pool/selinux-policy
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 832021 from security:SELinux

Browse Source 
Policy is in better state now and should be fine for people with basic SELinux knowledge

OBS-URL: https://build.opensuse.org/request/show/832021
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=1
This commit is contained in:
Dominique Leuenberger 2020-10-06 15:06:19 +00:00 committed by Git OBS Bridge
parent 83a39a4ddd
commit 3de9778fbc
71 changed files with 617 additions and 2051 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
booleans-minimum.conf
View File

@ -4,19 +4,19 @@ allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
allow_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
allow_execstack = true
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
allow_ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
allow_ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
@ -24,7 +24,7 @@ allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
allow_gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
@ -32,7 +32,7 @@ allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
allow_httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
@ -44,7 +44,7 @@ allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
allow_saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
@ -56,7 +56,7 @@ allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
allow_zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
@ -148,35 +148,55 @@ user_ping = false
# allow host key based authentication
#
ssh_keysign = false
allow_ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
#
read_untrusted_content = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow regular users direct mouse access
#
user_direct_mouse = false
# Allow users to read system messages.
#
user_dmesg = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
user_rw_noexattrfile = false
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow w to display everyone
#
user_ttyfile_stat = false
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
#
write_untrusted_content = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
allow_daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
allow_polyinstantiation = false
# Allow all domains to dump core
#
daemons_dump_core = true
allow_daemons_dump_core = true
# Allow samba to act as the domain controller
#
@ -188,24 +208,36 @@ samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
allow_xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
allow_guest_exec_content = false
allow_xguest_exec_content = false
# Only allow browser to use the web
#
browser_confine_xguest=false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
allow_postfix_local_write_mail_spool=false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
user_rw_noexattrfile=true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
qemu_full_network=true
# Allow nsplugin execmem/execstack for bad plugins
#
allow_nsplugin_execmem=true
# Allow unconfined domain to transition to confined domain
#
allow_unconfined_nsplugin_transition=true
# System uses init upstart program
#
@ -213,20 +245,9 @@ init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
allow_mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

236
booleans-mls.conf
View File

@ -1,232 +1,6 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
kerberos_enabled = true
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = false
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = false
polyinstantiation_enabled = true
ftpd_is_daemon = true
selinuxuser_ping = true
xserver_object_manager = true

245
booleans-targeted.conf
View File

@ -1,232 +1,23 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
kerberos_enabled = true
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nfs_export_all_ro = true
nfs_export_all_rw = true
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true
openvpn_enable_homedirs = true
postfix_local_write_mail_spool= true
pppd_can_insmod = false
privoxy_connect_any = true
selinuxuser_direct_dri_enabled = true
selinuxuser_rw_noexattrfile = true
selinuxuser_ping = true
squid_connect_any = true
telepathy_tcp_connect_generic_network_ports=true
unconfined_chrome_sandbox_transition=true
unconfined_mozilla_plugin_transition=true
xguest_exec_content = true
mozilla_plugin_can_network_connect = true
# Allow all domains to mmap files
domain_can_mmap_files = true

209
distro_suse_to_distro_redhat.patch
View File

@ -1,209 +0,0 @@
Index: fedora-policy-20221019/policy/modules/contrib/apache.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/apache.fc
+++ fedora-policy-20221019/policy/modules/contrib/apache.fc
@@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-ifdef(`distro_suse', `
+ifdef(`distro_redhat', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
+++ fedora-policy-20221019/policy/modules/contrib/cron.fc
@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',`
/var/spool/cron/lastrun/[^/]* -- <<none>>
')
-ifdef(`distro_suse', `
+ifdef(`distro_redhat', `
/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
@@ -70,7 +70,7 @@ ifdef(`distro_gentoo',`
/var/spool/cron/lastrun/[^/]* -- <<none>>
')
-ifdef(`distro_suse', `
+ifdef(`distro_redhat', `
/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc
+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc
@@ -80,7 +80,7 @@ ifdef(`distro_redhat', `
/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
# SuSE
-ifdef(`distro_suse', `
+ifdef(`distro_redhat', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/corecommands.fc
+++ fedora-policy-20221019/policy/modules/kernel/corecommands.fc
@@ -462,7 +462,7 @@ ifdef(`distro_redhat', `
/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0)
')
-ifdef(`distro_suse', `
+ifdef(`distro_redhat', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -491,7 +491,7 @@ ifdef(`distro_suse', `
/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
-ifdef(`distro_suse',`
+ifdef(`distro_redhat',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
Index: fedora-policy-20221019/policy/modules/kernel/devices.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/devices.fc
+++ fedora-policy-20221019/policy/modules/kernel/devices.fc
@@ -148,7 +148,7 @@
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0)
-ifdef(`distro_suse', `
+ifdef(`distro_redhat', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
/dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0)
Index: fedora-policy-20221019/policy/modules/kernel/files.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
+++ fedora-policy-20221019/policy/modules/kernel/files.fc
@@ -22,7 +22,7 @@ ifdef(`distro_redhat',`
/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
-ifdef(`distro_suse',`
+ifdef(`distro_redhat',`
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', `
/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
-ifdef(`distro_suse',`
+ifdef(`distro_redhat',`
/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
Index: fedora-policy-20221019/policy/modules/services/xserver.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
+++ fedora-policy-20221019/policy/modules/services/xserver.fc
@@ -189,7 +189,7 @@ ifndef(`distro_debian',`
/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-ifdef(`distro_suse',`
+ifdef(`distro_redhat',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
')
Index: fedora-policy-20221019/policy/modules/system/authlogin.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/authlogin.fc
+++ fedora-policy-20221019/policy/modules/system/authlogin.fc
@@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~ gen_co
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-ifdef(`distro_suse', `
+ifdef(`distro_redhat', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
Index: fedora-policy-20221019/policy/modules/system/init.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/init.fc
+++ fedora-policy-20221019/policy/modules/system/init.fc
@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', `
/var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
-ifdef(`distro_suse', `
+ifdef(`distro_redhat', `
/var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
Index: fedora-policy-20221019/policy/modules/system/init.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/init.te
+++ fedora-policy-20221019/policy/modules/system/init.te
@@ -1334,7 +1334,7 @@ ifdef(`distro_redhat',`
')
')
-ifdef(`distro_suse',`
+ifdef(`distro_redhat',`
optional_policy(`
# set permissions on /tmp/.X11-unix
xserver_setattr_xdm_tmp_dirs(initrc_t)
Index: fedora-policy-20221019/policy/modules/system/libraries.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/libraries.fc
+++ fedora-policy-20221019/policy/modules/system/libraries.fc
@@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_
/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
/usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-ifdef(`distro_suse',`
+ifdef(`distro_redhat',`
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
')
Index: fedora-policy-20221019/policy/modules/system/locallogin.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/locallogin.te
+++ fedora-policy-20221019/policy/modules/system/locallogin.te
@@ -274,7 +274,7 @@ ifdef(`enable_mls',`
')
# suse and debian do not use pam with sulogin...
-ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ifdef(`distro_redhat', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
allow sulogin_t self:capability sys_tty_config;
Index: fedora-policy-20221019/policy/modules/system/logging.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/logging.fc
+++ fedora-policy-20221019/policy/modules/system/logging.fc
@@ -46,7 +46,7 @@
/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh)
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-ifdef(`distro_suse', `
+ifdef(`distro_redhat', `
/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
Index: fedora-policy-20221019/policy/modules/system/logging.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/logging.te
+++ fedora-policy-20221019/policy/modules/system/logging.te
@@ -682,7 +682,7 @@ ifdef(`distro_gentoo',`
term_dontaudit_setattr_unallocated_ttys(syslogd_t)
')
-ifdef(`distro_suse',`
+ifdef(`distro_redhat',`
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
')

41
dontaudit_interface_kmod_tmpfs.patch
View File

@ -1,41 +0,0 @@
Index: fedora-policy-20221019/policy/modules/services/xserver.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.te
+++ fedora-policy-20221019/policy/modules/services/xserver.te
@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t)
userdom_nnp_transition_login_userdomain(xdm_t)
userdom_watch_user_home_dirs(xdm_t)
+# SUSE uses startproc to start the display manager. While checking for running processes
+# it goes over all running instances, triggering AVCs
+modutils_dontaudit_kmod_tmpfs_getattr(xdm_t)
+
#userdom_home_manager(xdm_t)
tunable_policy(`xdm_write_home',`
userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
Index: fedora-policy-20221019/policy/modules/system/modutils.if
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/modutils.if
+++ fedora-policy-20221019/policy/modules/system/modutils.if
@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
')
+
+#######################################
+## <summary>
+## Don't audit accesses to tmp file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_dontaudit_kmod_tmpfs_getattr',`
+ gen_require(`
+ type kmod_tmpfs_t;
+ ')
+
+ dontaudit $1 kmod_tmpfs_t:file { getattr };
+')

3
fedora-policy-20221019.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e2cfe78d728e0b94dfbdc81413f6ede0a0f0e6064de4f6628fa7328d1f4d2ede
size 733130

3
fedora-policy.20200717.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9cce9137b42c72c260c989e8a35153681b4fda9c9bcabda80816393683cd0304
size 752394

1
file_contexts.subs_dist
View File

@ -14,4 +14,3 @@
/var/run/netconfig /etc
/var/adm/netconfig/md5/etc /etc
/var/adm/netconfig/md5/var /var
/usr/etc /etc

15
fix_alsa.patch
View File

@ -1,15 +0,0 @@
Index: fedora-policy-20221019/policy/modules/contrib/alsa.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/alsa.te
+++ fedora-policy-20221019/policy/modules/contrib/alsa.te
@@ -104,6 +104,10 @@ userdom_manage_unpriv_user_semaphores(al
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
+optional_policy(`
+ gnome_read_home_config(alsa_t)
+')
+
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(alsa_t)

10
fix_apache.patch
View File

@ -1,10 +1,10 @@
Index: fedora-policy-20221019/policy/modules/contrib/apache.if
Index: fedora-policy/policy/modules/contrib/apache.if
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/apache.if
+++ fedora-policy-20221019/policy/modules/contrib/apache.if
@@ -2007,3 +2007,25 @@ interface(`apache_read_semaphores',`
--- fedora-policy.orig/policy/modules/contrib/apache.if
+++ fedora-policy/policy/modules/contrib/apache.if
@@ -1967,3 +1967,25 @@ interface(`apache_ioctl_stream_sockets',
allow $1 httpd_t:sem r_sem_perms;
allow $1 httpd_t:unix_stream_socket ioctl;
')
+
+#######################################

12
fix_auditd.patch
View File

@ -1,12 +0,0 @@
Index: fedora-policy-20211111/policy/modules/system/logging.if
===================================================================
--- fedora-policy-20211111.orig/policy/modules/system/logging.if
+++ fedora-policy-20211111/policy/modules/system/logging.if
@@ -431,6 +431,7 @@ interface(`logging_manage_audit_config',
files_search_etc($1)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+ allow $1 auditd_etc_t:dir mounton;
')
########################################

12
fix_authlogin.patch
View File

@ -1,10 +1,10 @@
Index: fedora-policy-20211111/policy/modules/system/authlogin.fc
Index: fedora-policy/policy/modules/system/authlogin.fc
===================================================================
--- fedora-policy-20211111.orig/policy/modules/system/authlogin.fc
+++ fedora-policy-20211111/policy/modules/system/authlogin.fc
@@ -56,6 +56,7 @@ ifdef(`distro_gentoo', `
/usr/libexec/chkpwd/tcb_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/usr/libexec/chkpwd/tcb_updpwd -- gen_context(system_u:object_r:updpwd_exec_t,s0)
--- fedora-policy.orig/policy/modules/system/authlogin.fc
+++ fedora-policy/policy/modules/system/authlogin.fc
@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', `
/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
+/usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)

12
fix_bitlbee.patch
View File

@ -1,12 +0,0 @@
Index: fedora-policy-20220124/policy/modules/contrib/bitlbee.fc
===================================================================
--- fedora-policy-20220124.orig/policy/modules/contrib/bitlbee.fc
+++ fedora-policy-20220124/policy/modules/contrib/bitlbee.fc
@@ -9,6 +9,5 @@
/var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0)
-/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+/var/run/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0)
/var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0)

17
fix_chronyd.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
Index: fedora-policy/policy/modules/contrib/chronyd.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te
+++ fedora-policy-20221019/policy/modules/contrib/chronyd.te
@@ -144,6 +144,14 @@ systemd_exec_systemctl(chronyd_t)
--- fedora-policy.orig/policy/modules/contrib/chronyd.te
+++ fedora-policy/policy/modules/contrib/chronyd.te
@@ -136,6 +136,14 @@ systemd_exec_systemctl(chronyd_t)
userdom_dgram_send(chronyd_t)
optional_policy(`
@ -17,16 +17,15 @@ Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
cron_dgram_send(chronyd_t)
')
Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc
Index: fedora-policy/policy/modules/contrib/chronyd.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.fc
+++ fedora-policy-20221019/policy/modules/contrib/chronyd.fc
@@ -6,6 +6,8 @@
--- fedora-policy.orig/policy/modules/contrib/chronyd.fc
+++ fedora-policy/policy/modules/contrib/chronyd.fc
@@ -6,6 +6,7 @@
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/lib/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/libexec/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)

13
fix_cloudform.patch
View File

@ -1,13 +0,0 @@
Index: fedora-policy/policy/modules/contrib/cloudform.te
===================================================================
--- cloudform.te 2022-07-18 14:06:56.735383426 +0200
+++ cloudform.te.new 2022-07-18 14:07:36.003069544 +0200
@@ -81,6 +81,8 @@
init_dbus_chat(cloud_init_t)
+snapper_dbus_chat(cloud_init_t)
+
kernel_read_network_state(cloud_init_t)
corenet_tcp_connect_http_port(cloud_init_t)

18
fix_colord.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20211111/policy/modules/contrib/colord.fc
Index: fedora-policy/policy/modules/contrib/colord.fc
===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/colord.fc
+++ fedora-policy-20211111/policy/modules/contrib/colord.fc
--- fedora-policy.orig/policy/modules/contrib/colord.fc
+++ fedora-policy/policy/modules/contrib/colord.fc
@@ -6,6 +6,8 @@
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
@ -11,15 +11,3 @@ Index: fedora-policy-20211111/policy/modules/contrib/colord.fc
/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
Index: fedora-policy-20211111/policy/modules/contrib/colord.te
===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/colord.te
+++ fedora-policy-20211111/policy/modules/contrib/colord.te
@@ -17,6 +17,7 @@ type colord_t;
type colord_exec_t;
dbus_system_domain(colord_t, colord_exec_t)
init_daemon_domain(colord_t, colord_exec_t)
+init_nnp_daemon_domain(colord_t)
type colord_tmp_t;
files_tmp_file(colord_tmp_t)

11
fix_corecommand.patch
View File

@ -45,16 +45,7 @@ Index: fedora-policy/policy/modules/kernel/corecommands.fc
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -324,6 +344,8 @@ ifdef(`distro_gentoo',`
/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/.* -- gen_context(system_u:object_r:bin_t,s0)
+
/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
@@ -391,6 +413,7 @@ ifdef(`distro_debian',`
@@ -391,6 +411,7 @@ ifdef(`distro_debian',`
/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
')

29
fix_cron.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
Index: fedora-policy/policy/modules/contrib/cron.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
+++ fedora-policy-20221019/policy/modules/contrib/cron.fc
--- fedora-policy.orig/policy/modules/contrib/cron.fc
+++ fedora-policy/policy/modules/contrib/cron.fc
@@ -34,7 +34,7 @@
/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
@ -11,32 +11,21 @@ Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/crontabs/.* -- <<none>>
@@ -55,6 +55,10 @@ ifdef(`distro_redhat', `
/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+
+/var/spool/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/atjobs/.SEQ -- gen_context(system_u:object_r:user_cron_spool_t,s0)
+/var/spool/atjobs/[^/]* -- <<none>>
')
ifdef(`distro_debian',`
@@ -69,9 +73,3 @@ ifdef(`distro_gentoo',`
@@ -69,9 +69,3 @@ ifdef(`distro_gentoo',`
/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
')
-
-ifdef(`distro_redhat', `
-ifdef(`distro_suse', `
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
-/var/spool/cron/lastrun/[^/]* -- <<none>>
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-')
Index: fedora-policy-20221019/policy/modules/contrib/cron.if
Index: fedora-policy/policy/modules/contrib/cron.if
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/cron.if
+++ fedora-policy-20221019/policy/modules/contrib/cron.if
@@ -1075,7 +1075,7 @@ interface(`cron_generic_log_filetrans_lo
--- fedora-policy.orig/policy/modules/contrib/cron.if
+++ fedora-policy/policy/modules/contrib/cron.if
@@ -1031,7 +1031,7 @@ interface(`cron_generic_log_filetrans_lo
#
interface(`cron_system_spool_entrypoint',`
gen_require(`

12
fix_dbus.patch
View File

@ -1,11 +1,11 @@
Index: fedora-policy-20211111/policy/modules/contrib/dbus.te
Index: fedora-policy/policy/modules/contrib/dbus.te
===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/dbus.te
+++ fedora-policy-20211111/policy/modules/contrib/dbus.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst
--- fedora-policy.orig/policy/modules/contrib/dbus.te 2020-02-25 08:22:02.846623845 +0000
+++ fedora-policy/policy/modules/contrib/dbus.te 2020-02-25 08:22:31.991108418 +0000
@@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d
manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file })
files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+allow system_dbusd_t system_dbusd_tmp_t:file execute;
manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)

12
fix_dnsmasq.patch
View File

@ -1,12 +0,0 @@
Index: fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
===================================================================
--- fedora-policy-20220519.orig/policy/modules/contrib/dnsmasq.te
+++ fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
@@ -115,6 +115,7 @@ libs_exec_ldconfig(dnsmasq_t)
logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_public_files(dnsmasq_t)
+sysnet_manage_config_dirs(dnsmasq_t)
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)

15
fix_dovecot.patch
View File

@ -1,15 +0,0 @@
Index: fedora-policy-20210419/policy/modules/contrib/dovecot.fc
===================================================================
--- fedora-policy-20210419.orig/policy/modules/contrib/dovecot.fc
+++ fedora-policy-20210419/policy/modules/contrib/dovecot.fc
@@ -34,6 +34,10 @@ ifdef(`distro_redhat', `
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
')
+/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+
#
# /var
#

14
fix_firewalld.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te
Index: fedora-policy/policy/modules/contrib/firewalld.te
===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/firewalld.te
+++ fedora-policy-20211111/policy/modules/contrib/firewalld.te
@@ -131,6 +131,7 @@ optional_policy(`
--- fedora-policy.orig/policy/modules/contrib/firewalld.te 2020-02-24 08:16:03.798820784 +0000
+++ fedora-policy/policy/modules/contrib/firewalld.te 2020-02-24 08:18:03.164764310 +0000
@@ -129,6 +129,7 @@ optional_policy(`
')
optional_policy(`
@ -10,10 +10,10 @@ Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te
iptables_domtrans(firewalld_t)
iptables_read_var_run(firewalld_t)
')
Index: fedora-policy-20211111/policy/modules/system/iptables.if
Index: fedora-policy/policy/modules/system/iptables.if
===================================================================
--- fedora-policy-20211111.orig/policy/modules/system/iptables.if
+++ fedora-policy-20211111/policy/modules/system/iptables.if
--- fedora-policy.orig/policy/modules/system/iptables.if 2020-02-19 09:36:25.440182406 +0000
+++ fedora-policy/policy/modules/system/iptables.if 2020-02-24 08:17:53.076600108 +0000
@@ -2,6 +2,25 @@
########################################

9
fix_gift.patch Normal file
View File

@ -0,0 +1,9 @@
Index: fedora-policy/policy/modules/contrib/gift.te
===================================================================
--- fedora-policy.orig/policy/modules/contrib/gift.te 2019-08-05 09:39:48.645670248 +0200
+++ fedora-policy/policy/modules/contrib/gift.te 2019-08-05 10:05:44.787808191 +0200
@@ -113,4 +113,3 @@ files_read_etc_runtime_files(giftd_t)
sysnet_dns_name_resolve(giftd_t)
userdom_use_inherited_user_terminals(giftd_t)
-userdom_home_manager(gitd_t)

30
fix_hadoop.patch Normal file
View File

@ -0,0 +1,30 @@
Index: fedora-policy/policy/modules/roles/sysadm.te
===================================================================
--- fedora-policy.orig/policy/modules/roles/sysadm.te
+++ fedora-policy/policy/modules/roles/sysadm.te
@@ -293,10 +293,6 @@ optional_policy(`
')
optional_policy(`
- hadoop_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
iotop_run(sysadm_t, sysadm_r)
')
Index: fedora-policy/policy/modules/roles/unprivuser.te
===================================================================
--- fedora-policy.orig/policy/modules/roles/unprivuser.te
+++ fedora-policy/policy/modules/roles/unprivuser.te
@@ -200,10 +200,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- hadoop_role(user_r, user_t)
- ')
-
- optional_policy(`
irc_role(user_r, user_t)
')

15
fix_hypervkvp.patch
View File

@ -1,15 +0,0 @@
Index: fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
===================================================================
--- fedora-policy-20220124.orig/policy/modules/contrib/hypervkvp.fc
+++ fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
@@ -3,8 +3,10 @@
/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+/usr/lib/hyper-v/bin/.*kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+/usr/lib/hyper-v/bin/.*vss_daemon -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)

66
fix_init.patch
View File

@ -1,17 +1,16 @@
Index: fedora-policy-20221019/policy/modules/system/init.te
Index: fedora-policy/policy/modules/system/init.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/init.te
+++ fedora-policy-20221019/policy/modules/system/init.te
@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t)
--- fedora-policy.orig/policy/modules/system/init.te
+++ fedora-policy/policy/modules/system/init.te
@@ -257,6 +257,7 @@ corecmd_exec_bin(init_t)
corenet_all_recvfrom_netlabel(init_t)
corenet_tcp_bind_all_ports(init_t)
corenet_udp_bind_all_ports(init_t)
+corenet_udp_bind_generic_node(init_t)
+corenet_tcp_bind_generic_node(init_t)
dev_create_all_files(init_t)
dev_create_all_chr_files(init_t)
@@ -398,6 +400,7 @@ logging_manage_audit_config(init_t)
@@ -378,6 +379,7 @@ logging_manage_audit_config(init_t)
logging_create_syslog_netlink_audit_socket(init_t)
logging_write_var_log_dirs(init_t)
logging_manage_var_log_symlinks(init_t)
@ -19,7 +18,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
seutil_read_config(init_t)
seutil_read_login_config(init_t)
@@ -450,9 +453,19 @@ ifdef(`distro_redhat',`
@@ -427,10 +429,15 @@ ifdef(`distro_redhat',`
corecmd_shell_domtrans(init_t, initrc_t)
storage_raw_rw_fixed_disk(init_t)
@ -27,19 +26,15 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
sysnet_read_dhcpc_state(init_t)
+# bsc#1197610, find a better, generic solution
+optional_policy(`
+ mta_getattr_spool(init_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_read_lnk_files(init_t)
+')
+
optional_policy(`
anaconda_stream_connect(init_t)
anaconda_create_unix_stream_sockets(init_t)
@@ -584,10 +597,10 @@ tunable_policy(`init_audit_control',`
+ networkmanager_initrc_read_lnk_files(init_t)
+')
+
+optional_policy(`
bootloader_domtrans(init_t)
')
@@ -544,7 +551,7 @@ tunable_policy(`init_create_dirs',`
allow init_t self:system all_system_perms;
allow init_t self:system module_load;
allow init_t self:unix_dgram_socket { create_socket_perms sendto };
@ -47,12 +42,8 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
+allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
allow init_t self:process { getcap setcap };
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
-allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;
# Until systemd is fixed
@@ -647,6 +660,7 @@ files_delete_all_spool_sockets(init_t)
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -606,6 +613,7 @@ files_delete_all_spool_sockets(init_t)
files_create_var_lib_dirs(init_t)
files_create_var_lib_symlinks(init_t)
files_read_var_lib_symlinks(init_t)
@ -60,16 +51,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
files_manage_urandom_seed(init_t)
files_list_locks(init_t)
files_list_spool(init_t)
@@ -684,7 +698,7 @@ fs_list_all(init_t)
fs_list_auto_mountpoints(init_t)
fs_register_binary_executable_type(init_t)
fs_relabel_tmpfs_sock_file(init_t)
-fs_rw_tmpfs_files(init_t)
+fs_rw_tmpfs_files(init_t)
fs_relabel_cgroup_dirs(init_t)
fs_search_cgroup_dirs(init_t)
# for network namespaces
@@ -740,6 +754,7 @@ systemd_write_inherited_logind_sessions_
@@ -698,6 +706,7 @@ systemd_write_inherited_logind_sessions_
create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
create_dirs_pattern(init_t, var_log_t, var_log_t)
@ -77,7 +59,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
auth_use_nsswitch(init_t)
auth_rw_login_records(init_t)
@@ -1596,6 +1611,8 @@ optional_policy(`
@@ -1543,6 +1552,8 @@ optional_policy(`
optional_policy(`
postfix_list_spool(initrc_t)
@ -86,3 +68,15 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
')
optional_policy(`
Index: fedora-policy/policy/modules/system/init.if
===================================================================
--- fedora-policy.orig/policy/modules/system/init.if
+++ fedora-policy/policy/modules/system/init.if
@@ -3205,6 +3205,7 @@ interface(`init_filetrans_named_content'
files_etc_filetrans($1, machineid_t, file, "machine-id" )
files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
+ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late")
init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
')

10
fix_iptables.patch
View File

@ -1,9 +1,9 @@
Index: fedora-policy-20220428/policy/modules/system/iptables.te
Index: fedora-policy/policy/modules/system/iptables.te
===================================================================
--- fedora-policy-20220428.orig/policy/modules/system/iptables.te
+++ fedora-policy-20220428/policy/modules/system/iptables.te
@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t)
kernel_read_kernel_sysctls(iptables_t)
--- fedora-policy.orig/policy/modules/system/iptables.te 2020-02-19 09:36:25.440182406 +0000
+++ fedora-policy/policy/modules/system/iptables.te 2020-02-21 12:19:23.060595602 +0000
@@ -76,6 +76,7 @@ kernel_read_kernel_sysctls(iptables_t)
kernel_read_usermodehelper_state(iptables_t)
kernel_use_fds(iptables_t)
kernel_rw_net_sysctls(iptables_t)
+kernel_rw_pipes(iptables_t)

26
fix_kernel_sysctl.patch
View File

@ -1,26 +0,0 @@
Index: fedora-policy-20221019/policy/modules/kernel/files.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
+++ fedora-policy-20221019/policy/modules/kernel/files.fc
@@ -242,6 +242,8 @@ ifdef(`distro_redhat',`
/usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0)
/usr/lib/modules(/.*)/initramfs.img -- gen_context(system_u:object_r:usr_t,s0)
+/usr/lib/modules(/.*)/sysctl.conf -- gen_context(system_u:object_r:usr_t,s0)
+/usr/lib/modules(/.*)/System.map -- gen_context(system_u:object_r:system_map_t,s0)
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
Index: fedora-policy-20221019/policy/modules/system/systemd.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/systemd.te
+++ fedora-policy-20221019/policy/modules/system/systemd.te
@@ -1105,6 +1105,8 @@ init_stream_connect(systemd_sysctl_t)
logging_send_syslog_msg(systemd_sysctl_t)
systemd_read_efivarfs(systemd_sysctl_t)
+# kernel specific sysctl.conf may be in modules dir
+allow systemd_sysctl_t modules_object_t:dir search;
#######################################
#

13
fix_libraries.patch
View File

@ -1,13 +0,0 @@
Index: fedora-policy-20210419/policy/modules/system/libraries.fc
===================================================================
--- fedora-policy-20210419.orig/policy/modules/system/libraries.fc
+++ fedora-policy-20210419/policy/modules/system/libraries.fc
@@ -124,6 +124,8 @@ ifdef(`distro_redhat',`
/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+/usr/lib/libreoffice/program/resource.* -- gen_context(system_u:object_r:lib_t,s0)
+
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

14
fix_locallogin.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20220624/policy/modules/system/locallogin.te
Index: fedora-policy/policy/modules/system/locallogin.te
===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/locallogin.te
+++ fedora-policy-20220624/policy/modules/system/locallogin.te
--- fedora-policy.orig/policy/modules/system/locallogin.te 2020-02-19 09:36:25.440182406 +0000
+++ fedora-policy/policy/modules/system/locallogin.te 2020-02-21 08:52:35.961803038 +0000
@@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctls(local_login_t)
kernel_search_key(local_login_t)
@ -10,11 +10,3 @@ Index: fedora-policy-20220624/policy/modules/system/locallogin.te
corecmd_list_bin(local_login_t)
corecmd_read_bin_symlinks(local_login_t)
@@ -137,6 +138,7 @@ auth_rw_faillog(local_login_t)
auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)
auth_use_nsswitch(local_login_t)
+auth_read_shadow(local_login_t)
init_dontaudit_use_fds(local_login_t)
init_stream_connect(local_login_t)

14
fix_logging.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20220624/policy/modules/system/logging.fc
Index: fedora-policy/policy/modules/system/logging.fc
===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/logging.fc
+++ fedora-policy-20220624/policy/modules/system/logging.fc
--- fedora-policy.orig/policy/modules/system/logging.fc
+++ fedora-policy/policy/modules/system/logging.fc
@@ -3,6 +3,8 @@
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
@ -19,11 +19,11 @@ Index: fedora-policy-20220624/policy/modules/system/logging.fc
/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
Index: fedora-policy-20220624/policy/modules/system/logging.if
Index: fedora-policy/policy/modules/system/logging.if
===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/logging.if
+++ fedora-policy-20220624/policy/modules/system/logging.if
@@ -1788,3 +1788,22 @@ interface(`logging_dgram_send',`
--- fedora-policy.orig/policy/modules/system/logging.if
+++ fedora-policy/policy/modules/system/logging.if
@@ -1686,3 +1686,22 @@ interface(`logging_dgram_send',`
allow $1 syslogd_t:unix_dgram_socket sendto;
')

8
fix_logrotate.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20210628/policy/modules/contrib/logrotate.te
Index: fedora-policy/policy/modules/contrib/logrotate.te
===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/logrotate.te
+++ fedora-policy-20210628/policy/modules/contrib/logrotate.te
@@ -104,6 +104,7 @@ files_var_lib_filetrans(logrotate_t, log
--- fedora-policy.orig/policy/modules/contrib/logrotate.te
+++ fedora-policy/policy/modules/contrib/logrotate.te
@@ -107,6 +107,7 @@ files_var_lib_filetrans(logrotate_t, log
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)

2
fix_nagios.patch
View File

@ -14,7 +14,7 @@ Index: fedora-policy/policy/modules/contrib/nagios.te
===================================================================
--- fedora-policy.orig/policy/modules/contrib/nagios.te
+++ fedora-policy/policy/modules/contrib/nagios.te
@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map;
@@ -157,6 +157,7 @@ allow nagios_t nagios_spool_t:file map;
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)

69
fix_networkmanager.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
Index: fedora-policy/policy/modules/contrib/networkmanager.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te
+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te
@@ -275,6 +275,9 @@ userdom_read_home_certs(NetworkManager_t
--- fedora-policy.orig/policy/modules/contrib/networkmanager.te
+++ fedora-policy/policy/modules/contrib/networkmanager.te
@@ -236,6 +236,9 @@ userdom_read_home_certs(NetworkManager_t
userdom_read_user_home_content_files(NetworkManager_t)
userdom_dgram_send(NetworkManager_t)
@ -12,18 +12,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(NetworkManager_t)
')
@@ -284,6 +287,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ nis_systemctl_ypbind(NetworkManager_t)
+')
+
+optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
avahi_signal(NetworkManager_t)
@@ -292,6 +299,14 @@ optional_policy(`
@@ -253,6 +256,14 @@ optional_policy(`
')
optional_policy(`
@ -38,39 +27,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
bind_domtrans(NetworkManager_t)
bind_manage_cache(NetworkManager_t)
bind_kill(NetworkManager_t)
@@ -419,6 +434,8 @@ optional_policy(`
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
nscd_systemctl(NetworkManager_t)
+ nscd_socket_use(NetworkManager_dispatcher_tlp_t)
+ nscd_socket_use(NetworkManager_dispatcher_custom_t)
')
optional_policy(`
@@ -606,6 +623,7 @@ files_manage_etc_files(NetworkManager_di
init_status(NetworkManager_dispatcher_cloud_t)
init_status(NetworkManager_dispatcher_ddclient_t)
+init_status(NetworkManager_dispatcher_custom_t)
init_append_stream_sockets(networkmanager_dispatcher_plugin)
init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
init_stream_connect(networkmanager_dispatcher_plugin)
@@ -621,6 +639,10 @@ optional_policy(`
')
optional_policy(`
+ nscd_shm_use(NetworkManager_dispatcher_chronyc_t)
+')
+
+optional_policy(`
cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t)
')
Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
Index: fedora-policy/policy/modules/contrib/networkmanager.if
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if
+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if
@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
--- fedora-policy.orig/policy/modules/contrib/networkmanager.if
+++ fedora-policy/policy/modules/contrib/networkmanager.if
@@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran
init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
')
@ -95,15 +56,3 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
########################################
## <summary>
## Execute NetworkManager server in the NetworkManager domain.
Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.fc
+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
@@ -24,6 +24,7 @@
/usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
+/usr/lib/NetworkManager/dispatcher\.d/20-chrony -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)

14
fix_nscd.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc
Index: fedora-policy/policy/modules/contrib/nscd.fc
===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/nscd.fc
+++ fedora-policy-20210628/policy/modules/contrib/nscd.fc
--- fedora-policy.orig/policy/modules/contrib/nscd.fc
+++ fedora-policy/policy/modules/contrib/nscd.fc
@@ -8,8 +8,10 @@
/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
@ -14,11 +14,11 @@ Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc
/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
+
Index: fedora-policy-20210628/policy/modules/contrib/nscd.te
Index: fedora-policy/policy/modules/contrib/nscd.te
===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/nscd.te
+++ fedora-policy-20210628/policy/modules/contrib/nscd.te
@@ -130,6 +130,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
--- fedora-policy.orig/policy/modules/contrib/nscd.te
+++ fedora-policy/policy/modules/contrib/nscd.te
@@ -127,6 +127,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
userdom_dontaudit_search_user_home_dirs(nscd_t)
optional_policy(`

13
fix_policykit.patch Normal file
View File

@ -0,0 +1,13 @@
Index: fedora-policy/policy/modules/contrib/policykit.te
===================================================================
--- fedora-policy.orig/policy/modules/contrib/policykit.te 2020-02-21 13:28:23.080385220 +0000
+++ fedora-policy/policy/modules/contrib/policykit.te 2020-02-21 13:31:09.023086041 +0000
@@ -98,6 +98,8 @@ userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
userdom_dontaudit_search_admin_dir(policykit_t)
+policykit_dbus_chat(policykit_t)
+
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)

38
fix_postfix.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
Index: fedora-policy/policy/modules/contrib/postfix.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/postfix.fc
+++ fedora-policy-20221019/policy/modules/contrib/postfix.fc
@@ -1,37 +1,21 @@
--- fedora-policy.orig/policy/modules/contrib/postfix.fc
+++ fedora-policy/policy/modules/contrib/postfix.fc
@@ -1,37 +1,20 @@
# postfix
-/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
@ -41,7 +41,6 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/bin/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/systemd/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
@ -57,7 +56,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
@@ -45,13 +29,16 @@ ifdef(`distro_redhat', `
@@ -45,6 +28,9 @@ ifdef(`distro_redhat', `
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
@ -67,28 +66,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
-/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
Index: fedora-policy-20221019/policy/modules/contrib/postfix.te
Index: fedora-policy/policy/modules/contrib/postfix.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/postfix.te
+++ fedora-policy-20221019/policy/modules/contrib/postfix.te
@@ -121,6 +121,8 @@ allow postfix_master_t self:udp_socket c
allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
+# SUSE also runs this on /etc/alias
+mta_filetrans_aliases(postfix_master_t, etc_t)
can_exec(postfix_master_t, postfix_exec_t)
@@ -447,6 +449,14 @@ logging_send_syslog_msg(postfix_map_t)
--- fedora-policy.orig/policy/modules/contrib/postfix.te
+++ fedora-policy/policy/modules/contrib/postfix.te
@@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t)
userdom_use_inherited_user_ptys(postfix_map_t)
@ -103,7 +85,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.te
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
@@ -687,6 +697,14 @@ corenet_tcp_connect_spamd_port(postfix_m
@@ -687,6 +695,14 @@ corenet_tcp_connect_spamd_port(postfix_m
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`

26
fix_rpm.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
Index: fedora-policy/policy/modules/contrib/rpm.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc
+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc
@@ -18,6 +18,10 @@
--- fedora-policy.orig/policy/modules/contrib/rpm.fc
+++ fedora-policy/policy/modules/contrib/rpm.fc
@@ -17,6 +17,10 @@
/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
@ -13,7 +13,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -56,6 +60,8 @@ ifdef(`distro_redhat', `
@@ -54,6 +58,8 @@ ifdef(`distro_redhat', `
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
@ -22,11 +22,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
Index: fedora-policy-20221019/policy/modules/contrib/rpm.if
Index: fedora-policy/policy/modules/contrib/rpm.if
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.if
+++ fedora-policy-20221019/policy/modules/contrib/rpm.if
@@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',`
--- fedora-policy.orig/policy/modules/contrib/rpm.if
+++ fedora-policy/policy/modules/contrib/rpm.if
@@ -431,8 +431,10 @@ interface(`rpm_named_filetrans',`
logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
@ -37,11 +37,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.if
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
Index: fedora-policy-20221019/policy/modules/kernel/files.fc
Index: fedora-policy/policy/modules/kernel/files.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
+++ fedora-policy-20221019/policy/modules/kernel/files.fc
@@ -67,6 +67,7 @@ ifdef(`distro_redhat',`
--- fedora-policy.orig/policy/modules/kernel/files.fc
+++ fedora-policy/policy/modules/kernel/files.fc
@@ -67,6 +67,7 @@ ifdef(`distro_suse',`
/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
/etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)

21
fix_selinuxutil.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
Index: fedora-policy/policy/modules/system/selinuxutil.te
===================================================================
--- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.te
+++ fedora-policy-20210628/policy/modules/system/selinuxutil.te
--- fedora-policy.orig/policy/modules/system/selinuxutil.te 2020-02-19 09:36:25.444182470 +0000
+++ fedora-policy/policy/modules/system/selinuxutil.te 2020-02-24 07:57:26.556813139 +0000
@@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',`
')
@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
portage_dontaudit_use_fds(load_policy_t)
')
@@ -618,6 +622,10 @@ logging_send_audit_msgs(setfiles_t)
@@ -613,6 +617,10 @@ logging_send_audit_msgs(setfiles_t)
logging_send_syslog_msg(setfiles_t)
optional_policy(`
@ -24,16 +24,3 @@ Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
cloudform_dontaudit_write_cloud_log(setfiles_t)
')
Index: fedora-policy-20210628/policy/modules/system/selinuxutil.if
===================================================================
--- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.if
+++ fedora-policy-20210628/policy/modules/system/selinuxutil.if
@@ -795,6 +795,8 @@ interface(`seutil_dontaudit_read_config'
dontaudit $1 selinux_config_t:dir search_dir_perms;
dontaudit $1 selinux_config_t:file read_file_perms;
+ # /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps
+ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
')
########################################

18
fix_snapper.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20221019/policy/modules/contrib/snapper.te
Index: fedora-policy/policy/modules/contrib/snapper.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/snapper.te
+++ fedora-policy-20221019/policy/modules/contrib/snapper.te
--- fedora-policy.orig/policy/modules/contrib/snapper.te
+++ fedora-policy/policy/modules/contrib/snapper.te
@@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t)
type snapperd_data_t;
files_type(snapperd_data_t)
@ -23,25 +23,21 @@ Index: fedora-policy-20221019/policy/modules/contrib/snapper.te
kernel_setsched(snapperd_t)
domain_read_all_domains_state(snapperd_t)
@@ -73,6 +80,14 @@ storage_raw_read_fixed_disk(snapperd_t)
@@ -73,6 +80,10 @@ storage_raw_read_fixed_disk(snapperd_t)
auth_use_nsswitch(snapperd_t)
optional_policy(`
+ packagekit_dbus_chat(snapperd_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(snapperd_t)
+')
+
+optional_policy(`
cron_system_entry(snapperd_t, snapperd_exec_t)
')
Index: fedora-policy-20221019/policy/modules/contrib/snapper.fc
Index: fedora-policy/policy/modules/contrib/snapper.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/snapper.fc
+++ fedora-policy-20221019/policy/modules/contrib/snapper.fc
--- fedora-policy.orig/policy/modules/contrib/snapper.fc
+++ fedora-policy/policy/modules/contrib/snapper.fc
@@ -7,9 +7,17 @@
/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)

8
fix_sysnetwork.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20221019/policy/modules/system/sysnetwork.fc
Index: fedora-policy/policy/modules/system/sysnetwork.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/sysnetwork.fc
+++ fedora-policy-20221019/policy/modules/system/sysnetwork.fc
@@ -103,6 +103,8 @@ ifdef(`distro_debian',`
--- fedora-policy.orig/policy/modules/system/sysnetwork.fc
+++ fedora-policy/policy/modules/system/sysnetwork.fc
@@ -102,6 +102,8 @@ ifdef(`distro_debian',`
/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')

32
fix_systemd.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20221019/policy/modules/system/systemd.te
Index: fedora-policy/policy/modules/system/systemd.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/systemd.te
+++ fedora-policy-20221019/policy/modules/system/systemd.te
@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system
--- fedora-policy.orig/policy/modules/system/systemd.te
+++ fedora-policy/policy/modules/system/systemd.te
@@ -332,6 +332,10 @@ userdom_manage_user_tmp_chr_files(system
xserver_dbus_chat(systemd_logind_t)
optional_policy(`
@ -13,8 +13,8 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te
apache_read_tmp_files(systemd_logind_t)
')
@@ -863,6 +867,10 @@ optional_policy(`
dbus_system_bus_client(systemd_localed_t)
@@ -823,6 +827,10 @@ optional_policy(`
dbus_connect_system_bus(systemd_hostnamed_t)
')
+optional_policy(`
@ -23,22 +23,4 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te
+
#######################################
#
# Hostnamed policy
@@ -1158,7 +1166,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
# systemd_gpt_generator domain
#
-allow systemd_gpt_generator_t self:capability sys_rawio;
+allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};
allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
dev_read_sysfs(systemd_gpt_generator_t)
@@ -1185,6 +1193,8 @@ systemd_unit_file_filetrans(systemd_gpt_
systemd_create_unit_file_dirs(systemd_gpt_generator_t)
systemd_create_unit_file_lnk(systemd_gpt_generator_t)
+kernel_dgram_send(systemd_gpt_generator_t)
+
optional_policy(`
udev_read_pid_files(systemd_gpt_generator_t)
')
# rfkill policy

17
fix_systemd_watch.patch
View File

@ -1,17 +0,0 @@
Index: fedora-policy-20221019/policy/modules/system/systemd.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/systemd.te
+++ fedora-policy-20221019/policy/modules/system/systemd.te
@@ -1508,6 +1508,12 @@ fstools_rw_swap_files(systemd_sleep_t)
storage_getattr_fixed_disk_dev(systemd_sleep_t)
storage_getattr_removable_dev(systemd_sleep_t)
+#######################################
+#
+# Allow systemd to watch certificate dir for ca-certificates
+#
+watch_dirs_pattern(init_t,cert_t,cert_t)
+
optional_policy(`
sysstat_domtrans(systemd_sleep_t)
')

8
fix_thunderbird.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20210628/policy/modules/contrib/thunderbird.te
Index: fedora-policy/policy/modules/contrib/thunderbird.te
===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/thunderbird.te
+++ fedora-policy-20210628/policy/modules/contrib/thunderbird.te
@@ -138,7 +138,6 @@ optional_policy(`
--- fedora-policy.orig/policy/modules/contrib/thunderbird.te
+++ fedora-policy/policy/modules/contrib/thunderbird.te
@@ -139,7 +139,6 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(thunderbird_t)
gnome_domtrans_gconfd(thunderbird_t)

8
fix_unconfined.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20221019/policy/modules/system/unconfined.te
Index: fedora-policy/policy/modules/system/unconfined.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/unconfined.te
+++ fedora-policy-20221019/policy/modules/system/unconfined.te
--- fedora-policy.orig/policy/modules/system/unconfined.te
+++ fedora-policy/policy/modules/system/unconfined.te
@@ -1,5 +1,10 @@
policy_module(unconfined, 3.5.0)
@ -13,7 +13,7 @@ Index: fedora-policy-20221019/policy/modules/system/unconfined.te
########################################
#
# Declarations
@@ -45,3 +50,6 @@ optional_policy(`
@@ -39,3 +44,6 @@ optional_policy(`
optional_policy(`
container_runtime_domtrans(unconfined_service_t)
')

12
fix_unconfineduser.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
Index: fedora-policy/policy/modules/roles/unconfineduser.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te
+++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te
@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
--- fedora-policy.orig/policy/modules/roles/unconfineduser.te
+++ fedora-policy/policy/modules/roles/unconfineduser.te
@@ -120,6 +120,11 @@ tunable_policy(`unconfined_dyntrans_all'
domain_dyntrans(unconfined_t)
')
@ -14,7 +14,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
optional_policy(`
gen_require(`
type unconfined_t;
@@ -214,6 +219,10 @@ optional_policy(`
@@ -210,6 +215,10 @@ optional_policy(`
')
optional_policy(`
@ -25,7 +25,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
chrome_role_notrans(unconfined_r, unconfined_t)
tunable_policy(`unconfined_chrome_sandbox_transition',`
@@ -248,6 +257,18 @@ optional_policy(`
@@ -244,6 +253,18 @@ optional_policy(`
dbus_stub(unconfined_t)
optional_policy(`

8
fix_unprivuser.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20221019/policy/modules/roles/unprivuser.te
Index: fedora-policy/policy/modules/roles/unprivuser.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/roles/unprivuser.te
+++ fedora-policy-20221019/policy/modules/roles/unprivuser.te
@@ -300,6 +300,13 @@ ifndef(`distro_redhat',`
--- fedora-policy.orig/policy/modules/roles/unprivuser.te
+++ fedora-policy/policy/modules/roles/unprivuser.te
@@ -289,6 +289,13 @@ ifndef(`distro_redhat',`
')
optional_policy(`

12
fix_userdomain.patch
View File

@ -1,12 +0,0 @@
Index: fedora-policy-20220624/policy/modules/system/userdomain.if
===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/userdomain.if
+++ fedora-policy-20220624/policy/modules/system/userdomain.if
@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',`
# port access is audited even if dac would not have allowed it, so dontaudit it here
# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+ corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
corenet_tcp_bind_generic_node($1_usertype)

10
fix_usermanage.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
Index: fedora-policy/policy/modules/admin/usermanage.te
===================================================================
--- fedora-policy-20220428.orig/policy/modules/admin/usermanage.te
+++ fedora-policy-20220428/policy/modules/admin/usermanage.te
--- fedora-policy.orig/policy/modules/admin/usermanage.te
+++ fedora-policy/policy/modules/admin/usermanage.te
@@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
allow groupadd_t self:unix_dgram_socket sendto;
@ -10,7 +10,7 @@ Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
fs_getattr_xattr_fs(groupadd_t)
fs_search_auto_mountpoints(groupadd_t)
@@ -538,6 +539,7 @@ allow useradd_t self:unix_dgram_socket c
@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@ -18,7 +18,7 @@ Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
@@ -546,6 +548,8 @@ files_pid_filetrans(useradd_t, useradd_v
@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)

23
fix_wine.patch
View File

@ -1,23 +0,0 @@
Index: fedora-policy-20220428/policy/modules/system/libraries.fc
===================================================================
--- fedora-policy-20220428.orig/policy/modules/system/libraries.fc
+++ fedora-policy-20220428/policy/modules/system/libraries.fc
@@ -90,7 +90,7 @@ ifdef(`distro_redhat',`
/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/cx.*/lib/wine/.+\.(so|dll) -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -173,7 +173,8 @@ ifdef(`distro_redhat',`
/usr/lib/systemd/libsystemd-.+\.so.* -- gen_context(system_u:object_r:lib_t,s0)
/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/wine/*-windows/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

45
fix_xserver.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20221019/policy/modules/services/xserver.fc
Index: fedora-policy/policy/modules/services/xserver.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
+++ fedora-policy-20221019/policy/modules/services/xserver.fc
--- fedora-policy.orig/policy/modules/services/xserver.fc
+++ fedora-policy/policy/modules/services/xserver.fc
@@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
@ -18,15 +18,7 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
/usr/bin/Xwayland -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/greetd -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
@@ -135,6 +137,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
@ -34,30 +26,13 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc
ifndef(`distro_debian',`
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
')
@@ -155,6 +159,7 @@ ifndef(`distro_debian',`
/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
+/var/lib/greetd(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -184,6 +189,8 @@ ifndef(`distro_debian',`
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/greetd[^/]*\.sock -s gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/greetd\.run -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
Index: fedora-policy-20221019/policy/modules/services/xserver.te
Index: fedora-policy/policy/modules/services/xserver.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.te
+++ fedora-policy-20221019/policy/modules/services/xserver.te
@@ -475,6 +475,10 @@ userdom_dontaudit_read_admin_home_lnk_fi
kernel_read_vm_sysctls(xdm_t)
--- fedora-policy.orig/policy/modules/services/xserver.te
+++ fedora-policy/policy/modules/services/xserver.te
@@ -477,6 +477,10 @@ userdom_delete_user_home_content_files(x
userdom_signull_unpriv_users(xdm_t)
userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
+files_manage_generic_pids_symlinks(xdm_t)
+userdom_manage_user_home_content_dirs(xdm_t)

8
modules-minimum-base.conf
View File

@ -392,6 +392,13 @@ udev = module
#
unconfined = module
# Layer: system
# Module: kdbus
#
# Policy for kdbus.
#
kdbus = module
# Layer: admin
# Module: rpm
#
@ -412,3 +419,4 @@ packagekit = module
# Name service cache daemon
#
nscd = module

14
modules-minimum-contrib.conf
View File

@ -342,6 +342,13 @@ cmirrord = module
#
cobbler = module
# Layer: contrib
# Module: cockpit
#
# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
#
cockpit = module
# Layer: services
# Module: collectd
#
@ -2360,6 +2367,13 @@ minissdpd = module
#
freeipmi = module
# Layer: contrib
# Module: freeipmi
#
# ipa policy module contain SELinux policies for IPA services
#
ipa = module
# Layer: contrib
# Module: mirrormanager
#

14
modules-targeted-base.conf
View File

@ -392,6 +392,13 @@ udev = module
#
unconfined = module
# Layer: system
# Module: kdbus
#
# Policy for kdbus.
#
kdbus = module
# Layer: contrib
# Module: packagekit
#
@ -412,10 +419,3 @@ rtorrent = module
# Policy for wicked
#
wicked = module
# Layer: system
# Module: rebootmgr
#
# Policy for rebootmgr
#
rebootmgr = module

14
modules-targeted-contrib.conf
View File

@ -342,6 +342,13 @@ cmirrord = module
#
cobbler = module
# Layer: contrib
# Module: cockpit
#
# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
#
cockpit = module
# Layer: services
# Module: collectd
#
@ -2374,6 +2381,13 @@ minissdpd = module
#
freeipmi = module
# Layer: contrib
# Module: freeipmi
#
# ipa policy module contain SELinux policies for IPA services
#
ipa = module
# Layer: contrib
# Module: mirrormanager
#

1
rebootmgr.fc
View File

@ -1 +0,0 @@
/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)

61
rebootmgr.if
View File

@ -1,61 +0,0 @@
## <summary>policy for rebootmgr</summary>
########################################
## <summary>
## Execute rebootmgr_exec_t in the rebootmgr domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rebootmgr_domtrans',`
gen_require(`
type rebootmgr_t, rebootmgr_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
')
######################################
## <summary>
## Execute rebootmgr in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rebootmgr_exec',`
gen_require(`
type rebootmgr_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rebootmgr_exec_t)
')
########################################
## <summary>
## Send and receive messages from
## rebootmgr over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rebootmgr_dbus_chat',`
gen_require(`
type rebootmgr_t;
class dbus send_msg;
')
allow $1 rebootmgr_t:dbus send_msg;
allow rebootmgr_t $1:dbus send_msg;
')

37
rebootmgr.te
View File

@ -1,37 +0,0 @@
policy_module(rebootmgr, 1.0.0)
########################################
#
# Declarations
#
type rebootmgr_t;
type rebootmgr_exec_t;
init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
########################################
#
# rebootmgr local policy
#
allow rebootmgr_t self:process { fork };
allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(rebootmgr_t)
files_manage_etc_files(rebootmgr_t)
logging_send_syslog_msg(rebootmgr_t)
miscfiles_read_localization(rebootmgr_t)
systemd_start_power_services(rebootmgr_t)
systemd_dbus_chat_logind(rebootmgr_t)
unconfined_dbus_chat(rebootmgr_t)
optional_policy(`
dbus_system_bus_client(rebootmgr_t)
dbus_connect_system_bus(rebootmgr_t)
')

2
rtorrent.fc
View File

@ -1 +1 @@
/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)
/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)

158
rtorrent.if
View File

@ -1,71 +1,6 @@
## <summary>Policy for rtorrent.</summary>
## <summary>policy for rtorrent</summary>
########################################
## <summary>
## Execute rtorrent_exec_t in the rtorrent domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rtorrent_domtrans',`
gen_require(`
type rtorrent_t, rtorrent_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
')
######################################
## <summary>
## Execute rtorrent in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rtorrent_exec',`
gen_require(`
type rtorrent_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rtorrent_exec_t)
')
########################################
## <summary>
## Execute rtorrent in the rtorrent domain, and
## allow the specified role the rtorrent domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the rtorrent domain.
## </summary>
## </param>
#
interface(`rtorrent_run',`
gen_require(`
type rtorrent_t;
attribute_role rtorrent_roles;
')
rtorrent_domtrans($1)
roleattribute $2 rtorrent_roles;
')
########################################
############################################################
## <summary>
## Role access for rtorrent
## </summary>
@ -82,14 +17,95 @@ interface(`rtorrent_run',`
#
interface(`rtorrent_role',`
gen_require(`
type rtorrent_t;
attribute_role rtorrent_roles;
attribute_role rtorrent_roles;
type rtorrent_t, rtorrent_exec_t;
')
roleattribute $1 rtorrent_roles;
rtorrent_domtrans($2)
# transition from the userdomain to the derived domain
domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)
# allow ps to show rtorrent
ps_process_pattern($2, rtorrent_t)
allow $2 rtorrent_t:process { signull signal sigkill };
allow $2 rtorrent_t:process { signull sigstop signal sigkill };
ifdef(`hide_broken_symptoms',`
#Leaked File Descriptors
dontaudit rtorrent_t $2:fifo_file rw_fifo_file_perms;
')
')
########################################
## <summary>
## Transition to a user torrent domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rtorrent_domtrans',`
gen_require(`
type rtorrent_t, rtorrent_exec_t;
')
domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
')
######################################
## <summary>
## Execute torrent in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rtorrent_exec',`
gen_require(`
type rtorrent_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rtorrent_exec_t)
')
######################################
## <summary>
## Make rtorrent an entrypoint for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## The domain for which cifs_t is an entrypoint.
## </summary>
## </param>
#
interface(`rtorrent_entry_type',`
gen_require(`
type rtorrent_exec_t;
')
domain_entry_file($1, rtorrent_exec_t)
')
########################################
## <summary>
## Send generic signals to user rtorrent processes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rtorrent_signal',`
gen_require(`
type rtorrent_t;
')
allow $1 rtorrent_t:process signal;
')

85
rtorrent.te
View File

@ -1,4 +1,4 @@
policy_module(rtorrent, 1.0.0)
policy_module(rtorrent, 1.0.1)
########################################
#
@ -18,84 +18,81 @@ gen_tunable(rtorrent_send_mails, false)
## </desc>
gen_tunable(rtorrent_enable_rutorrent, false)
## <desc>
## <p>
## Allow rtorrent to execute helper scripts in home directories
## </p>
## </desc>
gen_tunable(rtorrent_exec_scripts, false)
attribute rtorrentdomain;
attribute_role rtorrent_roles;
roleattribute system_r rtorrent_roles;
type rtorrent_t;
type rtorrent_exec_t;
application_domain(rtorrent_t, rtorrent_exec_t)
userdom_user_application_domain(rtorrent_t, rtorrent_exec_t)
role rtorrent_roles types rtorrent_t;
########################################
#
# rtorrent local policy
#
allow rtorrent_t self:process { fork signal_perms };
allow rtorrent_t self:fifo_file manage_fifo_file_perms;
allow rtorrent_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(rtorrent_t)
files_read_etc_files(rtorrent_t)
miscfiles_read_localization(rtorrent_t)
sysnet_dns_name_resolve(rtorrent_t)
optional_policy(`
gen_require(`
type staff_t;
role staff_r;
')
rtorrent_run(staff_t, staff_r)
')
corenet_tcp_bind_commplex_main_port(rtorrent_t)
type rtorrent_port_t;
corenet_port(rtorrent_port_t)
allow rtorrent_t rtorrent_port_t:tcp_socket name_bind;
userdom_read_user_home_content_symlinks(rtorrent_t)
userdom_manage_user_home_content_files(rtorrent_t)
userdom_manage_user_home_content_dirs(rtorrent_t)
allow rtorrent_t self:tcp_socket { accept listen };
allow rtorrent_t self:process setpgid;
allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
allow rtorrent_t self:fifo_file rw_fifo_file_perms;
allow rtorrent_t self:tcp_socket create_stream_socket_perms;
allow rtorrent_t self:unix_stream_socket connectto;
allow rtorrent_t self:netlink_route_socket { bind create nlmsg_read };
allow rtorrent_t self:udp_socket { connect create getattr };
nscd_shm_use(rtorrent_t)
#corecmd_exec_shell(rtorrent_t)
corecmd_exec_bin(rtorrent_t)
# execute helper scripts
userdom_exec_user_bin_files(rtorrent_t)
corenet_all_recvfrom_netlabel(rtorrent_t)
corenet_tcp_sendrecv_generic_if(rtorrent_t)
corenet_udp_sendrecv_generic_if(rtorrent_t)
corenet_tcp_sendrecv_generic_node(rtorrent_t)
corenet_udp_sendrecv_generic_node(rtorrent_t)
corenet_tcp_sendrecv_all_ports(rtorrent_t)
corenet_udp_sendrecv_all_ports(rtorrent_t)
corenet_tcp_connect_all_ports(rtorrent_t)
corenet_sendrecv_all_client_packets(rtorrent_t)
corenet_udp_bind_all_unreserved_ports(rtorrent_t)
domain_use_interactive_fds(rtorrent_t)
auth_use_nsswitch(rtorrent_t)
miscfiles_map_generic_certs(rtorrent_t)
fs_getattr_xattr_fs(rtorrent_t)
userdom_use_inherited_user_terminals(rtorrent_t)
# this might be to much
userdom_manage_user_home_content_files(rtorrent_t)
userdom_manage_user_home_content_dirs(rtorrent_t)
userdom_home_manager(rtorrent_t)
userdom_filetrans_home_content(rtorrent_t)
userdom_stream_connect(rtorrent_t)
optional_policy(`
tunable_policy(`rtorrent_send_mails',`
userdom_exec_user_bin_files(rtorrent_t)
userdom_exec_user_home_content_files(rtorrent_t)
files_manage_generic_tmp_files(rtorrent_t)
mta_send_mail(rtorrent_t)
')
tunable_policy(`rtorrent_send_mails',`
userdom_exec_user_bin_files(rtorrent_t)
userdom_exec_user_home_content_files(rtorrent_t)
files_manage_generic_tmp_files(rtorrent_t)
mta_send_mail(rtorrent_t)
')
')
optional_policy(`
apache_manage_sys_content(rtorrent_t)
tunable_policy(`rtorrent_enable_rutorrent',`
apache_manage_sys_content(rtorrent_t)
apache_exec_sys_content(rtorrent_t)
')
')
tunable_policy(`rtorrent_exec_scripts',`
# execute helper scripts
corecmd_exec_bin(rtorrent_t)
userdom_exec_user_bin_files(rtorrent_t)
')

435
selinux-policy.changes
View File

@ -1,438 +1,3 @@
-------------------------------------------------------------------
Wed Oct 19 11:45:57 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20221019. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_apache.patch
* fix_chronyd.patch
* fix_cron.patch
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_rpm.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_xserver.patch
- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
- Remove the ipa module, freeip ships their own module
- Added fix_alsa.patch to allow reading of config files in home directories
- Extended fix_networkmanager.patch and fix_postfix.patch to account
for SUSE systems
- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
queries the running processes
- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
-------------------------------------------------------------------
Fri Sep 30 07:14:49 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Updated quilt couldn't unpack tarball. This will cause ongoing issues
so drop the sed statement in the %prep section and add
distro_suse_to_distro_redhat.patch to add the necessary changes
via a patch
-------------------------------------------------------------------
Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Update fix_networkmanager.patch to ensure NetworkManager chrony
dispatcher is properly labled and update fix_chronyd.patch to ensure
chrony helper script has proper label to be used by NetworkManager.
Also allow NetworkManager_dispatcher_custom_t to query systemd status
(bsc#1203824)
-------------------------------------------------------------------
Tue Sep 27 13:00:35 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>
- Update fix_xserver.patch to add greetd support (bsc#1198559)
-------------------------------------------------------------------
Mon Sep 12 06:47:56 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Revamped rtorrent module
-------------------------------------------------------------------
Fri Aug 26 06:08:23 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
- Move SUSE directory from manual page section to html docu
-------------------------------------------------------------------
Wed Jul 27 14:00:55 UTC 2022 - Hu <cathy.hu@suse.com>
- fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t
and NetworkManager_dispatcher_custom_t to access nscd socket
(bsc#1201741)
-------------------------------------------------------------------
Thu Jul 26 10:50:21 UTC 2022 - Zdenek Kubala <zkubala@suse.com>
- Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper
(bnc#1201015)
-------------------------------------------------------------------
Thu Jul 14 08:44:12 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20220714. Refreshed:
* fix_init.patch
* fix_systemd_watch.patch
-------------------------------------------------------------------
Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
systemd_gpt_generator_t (bsc#1200911)
-------------------------------------------------------------------
Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- postfix: Label PID files and some helpers correctly (bsc#1197242)
-------------------------------------------------------------------
Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
-------------------------------------------------------------------
Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20220624. Refreshed:
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_logging.patch
* fix_networkmanager.patch
* fix_unprivuser.patch
Dropped fix_hadoop.patch, not necessary anymore
* Updated fix_locallogin.patch to allow accesses for nss-systemd
(bsc#1199630)
-------------------------------------------------------------------
Fri May 20 13:46:47 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20220520 to pass stricter 3.4 toolchain checks
-------------------------------------------------------------------
Fri May 20 09:14:58 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20220428. Refreshed:
* fix_apache.patch
* fix_hadoop.patch
* fix_init.patch
* fix_iptables.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_unprivuser.patch
* fix_usermanage.patch
* fix_wine.patch
-------------------------------------------------------------------
Thu May 19 12:25:31 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Add fix_dnsmasq.patch to fix problems with virtualization on Microos
(bsc#1199518)
-------------------------------------------------------------------
Tue May 3 13:18:38 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Modified fix_init.patch to allow init to setup contrained environment
for accountsservice. This needs a better, more general solution
(bsc#1197610)
-------------------------------------------------------------------
Mon May 2 11:27:49 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition.
This happens in certain boot conditions (bsc#1182500)
- Changed fix_unconfineduser.patch to not transition into ldconfig_t
from unconfined_t (bsc#1197169)
-------------------------------------------------------------------
Thu Feb 17 12:24:13 UTC 2022 - Klaus Kämpf <kkaempf@suse.com>
- use %license tag for COPYING file
-------------------------------------------------------------------
Thu Feb 10 09:04:08 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)
-------------------------------------------------------------------
Wed Feb 9 16:04:09 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>
- Fix bitlbee runtime directory (bsc#1193230)
* add fix_bitlbee.patch
-------------------------------------------------------------------
Mon Jan 24 07:33:34 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20220124. Refreshed:
* fix_hadoop.patch
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_systemd.patch
* fix_systemd_watch.patch
- Added fix_hypervkvp.patch to fix issues with hyperv labeling
(bsc#1193987)
-------------------------------------------------------------------
Fri Jan 14 15:07:00 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Allow colord to use systemd hardenings (bsc#1194631)
-------------------------------------------------------------------
Thu Nov 11 14:21:47 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20211111. Refreshed:
* fix_dbus.patch
* fix_systemd.patch
* fix_authlogin.patch
* fix_auditd.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_chronyd.patch
* fix_unconfineduser.patch
* fix_unconfined.patch
* fix_firewalld.patch
* fix_init.patch
* fix_xserver.patch
* fix_logging.patch
* fix_hadoop.patch
-------------------------------------------------------------------
Mon Oct 25 11:35:24 UTC 2021 - Marcus Meissner <meissner@suse.com>
- fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)
-------------------------------------------------------------------
Tue Sep 28 12:44:22 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
- Fix auditd service start with systemd hardening directives (boo#1190918)
* add fix_auditd.patch
-------------------------------------------------------------------
Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Modified fix_systemd.patch to allow systemd gpt generator access to
udev files (bsc#1189280)
-------------------------------------------------------------------
Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
- fix rebootmgr does not trigger the reboot properly (boo#1189878)
* fix managing /etc/rebootmgr.conf
* allow rebootmgr_t to cope with systemd and dbus messaging
-------------------------------------------------------------------
Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Properly label cockpit files
- Allow wicked to communicate with network manager on DBUS (bsc#1188331)
-------------------------------------------------------------------
Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
- Added policy module for rebootmgr (jsc#SMO-28)
-------------------------------------------------------------------
Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
- Allow systemd-sysctl to read kernel specific sysctl.conf
(fix_kernel_sysctl.patch, boo#1184804)
-------------------------------------------------------------------
Tue Aug 10 08:31:16 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
- Fix quoting in postInstall macro
-------------------------------------------------------------------
Fri Jul 16 07:11:57 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20210716
- Remove interfaces for container module before building the package
(bsc#1188184)
- Updated
* fix_init.patch
* fix_systemd_watch.patch
to adapt to upstream changes
-------------------------------------------------------------------
Thu Jul 15 15:45:57 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
- Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing
here
-------------------------------------------------------------------
Tue Jul 6 13:55:19 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
- Add tabrmd SELinux modules from upstream (bsc#1187925)
https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
- Automatic spec-cleaner to fix ordering and misaligned spaces
-------------------------------------------------------------------
Mon Jun 28 08:11:25 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20210419
- Dropped fix_gift.patch, module was removed
- Updated wicked.te to removed dropped interface
- Refreshed:
* fix_cockpit.patch
* fix_hadoop.patch
* fix_init.patch
* fix_logging.patch
* fix_logrotate.patch
* fix_networkmanager.patch
* fix_nscd.patch
* fix_rpm.patch
* fix_selinuxutil.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_thunderbird.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_xserver.patch
-------------------------------------------------------------------
Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
that trigger on changes in those.
Added fix_systemd_watch.patch
- own /usr/share/selinux/packages/$SELINUXTYPE/ and
/var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
files there
-------------------------------------------------------------------
Wed Apr 28 15:18:37 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
- allow cockpit socket to bind nodes (fix_cockpit.patch)
- use %autosetup to get rid of endless patch lines
-------------------------------------------------------------------
Tue Apr 27 06:30:08 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Updated fix_networkmanager.patch to allow NetworkManager to watch
its configuration directories
- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)
-------------------------------------------------------------------
Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added Recommends for selinux-autorelabel (bsc#1181837)
- Prevent libreoffice fonts from changing types on every relabel
(bsc#1185265). Added fix_libraries.patch
-------------------------------------------------------------------
Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Transition unconfined users to ldconfig type (bsc#1183121).
Extended fix_unconfineduser.patch
-------------------------------------------------------------------
Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20210419
- Refreshed:
* fix_dbus.patch
* fix_hadoop.patch
* fix_init.patch
* fix_unprivuser.patch
-------------------------------------------------------------------
Fri Mar 12 10:36:06 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
- Adjust fix_init.patch to allow systemd to do sd-listen on
tcp socket [bsc#1183177]
-------------------------------------------------------------------
Tue Mar 9 13:39:11 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20210309
- Refreshed
* fix_systemd.patch
* fix_selinuxutil.patch
* fix_iptables.patch
* fix_init.patch
* fix_logging.patch
* fix_nscd.patch
* fix_hadoop.patch
* fix_unconfineduser.patch
* fix_chronyd.patch
* fix_networkmanager.patch
* fix_cron.patch
* fix_usermanage.patch
* fix_unprivuser.patch
* fix_rpm.patch
- Ensure that /usr/etc is labeled according to /etc rules
-------------------------------------------------------------------
Tue Feb 23 13:53:40 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
- Update to version 20210223
- Change name of tar file to a more common schema to allow
parallel installation of several source versions
- Adjust fix_init.patch
-------------------------------------------------------------------
Mon Jan 11 09:29:18 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
- Update to version 20210111
- Drop fix_policykit.patch (integrated upstream)
- Adjust fix_iptables.patch
- update container policy
-------------------------------------------------------------------
Tue Nov 10 08:52:35 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
- Updated fix_corecommand.patch to set correct types for the OBS
build tools
-------------------------------------------------------------------
Thu Oct 29 08:47:51 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- wicked.fc: add libexec directories
- Update to version 20201029
- update container policy
-------------------------------------------------------------------
Fri Oct 16 08:50:06 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Update to version 20201016
- Use python3 to build (fc_sort.c was replaced by fc_sort.py which
uses python3)
- Drop SELINUX=disabled, "selinux=0" kernel commandline option has
to be used instead. New default is "permissive" [bsc#1176923].
-------------------------------------------------------------------
Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20200910. Refreshed
* fix_authlogin.patch
* fix_nagios.patch
* fix_systemd.patch
* fix_usermanage.patch
- Delete suse_specific.patch, moved content into fix_selinuxutil.patch
- Cleanup of booleans-* presets
* Enabled
user_rw_noexattrfile
unconfined_chrome_sandbox_transition
unconfined_mozilla_plugin_transition
for the minimal policy
* Disabled
xserver_object_manager
for the MLS policy
* Disabled
openvpn_enable_homedirs
privoxy_connect_any
selinuxuser_direct_dri_enabled
selinuxuser_ping (aka user_ping)
squid_connect_any
telepathy_tcp_connect_generic_network_ports
for the targeted policy
Change your local config if you need them
- Build HTML version of manpages for the -devel package
-------------------------------------------------------------------
Thu Sep 3 07:47:52 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

168
selinux-policy.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package selinux-policy
#
# Copyright (c) 2022 SUSE LLC
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -12,12 +12,12 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# TODO: This turns on distro-specific policies.
# There are almost no SUSE specific modifications available in the policy, so we utilize the
# ones used by redhat and include also the SUSE specific ones (distro_suse_to_distro_redhat.patch)
# ones used by redhat and include also the SUSE specific ones (see sed statement below)
%define distro redhat
%define ubac n
%define polyinstatiate n
@ -33,9 +33,9 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
Version: 20221019
Version: 20200717
Release: 0
Source: fedora-policy-%{version}.tar.bz2
Source: fedora-policy.%{version}.tar.bz2
Source1: selinux-policy-rpmlintrc
Source10: modules-targeted-base.conf
@ -65,6 +65,7 @@ Source52: users-minimum
Source60: selinux-policy.conf
Source90: selinux-policy-rpmlintrc
Source91: Makefile.devel
Source92: customizable_types
#Source93: config.tgz
@ -81,23 +82,22 @@ Source125: rtorrent.fc
Source126: wicked.te
Source127: wicked.if
Source128: wicked.fc
Source129: rebootmgr.te
Source130: rebootmgr.if
Source131: rebootmgr.fc
Patch000: distro_suse_to_distro_redhat.patch
Patch001: fix_djbdns.patch
Patch002: fix_dbus.patch
Patch003: fix_gift.patch
Patch004: fix_java.patch
Patch005: fix_hadoop.patch
Patch006: fix_thunderbird.patch
Patch007: fix_postfix.patch
Patch008: fix_nscd.patch
Patch009: fix_sysnetwork.patch
Patch010: fix_logging.patch
Patch007: fix_postfix.patch
Patch008: fix_nscd.patch
Patch009: fix_sysnetwork.patch
Patch010: fix_logging.patch
Patch011: fix_xserver.patch
Patch012: fix_miscfiles.patch
Patch013: fix_init.patch
Patch014: fix_locallogin.patch
Patch015: fix_policykit.patch
Patch016: fix_iptables.patch
Patch017: fix_irqbalance.patch
Patch018: fix_ntp.patch
@ -123,33 +123,17 @@ Patch039: fix_cron.patch
Patch040: fix_usermanage.patch
Patch041: fix_smartmon.patch
Patch042: fix_geoclue.patch
Patch043: suse_specific.patch
Patch044: fix_authlogin.patch
Patch045: fix_screen.patch
Patch046: fix_unprivuser.patch
Patch047: fix_rpm.patch
Patch048: fix_apache.patch
Patch049: fix_nis.patch
Patch050: fix_libraries.patch
Patch051: fix_dovecot.patch
# https://github.com/cockpit-project/cockpit/pull/15758
#Patch052: fix_cockpit.patch
Patch053: fix_systemd_watch.patch
# kernel specific sysctl.conf (boo#1184804)
Patch054: fix_kernel_sysctl.patch
Patch055: fix_auditd.patch
Patch056: fix_wine.patch
Patch057: fix_hypervkvp.patch
Patch058: fix_bitlbee.patch
Patch059: systemd_domain_dyntrans_type.patch
Patch060: fix_dnsmasq.patch
Patch061: fix_userdomain.patch
Patch062: fix_cloudform.patch
Patch063: fix_alsa.patch
Patch064: dontaudit_interface_kmod_tmpfs.patch
Patch100: sedoctool.patch
Patch100: sedoctool.patch
URL: https://github.com/fedora-selinux/selinux-policy.git
Url: https://github.com/fedora-selinux/selinux-policy.git
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
BuildRequires: checkpolicy
@ -157,9 +141,8 @@ BuildRequires: gawk
BuildRequires: libxml2-tools
BuildRequires: m4
BuildRequires: policycoreutils
BuildRequires: policycoreutils-devel
BuildRequires: python3
BuildRequires: python3-policycoreutils
BuildRequires: policycoreutils-devel
# we need selinuxenabled
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): pam-config
@ -170,9 +153,7 @@ Recommends: audit
Recommends: selinux-tools
# for audit2allow
Recommends: python3-policycoreutils
Recommends: container-selinux
Recommends: policycoreutils-python-utils
Recommends: selinux-autorelabel
%define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
@ -198,7 +179,6 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
@ -226,8 +206,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
%dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \
%dir %{_sharedstatedir}/selinux/%1/active/modules/100 \
%dir %{_sharedstatedir}/selinux/%1/active/modules/200 \
%dir %{_sharedstatedir}/selinux/%1/active/modules/400 \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \
@ -268,7 +246,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
%dir %{_datadir}/selinux/%1 \
%dir %{_datadir}/selinux/packages/%1 \
%{_datadir}/selinux/%1/base.lst \
%{_datadir}/selinux/%1/modules-base.lst \
%{_datadir}/selinux/%1/modules-contrib.lst \
@ -280,7 +257,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%{_sharedstatedir}/selinux/%1/active/seusers \
%{_sharedstatedir}/selinux/%1/active/file_contexts \
%{_sharedstatedir}/selinux/%1/active/policy.kern \
%{_sharedstatedir}/selinux/%1/active/modules_checksum \
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
@ -320,9 +296,9 @@ fi;
%define postInstall() \
. %{_sysconfdir}/selinux/config; \
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
rm %{_sysconfdir}/selinux/%2/.rebuild; \
/usr/sbin/semodule -B -n -s %2; \
if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \
rm %{_sysconfdir}/selinux/%%2/.rebuild; \
/usr/sbin/semodule -B -n -s %%2; \
fi; \
if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \
touch /etc/selinux/.autorelabel \
@ -370,18 +346,18 @@ creating other policies.
%files
%defattr(-,root,root,-)
%license COPYING
%doc COPYING
%dir %{_datadir}/selinux
%dir %{_datadir}/selinux/packages
%dir %{_sysconfdir}/selinux
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
#%ghost %{_sysconfdir}/sysconfig/selinux-policy
%{_tmpfilesdir}/selinux-policy.conf
%{_rpmconfigdir}/macros.d/macros.selinux-policy
%package sandbox
Summary: SELinux policy sandbox
Group: System/Management
Requires(pre): selinux-policy-targeted = %{version}-%{release}
Summary: SELinux policy sandbox
Requires(pre): selinux-policy-targeted = %{version}-%{release}
%description sandbox
SELinux sandbox policy used for the policycoreutils-sandbox package
@ -408,13 +384,66 @@ fi;
exit 0
%prep
%autosetup -n fedora-policy-%{version} -p1
%setup -n fedora-policy
%patch001 -p1
%patch002 -p1
%patch003 -p1
%patch004 -p1
%patch005 -p1
%patch006 -p1
%patch007 -p1
%patch008 -p1
%patch009 -p1
%patch010 -p1
%patch011 -p1
%patch012 -p1
%patch013 -p1
%patch014 -p1
%patch015 -p1
%patch016 -p1
%patch017 -p1
%patch018 -p1
%patch019 -p1
%patch020 -p1
%patch021 -p1
%patch022 -p1
%patch024 -p1
%patch025 -p1
%patch026 -p1
%patch027 -p1
%patch028 -p1
%patch029 -p1
%patch030 -p1
#% patch031 -p1
%patch032 -p1
%patch033 -p1
%patch034 -p1
%patch035 -p1
%patch036 -p1
%patch037 -p1
%patch038 -p1
%patch039 -p1
%patch040 -p1
%patch041 -p1
%patch042 -p1
%patch043 -p1
%patch044 -p1
%patch045 -p1
%patch046 -p1
%patch047 -p1
%patch048 -p1
%patch049 -p1
%patch100 -p1
find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;
%build
%install
mkdir -p %{buildroot}%{_sysconfdir}/selinux
touch %{buildroot}%{_sysconfdir}/selinux/config
#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux-policy
mkdir -p %{buildroot}%{_tmpfilesdir}
cp %{SOURCE60} %{buildroot}%{_tmpfilesdir}
@ -428,14 +457,15 @@ sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfig
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_datadir}/selinux/packages
mkdir selinux_config
for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
cp $i selinux_config
done
for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
cp $i policy/modules/contrib
done
@ -482,13 +512,11 @@ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/seli
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
mkdir %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/SUSE %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
rm %{buildroot}%{_mandir}/man8/container_selinux.8*
rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if
#XXX what's missing for html?
#%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
#mkdir %{buildroot}%{_datadir}/selinux/devel/html
#mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
#mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
%post
if [ ! -s %{_sysconfdir}/selinux/config ]; then
@ -497,15 +525,14 @@ if [ ! -s %{_sysconfdir}/selinux/config ]; then
if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then
mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
else
# XXX right default for SELINUXTYPE?
echo "
# This file controls the state of SELinux on the system.
# SELinux can be completly disabled with the \"selinux=0\" kernel
# commandline option.
#
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
SELINUX=permissive
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
@ -532,7 +559,9 @@ if [ $1 -eq 0 ]; then \
if [ "$SELINUXTYPE" = "$2" ]; then \
%{_sbindir}/setenforce 0 2> /dev/null \
if [ -s %{_sysconfdir}/selinux/config ]; then \
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \
else \
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config \
fi \
fi \
pam-config -d --selinux \
@ -542,12 +571,15 @@ exit 0
%postun
if [ $1 = 0 ]; then
%{_sbindir}/setenforce 0 2> /dev/null
if [ -s %{_sysconfdir}/selinux/config ]; then
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
if [ ! -s %{_sysconfdir}/selinux/config ]; then
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
else
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
fi
fi
exit 0
%package devel
Summary: SELinux policy devel
Group: System/Management
@ -562,10 +594,7 @@ SELinux policy development and man page package
%files devel
%defattr(-,root,root,-)
%doc %{_datadir}/man/ru/man8/*
%doc %{_datadir}/man/man8/*
%dir %{_datadir}/selinux/devel
%dir %{_datadir}/selinux/devel/html/
%doc %{_datadir}/selinux/devel/html/*
%dir %{_datadir}/selinux/devel/include
%{_datadir}/selinux/devel/include/*
%{_datadir}/selinux/devel/Makefile
@ -625,6 +654,7 @@ Requires(pre): /usr/bin/awk
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
%description minimum
SELinux Reference policy minimum base module.

13
suse_specific.patch Normal file
View File

@ -0,0 +1,13 @@
Index: fedora-policy/policy/modules/system/selinuxutil.if
===================================================================
--- fedora-policy.orig/policy/modules/system/selinuxutil.if
+++ fedora-policy/policy/modules/system/selinuxutil.if
@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config'
dontaudit $1 selinux_config_t:dir search_dir_perms;
dontaudit $1 selinux_config_t:file read_file_perms;
+ # /etc/selinux/config is often a link to /etc/sysconfig/selinux-policy
+ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
')
########################################

13
systemd_domain_dyntrans_type.patch
View File

@ -1,13 +0,0 @@
Index: fedora-policy-20220124/policy/modules/system/init.te
===================================================================
--- fedora-policy-20220124.orig/policy/modules/system/init.te
+++ fedora-policy-20220124/policy/modules/system/init.te
@@ -179,6 +179,8 @@ allow init_t self:tcp_socket { listen ac
allow init_t self:packet_socket create_socket_perms;
allow init_t self:key manage_key_perms;
allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+domain_dyntrans_type(init_t)
+allow init_t self:process { dyntransition setcurrent };
# is ~sys_module really needed? observed:
# sys_boot

18
update.sh
View File

@ -4,19 +4,21 @@ date=$(date '+%Y%m%d')
echo Update to $date
rm -rf fedora-policy container-selinux
rm -rf fedora-policy container-selinux selinux-policy-contrib
git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git
git clone --depth 1 https://github.com/fedora-selinux/selinux-policy-contrib.git
git clone --depth 1 https://github.com/containers/container-selinux.git
mv selinux-policy fedora-policy-$date
rm -rf fedora-policy-$date/.git*
mv container-selinux/container.* fedora-policy-$date/policy/modules/services/
mv selinux-policy fedora-policy
rm -rf fedora-policy/.git*
mv selinux-policy-contrib/* fedora-policy/policy/modules/contrib/
mv container-selinux/* fedora-policy/policy/modules/contrib/
rm -f fedora-policy?$date.tar*
tar cf fedora-policy-$date.tar fedora-policy-$date
bzip2 fedora-policy-$date.tar
rm -rf fedora-policy-$date container-selinux
rm -f fedora-policy.$date.tar*
tar cf fedora-policy.$date.tar fedora-policy
bzip2 fedora-policy.$date.tar
rm -rf fedora-policy container-selinux selinux-policy-contrib
sed -i -e "s/^Version:.*/Version: $date/" selinux-policy.spec

1
users-minimum
View File

@ -36,4 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

2
users-mls
View File

@ -36,5 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

3
users-targeted
View File

@ -36,6 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

1
wicked.fc
View File

@ -19,7 +19,6 @@
/usr/sbin/rcwicked.* -- gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
/usr/lib/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0)
/usr/libexec/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0)
#/usr/lib64/libwicked-0.6.63.so

8
wicked.te
View File

@ -326,6 +326,10 @@ optional_policy(`
fcoe_dgram_send_fcoemon(wicked_t)
')
optional_policy(`
hal_write_log(wicked_t)
')
optional_policy(`
howl_signal(wicked_t)
')
@ -494,10 +498,6 @@ optional_policy(`
virt_dbus_chat(wicked_t)
')
optional_policy(`
networkmanager_dbus_chat(wicked_t)
')
#tunable_policy(`use_ecryptfs_home_dirs',`
#fs_manage_ecryptfs_files(wicked_t)
#')