') - - optional_policy(` -- dbus_all_session_bus_client(evolution_alarm_t) --') -- --optional_policy(` - gnome_stream_connect_gconf(evolution_alarm_t) - ') - -Index: fedora-policy/policy/modules/contrib/thunderbird.te -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/thunderbird.te 2019-08-05 09:39:48.681670851 +0200 -+++ fedora-policy/policy/modules/contrib/thunderbird.te 2019-08-05 09:57:38.503622198 +0200 -@@ -121,7 +121,6 @@ ifndef(`enable_mls',` - - optional_policy(` - dbus_system_bus_client(thunderbird_t) -- dbus_all_session_bus_client(thunderbird_t) - - optional_policy(` - cups_dbus_chat(thunderbird_t) + manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) + manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) 
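Review bot: `allow system_dbusd_t system_dbusd_tmp_t:file execute;` lets the system bus execute files under a label it can also create and write through the `manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)` line directly above, which is a write-plus-execute combination on one type that the policy otherwise avoids. If the denial comes from a specific helper that dbus-daemon runs out of its tmp directory, labelling that binary with its own exec type is the narrower fix; if the raw rule has to stay, give it a comment naming the caller and the denial, e.g. `# system_dbusd_t executes <helper, see bug PLACEHOLDER> from its tmp dir`. The rewritten patch also drops the evolution/thunderbird `dbus_all_session_bus_client` removals the file previously carried; if that is intentional the change description should say so, since the diffstat alone reads as a refresh.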
diff --git a/fix_dbus.patch_orig b/fix_dbus.patch_orig new file mode 100644 index 0000000..39f1fc6 --- /dev/null +++ b/fix_dbus.patch_orig @@ -0,0 +1,35 @@ +Index: fedora-policy/policy/modules/contrib/evolution.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/evolution.te 2019-08-05 09:39:48.641670181 +0200 ++++ fedora-policy/policy/modules/contrib/evolution.te 2019-08-05 09:57:29.695474175 +0200 +@@ -228,7 +228,6 @@ optional_policy(` + + optional_policy(` + dbus_system_bus_client(evolution_t) +- dbus_all_session_bus_client(evolution_t) + ') + + optional_policy(` +@@ -309,10 +308,6 @@ tunable_policy(`use_samba_home_dirs',` + ') + + optional_policy(` +- dbus_all_session_bus_client(evolution_alarm_t) +-') +- +-optional_policy(` + gnome_stream_connect_gconf(evolution_alarm_t) + ') + +Index: fedora-policy/policy/modules/contrib/thunderbird.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/thunderbird.te 2019-08-05 09:39:48.681670851 +0200 ++++ fedora-policy/policy/modules/contrib/thunderbird.te 2019-08-05 09:57:38.503622198 +0200 +@@ -121,7 +121,6 @@ ifndef(`enable_mls',` + + optional_policy(` + dbus_system_bus_client(thunderbird_t) +- dbus_all_session_bus_client(thunderbird_t) + + optional_policy(` + cups_dbus_chat(thunderbird_t) diff --git a/fix_firewalld.patch b/fix_firewalld.patch new file mode 100644 index 0000000..5b5e67e --- /dev/null +++ b/fix_firewalld.patch 
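Review bot: fix_dbus.patch_orig is added as a new source file whose blob `39f1fc6` is exactly the pre-change blob of fix_dbus.patch (`index 39f1fc6..0387af9` in the previous file section), so it is a verbatim copy of the old patch and looks like an editor or quilt backup that was committed by accident. Unless selinux-policy.spec references it (the spec hunks are outside this chunk), it should be removed from the package rather than shipped in the source RPM. If the evolution/thunderbird hunks it contains are still wanted, they belong in a properly named patch that the spec applies.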
@@ -0,0 +1,42 @@ +Index: fedora-policy/policy/modules/contrib/firewalld.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/firewalld.te 2020-02-24 08:16:03.798820784 +0000 ++++ fedora-policy/policy/modules/contrib/firewalld.te 2020-02-24 08:18:03.164764310 +0000 +@@ -129,6 +129,7 @@ optional_policy(` + ') + + optional_policy(` ++ iptables_manage_var_lib_files(firewalld_t) + iptables_domtrans(firewalld_t) + iptables_read_var_run(firewalld_t) + ') +Index: fedora-policy/policy/modules/system/iptables.if +=================================================================== +--- fedora-policy.orig/policy/modules/system/iptables.if 2020-02-19 09:36:25.440182406 +0000 ++++ fedora-policy/policy/modules/system/iptables.if 2020-02-24 08:17:53.076600108 +0000 +@@ -2,6 +2,25 @@ + + ######################################## + ## ++## Allow management of iptables_var_lib_t files ++## ++## ++## ++## Domain allowed to mange files ++## ++## ++# ++interface(`iptables_manage_var_lib_files',` ++ gen_require(` ++ type iptables_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1, iptables_var_lib_t, iptables_var_lib_t) ++ manage_files_pattern($1, iptables_var_lib_t, iptables_var_lib_t) ++') ++ ++######################################## ++## + ## Execute iptables in the iptables domain. + ## + ## diff --git a/fix_fwupd.patch b/fix_fwupd.patch new file mode 100644 index 0000000..0a069b7 --- /dev/null +++ b/fix_fwupd.patch 
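Review bot: The description of the new `iptables_manage_var_lib_files` interface in iptables.if has a typo, `Domain allowed to mange files`, which should read `Domain allowed to manage files`, and its summary `Allow management of iptables_var_lib_t files` undersells what is granted: `manage_dirs_pattern` plus `manage_files_pattern` give create, write, rename and delete on both directories and files of that type, so `Create, read, write and delete iptables_var_lib_t files and directories` would be the accurate summary. firewalld_t thereby gains full control of every iptables state file; if it only needs to rewrite existing files, a narrower read/write interface would be the more conservative grant. The surrounding `optional_policy` block in firewalld.te starts and ends inside the nested hunk, so the call placement is fine.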
@@ -0,0 +1,12 @@ +Index: fedora-policy/policy/modules/contrib/fwupd.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/fwupd.fc 2020-02-19 09:36:31.784283432 +0000 ++++ fedora-policy/policy/modules/contrib/fwupd.fc 2020-02-21 14:24:21.739179426 +0000 +@@ -4,6 +4,7 @@ + /etc/pki/(fwupd|fwupd-metadata)(/.*)? gen_context(system_u:object_r:fwupd_cert_t,s0) + + /usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) ++/usr/lib/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) + + /var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0) + diff --git a/fix_hadoop.patch b/fix_hadoop.patch index 3782c40..34039ec 100644 --- a/fix_hadoop.patch +++ b/fix_hadoop.patch @@ -1,8 +1,8 @@ Index: fedora-policy/policy/modules/roles/sysadm.te =================================================================== ---- fedora-policy.orig/policy/modules/roles/sysadm.te 2019-08-05 09:39:39.113510611 +0200 -+++ fedora-policy/policy/modules/roles/sysadm.te 2019-08-05 14:11:28.416872543 +0200 -@@ -282,10 +282,6 @@ optional_policy(` +--- fedora-policy.orig/policy/modules/roles/sysadm.te 2020-02-19 09:08:50.433854051 +0000 ++++ fedora-policy/policy/modules/roles/sysadm.te 2020-02-19 09:17:47.026397710 +0000 +@@ -289,10 +289,6 @@ optional_policy(` ') optional_policy(` 
@@ -15,9 +15,9 @@ Index: fedora-policy/policy/modules/roles/sysadm.te Index: fedora-policy/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy.orig/policy/modules/roles/unprivuser.te 2019-08-05 09:39:39.113510611 +0200 -+++ fedora-policy/policy/modules/roles/unprivuser.te 2019-08-05 14:11:22.908782828 +0200 -@@ -192,10 +192,6 @@ ifndef(`distro_redhat',` +--- fedora-policy.orig/policy/modules/roles/unprivuser.te 2020-02-19 09:08:50.433854051 +0000 ++++ fedora-policy/policy/modules/roles/unprivuser.te 2020-02-19 09:17:47.030397773 +0000 +@@ -197,10 +197,6 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/fix_init.patch b/fix_init.patch new file mode 100644 index 0000000..841dff0 --- /dev/null +++ b/fix_init.patch 
@@ -0,0 +1,62 @@ +Index: fedora-policy/policy/modules/system/init.te +=================================================================== +--- fedora-policy.orig/policy/modules/system/init.te ++++ fedora-policy/policy/modules/system/init.te +@@ -250,6 +250,7 @@ corecmd_exec_bin(init_t) + corenet_all_recvfrom_netlabel(init_t) + corenet_tcp_bind_all_ports(init_t) + corenet_udp_bind_all_ports(init_t) ++corenet_udp_bind_generic_node(init_t) + + dev_create_all_files(init_t) + dev_create_all_chr_files(init_t) +@@ -419,10 +420,15 @@ ifdef(`distro_redhat',` + corecmd_shell_domtrans(init_t, initrc_t) + + storage_raw_rw_fixed_disk(init_t) ++storage_raw_read_removable_device(init_t) + + sysnet_read_dhcpc_state(init_t) + + optional_policy(` ++ networkmanager_initrc_read_lnk_files(init_t) ++') ++ ++optional_policy(` + bootloader_domtrans(init_t) + ') + +@@ -536,7 +542,7 @@ tunable_policy(`init_create_dirs',` + allow init_t self:system all_system_perms; + allow init_t self:system module_load; + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; +-allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec }; ++allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem }; + allow init_t self:process { getcap setcap }; + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom }; + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -598,6 +604,7 @@ files_delete_all_spool_sockets(init_t) + files_create_var_lib_dirs(init_t) + files_create_var_lib_symlinks(init_t) + files_read_var_lib_symlinks(init_t) ++files_read_var_files(init_t) + files_manage_urandom_seed(init_t) + files_list_locks(init_t) + files_list_spool(init_t) +@@ -689,6 +696,7 @@ systemd_userdbd_runtime_manage_symlinks( + create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + + create_dirs_pattern(init_t, var_log_t, var_log_t) ++files_manage_var_files(init_t) + + 
auth_use_nsswitch(init_t) + auth_rw_login_records(init_t) +@@ -1525,6 +1533,8 @@ optional_policy(` + + optional_policy(` + postfix_list_spool(initrc_t) ++ #allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl }; ++ postfix_domtrans_map(init_t) + ') + + optional_policy(` diff --git a/fix_iptables.patch b/fix_iptables.patch new file mode 100644 index 0000000..5100015 --- /dev/null +++ b/fix_iptables.patch @@ -0,0 +1,12 @@ +Index: fedora-policy/policy/modules/system/iptables.te +=================================================================== +--- fedora-policy.orig/policy/modules/system/iptables.te 2020-02-19 09:36:25.440182406 +0000 ++++ fedora-policy/policy/modules/system/iptables.te 2020-02-21 12:19:23.060595602 +0000 +@@ -76,6 +76,7 @@ kernel_read_kernel_sysctls(iptables_t) + kernel_read_usermodehelper_state(iptables_t) + kernel_use_fds(iptables_t) + kernel_rw_net_sysctls(iptables_t) ++kernel_rw_pipes(iptables_t) + kernel_search_network_sysctl(iptables_t) + + diff --git a/fix_irqbalance.patch b/fix_irqbalance.patch new file mode 100644 index 0000000..97b2679 --- /dev/null +++ b/fix_irqbalance.patch @@ -0,0 +1,13 @@ +Index: fedora-policy/policy/modules/contrib/irqbalance.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/irqbalance.te 2020-02-19 09:36:31.792283559 +0000 ++++ fedora-policy/policy/modules/contrib/irqbalance.te 2020-02-21 12:18:36.155848163 +0000 +@@ -28,6 +28,8 @@ allow irqbalance_t self:udp_socket creat + manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) + files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) + ++init_nnp_daemon_domain(irqbalance_t) ++ + kernel_read_network_state(irqbalance_t) + kernel_read_system_state(irqbalance_t) + kernel_read_kernel_sysctls(irqbalance_t) diff --git a/fix_locallogin.patch b/fix_locallogin.patch new file mode 100644 index 0000000..6247e22 --- /dev/null +++ b/fix_locallogin.patch 
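Review bot: The commented-out rule `+#allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl };` next to `postfix_domtrans_map(init_t)` is dead text in a shipped patch and should be dropped; the interface call already expresses the intent. The grants `allow init_t self:process { ... execmem }` and `files_manage_var_files(init_t)` are broad for PID 1 (executable anonymous memory, and create/delete of every generic var_t file), so each deserves a one-line comment naming the denial it addresses, e.g. `# execmem: needed for <component, see bug PLACEHOLDER>`, so it can be narrowed later. `files_manage_var_files(init_t)` in the `@@ -689` hunk also appears to subsume the `files_read_var_files(init_t)` added in the `@@ -598` hunk of the same file, leaving the read-only call redundant.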
@@ -0,0 +1,12 @@ +Index: fedora-policy/policy/modules/system/locallogin.te +=================================================================== +--- fedora-policy.orig/policy/modules/system/locallogin.te 2020-02-19 09:36:25.440182406 +0000 ++++ fedora-policy/policy/modules/system/locallogin.te 2020-02-21 08:52:35.961803038 +0000 +@@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t) + kernel_read_kernel_sysctls(local_login_t) + kernel_search_key(local_login_t) + kernel_link_key(local_login_t) ++kernel_getattr_proc(local_login_t) + + corecmd_list_bin(local_login_t) + corecmd_read_bin_symlinks(local_login_t) diff --git a/fix_logging.patch b/fix_logging.patch index f26a61d..d8a64a2 100644 --- a/fix_logging.patch +++ b/fix_logging.patch 
@@ -1,12 +1,21 @@ Index: fedora-policy/policy/modules/system/logging.fc =================================================================== ---- fedora-policy.orig/policy/modules/system/logging.fc 2019-08-22 11:28:09.250979768 +0200 -+++ fedora-policy/policy/modules/system/logging.fc 2019-08-22 11:45:28.360015899 +0200 -@@ -3,6 +3,7 @@ +--- fedora-policy.orig/policy/modules/system/logging.fc 2020-02-24 08:53:21.924002716 +0000 ++++ fedora-policy/policy/modules/system/logging.fc 2020-02-24 13:33:16.353371311 +0000 +@@ -3,6 +3,8 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) -+/var//run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) ++/var/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) ++/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) +@@ -83,6 +85,7 @@ ifdef(`distro_redhat',` + /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) + /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) + /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) ++/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) + /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) + + /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) diff --git a/fix_logrotate.patch b/fix_logrotate.patch new file mode 100644 index 0000000..a640d77 --- /dev/null +++ b/fix_logrotate.patch 
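Review bot: Both `/var/run/rsyslog/additional-log-sockets.conf` and `/run/rsyslog/additional-log-sockets.conf` are listed as `syslog_conf_t`; the package's file_contexts.subs_dist normally maps `/run` to `/var/run`, in which case the second entry is redundant and the two can drift apart on the next refresh. If the duplicate is deliberate because the substitution is not in effect for this path, a short comment above the pair saying so would keep it from being removed later. The new `/var/run/rsyslog(/.*)?` entry has no `/run` twin, which is consistent with relying on the substitution and suggests the `/run/...` line above is the odd one out.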
@@ -0,0 +1,12 @@ +Index: fedora-policy/policy/modules/contrib/logrotate.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/logrotate.te 2020-02-19 09:36:31.796283623 +0000 ++++ fedora-policy/policy/modules/contrib/logrotate.te 2020-02-24 07:54:50.138294492 +0000 +@@ -100,6 +100,7 @@ files_var_lib_filetrans(logrotate_t, log + + kernel_read_system_state(logrotate_t) + kernel_read_kernel_sysctls(logrotate_t) ++files_manage_mounttab(logrotate_t) + + dev_read_urand(logrotate_t) + dev_read_sysfs(logrotate_t) diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch new file mode 100644 index 0000000..e78c78c --- /dev/null +++ b/fix_networkmanager.patch 
@@ -0,0 +1,54 @@ +Index: fedora-policy/policy/modules/contrib/networkmanager.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy/policy/modules/contrib/networkmanager.te +@@ -233,6 +233,9 @@ userdom_read_home_certs(NetworkManager_t + userdom_read_user_home_content_files(NetworkManager_t) + userdom_dgram_send(NetworkManager_t) + ++hostname_exec(NetworkManager_t) ++networkmanager_systemctl(NetworkManager_t) ++ + tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(NetworkManager_t) + ') +@@ -250,6 +253,10 @@ optional_policy(` + ') + + optional_policy(` ++ packagekit_dbus_chat(NetworkManager_t) ++') ++ ++optional_policy(` + bind_domtrans(NetworkManager_t) + bind_manage_cache(NetworkManager_t) + bind_kill(NetworkManager_t) +Index: fedora-policy/policy/modules/contrib/networkmanager.if +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy/policy/modules/contrib/networkmanager.if +@@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran + init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) + ') + ++####################################### ++## ++## Allow reading of NetworkManager link files ++## ++## ++## ++## Domain allowed to read the links ++## ++## ++# ++interface(`networkmanager_initrc_read_lnk_files',` ++ gen_require(` ++ type NetworkManager_initrc_exec_t; ++ ') ++ ++ read_lnk_files_pattern($1, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) ++') ++ + ######################################## + ## + ## Execute NetworkManager server in the NetworkManager domain. diff --git a/fix_nscd.patch b/fix_nscd.patch index caba7f0..8830f9a 100644 --- a/fix_nscd.patch +++ b/fix_nscd.patch 
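Review bot: The new interface `networkmanager_initrc_read_lnk_files` is summarised as `Allow reading of NetworkManager link files`, which a reader will take as network link configuration, while what it grants is `read_lnk_files_pattern` on `NetworkManager_initrc_exec_t`, i.e. reading symlinks that carry the init-script label. Suggest `Read symlinks labelled NetworkManager_initrc_exec_t` for the summary and `Domain allowed to read the symlinks` for the parameter text. In networkmanager.te, `hostname_exec(NetworkManager_t)` and `networkmanager_systemctl(NetworkManager_t)` sit outside any `optional_policy` block unlike the neighbouring calls; if the hostname module can be absent from the minimum policy, the first call should be wrapped the same way.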
@@ -1,7 +1,7 @@ Index: fedora-policy/policy/modules/contrib/nscd.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/nscd.fc 2019-08-05 09:39:48.661670516 +0200 -+++ fedora-policy/policy/modules/contrib/nscd.fc 2019-08-15 14:13:18.681607730 +0200 +--- fedora-policy.orig/policy/modules/contrib/nscd.fc 2020-02-25 10:33:52.706658487 +0000 ++++ fedora-policy/policy/modules/contrib/nscd.fc 2020-02-25 10:33:56.314719506 +0000 @@ -8,8 +8,10 @@ /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) @@ -14,3 +14,18 @@ Index: fedora-policy/policy/modules/contrib/nscd.fc /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) + +Index: fedora-policy/policy/modules/contrib/nscd.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/nscd.te 2020-02-19 09:36:31.804283750 +0000 ++++ fedora-policy/policy/modules/contrib/nscd.te 2020-02-25 10:34:18.611090097 +0000 +@@ -127,6 +127,10 @@ userdom_dontaudit_use_unpriv_user_fds(ns + userdom_dontaudit_search_user_home_dirs(nscd_t) + + optional_policy(` ++ networkmanager_read_pid_files(nscd_t) ++') ++ ++optional_policy(` + accountsd_dontaudit_rw_fifo_file(nscd_t) + ') + diff --git a/fix_ntp.patch b/fix_ntp.patch new file mode 100644 index 0000000..b444775 --- /dev/null +++ b/fix_ntp.patch 
@@ -0,0 +1,39 @@ +Index: fedora-policy/policy/modules/contrib/ntp.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/ntp.fc 2020-02-21 15:59:23.349556504 +0000 ++++ fedora-policy/policy/modules/contrib/ntp.fc 2020-02-21 16:01:41.591761350 +0000 +@@ -16,7 +16,6 @@ + + /usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) + +-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) + /var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) + /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) + +@@ -25,3 +24,26 @@ + /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) + + /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) ++ ++/var/lib/ntp gen_context(system_u:object_r:root_t,s0) ++/var/lib/ntp/kod gen_context(system_u:object_r:etc_runtime_t,s0) ++/var/lib/ntp/dev gen_context(system_u:object_r:device_t,s0) ++/var/lib/ntp/etc gen_context(system_u:object_r:etc_t,s0) ++/var/lib/ntp/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0) ++/var/lib/ntp/etc/ntp/crypto(/.*)? -- gen_context(system_u:object_r:ntpd_key_t,s0) ++/var/lib/ntp/etc/ntp/data(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) ++/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0) ++/var/lib/ntp/etc/ntp.conf.iburst -- gen_context(system_u:object_r:ntp_conf_t,s0) ++/var/lib/ntp/var gen_context(system_u:object_r:var_t,s0) ++/var/lib/ntp/var/lib gen_context(system_u:object_r:var_lib_t,s0) ++/var/lib/ntp/var/run gen_context(system_u:object_r:var_run_t,s0) ++/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/ntp/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/ntp/var/lib/sntp-kod(/.*)? 
gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/ntp/drift gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/ntp/drift/ntp.drift -- gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/ntp/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) ++/var/lib/ntp/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) ++/var/lib/ntp/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) ++/var/lib/ntp/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) diff --git a/fix_policykit.patch b/fix_policykit.patch new file mode 100644 index 0000000..1ce0185 --- /dev/null +++ b/fix_policykit.patch @@ -0,0 +1,13 @@ +Index: fedora-policy/policy/modules/contrib/policykit.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/policykit.te 2020-02-21 13:28:23.080385220 +0000 ++++ fedora-policy/policy/modules/contrib/policykit.te 2020-02-21 13:31:09.023086041 +0000 +@@ -98,6 +98,8 @@ userdom_getattr_all_users(policykit_t) + userdom_read_all_users_state(policykit_t) + userdom_dontaudit_search_admin_dir(policykit_t) + ++policykit_dbus_chat(policykit_t) ++ + optional_policy(` + dbus_system_domain(policykit_t, policykit_exec_t) + diff --git a/postfix_paths.patch b/fix_postfix.patch similarity index 82% rename from postfix_paths.patch rename to fix_postfix.patch index edd7349..abd7860 100644 --- a/postfix_paths.patch +++ b/fix_postfix.patch 
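Review bot: The chroot entries `/var/lib/ntp/etc/ntp/crypto(/.*)? -- gen_context(system_u:object_r:ntpd_key_t,s0)` and `/var/lib/ntp/etc/ntp/data(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)` carry the `--` regular-file qualifier, so the directories `/var/lib/ntp/etc/ntp`, `.../crypto` and `.../data` themselves match none of the new entries and, now that the old `/var/lib/ntp(/.*)?` catch-all is removed, fall back to whatever the generic `/var/lib` rule yields; ntpd_t may then be unable to search its own key and drift directories inside the chroot. Dropping `--` from those two entries and adding an explicit `/var/lib/ntp/etc/ntp gen_context(system_u:object_r:etc_t,s0)` for the parent closes the gap. Labelling `/var/lib/ntp` itself as `root_t` also deserves a comment such as `# ntpd chroot root, mirrors / layout below` so the next reader does not take it for a mistake.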
@@ -1,11 +1,11 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/postfix.fc 2019-08-05 09:39:48.669670650 +0200 -+++ fedora-policy/policy/modules/contrib/postfix.fc 2019-08-14 11:11:26.195163409 +0200 -@@ -1,36 +1,19 @@ - # postfix +--- fedora-policy.orig/policy/modules/contrib/postfix.fc 2020-02-25 10:34:35.875376865 +0000 ++++ fedora-policy/policy/modules/contrib/postfix.fc 2020-02-25 10:34:37.719407494 +0000 +@@ -2,36 +2,19 @@ /etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) /etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) + /etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0) -ifdef(`distro_redhat', ` -/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) @@ -51,7 +51,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -44,6 +27,9 @@ ifdef(`distro_redhat', ` +@@ -45,6 +28,9 @@ ifdef(`distro_redhat', ` /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) 
@@ -61,3 +61,20 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) +Index: fedora-policy/policy/modules/contrib/postfix.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/postfix.te 2020-02-19 09:36:31.820284005 +0000 ++++ fedora-policy/policy/modules/contrib/postfix.te 2020-02-25 10:35:55.544700764 +0000 +@@ -447,6 +447,12 @@ logging_send_syslog_msg(postfix_map_t) + + userdom_use_inherited_user_ptys(postfix_map_t) + ++corecmd_exec_bin(postfix_map_t) ++ ++optional_policy(` ++ mta_read_aliases(postfix_map_t) ++') ++ + optional_policy(` + locallogin_dontaudit_use_fds(postfix_map_t) + ') diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch new file mode 100644 index 0000000..fb0148d --- /dev/null +++ b/fix_selinuxutil.patch @@ -0,0 +1,26 @@ +Index: fedora-policy/policy/modules/system/selinuxutil.te +=================================================================== +--- fedora-policy.orig/policy/modules/system/selinuxutil.te 2020-02-19 09:36:25.444182470 +0000 ++++ fedora-policy/policy/modules/system/selinuxutil.te 2020-02-24 07:57:26.556813139 +0000 +@@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',` + ') + + optional_policy(` ++ packagekit_read_write_fifo(load_policy_t) ++') ++ ++optional_policy(` + portage_dontaudit_use_fds(load_policy_t) + ') + +@@ -613,6 +617,10 @@ logging_send_audit_msgs(setfiles_t) + logging_send_syslog_msg(setfiles_t) + + optional_policy(` ++ packagekit_read_write_fifo(setfiles_t) ++') ++ ++optional_policy(` + cloudform_dontaudit_write_cloud_log(setfiles_t) + ') + diff --git a/fix_snapper.patch b/fix_snapper.patch new file mode 100644 index 0000000..ba4b6f0 --- /dev/null +++ b/fix_snapper.patch 
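Review bot: `corecmd_exec_bin(postfix_map_t)` in the new postfix.te hunk lets the postmap domain execute every bin_t program without a domain transition, which is a broad widening for a helper whose other rules here are narrow, and nothing in the patch records which binary triggered it. If the need is one specific program, a `can_exec` on a dedicated type keeps postfix_map_t tighter; at minimum add `# postmap executes <program> when <context>` above the line so the grant can be re-evaluated later. The `mta_read_aliases` addition is correctly wrapped in optional_policy; the surrounding postfix_map_t rule block continues outside the hunk.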
@@ -0,0 +1,15 @@ +Index: fedora-policy/policy/modules/contrib/snapper.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/snapper.te 2020-02-19 09:36:31.880284960 +0000 ++++ fedora-policy/policy/modules/contrib/snapper.te 2020-02-24 10:57:10.311792681 +0000 +@@ -73,6 +73,10 @@ storage_raw_read_fixed_disk(snapperd_t) + auth_use_nsswitch(snapperd_t) + + optional_policy(` ++ packagekit_dbus_chat(snapperd_t) ++') ++ ++optional_policy(` + cron_system_entry(snapperd_t, snapperd_exec_t) + ') + diff --git a/fix_systemd.patch b/fix_systemd.patch new file mode 100644 index 0000000..b7dc35f --- /dev/null +++ b/fix_systemd.patch @@ -0,0 +1,15 @@ +Index: fedora-policy/policy/modules/system/systemd.te +=================================================================== +--- fedora-policy.orig/policy/modules/system/systemd.te 2020-02-19 09:36:25.444182470 +0000 ++++ fedora-policy/policy/modules/system/systemd.te 2020-02-24 10:56:11.762848157 +0000 +@@ -328,6 +328,10 @@ userdom_manage_user_tmp_chr_files(system + xserver_dbus_chat(systemd_logind_t) + + optional_policy(` ++ packagekit_dbus_chat(systemd_logind_t) ++') ++ ++optional_policy(` + apache_read_tmp_files(systemd_logind_t) + ') + diff --git a/fix_unconfined.patch b/fix_unconfined.patch new file mode 100644 index 0000000..261628c --- /dev/null +++ b/fix_unconfined.patch 
@@ -0,0 +1,22 @@ +Index: fedora-policy/policy/modules/system/unconfined.te +=================================================================== +--- fedora-policy.orig/policy/modules/system/unconfined.te 2020-02-19 09:36:25.444182470 +0000 ++++ fedora-policy/policy/modules/system/unconfined.te 2020-02-24 15:14:59.222899685 +0000 +@@ -1,5 +1,10 @@ + policy_module(unconfined, 3.5.0) + ++require { ++ type var_run_t; ++ type net_conf_t; ++} ++ + ######################################## + # + # Declarations +@@ -39,3 +44,6 @@ optional_policy(` + optional_policy(` + container_runtime_domtrans(unconfined_service_t) + ') ++ ++filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir) ++ diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch new file mode 100644 index 0000000..511dfcd --- /dev/null +++ b/fix_unconfineduser.patch @@ -0,0 +1,15 @@ +Index: fedora-policy/policy/modules/roles/unconfineduser.te +=================================================================== +--- fedora-policy.orig/policy/modules/roles/unconfineduser.te 2020-02-19 09:36:25.436182342 +0000 ++++ fedora-policy/policy/modules/roles/unconfineduser.te 2020-02-25 08:24:07.992702226 +0000 +@@ -244,6 +244,10 @@ optional_policy(` + dbus_stub(unconfined_t) + + optional_policy(` ++ systemd_dbus_chat_logind(unconfined_dbusd_t) ++ ') ++ ++ optional_policy(` + bluetooth_dbus_chat(unconfined_t) + ') + diff --git a/fix_xserver.patch b/fix_xserver.patch index 04e2aa2..14f6700 100644 --- a/fix_xserver.patch +++ b/fix_xserver.patch 
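Review bot: The unnamed `filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir)` in unconfined.te applies to every directory unconfined_service_t creates inside a var_run_t directory, so any service running in that domain gets its /run subdirectories labelled net_conf_t, not just the network-related one this is presumably for. Naming the transition, e.g. `filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir, "<dir from the denial>")`, or using the sysnetwork module's own filetrans interface if this tree has one, limits it to the intended path. Pulling `var_run_t` and `net_conf_t` in through a raw `require` block also bypasses the files/sysnetwork interfaces, which is the pattern the removed temp_fixes modules used; the interface form keeps the dependency visible to the build.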
@@ -1,8 +1,24 @@ Index: fedora-policy/policy/modules/services/xserver.fc =================================================================== ---- fedora-policy.orig/policy/modules/services/xserver.fc 2019-08-05 09:39:39.113510611 +0200 -+++ fedora-policy/policy/modules/services/xserver.fc 2019-08-22 11:44:16.178832073 +0200 -@@ -133,6 +133,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ +--- fedora-policy.orig/policy/modules/services/xserver.fc ++++ fedora-policy/policy/modules/services/xserver.fc +@@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ + /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) + /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) + /etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) ++/etc/X11/xdm/Xsetup -- gen_context(system_u:object_r:xsession_exec_t,s0) + /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) + /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) + +@@ -102,6 +103,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ + + /usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/lib/sddm/sddm-helper -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) + /usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) +@@ -135,6 +137,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) 
@@ -10,3 +26,18 @@ Index: fedora-policy/policy/modules/services/xserver.fc ifndef(`distro_debian',` /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ') +Index: fedora-policy/policy/modules/services/xserver.te +=================================================================== +--- fedora-policy.orig/policy/modules/services/xserver.te ++++ fedora-policy/policy/modules/services/xserver.te +@@ -477,6 +477,10 @@ userdom_delete_user_home_content_files(x + userdom_signull_unpriv_users(xdm_t) + userdom_dontaudit_read_admin_home_lnk_files(xdm_t) + ++files_manage_generic_pids_symlinks(xdm_t) ++userdom_manage_user_home_content_dirs(xdm_t) ++userdom_manage_user_home_content_files(xdm_t) ++ + # Allow gdm to run gdm-binary + can_exec(xdm_t, xdm_exec_t) + can_exec(xdm_t, xsession_exec_t) diff --git a/minimum_temp_fixes.fc b/minimum_temp_fixes.fc deleted file mode 100644 index 473a0f4..0000000 diff --git a/minimum_temp_fixes.if b/minimum_temp_fixes.if deleted file mode 100644 index 5846dc1..0000000 --- a/minimum_temp_fixes.if +++ /dev/null @@ -1 +0,0 @@ -## diff --git a/minimum_temp_fixes.te b/minimum_temp_fixes.te deleted file mode 100644 index 13534a8..0000000 --- a/minimum_temp_fixes.te +++ /dev/null 
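Review bot: The two new `userdom_manage_user_home_content_*` rules in xserver.te give xdm_t unconditional create/write/unlink rights on every user's home content, and the `# KDE write to home directories` comment that the deleted targeted_temp_fixes module carried for this grant is lost here. If this tree still has the `xdm_write_home` tunable that Fedora's xserver.te uses for exactly this case, wrapping the two lines in a tunable_policy block on it keeps the default tighter; if not, at least carry the comment over and say which display manager/session needs it. `files_manage_generic_pids_symlinks(xdm_t)` is unrelated to the home-directory change and deserves its own one-line why. The xdm_t rule block continues outside the hunk.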
@@ -1,95 +0,0 @@ -policy_module(minimum_temp_fixes, 1.0) - -require { - type sshd_t; - type lib_t; - type init_t; - type unconfined_t; - type systemd_localed_t; - type systemd_logind_t; - type unconfined_service_t; - type chkpwd_t; - type bin_t; - type fsadm_t; - type getty_t; - type systemd_tmpfiles_t; - type systemd_systemctl_exec_t; - type unconfined_dbusd_t; - type rtkit_daemon_t; - type system_dbusd_t; - class dir mounton; - class dbus { acquire_svc send_msg }; - class nscd { getgrp shmemgrp shmemhost shmempwd getpwd gethost getserv shmemserv }; - class process { execmem transition }; - class file { entrypoint execmod }; -} - -#============= chkpwd_t ============== -allow chkpwd_t unconfined_service_t:nscd { shmempwd getpwd }; -files_map_var_lib_files(chkpwd_t) -files_read_var_lib_files(chkpwd_t) -files_write_generic_pid_sockets(chkpwd_t) - -#============= fsadm_t ============== -allow fsadm_t unconfined_service_t:nscd { shmemgrp shmempwd }; - -#============= getty_t ============== -allow getty_t unconfined_service_t:nscd shmemgrp; -files_map_var_lib_files(getty_t) -files_read_var_lib_files(getty_t) -files_write_generic_pid_sockets(getty_t) - -#============= init_t ============== -allow init_t bin_t:dir mounton; -allow init_t lib_t:dir mounton; -allow init_t self:process execmem; -allow init_t unconfined_service_t:dbus { acquire_svc send_msg }; -allow init_t unconfined_service_t:nscd { gethost getserv shmemhost shmemserv shmemgrp shmempwd getpwd }; -files_manage_generic_spool(init_t) -corenet_udp_bind_generic_node(init_t) -files_map_var_lib_files(init_t) -files_read_var_files(init_t) -files_manage_var_files(init_t) -storage_raw_read_removable_device(init_t) - -#============= sshd_t ============== -allow sshd_t unconfined_service_t:nscd { shmemgrp shmemhost shmempwd getgrp getpwd }; -files_exec_generic_pid_files(sshd_t) -files_map_var_lib_files(sshd_t) -files_read_var_lib_files(sshd_t) -files_write_generic_pid_sockets(sshd_t) 
-unconfined_server_dbus_chat(sshd_t) - -#============= systemd_localed_t ============== -allow systemd_localed_t unconfined_service_t:dbus { acquire_svc send_msg }; -files_write_generic_pid_sockets(systemd_localed_t) - -#============= systemd_logind_t ============== -allow systemd_logind_t unconfined_service_t:dbus { acquire_svc send_msg }; -allow systemd_logind_t unconfined_service_t:nscd { shmempwd getpwd }; -files_map_var_lib_files(systemd_logind_t) -files_read_var_lib_files(systemd_logind_t) -files_write_generic_pid_sockets(systemd_logind_t) -systemd_dbus_chat_logind(systemd_logind_t) - -#============= systemd_tmpfiles_t ============== -allow systemd_tmpfiles_t unconfined_service_t:nscd { getpwd getgrp shmemgrp shmempwd }; -files_map_var_lib_files(systemd_tmpfiles_t) - -#============= unconfined_service_t ============== -allow unconfined_service_t unconfined_t:process transition; -init_dbus_chat(unconfined_service_t) -unconfined_server_dbus_chat(unconfined_service_t) - -#============= unconfined_t ============== -allow unconfined_t systemd_systemctl_exec_t:file entrypoint; -allow unconfined_t unconfined_service_t:nscd { shmemgrp shmempwd getgrp gethost getpwd getserv shmemhost shmemserv }; - -#============= unconfined_dbusd_t ============== -allow unconfined_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd }; - -#============= rtkit_daemon_t ============== -allow rtkit_daemon_t unconfined_service_t:nscd { getpwd shmempwd }; - -#============= system_dbusd_t ============== -allow system_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd }; diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf index 42d49a3..8774301 100644 --- a/modules-minimum-base.conf +++ b/modules-minimum-base.conf @@ -406,13 +406,6 @@ kdbus = module # rpm = module -# Layer: contrib -# Module: minimum_temp_fixes -# -# Temporary fixes for the minimum policy. -# -minimum_temp_fixes = module - # Layer: contrib # Module: packagekit # 
diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf index f2e2ca2..80f7c5d 100644 --- a/modules-targeted-base.conf +++ b/modules-targeted-base.conf @@ -399,13 +399,6 @@ unconfined = module # kdbus = module -# Layer: contrib -# Module: targeted_temp_fixes -# -# Temporary fixes for the targeted policy. -# -targeted_temp_fixes = module - # Layer: contrib # Module: packagekit # diff --git a/packagekit.if b/packagekit.if index d9235e0..a9d1918 100644 --- a/packagekit.if +++ b/packagekit.if @@ -1,2 +1,40 @@ ## A temporary policy for packagekit. +######################################## +## +## Allow reading of fifo files +## +## +## +## Domain allowed to mange files +## +## +# +interface(`packagekit_read_write_fifo',` + gen_require(` + type packagekit_t; + ') + + allow $1 packagekit_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## +## Send and receive messages from +## packagekit over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`packagekit_dbus_chat',` + gen_require(` + type packagekit_t; + class dbus send_msg; + ') + + allow $1 packagekit_t:dbus send_msg; + allow packagekit_t $1:dbus send_msg; +') diff --git a/packagekit.te b/packagekit.te index b0e373f..090ccb7 100644 --- a/packagekit.te +++ b/packagekit.te 
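Review bot: The header of `packagekit_read_write_fifo` in packagekit.if says "Allow reading of fifo files" for a "Domain allowed to mange files", but the rule it emits is `rw_inherited_fifo_file_perms`, i.e. read and write on already-inherited FIFOs with no open; the summary should read `## Read and write inherited packagekit fifo files.` and the parameter `## Domain allowed access.` (also fixing the "mange" typo). Since the callers in selinuxutil.te are load_policy_t and setfiles_t, presumably given pipes by PackageKit, saying "inherited" in the doc is what tells a reader why no open permission is granted. `packagekit_dbus_chat` is documented accurately.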
@@ -9,29 +9,30 @@ type packagekit_t; type packagekit_exec_t; init_daemon_domain(packagekit_t,packagekit_exec_t) -permissive packagekit_t; - type packagekit_unit_file_t; systemd_unit_file(packagekit_unit_file_t) type packagekit_var_lib_t; files_type(packagekit_var_lib_t) -#allow packagekit_t self:tcp_socket create_stream_socket_perms; -# -#manage_dirs_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t) -#manage_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t) -#manage_lnk_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t) -#files_var_lib_filetrans(packagekit_t, packagekit_var_lib_t, dir) -# -#kernel_read_unix_sysctls(packagekit_t) -#kernel_read_net_sysctls(packagekit_t) -# -#corenet_tcp_bind_generic_node(packagekit_t) -# -#corenet_tcp_bind_kubernetes_port(packagekit_t) -#corenet_tcp_bind_afs3_callback_port(packagekit_t) -# -#fs_getattr_xattr_fs(packagekit_t) -# -#logging_send_syslog_msg(packagekit_t) +unconfined_dbus_chat(packagekit_t) +init_dbus_chat(packagekit_t) +optional_policy(` + policykit_dbus_chat(packagekit_t) +') + +optional_policy(` + unconfined_domain(packagekit_t) +') + +optional_policy(` + snapper_dbus_chat(packagekit_t) +') + +optional_policy(` + systemd_dbus_chat_logind(packagekit_t) +') + +optional_policy(` + rpm_transition_script(packagekit_t,system_r) +') diff --git a/rpmlintrc b/rpmlintrc deleted file mode 100644 index 6e3208f..0000000 --- a/rpmlintrc +++ /dev/null @@ -1,2 +0,0 @@ -# this is intentional -addFilter("W: files-duplicate") diff --git a/selinux-policy-rpmlintrc b/selinux-policy-rpmlintrc index 74b3c35..b3f69e8 100644 --- a/selinux-policy-rpmlintrc +++ b/selinux-policy-rpmlintrc 
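Review bot: This hunk drops `permissive packagekit_t;` but adds `unconfined_domain(packagekit_t)` in optional_policy, so the daemon moves from a logging-only domain to a fully unconfined one rather than to a confined policy, while packagekit.if still calls this "A temporary policy" and nothing in packagekit.te says whether unconfined is the intended end state. Add a comment above the block such as `# TODO: packagekit_t is intentionally unconfined until its backend is profiled; remove unconfined_domain once the rules below suffice`. With unconfined_domain in effect the init/policykit/snapper/logind chat rules are presumably redundant (refpolicy's unconfined_domain pulls in dbus_unconfined, but verify for this tree), so state whether they are kept on purpose as the future confined set. `rpm_transition_script(packagekit_t, system_r)` by its name lets packagekit enter the rpm scriptlet domain and deserves its own one-line why.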
@@ -3,16 +3,7 @@ addFilter("W: zero-length /etc/selinux/.*") addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512") addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512") addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512") -addFilter("W: files-duplicate /etc/selinux/minimum/seusers /etc/selinux/minimum/modules/active/seusers.final") -addFilter("W: files-duplicate /etc/selinux/minimum/contexts/files/file_contexts /etc/selinux/minimum/modules/active/file_contexts") -addFilter("W: files-duplicate /etc/selinux/minimum/modules/active/file_contexts.homedirs /etc/selinux/minimum/contexts/files/file_contexts.homedirs") -addFilter("W: files-duplicate /etc/selinux/targeted/modules/active/seusers.final /etc/selinux/targeted/seusers") -addFilter("W: files-duplicate /etc/selinux/targeted/modules/active/file_contexts /etc/selinux/targeted/contexts/files/file_contexts") -addFilter("W: files-duplicate /etc/selinux/targeted/contexts/files/file_contexts.homedirs /etc/selinux/targeted/modules/active/file_contexts.homedirs") -addFilter("W: files-duplicate /etc/selinux/mls/modules/active/seusers.final /etc/selinux/mls/seusers") -addFilter("W: files-duplicate /etc/selinux/mls/modules/active/file_contexts /etc/selinux/mls/contexts/files/file_contexts") -addFilter("W: files-duplicate /etc/selinux/mls/contexts/files/file_contexts.homedirs /etc/selinux/mls/modules/active/file_contexts.homedirs") -addFilter("E: files-duplicated-waste") -addFilter("E: files-duplicated-waste") +addFilter("W: files-duplicate") addFilter("E: files-duplicated-waste") +addFilter("W: zero-length") diff --git a/selinux-policy.changes b/selinux-policy.changes index 5d926a8..6342c60 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
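Review bot: Replacing the nine path-specific files-duplicate filters with a bare `addFilter("W: files-duplicate")` and adding an unscoped `addFilter("W: zero-length")` suppresses those warnings for every file in the package, not just the /etc/selinux store copies that are known duplicates, so a future packaging mistake of the same kind would go unreported. The first line of the file already carries the scoped `addFilter("W: zero-length /etc/selinux/.*")`, which the new unscoped line makes redundant. If the explicit path list was too brittle across policy types, a bounded pattern such as `addFilter("W: files-duplicate /etc/selinux/.*")` keeps the suppression limited to the store.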
@@ -1,3 +1,42 @@ +------------------------------------------------------------------- +Wed Feb 19 09:21:24 UTC 2020 - Johannes Segitz + +- Update to version 20200219 + Refreshed fix_hadoop.patch + Updated + * fix_dbus.patch + * fix_hadoop.patch + * fix_nscd.patch + * fix_xserver.patch + Renamed postfix_paths.patch to fix_postfix.patch + Added + * fix_init.patch + * fix_locallogin.patch + * fix_policykit.patch + * fix_iptables.patch + * fix_irqbalance.patch + * fix_ntp.patch + * fix_fwupd.patch + * fix_firewalld.patch + * fix_logrotate.patch + * fix_selinuxutil.patch + * fix_corecommand.patch + * fix_snapper.patch + * fix_systemd.patch + * fix_unconfined.patch + * fix_unconfineduser.patch + * fix_chronyd.patch + * fix_networkmanager.patch + * xdm_entrypoint_pam.patch +- Removed modules minimum_temp_fixes and targeted_temp_fixes + from the corresponding policies +- Reduced default module list of minimum policy by removing + apache inetd nis postfix mta modules +- Adding/removing necessary pam config automatically +- Minimum and targeted policy: Enable domain_can_mmap_files by default +- Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and + selinuxuser_execstack to have safe defaults + ------------------------------------------------------------------- Mon Aug 9 12:11:28 UTC 2019 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 259411d..98d15bf 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -70,9 +70,9 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20190609 +Version: 20200219 Release: 0 -Source: fedora-policy.20190802.tar.bz2 +Source: fedora-policy.%{version}.tar.bz2 Source10: modules-targeted-base.conf Source11: modules-targeted-contrib.conf 
@@ -107,14 +107,6 @@ Source92: customizable_types #Source93: config.tgz Source94: file_contexts.subs_dist -Source100: minimum_temp_fixes.te -Source101: minimum_temp_fixes.if -Source102: minimum_temp_fixes.fc - -Source110: targeted_temp_fixes.te -Source111: targeted_temp_fixes.if -Source112: targeted_temp_fixes.fc - Source120: packagekit.te Source121: packagekit.if Source122: packagekit.fc @@ -125,12 +117,30 @@ Patch003: fix_gift.patch Patch004: fix_java.patch Patch005: fix_hadoop.patch Patch006: fix_thunderbird.patch -Patch007: postfix_paths.patch +Patch007: fix_postfix.patch Patch008: fix_nscd.patch Patch009: fix_sysnetwork.patch Patch010: fix_logging.patch Patch011: fix_xserver.patch Patch012: fix_miscfiles.patch +Patch013: fix_init.patch +Patch014: fix_locallogin.patch +Patch015: fix_policykit.patch +Patch016: fix_iptables.patch +Patch017: fix_irqbalance.patch +Patch018: fix_ntp.patch +Patch019: fix_fwupd.patch +Patch020: fix_firewalld.patch +Patch021: fix_logrotate.patch +Patch022: fix_selinuxutil.patch +Patch024: fix_corecommand.patch +Patch025: fix_snapper.patch +Patch026: fix_systemd.patch +Patch027: fix_unconfined.patch +Patch028: fix_unconfineduser.patch +Patch029: fix_chronyd.patch +Patch030: fix_networkmanager.patch +Patch031: xdm_entrypoint_pam.patch Patch100: sedoctool.patch @@ -150,8 +160,10 @@ BuildRequires: python BuildRequires: python-xml #BuildRequires: selinux-policy-devel # we need selinuxenabled -Requires(post): selinux-tools Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): pam-config +Requires(post): pam-config +Requires(post): selinux-tools Requires(post): /bin/awk /usr/bin/sha512sum Recommends: audit Recommends: selinux-tools 
@@ -349,6 +361,24 @@ systems and used as the basis for creating other policies. %patch010 -p1 %patch011 -p1 %patch012 -p1 +%patch013 -p1 +%patch014 -p1 +%patch015 -p1 +%patch016 -p1 +%patch017 -p1 +%patch018 -p1 +%patch019 -p1 +%patch020 -p1 +%patch021 -p1 +%patch022 -p1 +%patch024 -p1 +%patch025 -p1 +%patch026 -p1 +%patch027 -p1 +%patch028 -p1 +%patch029 -p1 +%patch030 -p1 +%patch031 -p1 %patch100 -p1 @@ -374,16 +404,10 @@ done make clean %if %{BUILD_TARGETED} -for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do - cp $i policy/modules/contrib -done %makeConfig targeted mcs n deny contrib %installCmds targeted mcs n allow %modulesList targeted %endif -for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do - rm policy/modules/contrib/$(basename $i) -done %if %{BUILD_MLS} %makeConfig mls mls n deny contrib @@ -392,9 +416,6 @@ done %endif %if %{BUILD_MINIMUM} -for i in %{SOURCE100} %{SOURCE101} %{SOURCE102}; do - cp $i policy/modules/contrib -done %makeConfig minimum mcs n deny contrib %installCmds minimum mcs n allow install -m0644 %{SOURCE18} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \ @@ -434,6 +455,9 @@ else [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers fi %tmpfiles_create %_tmpfilesdir/selinux-policy.conf +if [ $1 -eq 1 ]; then + pam-config -a --selinux +fi exit 0 %global post_un() \ @@ -443,6 +467,7 @@ if [ $1 -eq 0 ]; then \ if [ -s %{_sysconfdir}/selinux/config ]; then \ sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \ fi \ + pam-config -d --selinux \ fi \ exit 0 
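Review bot: The new `pam-config -a --selinux` in %post runs only when `$1 -eq 1`, i.e. on first install, so hosts upgrading from the previous package (which, as far as this diff shows, never added the entry) keep running without pam_selinux even though the changelog says the PAM config is now handled automatically; if that is intended, say so in a comment, otherwise drop the guard or key it on the old version. Its exit status is also discarded by the unconditional `exit 0` that follows, so a missing or failing pam-config leaves the login stack without the SELinux session module and reports nothing; `pam-config -a --selinux || echo "selinux-policy: pam-config -a --selinux failed" >&2` keeps the scriptlet non-fatal but visible. The same applies to the `pam-config -d --selinux \` added to post_un.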
@@ -534,14 +559,12 @@ fi %post minimum contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst` basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` -if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then - mkdir /var/lib/selinux/minimum/active/modules/disabled -fi +mkdir -p /var/lib/selinux/minimum/active/modules/disabled 2>/dev/null if [ $1 -eq 1 ]; then for p in $contribpackages; do touch /var/lib/selinux/minimum/active/modules/disabled/$p done -for p in $basepackages apache dbus inetd kerberos mta nis nscd rpm postfix rtkit; do +for p in $basepackages dbus kerberos nscd rpm rtkit; do rm -f /var/lib/selinux/minimum/active/modules/disabled/$p done /usr/sbin/semanage import -S minimum -f - << __eof @@ -555,7 +578,7 @@ instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` for p in $contribpackages; do touch /var/lib/selinux/minimum/active/modules/disabled/$p done -for p in $instpackages apache dbus inetd kerberos mta nis nscd postfix rtkit; do +for p in $instpackages dbus kerberos nscd rtkit; do rm -f /var/lib/selinux/minimum/active/modules/disabled/$p done /usr/sbin/semodule -B -s minimum diff --git a/targeted_temp_fixes.fc b/targeted_temp_fixes.fc deleted file mode 100644 index 473a0f4..0000000 diff --git a/targeted_temp_fixes.if b/targeted_temp_fixes.if deleted file mode 100644 index 5846dc1..0000000 --- a/targeted_temp_fixes.if +++ /dev/null @@ -1 +0,0 @@ -## diff --git a/targeted_temp_fixes.te b/targeted_temp_fixes.te deleted file mode 100644 index 61b1d82..0000000 --- a/targeted_temp_fixes.te +++ /dev/null 
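Review bot: In the rewritten install branch of %post minimum the force-enabled list is `$basepackages dbus kerberos nscd rpm rtkit`, while the rewritten upgrade branch a few lines down uses `$instpackages dbus kerberos nscd rtkit` without rpm; the difference predates this change, but since both lines are rewritten here it is the moment to align them or add a comment explaining why rpm is only re-enabled on fresh installs. The `2>/dev/null` on the new `mkdir -p` hides a failure that would then make every following `touch` fail with its own noise; `mkdir -p` is already silent when the directory exists, so the redirect can simply be dropped.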
@@ -1,54 +0,0 @@ -policy_module(targeted_temp_fixes, 1.0) - -require { - type iptables_t; - type nscd_t; - type lib_t; - type bin_t; - type init_t; - type irqbalance_t; - type iptables_var_lib_t; - type postfix_master_t; - type firewalld_t; - type postfix_map_exec_t; - type xdm_t; - type groupadd_t; - type useradd_t; - class netlink_selinux_socket { bind create }; - class dir { add_name mounton write }; - class file { create execute execute_no_trans getattr ioctl lock open read }; -} - -#============= firewalld_t ============== -allow firewalld_t iptables_var_lib_t:dir { add_name write }; -allow firewalld_t iptables_var_lib_t:file { create lock open read }; - -#============= init_t ============== -allow init_t bin_t:dir mounton; -allow init_t lib_t:dir mounton; -allow init_t postfix_map_exec_t:file { execute execute_no_trans getattr ioctl open read }; -files_rw_var_files(init_t) -fwupd_manage_cache_dirs(init_t) -ntp_read_drift_files(init_t) - -#============= iptables_t ============== -kernel_rw_pipes(iptables_t) - -#============= irqbalance_t ============== -init_nnp_daemon_domain(irqbalance_t) - -#============= nscd_t ============== -files_exec_generic_pid_files(nscd_t) - -#============= postfix_master_t ============== -files_read_var_lib_files(postfix_master_t) -files_read_var_lib_symlinks(postfix_master_t) - -#============= xdm_t ============== -# KDE write to home directories -userdom_manage_user_home_content_files(xdm_t) - -#============= groupadd_t ============== allow groupadd_t self:netlink_selinux_socket { bind create }; -allow useradd_t self:netlink_selinux_socket { bind create }; -selinux_compute_access_vector(groupadd_t) -selinux_compute_access_vector(useradd_t) diff --git a/xdm_entrypoint_pam.patch b/xdm_entrypoint_pam.patch new file mode 100644 index 0000000..b56d11c --- /dev/null +++ b/xdm_entrypoint_pam.patch 
@@ -0,0 +1,43 @@ +Index: fedora-policy/policy/modules/roles/unconfineduser.te +=================================================================== +--- fedora-policy.orig/policy/modules/roles/unconfineduser.te ++++ fedora-policy/policy/modules/roles/unconfineduser.te +@@ -126,6 +126,10 @@ optional_policy(` + ') + + optional_policy(` ++ xdm_entrypoint(unconfined_t) ++ ') ++ ++ optional_policy(` + abrt_dbus_chat(unconfined_t) + abrt_run_helper(unconfined_t, unconfined_r) + ') +Index: fedora-policy/policy/modules/services/xserver.if +=================================================================== +--- fedora-policy.orig/policy/modules/services/xserver.if ++++ fedora-policy/policy/modules/services/xserver.if +@@ -507,6 +507,23 @@ interface(`xserver_domtrans_xdm',` + domtrans_pattern($1, xdm_exec_t, xdm_t) + ') + ++######################################## ++## ++## Allow any xdm_exec_t to be an entrypoint of this domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`xdm_entrypoint',` ++ gen_require(` ++ type xdm_exec_t; ++ ') ++ allow $1 xdm_exec_t:file entrypoint; ++') + + ######################################## + ##
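Review bot: The new interface in xserver.if is named `xdm_entrypoint`, but every interface in that file — see `xserver_domtrans_xdm` directly above it in the hunk — carries the module prefix, so it should be `xserver_xdm_entrypoint` (with the caller in unconfineduser.te updated) to keep the refpolicy naming convention the build tooling and docs rely on. Its effect is that any xdm_exec_t binary can be an entrypoint into unconfined_t, which bypasses the xdm_t confinement that `domtrans_pattern` establishes, so the summary should say what it is for; the patch name suggests a PAM session helper, in which case something like `## Allow xdm_exec_t files to be an entrypoint of the domain. Needed when the display manager is started from an unconfined PAM session instead of via xserver_domtrans_xdm.` tells a reader that unconfined_t is the only intended caller.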