From 8beb2b3f3b984b4818eb4704b6e7c8e651f100bd7631c9b49784327a86613d0f Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Thu, 12 Jan 2023 07:15:59 +0000
Subject: [PATCH 1/2] Accepting request 1057912 from home:jsegitz:branches:security:SELinux
- Add fix_container.patch to allow privileged containers to use timedatectl (bsc#1207054)
OBS-URL: https://build.opensuse.org/request/show/1057912
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=168
---
 fix_container.patch | 12 ++++++++++++
 selinux-policy.changes | 6 ++++++
 selinux-policy.spec | 4 +++-
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 fix_container.patch
diff --git a/fix_container.patch b/fix_container.patch
new file mode 100644
index 0000000..d216c2b
--- /dev/null
+++ b/fix_container.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy-20221019/policy/modules/services/container.te
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/services/container.te
++++ fedora-policy-20221019/policy/modules/services/container.te
+@@ -681,6 +681,7 @@ init_dbus_chat(spc_t)
+ optional_policy(`
+ systemd_dbus_chat_machined(spc_t)
+ systemd_dbus_chat_logind(spc_t)
++ systemd_dbus_chat_timedated(spc_t)
+ ')
+
+ optional_policy(`
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 3ab948c..1eef46d 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan 11 14:17:02 UTC 2023 - Johannes Segitz
+
+- Add fix_container.patch to allow privileged containers to use
+ timedatectl (bsc#1207054)
+
 -------------------------------------------------------------------
 Thu Dec 15 16:11:15 UTC 2022 - Hu
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 89d670b..6d85ed7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
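Review bot: The new patch file says nothing about what it grants: `systemd_dbus_chat_timedated(spc_t)` gives the privileged-container domain spc_t two-way D-Bus messaging with systemd-timedated, which is what lets timedatectl inside such a container adjust the host's time settings, and only the spec comment and changelog record why. I would add a short header above the `Index:` line, along the lines of `Allow privileged containers (spc_t) to talk to systemd-timedated over D-Bus so timedatectl works (bsc#1207054, container-selinux PR 199)`, so the patch still explains itself once the spec comment is gone. The rule sits inside the existing optional_policy block beside `systemd_dbus_chat_machined(spc_t)` and `systemd_dbus_chat_logind(spc_t)`, so it is only built when the systemd module is present and is in line with the host-service access that block already gives spc_t; it does presume the policy tree's systemd.if defines `systemd_dbus_chat_timedated`, which is worth confirming against the fedora-policy-20221019 base before relying on the build.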
@@ -1,7 +1,7 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -148,6 +148,8 @@ Patch063: fix_alsa.patch
 Patch064: dontaudit_interface_kmod_tmpfs.patch
 Patch065: fix_sendmail.patch
 Patch066: fix_ipsec.patch
+# https://github.com/containers/container-selinux/pull/199, can be dropped once this is included
+Patch067: fix_container.patch
 Patch100: sedoctool.patch
From 5b345f822cfc5f76335ab6dbe2356918f1a036ba5a2ed6396412c5eadf69cac3 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Thu, 12 Jan 2023 13:57:34 +0000
Subject: [PATCH 2/2] Accepting request 1058003 from home:jsegitz:branches:security:SELinux
- Update fix_container.patch to allow privileged containers to use localectl (bsc#1207077)
OBS-URL: https://build.opensuse.org/request/show/1058003
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=169
---
 fix_container.patch | 3 ++-
 selinux-policy.changes | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/fix_container.patch b/fix_container.patch
index d216c2b..f54d046 100644
--- a/fix_container.patch
+++ b/fix_container.patch
@@ -2,11 +2,12 @@ Index: fedora-policy-20221019/policy/modules/services/container.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/services/container.te
 +++ fedora-policy-20221019/policy/modules/services/container.te
-@@ -681,6 +681,7 @@ init_dbus_chat(spc_t)
+@@ -681,6 +681,8 @@ init_dbus_chat(spc_t)
 optional_policy(`
 systemd_dbus_chat_machined(spc_t)
 systemd_dbus_chat_logind(spc_t)
 + systemd_dbus_chat_timedated(spc_t)
++ systemd_dbus_chat_localed(spc_t)
 ')
 optional_policy(`
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 1eef46d..88845c2 100644
--- a/selinux-policy.changes
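Review bot: The spec comment introduced by the first commit above `Patch067: fix_container.patch` (`# https://github.com/containers/container-selinux/pull/199, can be dropped once this is included`) is not revisited here even though the patch now also adds `systemd_dbus_chat_localed(spc_t)`; if PR 199 carries only the timedated line, dropping the patch when it lands would silently re-open bsc#1207077. I would extend that comment to name both parts, e.g. `# timedated: https://github.com/containers/container-selinux/pull/199 (bsc#1207054); localed: bsc#1207077 - drop only once both are upstream`, or cite whatever upstream change carries the localed rule. As with the timedated rule, the localed chat is two-way and lets spc_t drive systemd-localed on the host, consistent with the other host-service chats already granted in this optional_policy block; the hunk header update to `@@ -681,6 +681,8 @@` matches the two added lines.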
+++ b/selinux-policy.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jan 12 13:01:47 UTC 2023 - Johannes Segitz
+
+- Update fix_container.patch to allow privileged containers to use
+ localectl (bsc#1207077)
+
 -------------------------------------------------------------------
 Wed Jan 11 14:17:02 UTC 2023 - Johannes Segitz